topic ASA 5545 object nat in Network Access Control

ASA 5545 object nat

yvonne-tsara — Mon, 07 Oct 2024 12:53:14 GMT

Good day

May you please assist me. I have a scenario were on object nat has been created on ASA 5545 using one public ip for 2 different private ips with different port. Only one instance is working is working while the other one isnt.

I have also tried using static nats but when one works the other one doesn't. How best can I handle this? Below is my configuration.

object network TEST_DMZ_ORIGINAL_8291
host 10.10.11.8
object network LIVE_DMZ_ORIGINAL_8290
host 10.10.11.7
object network TEST_DMZ_ORIGINAL_8291
nat (dmz,outside) static PUBLIC service tcp 8291 8291
object network LIVE_DMZ_ORIGINAL_8290
nat (dmz,outside) static PUBLIC service tcp 8290 8290

Re: ASA 5545 object nat

MHM Cisco World — Mon, 07 Oct 2024 13:04:28 GMT

ASA(config)# nat (dmz,outside) 1 source static 
TEST_DMZ_ORIGINAL_8291 <interface or public IP object network name> service tcp 8290 8290

Above is correct, remove auto NAT you use before.

MHM

Re: ASA 5545 object nat

yvonne-tsara — Mon, 07 Oct 2024 13:17:35 GMT

I am not sure if I have an auto nat configured. All the static nats I had initially configured, I removed them but the object nat is only working for one server.

Re: ASA 5545 object nat

MHM Cisco World — Mon, 07 Oct 2024 13:20:23 GMT

ASA(config)# nat (dmz,outside) 1 source static 
TEST_DMZ_ORIGINAL_8291 <interface or public IP object network name> service tcp 8291 8291

ASA(config)# nat (dmz,outside) 1 source static 
LIVE_DMZ_ORIGINAL_8290 <interface or public IP object network name> service tcp 8290 8290

Add above

And remove

TEST_DMZ_ORIGINAL_8291
nat (dmz,outside) static PUBLIC service tcp 8291 8291
object network LIVE_DMZ_ORIGINAL_8290
nat (dmz,outside) static PUBLIC service tcp 8290 8290

MHM

Re: ASA 5545 object nat

yvonne-tsara — Mon, 07 Oct 2024 13:24:12 GMT

Thank you, let me try that.

Re: ASA 5545 object nat

MHM Cisco World — Mon, 07 Oct 2024 13:32:25 GMT

Sure take your time

MHM

Re: ASA 5545 object nat

yvonne-tsara — Mon, 07 Oct 2024 13:35:45 GMT

After the service command, i only have 2 options shown below.

configure mode commands/options:
WORD Specify object name for real service
any All service objects

My IOS version is shown below:

Cisco Adaptive Security Appliance Software Version 9.12(4)30
SSP Operating System Version 2.6(1.232)
Device Manager Version 7.17(1)152

Re: ASA 5545 object nat

MHM Cisco World — Mon, 07 Oct 2024 13:43:25 GMT

object service 8290
 service tcp source eq 8290

object service 8291
 service tcp source eq 8291

Use object service as above in NAT command.

MHM

Re: ASA 5545 object nat

yvonne-tsara — Mon, 07 Oct 2024 14:30:29 GMT

Thank you so much. It is working now. What makes the object nat and the ordinary static nat fail to work.

Re: ASA 5545 object nat

MHM Cisco World — Mon, 07 Oct 2024 14:33:45 GMT

Order'

Auto NAT (object NAT) come in order and if you use have dyanimc NAT above these server static auto NAT then the traffic will hit wrong NAT.

So we use manual NAT because these NAT always be in top list of NAT config in ASA and after it come other object NAT.

MHM

Re: ASA 5545 object nat

yvonne-tsara — Mon, 07 Oct 2024 15:45:06 GMT

Thanks a million

Re: ASA 5545 object nat

MHM Cisco World — Mon, 07 Oct 2024 15:47:42 GMT

You are welcome billion