1 Reply Latest reply: Feb 11, 2019 3:37 AM by Sergey

    ASA NAT

    Tyson

      REQUIREMENT:

      1. When the file server with the inside local address of 10.100.0.3 goes to the outside, it uses the auto NAT rule that translates the address to the ASA's outside interface (10.0.0.50) via PAT.

      2. When a device on the outside goes to 10.0.0.51, that traffic is sent to the server (a new traffic flow that is unrelated to the flow initiated by the file server).


      PROCEDURE: Attempted to do this using object NAT and then an after-auto manual NAT statement:

      object network NETWORK_10.100.0.0_24
       subnet 10.100.0.0 255.255.255.0
       nat (any,OUTSIDE) dynamic interface
      object network HOST_10.100.0.3
       host 10.100.0.3
      object network HOST_10.0.0.51
       host 10.0.0.51
      !
      nat (OUTSIDE,INSIDE) after-auto source static any any destination static HOST_10.0.0.51 HOST_10.100.0.3
      !
      access-list OUTSIDE_access_in extended permit ip any object HOST_10.100.0.3
      access-group OUTSIDE_access_in in interface OUTSIDE

      PROBLEM: the file server is still using the 10.0.0.51 address instead of the 10.0.0.50 address. I would assume that since the static NAT entry specifically calls to be after the auto NAT, traffic sourced from the file server to the outside would translate to 10.0.0.50 and traffic sourced from outside towards the file server would have to reach 10.0.0.51, but this isn't what is actually happening. When I do a packet-tracer in the CLI, I notice the static NAT entry is invoked, which has me confused as to why.


      Any ideas where I'm going wrong here? Just trying to get a better grasp on this. Thanks.

        • 1. Re: ASA NAT
          Sergey

          Tyson,


          You are correct, because the auto NAT statement is higher up in the list, the return traffic from the server will always hit it first and will use auto NAT. I think the best you can do is create a specific NAT entry for a port on the server and place it higher up. So that if traffic is originating from a certain port, which typically will be only in response to a client request, then use address .51. And the default will be caught by your auto NAT entry.
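An added config fragment (not from either post in this thread) that implements Sergey's suggestion on top of Tyson's objects: a port-specific manual NAT rule placed in section 1 (no after-auto, so it is evaluated before the auto NAT rule), with the inbound rule left in section 3. The service object name, the choice of TCP/445 as the server port, and the packet-tracer addresses are assumptions.

```text
! Constructed: source-port service object (TCP/445 assumed for an SMB file server)
object service SVC_TCP_445_SRC
 service tcp source eq 445
!
! Section 1 (manual NAT evaluated before auto NAT): only new flows the server
! sources from TCP/445 are translated to 10.0.0.51. Flows the server initiates
! from ephemeral ports miss this rule and fall through to the auto NAT rule on
! NETWORK_10.100.0.0_24 in section 2 (PAT to the OUTSIDE interface, 10.0.0.50).
! Replies on connections that clients opened to 10.0.0.51 are not re-matched
! against the NAT table; they follow the translation of their existing connection.
nat (INSIDE,OUTSIDE) 1 source static HOST_10.100.0.3 HOST_10.0.0.51 service SVC_TCP_445_SRC SVC_TCP_445_SRC
!
! Section 3 (after-auto): new inbound flows to 10.0.0.51 still reach the server.
nat (OUTSIDE,INSIDE) after-auto source static any any destination static HOST_10.0.0.51 HOST_10.100.0.3
!
! Constructed checks (203.0.113.10 is a documentation address standing in for an outside host):
! packet-tracer input INSIDE tcp 10.100.0.3 50000 203.0.113.10 443
!   -> expect the section 2 auto NAT rule and a mapped source of 10.0.0.50
! packet-tracer input OUTSIDE tcp 203.0.113.10 50000 10.0.0.51 445
!   -> expect the section 3 rule and an untranslated destination of 10.100.0.3
! show nat detail   -> confirms the section each rule landed in and its hit counts
```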