topic NAT and port mapping on ASA in Network Security

NAT and port mapping on ASA

ronald.su — Fri, 21 Feb 2020 14:17:26 GMT

hey, something confusing me: i have 2 internet boardband, and set default route via ISP1, some server will using ISP2 to access internet (using PBR to achieve that)。

here is my config:

object network LAN

subnet 10.0.0.0 255.255.0.0

nat (inside,ISP1) dynamic interface

object network srv1

host 10.0.0.100

nat (inside,ISP2) static x.x.x.x

route ISP1 0.0.0.0 0.0.0.0 a.b.c.d (gateway)

access-list to_ISP2 extended permit ip object srv1 any ### for PBR

route-map ISP2_map permit 100
match ip address to_ISP2
set ip next-hop x.x.y.y ### ISP2 gateway

access-list SRV_RDP extended permit ip object srv1 any 3389 ###(imapping remote desktop port)

access-group SRV_RDP in interface ISP2

now, i found srv1 can using ISP's IP to access the internet. BUT, if I using IP3 to telnet srv1 (ISP2's IP).

the srv1 can received the packet from IP3, but IP3 cannot receive any respond from ISP2's IP.

until I add a static route to IP3, it seems the the PBR is not effect....

but if the PBR is not effiect, why my srv1 can using ISP2 to access the internet.

BTW, i received some warning on ASA:

WARNING: If access-list to_ISP2 having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.

i wanna know if i have 2 isp boardband on ASA, i cannot using PBR to make subnet1 to ISP1 , subnet2 to ISP2 ????

Re: NAT and port mapping on ASA

jumora1 — Mon, 11 Sep 2017 17:28:57 GMT

Check the other response

Re: NAT and port mapping on ASA

jumora1 — Mon, 11 Sep 2017 17:18:24 GMT

Sorry for the strange answer before if PBR is not doing what is expected I would suggest to tun the next debug:

debug policy-route

Now I did not see that you applied this to an interface buT I could be wrong:

Here is an example:

Configure an interface and enter interface configuration mode: interface interface_id Example:

ciscoasa(config)# interface GigabitEthernet0/0

Step 6 Configure policy based routing for through-the-box traffic:

policy-route route-map route-map_name

Example: ciscoasa(config-if)# policy-route route-map testmap

Re: NAT and port mapping on ASA

ronald.su — Tue, 12 Sep 2017 02:07:27 GMT

i did applied on the interface... and i think somehow the PBR is working, as you can see, the PBR is force the srv1 to using ISP2 out. as my test: if i not apply the PBR, the srv1 go using ISP1 out. and then i applied the PBR, srv1 going out via ISP2. so i think the PBR is working...somehow.

and the port mapping is configuration is working fine too, i telnet to srv1 internet IP (ISP2's IP). the netstat shows

" TCP 10.0.0.88:3389 216.x.x.x:59912 SYN_RECEIVED"

so the packet from internet -> ASA-->srv1 is ok

and srv1 did sent respond to 216.x.x.x (i saw it on wireshark capture).

but 216.x.x.x not got any respond.

I guessed it routing problem, so i add the route as below:

route ISP2 216.x.x.x 255.255.255.255 isp2 gateway

making packet to 216.x.x.x using ISP2 out.

and this work, i can telnet now.

so.... this is really confusing me.

the static route telling me it's the routing issue, means the PBR is not working.

but the srv1 can using ISP2 IP address to access internet after i applied the PBR, means the PBR is working.

odd? ???

Re: NAT and port mapping on ASA

jumora1 — Tue, 12 Sep 2017 11:48:33 GMT

Can you send me the configuration?

show tech and also a show route

Re: NAT and port mapping on ASA

jumora1 — Tue, 12 Sep 2017 11:51:38 GMT

if you have skype we can conference and check the configuration together

Re: NAT and port mapping on ASA

ronald.su — Wed, 13 Sep 2017 06:18:10 GMT

thanks, add you via skype.

Re: NAT and port mapping on ASA

ronald.su — Wed, 13 Sep 2017 09:09:13 GMT

i also send the configuration to your gmail. thx!

Re: NAT and port mapping on ASA

jumora1 — Thu, 14 Sep 2017 11:51:44 GMT

add a second default route to isp2 with a metric of 2, although traffic is forced when packets start from the internal server towards the ISP2 when connections come in through ISP2 it has no route to forward the packet out from where it came from.

The route needs to be configured although it will not be installed on the show route.

This is based on experience so give it a try and I'm sure it will work.

Re: NAT and port mapping on ASA

jumora1 — Thu, 14 Sep 2017 11:55:38 GMT

Let me explain.

When you initiate a connection from the Internet to the NATTED IP traffic will reach the ASA but when traffic needs to be routed back to the client that resides on the Internet all it has is a default gateway on ISP1, thus the connection that you want to establish has no way to be routed back to your client.

That explains why when you add a static route it works.

Re: NAT and port mapping on ASA

ronald.su — Fri, 15 Sep 2017 01:41:23 GMT

great~~~it work! thank you so much !!!

u really help!