Cisco ASA Static NAT Multiple Global IPs to Single Real IP

I am finally getting comfortable with Cisco ASA Object NAT, introduced in software version 8.3. I like that ACLs reference the real IP address, not the global/translated IP address.

I still struggle, in the CLI, to parse the different elements of an object, because there are two "object network XYX" references in the configuration: one for the host and one for the NAT mapping.

Now on to the NAT fun....

I had an interesting static NAT configuration scenario with Cisco ASA software version 9.1(1) recently. A customer has a domain registered and hosts their own public DNS servers. Originally they had two authoritative name servers (NS) with different IP addresses.

NS1
Public IP X.X.X.1
Private IP Z.Z.Z.1

NS2
Public IP X.X.X.2
Private IP Z.Z.Z.2

The ASA had the standard objects with static NAT translations:

object network inside-NS1
 host Z.Z.Z.1
 nat (inside,outside) static X.X.X.1
!
object network inside-NS2
 host Z.Z.Z.2
 nat (inside,outside) static X.X.X.2


They wanted to decommission NS2. The NS records with the Internet domain name registrar were updated, NS2 was powered off, and the inside-NS2 object, its NAT statement and its access list references were removed from the ASA configuration.

After a few days I saw in the ASA logs that packets for DNS requests to X.X.X.2/Z.Z.Z.2 were being blocked. Since there was no longer a real server at Z.Z.Z.2, I could not simply recreate the old NAT translation.

I found Cisco documentation for one-to-many static NAT. This allows multiple public/global/outside IP addresses to be mapped to a single real/internal address.

1st, we remove the remaining NS1 translation:

object network inside-NS1
 host Z.Z.Z.1
 no nat (inside,outside) static X.X.X.1


2nd, we create an object containing the range of global/outside addresses:

object network outside-ns1-ns2
 range X.X.X.1 X.X.X.2


3rd, we add the new NAT statement to the existing host object, referencing the range object (object names are case-sensitive on the ASA, so the name must match the inside-NS1 object from step 1 exactly):

object network inside-NS1
 host Z.Z.Z.1
 nat (inside,outside) static outside-ns1-ns2


The nice thing about this solution is how it handles traffic flows. When Internet traffic is sent to X.X.X.1, the return traffic has a source IP of X.X.X.1; when Internet traffic is sent to X.X.X.2, the return traffic has a source IP of X.X.X.2.
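The following is an added example, not code from the original post, that models the two things discussed above: it parses object NAT stanzas the way `show running-config` prints them (the "host"/"range" definition and the "nat" line show up under two separate "object network NAME" headers, which is the parsing annoyance mentioned at the start of the post) and merges them per object; it then expands the one-to-many static NAT into a translation table so you can check which real host an inbound packet to a given global address is untranslated to, which global address the real host uses when it initiates connections (the first address in the mapped range, the behaviour Cisco documents for one-to-many static NAT), and whether a global address has no translation at all (the situation behind the blocked DNS packets to X.X.X.2). The configs and addresses are constructed for the example: 203.0.113.x stands in for X.X.X.# and 10.0.0.x for Z.Z.Z.#; the function and class names are the example's own.

```python
"""Added example (not from the original post): parse Cisco ASA object NAT
stanzas as `show running-config` prints them and model the static translations.
Addresses are constructed RFC 5737 stand-ins: 203.0.113.x for X.X.X.# and
10.0.0.x for Z.Z.Z.#."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IP = ipaddress.IPv4Address

# Constructed config after the post's three steps. The host definition and the
# nat line appear as two stanzas with the same (case-sensitive) object name.
ONE_TO_MANY = """\
object network inside-NS1
 host 10.0.0.1
object network outside-ns1-ns2
 range 203.0.113.1 203.0.113.2
!
object network inside-NS1
 nat (inside,outside) static outside-ns1-ns2
"""

# Constructed config after NS2 was removed but before the one-to-many fix:
# only 203.0.113.1 (X.X.X.1) is still translated.
ONLY_NS1 = """\
object network inside-NS1
 host 10.0.0.1
!
object network inside-NS1
 nat (inside,outside) static 203.0.113.1
"""


@dataclass
class NetObject:
    name: str
    host: Optional[str] = None
    addr_range: Optional[tuple] = None
    nat: Optional[tuple] = None  # (real_if, mapped_if, mapped object name or IP)


@dataclass(frozen=True)
class StaticRule:
    obj: str
    real_if: str
    mapped_if: str
    real: IP
    mapped: IP


def parse_objects(config: str) -> dict:
    """Merge every 'object network NAME' stanza into one NetObject per name."""
    objects, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        header = re.match(r"object network (\S+)\s*$", line)
        if header:
            current = objects.setdefault(header.group(1), NetObject(header.group(1)))
            continue
        if current is None or not line.startswith(" "):
            continue  # not inside an object stanza
        parts = line.split()
        if parts[0] == "host":
            current.host = parts[1]
        elif parts[0] == "range":
            current.addr_range = (parts[1], parts[2])
        elif parts[0] == "nat":
            nat = re.match(r"nat \((\S+),(\S+)\) static (\S+)", line.strip())
            if nat:
                current.nat = nat.groups()
    return objects


def addresses(obj: NetObject) -> list:
    """Expand a host or range object into its addresses, in range order."""
    if obj.host:
        return [IP(obj.host)]
    if obj.addr_range:
        lo, hi = (int(IP(a)) for a in obj.addr_range)
        return [IP(i) for i in range(lo, hi + 1)]
    return []


def static_rules(objects: dict) -> list:
    """Expand object NAT into (real, mapped) pairs. One real host mapped to several
    addresses is the one-to-many case; a dangling reference raises instead of
    being silently ignored."""
    rules = []
    for obj in objects.values():
        if not obj.nat:
            continue
        real_if, mapped_if, mapped = obj.nat
        reals = addresses(obj)
        if not reals:
            raise ValueError(f"{obj.name}: nat line but no host/range definition")
        try:
            mappeds = [IP(mapped)]  # literal mapped address
        except ValueError:
            if mapped not in objects:
                raise ValueError(f"{obj.name}: nat references unknown object {mapped}")
            mappeds = addresses(objects[mapped])
        if len(reals) == 1:
            rules += [StaticRule(obj.name, real_if, mapped_if, reals[0], m) for m in mappeds]
        else:
            rules += [StaticRule(obj.name, real_if, mapped_if, r, m) for r, m in zip(reals, mappeds)]
    return rules


def inbound_real(rules: list, mapped_ip: str) -> Optional[str]:
    """Which real host receives inbound traffic sent to mapped_ip? None means no
    translation exists and the ASA drops it, as the post's log entries showed."""
    for r in rules:
        if r.mapped == IP(mapped_ip):
            return str(r.real)
    return None


def outbound_mapped(rules: list, real_ip: str) -> Optional[str]:
    """Source address for connections the real host initiates: the first mapped
    address (rules keep range order, so the first match is the first address)."""
    for r in rules:
        if r.real == IP(real_ip):
            return str(r.mapped)
    return None


if __name__ == "__main__":
    rules = static_rules(parse_objects(ONE_TO_MANY))
    for mapped in ("203.0.113.1", "203.0.113.2"):
        print(mapped, "->", inbound_real(rules, mapped))
    print("outbound from 10.0.0.1 uses", outbound_mapped(rules, "10.0.0.1"))
    old = static_rules(parse_objects(ONLY_NS1))
    print("before the fix, 203.0.113.2 ->", inbound_real(old, "203.0.113.2"))
```

Run it against the text of `show running-config object` followed by `show running-config nat` to get a merged view of each object; the parser only understands `host`, `range` and `static` object NAT, which is all the post's scenario uses.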

Figure: Cisco ASA One to Many Static NAT

For this post:
X.X.X.# = external, public, Internet-routable IP addresses
Z.Z.Z.# = internal, private IP addresses

References:
Cisco Support Forums: ASA 8.3 Upgrade - What You Need to Know
Cisco ASA CLI Configuration Guide, 9.0
