Using Cisco ASA without NAT

grantsewell
I'm using an ASA 5510, and for my specific purpose I need to publish a server to our corporate WAN without using NAT. I've looked for some configuration examples online, but I've been unable to locate anything adequate. Here's some information:

ASA Version 8.3(2) - NAT was changed slightly in this version, just FYI

Because you can't have overlapping networks on interfaces, I divided our external subnet like this:

35.2.3.0/24 - Eth0/0 - Internet External Interface
45.2.3.0/25 - Eth0/3 - Corporate WAN External Interface
45.2.3.128/25 - Eth0/1.10, Internal Sub-Interface
192.168.0.0/24 - Eth0/1 - Internal Interface

I assigned the IP 45.2.3.129 to the Internal Interface, and assigned IP address 45.2.3.130 to the server. I have an existing PAT masquerade rule which should work (and does, technically, the ASA shows no packet blocking and packet traces work fine), but it doesn't.

The PAT rule masquerades any traffic sent to the Eth0/3 interface to 45.2.3.3. Other systems with traditional NAT from Eth0/1 work fine. I also created a NAT rule that made the server keep its assigned address (45.2.3.130), but still no connectivity. The firewall logs look fine:

6      Oct 19 2010      09:45:52            45.2.3.130      57990      45.138.198.215      53      Built outbound UDP connection 143741 for WAN_Corp:45.138.198.215/53 (45.138.198.215/53) to DMZ_Corp:45.2.3.130/57990 (45.2.3.130/57990)

Routing this system over a PAT rule to the Internet on Eth0/0 works fine.

I'm confused if this is the "best practice" way to do this or not. I can't have overlapping IP ranges, but the internal addresses are not advertised on the outside interface, so I don't understand how the firewall will even receive the traffic on a response, let alone a request.

Any ideas on best practice for no NAT for a specific system?
Commented:
I would normally configure access-lists to specify the traffic that I do not want natted and then reference that in a 'nat (interface) 0 access-list nonat-acl' command.  With Cisco firewalls if you don't want NAT you have 2 options.  One is NAT the traffic from itself to itself, basically you tell the ASA to route it from interface to interface and the global and local IPs are the same.  Or you specify it as a nat 0 acl and the Cisco ignores the traffic for NATing completely.

So for example:
access-list nonat-wan permit ip 45.2.3.0 255.255.255.128 45.2.3.128 255.255.255.128
access-list nonat-wan permit ip 45.2.3.0 255.255.255.128 192.168.0.0 255.255.255.0
nat (waninterface) 0 access-list nonat-wan

You'd do that for each interface, specifying the inbound traffic and the destination.  

For it to work your upstream router will need to be routing the 45.2.3.0/24 network to the outside Internet interface of your Firewall, because you won't be using proxy arp, the firewall will just be routing the traffic.



Author

Commented:
Thanks! In that case, my NAT rules look fine, I think I'm good on that end.

Being that my upstream router is not directly managed by me, couldn't I just set up a proxy ARP on the outside CORP interface, and configure it for the IP address and MAC of my non-NATed server?

Commented:
I think you're going to have to have your ISP add a route for it to work no matter how you set it up.  Your Internet IP block being on 35.2.3.0/24 and your internal use block being on 45.2.3.0/24 means that even if you NAT or PAT the traffic, proxy ARP isn't going to work because they're not on the same network subnet.  The Internet router wouldn't be sending ARP requests to the firewall for it to reply to for traffic on the 45.2.3.0/24 networks.  Now if the Internet router has a route for 45.2.3.0/24 and pointed it to your External Internet interface of your firewall, both NATing it or not-NATing it will work.

Author

Commented:
I understand - I may not have conveyed my intentions correctly.

We'll be publishing without NAT to our corporate WAN, with specific routes already present. My no-NAT NAT rule (that sounded weird) only triggers for traffic sent to the corporate WAN interface. Any traffic to the Internet would not be able to use that IP address anyways, and so we're using the default Internet masquerade for traffic to that interface.

I added the proxy ARP and everything is working fine, life saver! Thanks again!
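For readers on ASA 8.3 and later, where the `nat (interface) 0 access-list` form from the expert's answer no longer exists, here is an added example (not taken from the thread) of how the same two pieces look in 8.3 syntax: a twice-NAT identity rule that exempts traffic between the DMZ_Corp and WAN_Corp interfaces from translation, and a static ARP entry with the `alias` keyword so the ASA answers ARP for the server's address on the WAN_Corp side. The interface names and subnets are the ones from the question; the object names and the MAC address are placeholders, and the rule is placed at line 1 so it is evaluated before the existing PAT masquerade.

```cisco
! Added example, ASA 8.3+ syntax; object names are assumed, not from the thread.
! Real subnet behind the internal sub-interface (Eth0/1.10)
object network DMZ_Corp_net
 subnet 45.2.3.128 255.255.255.128
! Corporate WAN side of the firewall (Eth0/3)
object network WAN_Corp_net
 subnet 45.2.3.0 255.255.255.128

! Identity twice NAT: real and mapped objects are the same on both sides,
! so the ASA routes the flow without rewriting addresses. "1" puts it at the
! top of section 1 so it wins over the general PAT rule for this interface pair.
nat (DMZ_Corp,WAN_Corp) 1 source static DMZ_Corp_net DMZ_Corp_net destination static WAN_Corp_net WAN_Corp_net

! Static ARP with "alias": the ASA replies to ARP requests for 45.2.3.130
! arriving on WAN_Corp, then forwards the packet to the directly connected
! DMZ_Corp subnet. Replace the placeholder MAC with the server's real one.
arp WAN_Corp 45.2.3.130 0000.0000.0000 alias
```

Two checks worth running after applying this: `show nat` should list the identity rule with hit counts rising for traffic to the WAN, and `show arp` on the ASA should show the alias entry for 45.2.3.130. Without the alias entry, the exemption only helps if the upstream corporate router already has a route for 45.2.3.128/25 pointing at the ASA's WAN_Corp address, which is the point the expert makes about routing versus proxy ARP.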
