Solved

Cisco ASA NAT problem

Posted on 2013-05-16
16
544 Views
Last Modified: 2013-05-17
I am having an issue where I would like to have a different NAT address depending on what source address is making the connection.

ex.
source A =  1.1.1.1
source B =  1.1.1.2

source A  targets IP address = 2.2.2.1 translate to 3.3.3.3
source B  target IP address = 2.2.2.2  translate to 3.3.3.3

If I configure a static one-to-one NAT then I can make a connection using either

static (int1,int2) 2.2.2.1 3.3.3.3
or
static (int1,int2) 2.2.2.2 3.3.3.3

then I can make a connection using either statement.

However, if I try a nat / global combination

I end up getting a "Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0"

Is there a way to make a connection to the same host using different target IPs based on different source addresses?

thanks
0
Comment
Question by:FREDARCE
16 Comments
 

Author Comment

by:FREDARCE
ID: 39173081
I forgot to mention.  I am running version 8.2 on the ASA :(
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174477
This involves using Policy NAT.

first, create an ACL to match the traffic that you want to have this special NAT config
access-list pol-nat permit ip host 1.1.1.1 host 2.2.2.1
access-list pol-nat permit ip host 1.1.1.2 host 2.2.2.2

second create the nat
nat (inside) 5 access-list pol-nat
global (outside) 5 3.3.3.3

You might be able to do a static though, but it may complain as well, in which case you have to use the above.  The only difference is that instead of the global/nat you do the following:

static (inside, outside) 3.3.3.3 access-list pol-nat
0
 
LVL 28

Expert Comment

by:asavener
ID: 39174542
I end up getting a Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0

Do you have a route to 2.2.2.1/0?

Can you provide "show route"?
0
 

Author Comment

by:FREDARCE
ID: 39174583
I made a mistake in explaining.  I want the destination address to be natted from 2.2.2.1 to 3.3.3.3 and from 2.2.2.2 to 3.3.3.3
Will this accomplish that?
0
 

Author Comment

by:FREDARCE
ID: 39174749
If I use
static (outside,inside) 2.2.2.1 3.3.3.3

it works but then I have no condition for when a user tries to connect to 2.2.2.2
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174878
access-list pol-nat permit ip host 2.2.2.1 host 1.1.1.1
access-list pol-nat permit ip host 2.2.2.2 host 1.1.1.2

static (inside, outside) 3.3.3.3 access-list pol-nat

In that case I think the above is what you want.  I know it doesn't seem totally logical, but ACLs are used slightly differently in NAT commands.  Sorry, I don't have access to my lab at this time to test it out.  Also, I'll be honest, I haven't done one exactly like this before, so I'm not 100% sure on that solution.
0
 

Author Comment

by:FREDARCE
ID: 39174901
Sorry Cyclops3590, but that didn't work.  Just to be clear, 3.3.3.3 is the actual IP address of the host I am connecting to on the outside.

thanks
0
 

Author Comment

by:FREDARCE
ID: 39174915
Looking at the logs, I do see the following:
Built static translation from outside:2.2.2.1 to inside(pol-nat):3.3.3.3
Failed to locate egress interface for ICMP from inside:1.1.1.1/45 to 2.2.2.1/0
0
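A small log-triage script for the two messages above (an added example, not code from the thread or from Cisco): it pairs the "Built static translation" line with the "Failed to locate egress interface" line and reports whether the client addressed the mapped side of a static, the real side of a reversed static, or an address no static covers. The first two log lines are the ones quoted in the post; the third line and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample log excerpt. The first two message bodies are the ones quoted in the
# thread; the third line is constructed to show a destination that no static covers.
SAMPLE_LOG = """\
Built static translation from outside:2.2.2.1 to inside(pol-nat):3.3.3.3
Failed to locate egress interface for ICMP from inside:1.1.1.1/45 to 2.2.2.1/0
Failed to locate egress interface for ICMP from inside:1.1.1.2/46 to 2.2.2.2/0
"""

# Static xlate message: "from <real_ifc>:<real_ip> to <mapped_ifc>[(<acl>)]:<mapped_ip>"
BUILT = re.compile(
    r"Built static translation from (\w+):([\d.]+) to (\w+)(?:\(([\w.-]+)\))?:([\d.]+)")
# Egress failure: "for <proto> from <ifc>:<src>[/<port>] to <dst>[/<port>]"
FAILED = re.compile(
    r"Failed to locate egress interface for (\w+) from (\w+):([\d.]+)(?:/\d+)? to ([\d.]+)(?:/\d+)?")

def parse_xlates(log_text):
    """Collect the static translations the ASA reports it built."""
    xlates = []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            real_ifc, real_ip, mapped_ifc, acl, mapped_ip = m.groups()
            xlates.append({"real_ifc": real_ifc, "real_ip": real_ip, "acl": acl,
                           "mapped_ifc": mapped_ifc, "mapped_ip": mapped_ip})
    return xlates

def explain_failure(ifc, dst, xlates):
    """Classify one egress failure against the xlates seen in the same log."""
    for x in xlates:
        if x["mapped_ifc"] == ifc and x["mapped_ip"] == dst:
            return "matched-static"   # xlate fits; suspect a missing route to the real side
        if x["real_ip"] == dst:
            # Client on the mapped side hit the real address, so the static's
            # (real,mapped) interface pair is reversed relative to the intent.
            return "reversed-static"
    return "no-static"

def triage(log_text):
    """Return one (ingress_ifc, src, dst, verdict) tuple per egress failure."""
    xlates = parse_xlates(log_text)
    findings = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _proto, ifc, src, dst = m.groups()
            findings.append((ifc, src, dst, explain_failure(ifc, dst, xlates)))
    return findings
```

For the excerpt above, `triage(SAMPLE_LOG)` flags 1.1.1.1 -> 2.2.2.1 as "reversed-static" (2.2.2.1 is the real address of a static whose mapped address on inside is 3.3.3.3), which is the diagnosis given in the next reply.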
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39174930
True, but to be honest that doesn't really matter.  The interfaces were reversed, so the "real" and "mapped" were reversed as well.
EDIT:  Though that wouldn't be the first time I've been wrong when doing more complicated policy NAT.

But just to be sure, let's reverse what I gave you.  It's the only other thing I can think of for your scenario.

access-list pol-nat1 permit ip host 3.3.3.3 host 1.1.1.1
access-list pol-nat2 permit ip host 3.3.3.3 host 1.1.1.2

static (outside, inside) 2.2.2.1 access-list pol-nat1
static (outside, inside) 2.2.2.2 access-list pol-nat2

If that doesn't work, then I can't help until I have access to my lab again, which isn't going to be for a while.  Sorry.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174943
That log entry just means it's not right at all.
0
 

Author Comment

by:FREDARCE
ID: 39175029
I was able to do this on my Checkpoint firewall.  The rules look like this:

NAT Rule 1
Original Packet:
source - 1.1.1.1
dest - 2.2.2.1

Translated Packet:
source - 1.1.1.1
dest - 3.3.3.3

Nat Rule 2
Original Packet:
source - 1.1.1.2
dest - 2.2.2.2

Translated Packet:
source - 1.1.1.2
dest - 3.3.3.3

In both cases the traffic gets forwarded to the destination address of 3.3.3.3
This is what I'm trying to accomplish on the ASA.

thanks
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175079
Ya, if we had an IOS device I know exactly how to do it there.  Unfortunately Cisco seems to want to make the ASA more complex than it needs to be.  Granted, outside-style NAT is not exactly common, but it shouldn't be as hard as what it is on the ASA.  Though they did change how NAT is configured and works on 8.3 and above (which I haven't used yet), so I'm not sure if it is easier there or not.  asavener might know that one.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175117
You know, it may just be easier to go into the ASDM and configure the NAT rule from in there as well.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39175266
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.1
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.2
static (outside,inside) 3.3.3.3 access-list Destination_NAT
0
 

Author Closing Comment

by:FREDARCE
ID: 39175664
That worked!!!

thanks
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175672
Glad to hear.  I'm still a little weak in the area of destination policy NAT, so I wasn't 100% sure whether that would work or not.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question