Cisco ASA 5510 firewall source NAT, but no association with any interfaces

I have a need to source NAT a range of addresses on a one-to-one basis on a Cisco ASA 5510, but the firewall has no association (interfaces) with the range of addresses to which source NAT is to be applied, and I only want to apply this translation when the original source addresses browse to a specific public address.

To try and explain further, I will use the private address 192.168.100.100 as the destination public address.

Internal host 10.10.10.10/24 browses to public address 192.168.100.100 via the ASA 5510 firewall.
The ASA 5510 has an inside address 10.20.20.1/30 and an outside address 10.30.30.1/30.
When the internal host browses to public address 192.168.100.100, the 5510 uses source address translation and changes the 10.10.10.10 address to 10.40.40.10.

Another internal host 10.10.10.11/24 browses to the same public address 192.168.100.100 via the ASA 5510 firewall as in the scenario above, but this time the 5510 (still using source address translation) translates to address 10.40.40.11, and so on (i.e. on a one-to-one source translation basis).

Is this possible, and if so, could you please provide me with an example configuration?

Kind regards,
mtutton
vreinaldo commented:
Hello there,

Luck, lrmoore was close, but first of all, in your explanation there's a mistake (I hope it is :D).

You said:

Internal host 10.10.10.10/24....
The asa 5510 has an inside address 10.20.20.1/30...
I guess it should be:
The asa 5510 has an inside address 10.10.10.1/24...

If not, you have another device in the middle, between the inside net and the inside interface of the Cisco ASA... But OK, it is irrelevant to what we want; just make sure the device in the "middle" is not doing PAT or dynamic NAT...
 
What you want is a policy static NAT translation; this is commonly used in environments where there's an overlap in the inside networks (when dealing with VPNs)...
In fact you should do this.

1) access list to match the criteria:
access-list to-out permit ip 10.10.10.0 255.255.255.0 host 192.168.100.100

2) Define the Policy Static:

static (inside,outside) 10.40.40.0 access-list to-out


And that's it.

It will make a static one-to-one translation:

10.10.10.1 ---> 10.40.40.1

10.10.10.2 ---> 10.40.40.2

10.10.10.3 ---> 10.40.40.3
... and so on
10.10.10.254 ---> 10.40.40.254

Obviously you should have a dynamic NAT translation for traffic to other destinations:

nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface (for example)

I hope this is what you want!

lrmoore commented:
Actually, this is easier than you might think, using conditional NAT. Here's an example:

public host = 12.34.56.78

ASA outside public interface IP used as PAT global: 34.56.78.9
ASA inside interface 10.20.20.1
ASA has a route internally to 10.10.10.0:
  route inside 10.10.10.0 255.255.255.0 10.20.20.250

Now we just create the conditions, defining the traffic that we want to NAT:
 access-list CONDITIONAL_NAT1 permit ip host 10.10.10.11 host 12.34.56.78
 access-list CONDITIONAL_NAT2 permit ip host 10.10.10.12 host 12.34.56.78
 access-list CONDITIONAL_NAT3 permit ip host 10.10.10.13 host 12.34.56.78

Now apply the conditions to static xlates:
 static (inside,outside) 34.56.78.11 access-list CONDITIONAL_NAT1
 static (inside,outside) 34.56.78.12 access-list CONDITIONAL_NAT2
 static (inside,outside) 34.56.78.13 access-list CONDITIONAL_NAT3

Alternative solution that also may work with fewer lines of code:
  access-list CONDITIONAL permit ip 10.10.10.0 255.255.255.0 host 12.34.56.78
  global (outside) 2 34.56.78.11-34.56.78.13 netmask 255.255.255.0
  nat (inside) 2 access-list CONDITIONAL

mtutton (author) commented:
Hi Genius,

Thanks for the response, but the solution does not provide what I require.

This solution provides NAT/PAT based on the outside interface (in your case 34.56.78.0). I require the source address (i.e. 10.10.10.11) to be translated to an address NOT associated with ANY addresses associated with the firewall, e.g. source 10.10.10.11 translates to source 10.40.40.11 when the destination address is a specific public address.

regards
lrmoore commented:
OK, the concept is the same regardless of whether or not the address is associated with the outside interface or not. I simply misunderstood your requirement.
You can nat to any address, regardless of interface addressing. This is especially handy when you connect via VPN tunnel to a location that has overlapping IP address space.
mtutton (author) commented:
Hi vreinaldo and lrmoore,

Thank you both for your replies.  

However, neither of you understood my question. This is obviously down to me not explaining my problem properly, so I will reiterate:
 
We have a very large network, and I quote a key sentence from my first paragraph: 'but the firewall has no association (interfaces) with the range of addresses that source NAT is to be applied'.

So for example:

inside network is 10.20.20.0/24
outside network is 10.30.30.0/24
Source addresses reside somewhere within inside network 10.10.10.0/24 (note: in my example this subnet is NOT associated with any of the IP addresses associated with the firewall, which are 10.20.20.0 and 10.30.30.0).

So what I require is that the source address coming from an internal network within the large enterprise (e.g. 10.10.10.10) and entering the firewall from the inside interface (10.20.20.1/24) needs to have its source address changed by the firewall to 10.40.40.10, when the source has a destination address of 192.168.100.100 (my public address example).

Hope this explains it more clearly. My apologies for not explaining better in the first place.

As I mentioned, I don't know whether this is indeed possible because there is NO association with any addresses attached to the firewall.

regards

Mark

vreinaldo commented:
Hi there,


It doesn't matter, my friend; it looks like you haven't done the test... but OK, as I told you last time, in this scenario:
"The asa 5510 has an inside address 10.10.10.1/24...

if NOT, you have another device in the middle of the inside net and the inside interface of the cisco ASA... But OK, it IS IRRELEVANT to what we want, just make sure the device in the "middle" is not doing PAT or Dynamic NAT..."

What I mean by this is:

If you have a device doing PAT, you will NOT BE ABLE to make a one-to-one translation.
If you have a device doing dynamic NAT, you will NOT BE ABLE to make a one-to-one translation.
If you have a device doing routing without NAT, you WILL BE ABLE to make a one-to-one translation using the above configuration!!

That's what I THINK is your problem; if not, please try to make it clearer with a diagram, or at least tell me what device is connecting the ASA with the inside LAN.

Have a nice Day..!
vreinaldo commented:
That's what I think; if it's not... then you're right, I DON'T GET IT.

HAVE A LOOK!!
[Attachment: EX-diagram.jpg]
mtutton (author) commented:
Hi vreinaldo,

There are two firewalls (inside and outside). The inside one is NOT doing any dynamic NAT or PAT, just routing, and the outside firewall is attached to a router (which connects to the internet) which does PAT.

Between the two firewalls is effectively a DMZ. In this DMZ is a VPN device. This device must see source addresses coming from the inside network in the range 10.40.40.0/24 (in my example) when internal clients browse a specific public address.

However, clients on the inside network use subnets other than this, thus the need for translation of the source address. The VPN device then uses this as interesting traffic and brings up a VPN to a remote device (via the internet).

I was reluctant to expand in this manner, as I thought it might detract from what I was trying to achieve. Clearly, not expanding has caused more confusion.

So, to summarise, this can be done, and I would use (in my example) the following for one specific internal client:

access-list to-out permit ip 10.10.10.10 255.255.255.255 host 192.168.100.100
static (inside,outside) 10.40.40.10 access-list to-out

This access-list would be applied to the inside interface.

regards
mtutton (author) commented:
Hi vreinaldo

Please ignore (hopefully you already have) my last comment in the post, i.e. 'This access-list would be applied to the inside interface'; obviously that's nonsense.

But I do understand now how my overall objective can be achieved, thanks to you and lrmoore.

Thanks to you both for your time and effort in helping me.

regards
lrmoore commented:
Thanks for sticking with us!
The bottom line is that you can certainly NAT any internal network, as long as you have a route to it, to any IP address as it goes out, regardless of any association with the outside interface, with a simple ACL applied to a static statement.
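Putting the thread together (vreinaldo's policy static answer and the author's DMZ/VPN description), here is an added worked configuration. It is not code from any of the posters; it is written for the topology they describe: ASA inside 10.20.20.1/30, outside 10.30.30.1/30, real clients in 10.10.10.0/24 reached through an inside router, public destination 192.168.100.100, mapped range 10.40.40.0/24. The inside next hop 10.20.20.2 and the ACL and object names are assumptions. The first section uses the pre-8.3 static/nat/global syntax the thread uses; the second shows the same policy in the object-based twice NAT syntax that replaced it in ASA 8.3, which no longer accepts the `static ... access-list` form. Use one section or the other depending on the ASA version.

```cisco
! Added example for the scenario in this thread (not taken from any post).
! Assumed: inside router at 10.20.20.2 (next hop to 10.10.10.0/24), names below.

! The ASA must know how to reach the real source network, otherwise packets
! arriving on "inside" from 10.10.10.0/24 fail the reverse-path check and
! no translation is ever built.
route inside 10.10.10.0 255.255.255.0 10.20.20.2

! ===== Section A: ASA 7.x / 8.0 - 8.2 (pre-8.3 NAT syntax) =====

! Policy ACL: only traffic from 10.10.10.0/24 to the single public host matches.
! The /24 source mask is what makes the static net-to-net, i.e. one-to-one by
! host offset: 10.10.10.10 -> 10.40.40.10, 10.10.10.11 -> 10.40.40.11, ...
access-list TO-VPN-HOST extended permit ip 10.10.10.0 255.255.255.0 host 192.168.100.100

! Policy static: real 10.10.10.0/24 -> mapped 10.40.40.0/24 only when the ACL matches.
! 10.40.40.0/24 does not belong to any ASA interface subnet; the ASA does not
! require a mapped address to be on a connected interface.
static (inside,outside) 10.40.40.0 access-list TO-VPN-HOST

! Remaining traffic from 10.10.10.0/24 (any other destination) gets ordinary
! PAT to the outside interface address. Policy static is evaluated before
! dynamic NAT, so the two rules do not conflict.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! ===== Section B: ASA 8.3+ (object / twice NAT syntax), same policy =====

object network REAL-CLIENTS
 subnet 10.10.10.0 255.255.255.0
object network MAPPED-CLIENTS
 subnet 10.40.40.0 255.255.255.0
object network VPN-PEER-HOST
 host 192.168.100.100

! Twice NAT: translate source REAL -> MAPPED one-to-one, but only for flows
! whose destination is VPN-PEER-HOST (destination is an identity translation).
nat (inside,outside) source static REAL-CLIENTS MAPPED-CLIENTS destination static VPN-PEER-HOST VPN-PEER-HOST

! Ordinary PAT for everything else from the real network (8.3+ form).
object network REAL-CLIENTS-PAT
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! ===== Verification (either version) =====

! Simulate one client flow; the NAT phase of the output names the rule that
! fired and the mapped source, which should be 10.40.40.10 for this input.
packet-tracer input inside tcp 10.10.10.10 1025 192.168.100.100 80

! A second client must map to a different mapped host (10.10.10.11 -> 10.40.40.11).
packet-tracer input inside tcp 10.10.10.11 1025 192.168.100.100 80

! After real traffic, the xlate table should list the one-to-one entries.
show xlate | include 10.40.40

! Confirm the route to the real network exists before blaming the NAT rule.
show route | include 10.10.10.0
```

Two practical points that the thread touches on but does not spell out. First, the policy ACL is referenced only by the `static` (or `nat`) line; it is not bound to an interface with `access-group`, which is a separate filtering ACL, so the author's retracted remark about "applying" it to the inside interface is exactly the confusion to avoid. Second, the return path: the ASA answers ARP for mapped addresses only when they fall inside the outside interface's own subnet, and 10.40.40.0/24 does not, so the DMZ VPN device and the outside firewall need a route for 10.40.40.0/24 pointing at the ASA outside address (10.30.30.1). Without that route the outbound translation will build, but the replies from 192.168.100.100 will never come back through the ASA.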