Solved

Cisco ASA NAT problem

Posted on 2013-05-16
16
535 Views
Last Modified: 2013-05-17
I am having an issue where I would like to have a different NAT address depending on what source address is making the connection.

ex.
source A =  1.1.1.1
source B =  1.1.1.2

source A  targets IP address = 2.2.2.1 translate to 3.3.3.3
source B  target IP address = 2.2.2.2  translate to 3.3.3.3

If I configure a static one-to-one NAT then I can make a connection using either

static (int1,int2) 2.2.2.1 3.3.3.3
or
static (int1,int2) 2.2.2.2 3.3.3.3

then I can make a connection using either statement.

However, if I try a nat / global combination

I end up getting a Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0

Is there a way to make a connection to the same host using different target IPs based on different source addresses?

thanks
Question by:FREDARCE
16 Comments
 

Author Comment

by:FREDARCE
ID: 39173081
I forgot to mention.  I am running version 8.2 on the ASA :(
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174477
this involves using Policy NAT

first, create an ACL to match the traffic that you want to have this special NAT config
access-list pol-nat permit ip host 1.1.1.1 host 2.2.2.1
access-list pol-nat permit ip host 1.1.1.2 host 2.2.2.2

second create the nat
nat (inside) 5 access-list pol-nat
global (outside) 5 3.3.3.3

you might be able to do a static though but it may complain as well in which case you have to use the above.  the only difference is that instead of the global/nat you do the following

static (inside, outside) 3.3.3.3 access-list pol-nat
0
 
LVL 28

Expert Comment

by:asavener
ID: 39174542
I end up getting a Failed to locate egress interface for ICMP from int2:1.1.1.1 to 2.2.2.1/0

Do you have a route to 2.2.2.1/0?

Can you provide "show route"?
0
 

Author Comment

by:FREDARCE
ID: 39174583
I made a mistake in explaining.  I want the destination address to be natted from 2.2.2.1 to 3.3.3.3 and from 2.2.2.2 to 3.3.3.3
Will this accomplish that?
0
 

Author Comment

by:FREDARCE
ID: 39174749
If I use
static (outside,inside) 2.2.2.1 3.3.3.3

it works but then I have no condition for when a user tries to connect to 2.2.2.2
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174878
access-list pol-nat permit ip host 2.2.2.1 host 1.1.1.1
access-list pol-nat permit ip host 2.2.2.2 host 1.1.1.2

static (inside, outside) 3.3.3.3 access-list pol-nat

in that case I think the above is what you want.  I know it doesn't seem totally logical, but ACLs are used slightly differently in nat commands.  sorry, I don't have access to my lab at this time to test it out.  also, I'll be honest, I haven't done one exactly like this before so I'm not 100% sure on that solution
0
 

Author Comment

by:FREDARCE
ID: 39174901
sorry Cyclops3590 but that didn't work.  Just to be clear 3.3.3.3 is the actual IP address of the host I am connecting to on the outside.

thanks
0
 

Author Comment

by:FREDARCE
ID: 39174915
looking at the logs.  I do see the following:
Built static translation from outside:2.2.2.1 to inside(pol-nat):3.3.3.3
Failed to locate egress interface for ICMP from inside:1.1.1.1/45 to 2.2.2.1/0
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39174930
true, but to be honest that doesn't really matter.  the interfaces were reversed so the "real" and "mapped" were reversed as well.
EDIT:  though that wouldn't be the first time I've been wrong when doing more complicated policy nat

but just to be sure let's reverse what I gave you.  It's the only other thing I can think of for your scenario

access-list pol-nat1 permit ip host 3.3.3.3 host 1.1.1.1
access-list pol-nat2 permit ip host 3.3.3.3 host 1.1.1.2

static (outside, inside) 2.2.2.1 access-list pol-nat1
static (outside, inside) 2.2.2.2 access-list pol-nat2

if that doesn't work then I can't help until I have access to my lab again which isn't going to be for awhile.  sorry
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39174943
that log entry just means it's not right at all
0
 

Author Comment

by:FREDARCE
ID: 39175029
I was able to do this on my Checkpoint firewall.  The rules look like this:

NAT Rule 1
Original Packet:
source - 1.1.1.1
dest - 2.2.2.1

Translated Packet:
source - 1.1.1.1
dest - 3.3.3.3

Nat Rule 2
Original Packet:
source - 1.1.1.2
dest - 2.2.2.2

Translated Packet:
source - 1.1.1.2
dest - 3.3.3.3

In both cases the traffic gets forwarded to the destination address of 3.3.3.3
This is what I'm trying to accomplish on the ASA.

thanks
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175079
ya, if we had an IOS device I know exactly how to do it there.  unfortunately Cisco seems to want to make the ASA more complex than it needs to be.  granted, outside-style NAT is not exactly common, but it shouldn't be as hard as it is on the ASA.  though they did change how NAT is configured and works on 8.3 and above (which I haven't used yet), so I'm not sure if it is easier there or not. asavener might know that one.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175117
you know it may just be easier to go into the ASDM and configure the NAT rule from in there as well.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39175266
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.1
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.2
static (outside,inside) 3.3.3.3 access-list Destination_NAT
0
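The working answer relies on each (target address, inside host) pair appearing in the policy ACL; a flow that matches no entry stays untranslated, which is the "Failed to locate egress interface ... to 2.2.2.1/0" symptom seen earlier in the thread. The following checker is an added example, not code from the thread or from Cisco: it parses 8.2-style access-list and static ... access-list lines, then reports, for each inside flow, which address the static line supplies and which flows are not covered at all. It assumes the entry order the working ACL uses (first host is the address the inside source targets, second host is the inside source) and first-match evaluation; both are assumptions taken from the posted config, not from ASA documentation. Run against the ACL exactly as posted, it shows that only the 1.1.1.1 -> 2.2.2.1 flow is covered; the constructed variant with 2.2.2.2 on the second line covers both flows from the question.

```python
"""Checker for ASA 8.2 style policy static NAT entries (constructed example)."""
import re
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str]  # (inside source host, address that host targets)

# Constructed sample: the working lines posted in the thread, copied as-is.
THREAD_CONFIG = """
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.1
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.2
static (outside,inside) 3.3.3.3 access-list Destination_NAT
"""

# Constructed variant: the second ACL line names the second target address
# from the question (2.2.2.2) instead of repeating 2.2.2.1.
VARIANT_CONFIG = """
access-list Destination_NAT permit ip host 2.2.2.1 host 1.1.1.1
access-list Destination_NAT permit ip host 2.2.2.2 host 1.1.1.2
static (outside,inside) 3.3.3.3 access-list Destination_NAT
"""

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+host\s+(?P<first>\S+)"
    r"\s+host\s+(?P<second>\S+)$"
)
# Accepts both "(outside,inside)" and "(inside, outside)" spacing seen in the thread.
STATIC_RE = re.compile(
    r"^static\s+\(\s*(?P<real>\w+)\s*,\s*(?P<mapped>\w+)\s*\)\s+"
    r"(?P<addr>\S+)\s+access-list\s+(?P<acl>\S+)$"
)


def parse_config(text: str) -> Tuple[Dict[str, List[Tuple[str, str]]], List[dict]]:
    """Split config text into ACLs (name -> ordered host pairs) and policy statics."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    statics: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append((m["first"], m["second"]))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())  # keys: real, mapped, addr, acl
            continue
        raise ValueError(f"unsupported line: {line}")
    return acls, statics


def resolve_flow(acls: Dict[str, List[Tuple[str, str]]],
                 statics: List[dict], flow: Flow) -> Optional[str]:
    """Return the address of the static whose ACL covers this flow, else None.

    Assumption (from the thread's working config, not ASA documentation):
    ACL first host = address the inside source targets, second host = the
    inside source; entries are checked in order and the first match wins.
    """
    src, target = flow
    for st in statics:
        for first, second in acls.get(st["acl"], []):
            if first == target and second == src:
                return st["addr"]
    return None


def check_flows(config_text: str, flows: List[Flow]) -> Dict[Flow, Optional[str]]:
    """Map each flow to the address its matching static supplies (None = no match)."""
    acls, statics = parse_config(config_text)
    return {flow: resolve_flow(acls, statics, flow) for flow in flows}


def uncovered_flows(config_text: str, flows: List[Flow]) -> List[Flow]:
    """Flows that no policy static covers; these would pass through untranslated."""
    return [f for f, addr in check_flows(config_text, flows).items() if addr is None]


if __name__ == "__main__":
    # The two flows from the original question.
    flows = [("1.1.1.1", "2.2.2.1"), ("1.1.1.2", "2.2.2.2")]
    for label, cfg in (("as posted", THREAD_CONFIG), ("variant", VARIANT_CONFIG)):
        print(label, check_flows(cfg, flows), "uncovered:", uncovered_flows(cfg, flows))
```

The point of the check is the uncovered list: before committing a policy static, every source/target pair that is supposed to reach the real host should resolve to the static's address, and any pair that resolves to None is the one that will show up in the log as an untranslated destination.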
 

Author Closing Comment

by:FREDARCE
ID: 39175664
that worked!!!

thanks
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39175672
glad to hear.  I'm still a little weak in the area of destination policy nat so I wasn't 100% sure that would work or not.
0
