Solved

Cisco ASA NAT problem

Posted on 2013-05-16
521 Views
Last Modified: 2013-05-17
I am having an issue where I would like to have a different NAT address depending on what source address is making the connection.

ex.
source A =  1.1.1.1
source B =  1.1.1.2

source A  target IP address = 2.2.2.1 translate to 3.3.3.3
source B  target IP address = 2.2.2.2  translate to 3.3.3.3

If I configure a static one to one NAT then I can make a connection using either

static (int1,int2) 2.2.2.1 3.3.3.3
or
static (int1,int2) 2.2.2.2 3.3.3.3

then I can make a connection using either statement.

However, if I try a nat / global combination

I end up getting a Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0

Is there a way to make a connection to the same host using different target IPs based on different source addresses?

thanks
0
Question by:FREDARCE
16 Comments
 

Author Comment

by:FREDARCE
ID: 39173081
I forgot to mention.  I am running version 8.2 on the ASA :(
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174477
this involves using Policy NAT

first, create an ACL to match the traffic that you want to have this special NAT config
access-list pol-nat permit ip host 1.1.1.1 host 2.2.2.1
access-list pol-nat permit ip host 1.1.1.2 host 2.2.2.2

second create the nat
nat (inside) 5 access-list pol-nat
global (outside) 5 3.3.3.3

you might be able to do a static though but it may complain as well in which case you have to use the above.  the only difference is that instead of the global/nat you do the following

static (inside, outside) 3.3.3.3 access-list pol-nat
0
 
LVL 28

Expert Comment

by:asavener
ID: 39174542
I end up getting a Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0

Do you have a route to 2.2.2.1/0?

Can you provide "show route"?
0
 

Author Comment

by:FREDARCE
ID: 39174583
I made a mistake in explaining.  I want the destination address to be natted from 2.2.2.1 to 3.3.3.3 and from 2.2.2.2 to 3.3.3.3
Will this accomplish that?
0
 

Author Comment

by:FREDARCE
ID: 39174749
If I use
static (outside,inside) 2.2.2.1 3.3.3.3

it works but then I have no condition for when a user tries to connect to 2.2.2.2
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174878
access-list pol-nat permit ip host 2.2.2.1 host 1.1.1.1
access-list pol-nat permit ip host 2.2.2.2 host 1.1.1.2

static (inside, outside) 3.3.3.3 access-list pol-nat

In that case I think the above is what you want.  I know it doesn't seem totally logical but ACLs are used slightly differently in nat commands.  Sorry, I don't have access to my lab at this time to test it out.  Also, I'll be honest, I haven't done one exactly like this before so I'm not 100% sure on that solution.
0
 

Author Comment

by:FREDARCE
ID: 39174901
sorry Cyclops3590 but that didn't work.  Just to be clear 3.3.3.3 is the actual IP address of the host I am connecting to on the outside.

thanks
0
 

Author Comment

by:FREDARCE
ID: 39174915
looking at the logs.  I do see the following:
Built static translation from outside:2.2.2.1 to inside(pol-nat):3.3.3.3
Failed to locate egress interface for ICMP from inside:1.1.1.1/45 to 2.2.2.1/0
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39174930
true, but to be honest that doesn't really matter.  the interfaces were reversed so the "real" and "mapped" were reversed as well.
EDIT:  though that wouldn't be the first time I've been wrong when doing more complicated policy nat

but just to be sure let's reverse what I gave you.  It's the only other thing I can think of for your scenario

access-list pol-nat1 permit ip host 3.3.3.3 host 1.1.1.1
access-list pol-nat2 permit ip host 3.3.3.3 host 1.1.1.2

static (outside, inside) 2.2.2.1 access-list pol-nat1
static (outside, inside) 2.2.2.2 access-list pol-nat2

if that doesn't work then I can't help until I have access to my lab again which isn't going to be for awhile.  sorry
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174943
that log entry just means it's not right at all
0
 

Author Comment

by:FREDARCE
ID: 39175029
I was able to do this on my Check Point firewall.  The rules look like this:

NAT Rule 1
Original Packet:
source - 1.1.1.1
dest - 2.2.2.1

Translated Packet:
source - 1.1.1.1
dest - 3.3.3.3

Nat Rule 2
Original Packet:
source - 1.1.1.2
dest - 2.2.2.2

Translated Packet:
source - 1.1.1.2
dest - 3.3.3.3

In both cases the traffic gets forwarded to the destination address of 3.3.3.3
This is what I'm trying to accomplish on the ASA.

thanks
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175079
Yeah, if we had an IOS device I know exactly how to do it there.  Unfortunately Cisco seems to want to make the ASA more complex than it needs to be.  Granted, outside-style NAT is not exactly common, but it shouldn't be as hard as it is on the ASA.  Though they did change how NAT is configured and works on 8.3 and above (which I haven't used yet) so I'm not sure if it is easier there or not. asavener might know that one.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175117
you know it may just be easier to go into the ASDM and configure the NAT rule from in there as well.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39175266
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.1
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.2
static (outside,inside) 3.3.3.3 access-list Destination_NAT
0
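Added illustration (not code from any poster, and not ASA software): a small Python model of how ASA 8.2 policy static NAT lines select a translation for a given flow, so you can check which direction an ACL is written in before pushing the config. It assumes the convention from the 8.2 syntax `static (real_ifc,mapped_ifc) mapped_ip access-list acl`, where the ACL's source is the real address and its destination is the peer on the mapped side. The constructed config uses the `pol-nat1`/`pol-nat2` form from Cyclops3590's reply (ID 39174930), adapted as an assumption to the question's scenario (source A uses 2.2.2.1, source B uses 2.2.2.2, both reaching the real host 3.3.3.3); the model reproduces only the lookup logic, not the ASA's route or interface checks, so the config the asker reported working above remains the tested one.

```python
# Added illustration: a tiny model of ASA 8.2 policy static NAT lookups.
# Not ASA code. Assumed convention (Cisco 8.2 syntax):
#   static (real_ifc,mapped_ifc) mapped_ip access-list acl
# where the ACL's source is the real address and its destination is the
# peer address on the mapped interface. Only "permit ip host X host Y"
# entries are modelled.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)")
# Tolerates "(outside,inside)" and "(outside, inside)".
STATIC_RE = re.compile(
    r"static\s*\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(\S+)\s+access-list\s+(\S+)")


@dataclass(frozen=True)
class AclEntry:
    src: str  # real address (as seen on the real interface)
    dst: str  # address of the peer on the mapped interface


@dataclass(frozen=True)
class PolicyStatic:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    acl: str


@dataclass
class Asa82Nat:
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    statics: List[PolicyStatic] = field(default_factory=list)

    def add(self, line: str) -> None:
        """Parse one access-list or policy static line into the model."""
        m = ACL_RE.match(line.strip())
        if m:
            self.acls.setdefault(m.group(1), []).append(
                AclEntry(m.group(2), m.group(3)))
            return
        m = STATIC_RE.match(line.strip())
        if m:
            self.statics.append(PolicyStatic(*m.groups()))
            return
        raise ValueError(f"unsupported line: {line}")

    def translate(self, ingress_ifc: str, src: str,
                  dst: str) -> Optional[Tuple[str, str, str]]:
        """Return (src_after, dst_after, egress_ifc) for the first matching
        policy static, or None if no static applies. Statics are
        bidirectional: a flow from the mapped side to mapped_ip gets its
        destination un-translated to the real address named in the ACL;
        a flow from the real side gets its source translated to mapped_ip."""
        for st in self.statics:
            entries = self.acls.get(st.acl, [])
            if ingress_ifc == st.mapped_ifc and dst == st.mapped_ip:
                for e in entries:
                    if e.dst == src:  # this peer is allowed to use the alias
                        return (src, e.src, st.real_ifc)
            elif ingress_ifc == st.real_ifc:
                for e in entries:
                    if e.src == src and e.dst == dst:
                        return (st.mapped_ip, dst, st.mapped_ifc)
        return None


def build_example() -> Asa82Nat:
    """Constructed config for the question's scenario (assumption: one policy
    static per inside source, both aliases pointing at the real host 3.3.3.3)."""
    nat = Asa82Nat()
    for line in [
        "access-list pol-nat1 permit ip host 3.3.3.3 host 1.1.1.1",
        "access-list pol-nat2 permit ip host 3.3.3.3 host 1.1.1.2",
        "static (outside,inside) 2.2.2.1 access-list pol-nat1",
        "static (outside, inside) 2.2.2.2 access-list pol-nat2",
    ]:
        nat.add(line)
    return nat


if __name__ == "__main__":
    nat = build_example()
    flows = [("inside", "1.1.1.1", "2.2.2.1"),   # source A via its alias
             ("inside", "1.1.1.2", "2.2.2.2"),   # source B via its alias
             ("inside", "1.1.1.2", "2.2.2.1"),   # B using A's alias: no match
             ("outside", "3.3.3.3", "1.1.1.1")]  # return/initiated from real host
    for ifc, s, d in flows:
        print(f"{ifc}:{s} -> {d}  =>  {nat.translate(ifc, s, d)}")
```

The third flow is the point of policy NAT here: because each alias is tied to one inside source in its ACL, source B sending to 2.2.2.1 matches nothing, whereas two plain one-to-one statics for the same real host would not let you express that condition.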
 

Author Closing Comment

by:FREDARCE
ID: 39175664
that worked!!!

thanks
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175672
glad to hear.  I'm still a little weak in the area of destination policy nat so I wasn't 100% sure that would work or not.
0
