Tuesday, January 8, 2013

Cisco ASA: 8.3/8.4 NAT Explanation For Hairpinning For Remote-Access Clients To The Internet

Here is what I'm trying to do. My remote-access clients get addresses from the 10.10.10.0 network, and the website I'm trying to reach from a client, through my ASA and back out to the Internet, is on the 5.5.5.0 network (example addresses only). The diagram below shows different IPs, but you get the idea:

I have to admit I'm not exactly excited about the new NAT syntax; it has taken me some time to understand it. Here is the NAT command I need to accomplish what is described above:
nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-5.5.5.0 obj-5.5.5.0
I also needed this command for the hairpinning (some people call it U-turning) to take place, because the traffic enters and leaves the ASA on the same interface:
same-security-traffic permit intra-interface

So what does the command above actually mean? Generically speaking, it allows 10.10.10.0 (the remote-access VPN traffic) to be NAT'ed to the public address of the ASA (the interface keyword) when it is destined for the remote network 5.5.5.0 on the Internet. Because one rule names both the source and the destination, Cisco calls this "twice NAT" (also "manual NAT"). Let's dive deeper into the pieces.
nat (outside,outside)
Notice the nat (outside,outside) piece of the command. The first interface is where the real (untranslated) traffic comes IN, the second is where the mapped (translated) traffic goes OUT; here both are the outside interface. Remember, the ASA will not send traffic back out the interface it arrived on unless you add the second command above.
source 
This keyword introduces the source address of the packet. In the command above it is followed by two entries: obj-10.10.10.0 and interface.
The first entry (obj-10.10.10.0) is the original (real) address. In this case it is the remote-access client IP, the one the VPN address pool handed out. It is the "LAN-LOCAL" address. If you type "?" after the dynamic keyword, you get: Specify object or object-group name for real source
The second entry (interface) is the NAT'ed (mapped) address, what the destination sees you coming from. In this case it is the ASA's public IP address; let's say it is 65.65.65.65. If you type "?" after the real source object, you get: Specify object or object-group name for mapped source. So 10.10.10.0 remote-access clients get NAT'ed to 65.65.65.65, but only when the destination is 5.5.5.0.
destination 
This keyword announces that the destination addresses follow.
 obj-5.5.5.0 obj-5.5.5.0
Notice that there are two entries here, and in this case they are the same. We want the destination in this NAT statement to be 5.5.5.0, meaning we want our remote-access clients to come across the VPN tunnel, traverse the ASA, and go back out to the Internet to a destination of 5.5.5.0. So why two entries? Stay with me, because the syntax gets a little confusing here. The first "obj-5.5.5.0" is the NAT'ed (mapped) destination: the address the client actually puts in the packet. The rule matches on that address and rewrites it to the second entry, so you could, as the admin of the firewall, change the destination and forward people somewhere else. If someone wanted to go to www.google.com, you could send them to www.ipchicken.com instead. That is what I get from it, although I have never configured anything other than the same object for both. It might be funny to mess with some people that way. [: p I'll have to test that later; this is only a thought. If you type "?" after "destination static", you get: Specify object or object-group name for mapped destination. Ahhh. That seems odd and backwards to me; yes, the NAT'ed address of the destination comes first. I really don't get what Cisco was thinking when they came up with this order, and I miss the pre-8.3 static commands. The second "obj-5.5.5.0" is the real IP of the destination the remote-access client was trying to reach. If you type "?" after the mapped destination object, you get: Specify object or object-group name for real destination. That is messed up, but that is the way it is.
 
So here is what the syntax really looks like, with the roles spelled out:
nat (outside,outside) source dynamic LAN-LOCAL LAN-NAT'ed destination static REMOTE-NAT'ed REMOTE-LOCAL 

Now let's look at two keywords I haven't covered yet: "dynamic" and "static".
I'm using dynamic on the source side to say that the 10.10.10.0 remote-access clients could be NAT'ed to a pool of addresses, for example 65.65.65.65 through 65.65.65.68, and dynamic NAT would use whichever of them it chooses. With the interface keyword, as in my command, every client is translated behind the single interface address instead (dynamic PAT, which is what you usually want for clients going to the Internet).
If I used the keyword static, that would mean a 1-to-1 translation. On the destination side the address is not really being NAT'ed, but a keyword is required there anyway, and only static is accepted for the destination, so static is what goes there.
Here are the two side by side for comparison:
nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-5.5.5.0 obj-5.5.5.0
nat (outside,outside) source dynamic LAN-LOCAL LAN-NAT'ed destination static REMOTE-NAT'ed REMOTE-LOCAL
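To make the real/mapped ordering from the walk-through above concrete, and to show what the dynamic/static choice does, here is an added example: a small Python model of my own, not code from the original post or from Cisco. It parses a constructed ASA config fragment for the scenario and applies the first matching twice NAT rule to a packet the way the ASA does. The object names and the 65.65.65.65 address are the post's; the /24 masks, the interface name GigabitEthernet0/0, and the second nat rule using obj-6.6.6.0 and obj-7.7.7.0 (the "send them somewhere else" case from the destination discussion) are assumptions made for the illustration.

```python
"""Model of one ASA 8.3+ twice NAT rule applied to a packet (added example, not
the post's or Cisco's code): the source clause matches the REAL source, the
destination clause matches the MAPPED destination (what the client sent to), and
the packet leaves with the mapped source and the real destination."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed config for the post's scenario.  Object names and 65.65.65.65 are
# the post's; the /24 masks, the interface name and the second nat rule (a
# destination that really does change) are assumptions for the illustration.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 65.65.65.65 255.255.255.0
object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object network obj-5.5.5.0
 subnet 5.5.5.0 255.255.255.0
object network obj-6.6.6.0
 subnet 6.6.6.0 255.255.255.0
object network obj-7.7.7.0
 subnet 7.7.7.0 255.255.255.0
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-5.5.5.0 obj-5.5.5.0
nat (outside,outside) source dynamic obj-10.10.10.0 interface destination static obj-6.6.6.0 obj-7.7.7.0
"""

NAT_RE = re.compile(r"nat \(([^,]+),([^)]+)\) source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")


@dataclass
class TwiceNat:
    real_ifc: str
    mapped_ifc: str
    mode: str        # static (1:1) or dynamic (pool, or PAT with "interface")
    src_real: str    # LAN-LOCAL
    src_mapped: str  # LAN-NAT'ed, or the keyword "interface"
    dst_mapped: str  # REMOTE-NAT'ed: the address the client sends to (None if absent)
    dst_real: str    # REMOTE-LOCAL: the address the packet is delivered to


def parse_config(text):
    """Return (objects, interface_ips, rules, intra_interface_allowed)."""
    objects, ifaces, rules, intra = {}, {}, [], False
    cur_obj, cur_if = None, None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if not words:
            continue
        if words[:2] == ["object", "network"]:
            cur_obj, cur_if = words[2], None
        elif words[0] == "interface":
            cur_if, cur_obj = {}, None
        elif words[0] == "subnet" and cur_obj:
            objects[cur_obj] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[0] == "nameif" and cur_if is not None:
            cur_if["name"] = words[1]
        elif words[:2] == ["ip", "address"] and cur_if is not None:
            ifaces[cur_if["name"]] = ipaddress.ip_address(words[2])  # nameif comes first
        elif line == "same-security-traffic permit intra-interface":
            intra = True
        elif words[0] == "nat":
            m = NAT_RE.fullmatch(line)
            if not m:
                raise ValueError(f"unsupported nat syntax: {line}")
            rules.append(TwiceNat(*m.groups()))
    return objects, ifaces, rules, intra


def hairpin_allowed(cfg, in_ifc, out_ifc):
    """Same ingress and egress interface is only legal with intra-interface permitted."""
    return in_ifc != out_ifc or cfg[3]


def _offset_map(addr, from_net, to_net):
    """1:1 network translation that keeps the host part, as static NAT does."""
    return to_net[int(addr) - int(from_net.network_address)]


def translate(cfg, in_ifc, out_ifc, src, dst):
    """First matching rule wins, top-down (section 1 of 'show nat').  Returns
    (mapped_src, real_dst) as strings, or None if no twice NAT rule matches."""
    objects, ifaces, rules, _ = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not hairpin_allowed(cfg, in_ifc, out_ifc):
        raise PermissionError("add 'same-security-traffic permit intra-interface'")
    for r in rules:
        if (r.real_ifc, r.mapped_ifc) != (in_ifc, out_ifc) or src not in objects[r.src_real]:
            continue
        if r.dst_mapped and dst not in objects[r.dst_mapped]:  # matched on the MAPPED dest
            continue
        if r.src_mapped == "interface":
            new_src = ifaces[out_ifc]  # dynamic PAT behind the egress interface address
        elif r.mode == "static":
            new_src = _offset_map(src, objects[r.src_real], objects[r.src_mapped])
        else:  # simplification: a real ASA hands out any free pool address
            new_src = next(objects[r.src_mapped].hosts())
        new_dst = dst
        if r.dst_mapped and r.dst_mapped != r.dst_real:
            new_dst = _offset_map(dst, objects[r.dst_mapped], objects[r.dst_real])
        return str(new_src), str(new_dst)
    return None
```

With this config, a client packet 10.10.10.5 -> 5.5.5.5 leaves as 65.65.65.65 -> 5.5.5.5, while 10.10.10.5 -> 6.6.6.9 leaves as 65.65.65.65 -> 7.7.7.9, which is exactly the mapped-destination-first behaviour the "?" help text describes; a packet to 8.8.8.8 matches neither rule and falls through to whatever other NAT is configured. On a real ASA the same check is packet-tracer input outside tcp 10.10.10.5 1025 5.5.5.5 80 followed by show nat detail and show xlate. Two practical caveats: twice NAT rules are evaluated top-down and the first match wins, so put this specific rule above any broader (outside,outside) rule, and the client only hairpins Internet traffic at all if its group policy tunnels that destination rather than split-tunnelling it straight to the Internet.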

I hope this was helpful. This is a new command in ASA software 8.3 and later (the ASA does not run IOS, even though the CLI looks similar) and it is a little difficult to grasp.
