• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1239
  • Last Modified:

Cisco ASA 8.3 NAT

Hi,

I have an ASA firewall and I am trying to understand the concept when ASA performs NAT from inside to outside. For example, if a host on the inside of the firewall were to access networks outside of the firewall multiple hops away, the ip address would be nated based on the configuration. However, if the host would like to access the network outside of the ASA (same subnet of the outside interface of the ASA), based on packet capture I dont seems to see any nat being performed. Instead it makes use of the internal ip address of the host. I was wondering if there may be additional configuration which may be used to ensure that the ASA performs the NAT even though hosts inside the ASA are access clients outside of the ASA but on the same subnet of the ASA outside interface. I have illustrate the diagram below :



10.0.0.0/24 (outside)---Layer 3 switch(155.69.239.254/22)--(155.69.239.249/22, Outside interface of ASA)--ASA--172.16.1.1/16(Inside interface of ASA)----PCs/hosts

 

 

The following confgiurations has been applied:

 

object network obj-155.69.239.245
host 155.69.239.245


object network obj-172.16.30.245
host 172.16.30.245

object network obj-172.16.30.245
nat (Inside,Outside) static obj-155.69.239.245

 

When the clients tries to access 10.0.0.0/24, I could see it being nated to 155.69.239.245. However, when the clients tries to access other devices on 155.69.236.0/22, I dont see any nating being performed. I am seeing the actual host ip address(172.16.30.245) accessing the 155.69.236.0/22 subnet. I was wondering if there may any configuration required to perform the nating even though the client is accessing 155.69.236.0/22?

 

Thanks.
0
cwtang
Asked:
cwtang
  • 4
  • 3
1 Solution
 
Ken BooneNetwork ConsultantCommented:
Once the packet leaves the ASA it should have a src ip address of the 155 address.
Here are 3 ways you can test your theory
1) set up a span port on the external switch and use wireshark to capture the data when you attempt to make a connection from the 172 address to the layer 3 switch.  See what shows as your src ip address.
2) telnet or ssh to the external layer 3 switch form the 172 device and then from the layer 3 switch use what ever commands are necessary to view who has the open connections to it.  This should again show you the src ip address as it would be known to the switch.
3)  Set up a PC on the outside with a 155.x address and attempt to make a connection to that PC.  Have wireshark running on that PC to capture the traffic.
0
 
cwtangAuthor Commented:
Hi,
Thanks for the information. I have setup a simple test using icmp ping. I performed a ping from a host inside the ASA (172.16.30.245) to 155.69.239.254(layer 3 switch svi ip address) and 155.69.238.100 (PC connected outside).

From the wireshark, I am seeing 172.16.30.245 as the src ip address when it leaves the ASA for 155.69.239.254 and 155.69.238.100. However If i perform a ping to 10.0.0.0/24 or any other layer 3 that is not on the same subnet as 155.69.236.0/22; I am seeing 155.69.239.245 as the nated src ip address.

I am confused if this is by design of ASA or incomplete configuration or bug in ASA code.

Thanks.
0
 
mlchelpCommented:
can you post a sanitized config so we can take a look
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Ken BooneNetwork ConsultantCommented:
Yea lets see the whole sanitized config.  That would not be normal.
0
 
cwtangAuthor Commented:
Hi,
I have attached the configuration of the ASA as follows:

ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 155.69.239.249 255.255.252.0 standby 155.69.239.250
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 155.69.251.141 255.255.255.0 standby 155.69.251.142
 management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns server-group DefaultDNS
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.0.0
object network obj-155.69.236.0
 subnet 155.69.236.0 255.255.252.0
object network is0
 host 172.16.20.60
 description is0
object network is1
 host 172.16.20.61
 description is1
object network Isadmin
 host 172.16.20.69
 description Isadmin
object network erpprd
 host 172.16.1.11
 description erpprd
object network erpdev
 host 172.16.1.12
 description erpdev
object network erpwpq
 host 172.16.20.52
 description erpwpq
object network Advpn
 host 172.16.20.88
 description Advpn
object network admin
 host 172.16.20.70
 description admin
object network topcall
 host 172.16.20.55
 description topcall
object network gebiz
 host 172.16.20.56
 description gebiz
object network prdgebiz
 host 172.16.20.57
 description prdgebiz
object network erpwps
 host 172.16.20.58
 description erpwps
object network Aventail-1
 host 172.16.30.246
 description Aventail-l
object network Aventail-2
 host 172.16.30.247
 description Aventail-2
object network Aventail-VIP
 host 172.16.30.245
 description Aventail-VIP
object network erpdev1
 host 172.16.20.18
 description erpdev1
object network erpwps1
 host 172.16.20.20
 description erpwps1
object network erpwps2
 host 172.16.20.21
 description erpwps2
object network erpprd1
 host 172.16.20.22
 description erpprd1
object network erpprd2
 host 172.16.20.23
 description erpprd2
object network sapprd
 host 172.16.20.16
 description sapprd
object network sqlprd
 host 172.16.20.17
 description sqlprd
object network taurusdb01
 host 172.16.20.31
 description taurusdb01
object network taurusdb02
 host 172.16.20.32
 description taurusdb02
object network admds20
 host 155.69.236.10
 description admds20
object network N4AP0059C
 host 172.16.20.25
 description N4AP0059C
object network PAT
 host 155.69.239.248
 description PAT
object network Alpha
 host 155.69.5.67
 description Alpha
object network hsmonsrv
 host 155.69.24.79
 description hsmonsrv  
object network CED-MarkEntry
 host 155.69.240.171
 description CED-MarkEntry  
object network GBIZUAT
 host 10.244.1.180
 description GBIZUAT  
object network gebiz1
 host 10.244.126.253
 description gebiz1  
object network gebiz2
 host 10.244.126.254
 description gebiz2  
object network GBIZPRD
 host 10.244.1.156
 description GBIZPRD  
object network GebizProxy
 host 10.247.1.10
 description GebizProxy  
object network CIT_Subnet
 subnet 155.69.251.0 255.255.255.0
 description CIT_Subnet  
object network NET
 subnet 155.69.0.0 255.255.0.0
 description NET  
object network ISS_Scanner
 host 155.69.251.125
 description ISS_Scanner  
object network MasterBK
 host 155.69.5.96
 description MasterBK  
object network SNMP_Monitor
 host 155.69.251.155
 description SNMP_Monitor  
object network SAPSvr
 subnet 172.16.1.0 255.255.255.0
 description SAPSvr
object network Staff4
 host 172.16.20.161
 description Staff4
object network gebiz3
 host 10.244.126.249
 description gebiz3
object network TanSiewEim_PC
 host 155.69.251.151
 description TanSiewEim_PC
object network staff11
 host 155.69.5.152
 description staff11
object network staff10
 host 155.69.5.150
 description staff10
object network staff6
 host 155.69.160.252
 description staff6
object network NTU_Hall_Network
 subnet 172.20.0.0 255.255.0.0
 description NTU_Hall_Network
object network NTU_Wireless_Network
 subnet 172.22.0.0 255.255.0.0
 description NTU_Wireless_Network
object-group network AdminBldgNW_GRP
 description AdminBldgNW_GRP
 network-object 155.69.236.128 255.255.255.128
 network-object 155.69.237.0 255.255.255.0
 network-object 155.69.238.0 255.255.255.0
 network-object 155.69.239.0 255.255.255.0
object-group network SQL_Svrs_Grp
 description SQL Servers
 network-object 172.16.20.60 255.255.255.255
 network-object 172.16.20.61 255.255.255.255
 network-object 172.16.20.69 255.255.255.255
object-group network TCP_Svc_3200-3399
 description TCP Service 3200-3399
 network-object 172.16.1.11 255.255.255.255
 network-object 172.16.20.52 255.255.255.255
 network-object 172.16.1.12 255.255.255.255
 network-object 172.16.20.58 255.255.255.255
object-group network CITS_GeBIZ
 network-object 172.16.20.56 255.255.255.255
 network-object 172.16.20.57 255.255.255.255
object-group network External_GeBIZ
 network-object 10.244.126.249 255.255.255.255
 network-object 10.244.126.253 255.255.255.255
 network-object 10.244.126.254 255.255.255.255
object-group network CITS_GeBIZ_ref
 network-object host 155.69.236.21
 network-object host 155.69.236.22
object-group network AdminSvr_Administrator
 network-object 155.69.251.151 255.255.255.255
object-group network ISS_Scan_SVR
 network-object 172.16.20.60 255.255.255.255
 network-object 172.16.20.61 255.255.255.255
 network-object 172.16.20.70 255.255.255.255
object-group network ISS_Scan_SVR_ref
 network-object host 155.69.236.15
 network-object host 155.69.236.16
 network-object host 155.69.236.17
object-group network NetBackup_Client
 network-object 172.16.20.18 255.255.255.255
 network-object 172.16.20.20 255.255.255.255
 network-object 172.16.20.21 255.255.255.255
 network-object 172.16.20.22 255.255.255.255
 network-object 172.16.20.23 255.255.255.255
 network-object 172.16.20.31 255.255.255.255
 network-object 172.16.20.32 255.255.255.255
object-group network NetBackup_Client_ref
 network-object host 155.69.236.10
 network-object host 155.69.236.26
 network-object host 155.69.236.27
 network-object host 155.69.236.28
 network-object host 155.69.236.29
 network-object host 155.69.236.9
 network-object host 155.69.236.30
object-group network NetBackup_RemoteExeClient
 network-object 172.16.20.16 255.255.255.255
 network-object 172.16.20.17 255.255.255.255
 network-object 172.16.20.31 255.255.255.255
 network-object 172.16.20.32 255.255.255.255
object-group service NetBackup_RemoteExe tcp
 port-object eq 135
 port-object eq 1056
object-group network NetBackup_RemoteExeClient_ref
 network-object host 155.69.236.10
 network-object host 155.69.236.13
 network-object host 155.69.236.14
 network-object host 155.69.236.9
object-group network CITS_Svr
 network-object 155.69.5.150 255.255.255.255
 network-object 155.69.5.152 255.255.255.255
 network-object 155.69.160.252 255.255.255.255
object-group network Direct_Access_Private_IP
 description Private IP access directly from Outside
 network-object 172.16.20.70 255.255.255.255
 network-object 172.16.1.12 255.255.255.255
 network-object 172.16.20.58 255.255.255.255
 network-object 172.16.1.11 255.255.255.255
 network-object 172.16.20.52 255.255.255.255
 network-object 172.16.20.60 255.255.255.255
 network-object 172.16.20.61 255.255.255.255
 network-object 172.16.20.69 255.255.255.255
object-group network SQL_Svrs_Grp_ref
 network-object 155.69.236.16 255.255.255.255
 network-object 155.69.236.17 255.255.255.255
 network-object 155.69.236.18 255.255.255.255
object-group network Svr_4_Backup
 description Server access by backup
 network-object 172.16.20.20 255.255.255.255
 network-object 172.16.20.21 255.255.255.255
object-group network Svr_4_Backup_ref
 network-object host 155.69.236.27
 network-object host 155.69.236.28
object-group network Block_non_User
 network-object object NTU_Hall_Network
 network-object object NTU_Wireless_Network
object-group network ISx_servers
 network-object 172.16.20.60 255.255.255.255
 network-object 172.16.20.61 255.255.255.255
object-group network ISx_servers_ref
 network-object host 155.69.236.17
 network-object host 155.69.236.16
access-list IN extended permit udp any any
access-list IN extended permit tcp any any
access-list IN extended permit ip 172.16.0.0 255.255.0.0 any
access-list Inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 object-group CITS_Svr
access-list Inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 155.69.236.0 255.255.252.0
access-list Inside_pnat_outbound extended permit ip 172.16.0.0 255.255.0.0 any
access-list OUT extended deny ip object-group Block_non_User any log disable
access-list OUT extended permit tcp object-group AdminBldgNW_GRP object-group SQL_Svrs_Grp eq sqlnet
access-list OUT extended permit tcp object-group AdminBldgNW_GRP object-group TCP_Svc_3200-3399 range 3200 3399
access-list OUT extended permit tcp object-group AdminBldgNW_GRP object admin eq ftp
access-list OUT extended permit tcp object-group AdminBldgNW_GRP object admin eq telnet
access-list OUT extended permit tcp object Alpha object is0
access-list OUT extended permit tcp object admds20 object admin
access-list OUT extended permit tcp object hsmonsrv object-group SQL_Svrs_Grp_ref eq sqlnet
access-list OUT extended permit tcp object CED-MarkEntry object-group ISx_servers_ref eq sqlnet
access-list OUT extended permit tcp object GBIZUAT object gebiz eq 1523
access-list OUT extended permit tcp object gebiz1 object gebiz eq 1523
access-list OUT extended permit tcp object gebiz2 object gebiz eq 1523
access-list OUT extended permit tcp object GBIZPRD object prdgebiz eq 1523
access-list OUT extended permit tcp object-group External_GeBIZ object prdgebiz eq 1523
access-list OUT extended permit tcp object GebizProxy object-group CITS_GeBIZ_ref eq 1523
access-list OUT extended permit tcp object CIT_Subnet object-group CITS_GeBIZ_ref eq 1523
access-list OUT extended permit tcp object NET object Aventail-VIP eq https
access-list OUT extended permit tcp object NET object Aventail-VIP eq www
access-list OUT extended permit tcp object-group AdminSvr_Administrator object Aventail-1
access-list OUT extended permit tcp object ISS_Scanner object-group ISS_Scan_SVR_ref eq www
access-list OUT remark Net Backup
access-list OUT extended permit tcp object MasterBK object-group NetBackup_Client_ref eq 13724
access-list OUT remark Net Backup Remote Execution Client
access-list OUT extended permit tcp object MasterBK object-group NetBackup_RemoteExeClient_ref object-group NetBackup_RemoteExe
access-list OUT extended permit tcp object MasterBK object-group Svr_4_Backup_ref eq 13724
access-list OUT extended permit ip object CIT_Subnet object NET
access-list OUT extended permit tcp object SNMP_Monitor object erpprd2 eq 161
access-list OUT extended permit icmp any object NET information-reply
access-list OUT extended permit icmp any 172.21.125.0 255.255.255.0 information-reply
access-list OUT extended permit tcp 10.244.0.0 255.255.0.0 object N4AP0059C eq ssh
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered informational
logging trap informational
logging asdm informational
logging facility 16
logging host Outside 155.69.5.97
mtu Outside 1500
mtu Inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover replication http
failover link Failover GigabitEthernet0/3
failover interface ip Failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit 155.69.251.0 255.255.255.0 Outside
icmp permit 172.16.0.0 255.255.0.0 Inside
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static CITS_Svr CITS_Svr unidirectional
nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-155.69.236.0 obj-155.69.236.0 unidirectional
!
object network obj-172.16.0.0
 nat (Inside,Outside) dynamic PAT
object network is0
 nat (Inside,Outside) static 155.69.236.16
object network is1
 nat (Inside,Outside) static 155.69.236.17
object network Isadmin
 nat (Inside,Outside) static 155.69.236.18
object network erpprd
 nat (Inside,Outside) static 155.69.236.11
object network erpdev
 nat (Inside,Outside) static 155.69.236.12
object network erpwpq
 nat (Inside,Outside) static 155.69.236.19
object network Advpn
 nat (Inside,Outside) static 155.69.236.25
object network admin
 nat (Inside,Outside) static 155.69.236.15
object network topcall
 nat (Inside,Outside) static 155.69.236.20
object network gebiz
 nat (Inside,Outside) static 155.69.236.21
object network prdgebiz
 nat (Inside,Outside) static 155.69.236.22
object network erpwps
 nat (Inside,Outside) static 155.69.236.23
object network Aventail-1
 nat (Inside,Outside) static 155.69.239.246
object network Aventail-2
 nat (Inside,Outside) static 155.69.239.247
object network Aventail-VIP
 nat (Inside,Outside) static 155.69.239.245
object network erpdev1
 nat (Inside,Outside) static 155.69.236.26
object network erpwps1
 nat (Inside,Outside) static 155.69.236.27
object network erpwps2
 nat (Inside,Outside) static 155.69.236.28
object network erpprd1
 nat (Inside,Outside) static 155.69.236.29
object network erpprd2
 nat (Inside,Outside) static 155.69.236.30
object network sapprd
 nat (Inside,Outside) static 155.69.236.13
object network sqlprd
 nat (Inside,Outside) static 155.69.236.14
object network taurusdb01
 nat (Inside,Outside) static 155.69.236.9
object network taurusdb02
 nat (Inside,Outside) static admds20
object network N4AP0059C
 nat (Inside,Outside) static 155.69.236.24
access-group OUT in interface Outside
access-group IN in interface Inside
route Outside 0.0.0.0 0.0.0.0 155.69.239.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 155.69.251.0 255.255.255.0 Outside
http 155.69.251.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1500
no sysopt connection permit-vpn
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 155.69.251.0 255.255.255.0 Outside
telnet timeout 30
ssh 155.69.251.0 255.255.255.0 Outside
ssh 172.16.0.0 255.255.0.0 Inside
ssh timeout 30
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 155.69.5.7 source Outside
webvpn
username ncs password 9zqpneaSYTaL64Pv encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context

Not too sure if there is any configuration statement causing the nat not to work correctly.

Thanks.
0
 
Ken BooneNetwork ConsultantCommented:
nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-155.69.236.0 obj-155.69.236.0 unidirectional

This command is stating NOT to nat between 172.16.0.0 and 155.69.236.0 network.  That is why it is doing what it is doing.
0
 
cwtangAuthor Commented:
Hi kenboonejr,
Really appreciate for pointing out the cause of it. Didnt realize the above configuration was for no nat as it was migrated using cisco migration tool from 7.x to 8.3.  

Thanks alot for the assistance.
0
 
cwtangAuthor Commented:
Really appreciate the help.
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now