Cisco ASA NAT problem

I am having an issue where I would like to have a different NAT address depending on what source address is making the connection.

ex.
source A =  1.1.1.1
source B =  1.1.1.2

source A  targets IP address = 2.2.2.1 translate to 3.3.3.3
source B  target IP address = 2.2.2.2  translate to 3.3.3.3

If I configure a static one-to-one NAT then I can make a connection using either

static (int1,int2) 2.2.2.1 3.3.3.3
or
static (int1,int2) 2.2.2.2 3.3.3.3

then I can make a connection using either statement.

However, if I try a nat / global combination

I end up getting a Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0

Is there a way to make a connection to the same host using different target IPs based on different source addresses?

thanks
Asked: FREDARCE

1 Solution

FREDARCEAuthor Commented:
I forgot to mention.  I am running version 8.2 on the ASA :(
 
Cyclops3590Commented:
this involves using Policy NAT

first, create an ACL to match the traffic that you want to have this special NAT config
access-list pol-nat permit ip host 1.1.1.1 host 2.2.2.1
access-list pol-nat permit ip host 1.1.1.2 host 2.2.2.2

second create the nat
nat (inside) 5 access-list pol-nat
global (outside) 5 3.3.3.3

You might be able to do a static, though it may complain as well, in which case you have to use the above. The only difference is that instead of the global/nat you do the following:

static (inside,outside) 3.3.3.3 access-list pol-nat
 
asavenerCommented:
I end up getting a Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0

Do you have a route to 2.2.2.1/0?

Can you provide "show route"?
 
FREDARCEAuthor Commented:
I made a mistake in explaining.  I want the destination address to be natted from 2.2.2.1 to 3.3.3.3 and from 2.2.2.2 to 3.3.3.3
Will this accomplish that?
 
FREDARCEAuthor Commented:
If I use
static (outside,inside) 2.2.2.1 3.3.3.3

it works but then I have no condition for when a user tries to connect to 2.2.2.2
 
Cyclops3590Commented:
access-list pol-nat permit ip host 2.2.2.1 host 1.1.1.1
access-list pol-nat permit ip host 2.2.2.2 host 1.1.1.2

static (inside,outside) 3.3.3.3 access-list pol-nat

In that case I think the above is what you want. I know it doesn't seem totally logical, but ACLs are used slightly differently in nat commands. Sorry, I don't have access to my lab at this time to test it out. Also, I'll be honest, I haven't done one exactly like this before, so I'm not 100% sure on that solution.
 
FREDARCEAuthor Commented:
sorry Cyclops3590 but that didn't work.  Just to be clear 3.3.3.3 is the actual IP address of the host I am connecting to on the outside.

thanks
 
FREDARCEAuthor Commented:
Looking at the logs, I see the following:
Built static translation from outside:2.2.2.1 to inside(pol-nat):3.3.3.3
Failed to locate egress interface for ICMP from inside:1.1.1.1/45 to 2.2.2.1/0
 
Cyclops3590Commented:
true, but to be honest that doesn't really matter.  the interfaces were reversed so the "real" and "mapped" were reversed as well.
EDIT:  though that wouldn't be the first time I've been wrong when doing more complicated policy nat

But just to be sure, let's reverse what I gave you. It's the only other thing I can think of for your scenario.

access-list pol-nat1 permit ip host 3.3.3.3 host 1.1.1.1
access-list pol-nat2 permit ip host 3.3.3.3 host 1.1.1.2

static (outside,inside) 2.2.2.1 access-list pol-nat1
static (outside,inside) 2.2.2.2 access-list pol-nat2

If that doesn't work then I can't help until I have access to my lab again, which isn't going to be for a while. Sorry.
 
Cyclops3590Commented:
That log entry just means it's not right at all.
 
FREDARCEAuthor Commented:
I was able to do this on my Checkpoint firewall. The rules look like this:

NAT Rule 1
Original Packet:
source - 1.1.1.1
dest - 2.2.2.1

Translated Packet:
source - 1.1.1.1
dest - 3.3.3.3

Nat Rule 2
Original Packet:
source - 1.1.1.2
dest - 2.2.2.2

Translated Packet:
source - 1.1.1.2
dest - 3.3.3.3

In both cases the traffic gets forwarded to the destination address of 3.3.3.3
This is what I'm trying to accomplish on the ASA.

thanks
 
Cyclops3590Commented:
Ya, if we had an IOS device I know exactly how to do it there. Unfortunately Cisco seems to want to make the ASA more complex than it needs to be. Granted, outside-style NAT is not exactly common, but it shouldn't be as hard as it is on the ASA. Though they did change how NAT is configured and works on 8.3 and above (which I haven't used yet), so I'm not sure if it is easier there or not. asavener might know that one.
 
Cyclops3590Commented:
you know it may just be easier to go into the ASDM and configure the NAT rule from in there as well.
 
asavenerCommented:
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.1
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.2
static (outside,inside) 3.3.3.3 access-list Destination_NAT
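For readers reproducing the accepted answer, here is the complete ASA 8.2 destination policy NAT configuration from that answer together with the commands used to verify it. This is an added example, not a configuration posted by anyone in the thread; the interface names inside/outside, the ACL name Destination_NAT and the addresses are taken from the thread, and the verification commands are standard ASA 8.2 CLI.

```cisco
! Added example: destination policy NAT on ASA 8.2 (pre-8.3 static/access-list
! syntax), as in the accepted answer. Interface names and addresses are the
! thread's own; treat them as placeholders for a real deployment.
!
! Inside hosts 1.1.1.1 and 1.1.1.2 address the outside server as 2.2.2.1;
! the ASA rewrites the destination to the server's real address 3.3.3.3.
! One ACE per inside source, so each source can be matched separately.
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.1
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.2
static (outside,inside) 3.3.3.3 access-list Destination_NAT
!
! Verification, run from enable mode:
!
! 1. Confirm the policy static was accepted by the parser and watch its
!    hit counters increase once traffic flows.
show nat
!
! 2. Simulate the inside-to-outside ICMP echo from the question and read the
!    NAT phase of the output: it should show this static being applied and an
!    egress interface being found. The "Failed to locate egress interface"
!    error from the question shows up here when the policy NAT does not match.
packet-tracer input inside icmp 1.1.1.1 8 0 2.2.2.1 detailed
!
! 3. After a real connection, the translation should be present in the xlate
!    table; an empty table for this flow means the static never matched.
show xlate
!
! 4. If the egress lookup still fails, confirm the real server address
!    3.3.3.3 is reachable through the outside interface's routing table.
show route
```

The thread's working configuration uses 2.2.2.1 in both ACL entries; whether a second entry with 2.2.2.2 as the destination for 1.1.1.2 (the behaviour the question originally asked for) translates the same way was not tested in the thread, so verify it with packet-tracer before relying on it.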
 
FREDARCEAuthor Commented:
that worked!!!

thanks
 
Cyclops3590Commented:
glad to hear.  I'm still a little weak in the area of destination policy nat so I wasn't 100% sure that would work or not.