NAT problems

Hi!

I have an ASA and I have absolutely no idea how to configure the following topology.

Server (server_local_ip) ----- (local_interf_IP) Cisco ASA (Internet_interf_ip) ----- internet

I have to access the local server from the internet on port 80 so that
part a static nat from internet_interf_ip 80 to server_local_ip 80
will do it, but here starts my problem. Here's how I want the system to
work from my server's point of view: packets coming from the internet,
let's say from address 4.4.4.4, going to internet_interf_ip port 80 will be
sent to server_local_ip on port 80 but at the same time I want NAT to
be performed so my server won't receive packets with internet addresses
so all packets arriving to my server have the source address of
local_interf_ip (because of routing and firewalling issues that I can't
change in any way).

Comments

  • This should work...

    static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 

    HTHs


    On Sep 14, 2009, at 1:24 PM, vlaad wrote:


  • abrayton, so that's static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 and packets arriving at my server (192.168.1.2) will have as source address the inside_interface_ip?

    I'm asking because until now I had instead of "interface" the outside IP and packets arriving at my local web server still had as source address the internet IPs where they originally came from. The static translation works fine, but I need one extra issue:

    After the static port forwarding was done, I want ASA to change the source IP of all internet packets forwarded by the static translation rule from their original source address to the inside_interface_ip because due to some weird routing rules, routers in the local network will only forward packets with local IPs.

  • The static (inside, outside) will handle the translation to your web server.

    In order to translate incoming addresses to the inside interface of your ASA, you will need an additional NAT translation.

    nat (outside) 1 0 0 outside

    global (inside) 1 interface

    If you are already using identity value 1 somewhere, you can configure with a different number.
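
The two answers above combined into one configuration, as an added example that is not from the original posts. It keeps the thread's 192.168.1.2 server, NAT ID 1 and pre-8.3 ASA syntax, and assumes interfaces named inside and outside plus a hypothetical ACL name, OUTSIDE_IN.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax, as used in the posts.
! 192.168.1.2 and NAT ID 1 come from the thread; OUTSIDE_IN is a hypothetical ACL name.

! 1. Destination translation: TCP/80 on the outside interface address -> 192.168.1.2:80
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255

! 2. Source translation: any outside source is PATed to the inside interface
!    address when it crosses to the inside, so the server only sees local_interf_ip.
!    "0 0" in the thread is shorthand for 0.0.0.0 0.0.0.0.
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface

! 3. The static alone does not permit traffic arriving on the lower-security
!    outside interface; allow only TCP/80 to the mapped (outside interface) address.
access-list OUTSIDE_IN extended permit tcp any interface outside eq www
access-group OUTSIDE_IN in interface outside

! Verify after a test request from outside:
!   show xlate   (the static PAT entry plus a dynamic PAT entry for the client)
!   show conn    (the outside client address paired with 192.168.1.2:80)
```

Because every request now reaches the web server from the ASA's inside address, the server's access logs no longer identify clients. The original source addresses exist only in the ASA's connection and translation logs, so retain those for incident response.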

     

  • Hi Marvin,

    Thanks for your feedback. I will give it a shot shortly and syntax-wise it looks exactly like the thing that I was looking for.
