Solved

Cisco ASA NAT problem

Posted on 2013-05-16
Last Modified: 2013-05-17
I am having an issue where I would like to have a different NAT address depending on which source address is making the connection.

Example:
source A = 1.1.1.1
source B = 1.1.1.2

source A targets IP address 2.2.2.1, translate to 3.3.3.3
source B targets IP address 2.2.2.2, translate to 3.3.3.3

If I configure a static one-to-one NAT with either

static (int1,int2) 2.2.2.1 3.3.3.3
or
static (int1,int2) 2.2.2.2 3.3.3.3

then I can make a connection using either statement.

However, if I try a nat / global combination

I end up getting "Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0".

Is there a way to make a connection to the same host using different target IPs based on different source addresses?

thanks
Question by:FREDARCE
16 Comments
 

Author Comment

by:FREDARCE
ID: 39173081
I forgot to mention. I am running version 8.2 on the ASA :(
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174477
This involves using Policy NAT.

First, create an ACL to match the traffic that you want to have this special NAT config:
access-list pol-nat permit ip host 1.1.1.1 host 2.2.2.1
access-list pol-nat permit ip host 1.1.1.2 host 2.2.2.2

Second, create the NAT:
nat (inside) 5 access-list pol-nat
global (outside) 5 3.3.3.3

You might be able to do a static, though it may complain as well, in which case you have to use the above. The only difference is that instead of the global/nat you do the following:

static (inside, outside) 3.3.3.3 access-list pol-nat
 
LVL 28

Expert Comment

by:asavener
ID: 39174542
"I end up getting a Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0"

Do you have a route to 2.2.2.1/0?

Can you provide "show route"?

Author Comment

by:FREDARCE
ID: 39174583
I made a mistake in explaining. I want the destination address to be NATted from 2.2.2.1 to 3.3.3.3 and from 2.2.2.2 to 3.3.3.3.
Will this accomplish that?
 

Author Comment

by:FREDARCE
ID: 39174749
If I use
static (outside,inside) 2.2.2.1 3.3.3.3

it works, but then I have no condition for when a user tries to connect to 2.2.2.2.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174878
access-list pol-nat permit ip host 2.2.2.1 host 1.1.1.1
access-list pol-nat permit ip host 2.2.2.2 host 1.1.1.2

static (inside, outside) 3.3.3.3 access-list pol-nat

In that case I think the above is what you want. I know it doesn't seem totally logical, but ACLs are used slightly differently in nat commands. Sorry, I don't have access to my lab at this time to test it out. Also, I'll be honest, I haven't done one exactly like this before, so I'm not 100% sure on that solution.
 

Author Comment

by:FREDARCE
ID: 39174901
Sorry Cyclops3590, but that didn't work. Just to be clear, 3.3.3.3 is the actual IP address of the host I am connecting to on the outside.

thanks
 

Author Comment

by:FREDARCE
ID: 39174915
Looking at the logs, I do see the following:
Built static translation from outside:2.2.2.1 to inside(pol-nat):3.3.3.3
Failed to locate egress interface for ICMP from inside:1.1.1.1/45 to 2.2.2.1/0
 
LVL 25

Accepted Solution

by: Cyclops3590 (earned 500 total points)
ID: 39174930
True, but to be honest that doesn't really matter. The interfaces were reversed, so the "real" and "mapped" were reversed as well.
EDIT: though that wouldn't be the first time I've been wrong when doing more complicated policy NAT.

But just to be sure, let's reverse what I gave you. It's the only other thing I can think of for your scenario:

access-list pol-nat1 permit ip host 3.3.3.3 host 1.1.1.1
access-list pol-nat2 permit ip host 3.3.3.3 host 1.1.1.2

static (outside, inside) 2.2.2.1 access-list pol-nat1
static (outside, inside) 2.2.2.2 access-list pol-nat2

If that doesn't work then I can't help until I have access to my lab again, which isn't going to be for a while. Sorry.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174943
That log entry just means it's not right at all.
 

Author Comment

by:FREDARCE
ID: 39175029
I was able to do this on my Checkpoint firewall. The rules look like this:

NAT Rule 1
Original Packet:
source - 1.1.1.1
dest - 2.2.2.1

Translated Packet:
source - 1.1.1.1
dest - 3.3.3.3

Nat Rule 2
Original Packet:
source - 1.1.1.2
dest - 2.2.2.2

Translated Packet:
source - 1.1.1.2
dest - 3.3.3.3

In both cases the traffic gets forwarded to the destination address of 3.3.3.3.
This is what I'm trying to accomplish on the ASA.

thanks
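A small model of the source-conditioned destination NAT described in the Checkpoint rules above, added here as an illustration (it is not ASA code and not from any poster). It uses the thread's addresses and shows the detail that makes this case awkward: both original destinations map to the same real host 3.3.3.3, so reply traffic has to be untranslated per inside host so that 1.1.1.1 sees its replies come from 2.2.2.1 and 1.1.1.2 from 2.2.2.2; the rule table and packet tuples are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)


@dataclass(frozen=True)
class NatRule:
    """One Checkpoint-style rule: original (src, dst) -> translated dst."""
    orig_src: str    # inside host making the connection
    orig_dst: str    # address that host actually targets
    xlate_dst: str   # real address the packet is forwarded to


# Constructed rule table mirroring "NAT Rule 1" and "NAT Rule 2" above.
RULES = (
    NatRule("1.1.1.1", "2.2.2.1", "3.3.3.3"),
    NatRule("1.1.1.2", "2.2.2.2", "3.3.3.3"),
)


def translate_outbound(src: str, dst: str, rules=RULES) -> Optional[Packet]:
    """First-match destination NAT for an inside->outside packet.
    Returns the rewritten (src, dst), or None when no rule matches
    (e.g. 1.1.1.1 targeting 2.2.2.2 has no condition and is left alone)."""
    for rule in rules:
        if (src, dst) == (rule.orig_src, rule.orig_dst):
            return (src, rule.xlate_dst)
    return None


def untranslate_inbound(src: str, dst: str, rules=RULES) -> Optional[Packet]:
    """Reverse translation for the reply (outside->inside).
    Every rule shares xlate_dst 3.3.3.3, so the reply's destination (the
    inside host) is what selects the mapped address to restore as source."""
    for rule in rules:
        if (src, dst) == (rule.xlate_dst, rule.orig_src):
            return (rule.orig_dst, dst)
    return None


def round_trip(src: str, dst: str) -> Optional[Packet]:
    """Send from an inside host, have the real host reply, and return the
    (src, dst) the inside host finally sees; None if the flow is untranslated."""
    forward = translate_outbound(src, dst)
    if forward is None:
        return None
    real_src, real_dst = forward[1], forward[0]  # reply swaps the tuple
    return untranslate_inbound(real_src, real_dst)
```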
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175079
Ya, if we had an IOS device I know exactly how to do it there. Unfortunately Cisco seems to want to make the ASA more complex than it needs to be. Granted, outside-style NAT is not exactly common, but it shouldn't be as hard as it is on the ASA. Though they did change how NAT is configured and works on 8.3 and above (which I haven't used yet), so I'm not sure if it is easier there or not. asavener might know that one.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175117
You know, it may just be easier to go into the ASDM and configure the NAT rule from in there as well.
 
LVL 28

Expert Comment

by:asavener
ID: 39175266
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.1
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.2
static (outside,inside) 3.3.3.3 access-list Destination_NAT
 

Author Closing Comment

by:FREDARCE
ID: 39175664
That worked!!!

thanks
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175672
Glad to hear. I'm still a little weak in the area of destination policy NAT, so I wasn't 100% sure whether that would work or not.