Cisco – using NAT with a difference IP/range from the outside interface + proxy ARP

cisconat;

I need to NAT the source address of the traffic from my local LAN going out of the ASA firewall.

From the diagram above, my outside interface IP on the ASA firewall is set at 192.168.12.2

q1) Am i able to set NAT on this outside interface to use another range of IP (e.g. 10.10.10.1) as its source when routing traffic from the local LAN to Router 0 (10.10.10.2) ?

q2) if the above is achievable, how does Router 0 know how to send to the ASA firewall ?
Does it means that the ASA firewall will reply to ARP request for 10.10.10.1 even though its physical interface is set to 192.168.12.2 ?
Does it also means that I have to turn on PROXY-ARP on the ASA firewall outside interface in order for the setup to work ?

Regards,
Noob

Best Answer

You are changing the source address on the IP packets. Router0 will not ARP for an address in the range you are translating to because it knows it has no direct connection to that network. ARP only works for directly connected networks.

What you need to do is to let Router0 and Router1 know to go to 192.168.12.2 for any destination addresses in your translation range.

This is routing 101. A router gets routes into its routing table from three different ways: directly connected networks, statically configured routes, and/or a routing protocol.

Since your proposed network is not directly connected to either Router0 or Router1, you will need to either statically configure a route for it in those routers, or you will need to run a routing protocols with those routers and the ASA, and have the ASA tell those routers that it has your translation network via 192.168.12.2.

You also need to somehow let the ASA know what networks are behind each of the other routers.

Edit:

Based on the comments below, others think you are going to have the Router0 address in a different network than the Router1 and ASA addresses to which it connects. You can't do that unless the switch is a layer-3 switch and it routes between the interface to which Router0 connects and a VLAN to which Router1 and the ASA connect.

Related Solutions

Cisco – About the inside local and outside local and inside global and outside global

Usually NAT will be used to translate between private to public IP address but this is not the only use case. You can also translate between any addresses you want such as private to private.

The terms local and global most often refer to the inside and outside of your network but this doesn't mean that it MUST be LAN and WAN although it often is.

So say that we have a webserver on our LAN with the IP 10.0.0.1. We want the webserver to be accessible from a public IP of 130.130.130.130.

ip nat inside source static 10.0.0.1 130.130.130.130

What this does is to translate all packets from 10.0.0.1 (Source IP) to a source of 130.130.130.130 when exiting on the outside interface. This command is bidirectional so all packets entering the outside interface with a destination IP of 130.130.130.130 will also get translated to 10.0.0.1.

The ip nat inside destination command translates from inside global to one or several inside locals. This is primarily used to do primitive load sharing.

ip nat inside destination list 1 pool real-hosts
ip nat pool real-hosts 10.0.0.1 10.0.0.3 prefix-length 24 type rotary
access-list 1 permit 130.130.130.130

What this does is to translate from 130.130.130.130 to 10.0.0.1, 10.0.0.2 and 10.0.0.3 in a rotary fashion. So for every incoming request to the inside global IP of 130.130.130.130 it will be translated to a different inside local address in a round robin fashion.

IP nat outside source static translates between outside global and outside local IP. One common use case would be if you have overlapping subnets. Like if you are doing a merger and both companies use the same IP subnets. So say that both company A and company B are using 10.0.0.0/24 for something. So you are working for company A and you want to translate all 10.0.0.0/24 on the outside to 192.168.0.0/24.

ip nat outside source static network 10.0.0.0 192.168.0.0 /24

Then you would have to do the same for traffic going from the inside to the outside of course.

Regarding your last question it only really makes sense to either translate the source or the destination of the packet. What you are suggesting sounds like some kind of policy routing. You can use inside and outside NAT to do everything you need.

Cisco – IP addrs Outside of DHCP range blocked by Cisco ASA 5505

I see you have an access-list :access-list outside_access_in But idon't see it applied on the interface. I think you should have an Access-list for inside interface too, and applied to it. Permit icmp, http,https from inside and any other protocol you need. Then do a traceroute.

You can also try this command: packet-tracer see how to use it here: https://supportforums.cisco.com/docs/DOC-5796

This command can show you were your packets fail.

EDIT

So you need 2 ACL's , one for inside interface and one for outside. I see you already have one for outside but it is not applied to the interface. Like this :access-group outside_access_in in interface outside

Create an ACL for inside too, and apply it.

It is useless to test packet-tracet from outside to inside. like this :"packet-tracer input outside icmp 75.75.75.75 0 0 10.1.10.11"

this is because it will be always dropped becuae you don't have a static NAT mapping and an ACL entry perminting the traffic.

SO the first packet-tracer test is what we needed and it looks ok. We want to see that traffic coming form inside is forming a flow.The fireweall will permit the returning flow. (This is a statefull firewall)

So create an apply ACL for inside and outside and see if it works.

Best Answer

Related Solutions

Cisco – About the inside local and outside local and inside global and outside global

Cisco – IP addrs Outside of DHCP range blocked by Cisco ASA 5505

Related Topic