topic Re: ASA 5525: simple nat CLI code help please? in Network Security

ASA 5525: simple nat CLI code help please?

MicJameson1 — Mon, 20 Feb 2023 21:31:54 GMT

Hello.

Goal:
On ASA-5525...
...to permit servers 10.0.1.1/24, 10.0.1.2, 10.0.1.3...
...which use protocol sftp
...to dynamically translate IP's to public Outside interface
...to reach server 3.3.3.3 on its port 2222

Question: What is the CLI code for this?

Thank you.

Re: ASA 5525: simple nat CLI code help please?

MHM Cisco World — Mon, 20 Feb 2023 21:35:06 GMT

why dynamic ??

Re: ASA 5525: simple nat CLI code help please?

MicJameson1 — Mon, 20 Feb 2023 21:44:55 GMT

You are correct= static. Can you please write code? I've struggled with this a long time.

Re: ASA 5525: simple nat CLI code help please?

MHM Cisco World — Mon, 20 Feb 2023 22:35:41 GMT

I think you must look to ALL picture,
the ACL must allow SFTP
the NAT must NATing the traffic or UN-NATing the traffic

object network SFTP

host <ServerPrivate IP>

nat (inside,outside) static <Server Public IP> service tcp 22 22

the Inspection <<- here are you run bypass as I mention before ?

Re: ASA 5525: simple nat CLI code help please?

MicJameson1 — Mon, 20 Feb 2023 22:51:07 GMT

1. inside_in ACL is healthy and being hit. <<COMPLETE>>

2. Can you help me attain my intent here (to use object group in config)? I think I need to use manual NAT.
object-group network MY_3_SERVERS_to_VENDOR1
network-object host 10.0.1.1
network-object host 10.0.1.2
network-object host 10.0.1.3
nat (Inside,Outside) static 3.3.3.3 service tcp 2222
^
ERROR: % Invalid input detected at '^' marker.

Re: ASA 5525: simple nat CLI code help please?

MHM Cisco World — Mon, 20 Feb 2023 23:12:02 GMT

I will test use object-group with multi network host mapped to one public IP
but before that can you check add single network host
also are the 3.3.3.3 is reachable via OUT interface ??
are you use Inside, Outside as nameif of interface ??

Re: ASA 5525: simple nat CLI code help please?

MicJameson1 — Mon, 20 Feb 2023 23:20:07 GMT

but before that can you check add single network host
also are the 3.3.3.3 is reachable via OUT interface ?? YES confirmed
are you use Inside, Outside as nameif of interface ?? YES confirmed

I think it's best to not get too complex. I think it's simple config error.

I just need code that satisfies 1st post. Your code is right idea, but it's best to use 1 object group for the three hosts. so...

object network SFTP
host <ServerPrivate IP>
nat (inside,outside) static <Server Public IP> service tcp 2222

...needs to be changed to an "object group" config. thats all i think.

Re: ASA 5525: simple nat CLI code help please?

MHM Cisco World — Mon, 20 Feb 2023 23:26:34 GMT

object network SFTP <<- you can change as you want butI recommend always keep name referring to IP or service
host <ServerPrivate IP>
nat (inside,outside) static <Server Public IP> service tcp 22 22

Re: ASA 5525: simple nat CLI code help please?

MicJameson1 — Mon, 20 Feb 2023 23:52:31 GMT

Some progress. I took PCAP from device not ASA-- 1 hop past Outside interface of ASA. Pcap says the translated destination port is NOT required 2222.

Below is present config

object network SFTP
nat (Inside,Outside) static 3.3.3.3 service tcp 2222 2222
access-group Outside_access_in in interface Outside

How I fix so TRANSLATED destination port is 2222 ? (I think i need manual twice NAT, but i'm not sure)

(REAL destination port needs exactly "2222")

Re: ASA 5525: simple nat CLI code help please?

MHM Cisco World — Mon, 20 Feb 2023 23:58:50 GMT

tcp 22 22 is not meaning port 2222
it meaning
source tcp port 22 will NATing to tcp port 22

that why I make it bold.

Re: ASA 5525: simple nat CLI code help please?

MicJameson1 — Tue, 21 Feb 2023 00:08:31 GMT

OK, we have misunderstanding here, because there is strange coincidence...

The vendor has open port EXACTLY THIS NUMBER "2222" (2230-8=2222, the number 2222)

The protocol is sftp, which uses port 22. I need the code to connect to destination port exactly 2222.

(now maybe later, there is a completely different issue that SERVICE 22 used by SFTP (and also SSH) is blocked by firepower or something. But that is later troubleshoot.)

Below is present config

object network SFTP
nat (Inside,Outside) static 3.3.3.3 service tcp 2222 2222
access-group Outside_access_in in interface Outside

How I fix so TRANSLATED destination port is 2222 ? (I think i need manual twice NAT, but i'm not sure)

...or maybe my big misunderstanding is that TCP protocol is NOT a port, it is different thing. So again, please tell me how to fix?

Re: ASA 5525: simple nat CLI code help please?

MHM Cisco World — Tue, 21 Feb 2023 00:11:37 GMT

How I fix so TRANSLATED destination port is 2222 ? (I think i need manual twice NAT, but i'm not sure) ?
you you want to NAT port
you already have static PAT
and you receive SFTP toward 2222.
no need any other NAT for this case.

Re: ASA 5525: simple nat CLI code help please?

MicJameson1 — Tue, 21 Feb 2023 00:22:24 GMT

right now PCAP on device 1 hop past outside int of ASA going to www, shows destination port is NOT 2222. It is random port. It needs to be 2222.

Below is present config

object network SFTP

host 10.0.1.1
nat (Inside,Outside) static 3.3.3.3 service tcp 2222 2222