topic Re: Object NAT on ASA 5525 in Network Security

Object NAT on ASA 5525

gurowar — Thu, 25 Jan 2024 19:01:08 GMT

Good Morning All,

Not sure why this isn't working but I have a ASA 5525 running Version 9.2(2)4. What I am trying to do is add an Object Static NAT. Now on the firewall I see how similar policies are configured and I copied the config, minus the IPs and name of course but still not working. This is what I have

object network ext-data4
host 210.10.197.74 <-- Public IP
object network vip-data4
host 10.3.10.44 <-- DMZ IP

I have an ACL that the VIP goes into so now the NAT, when I attempt to do the following Object NAT it looks like it works but when I search for it in the config or do a show xlate for the name/IP nothing shows up

object network vip-data4
nat (any,any) static ext-data4 net-to-net

When I input the config, looks like it works:

OmedaColoASA(config)# object network vip-data4
OmedaColoASA(config-network-object)# nat (any,any) static ext-data4
OmedaColoASA(config-network-object)#
OmedaColoASA(config-network-object)#

But when I check the config its not even in there.

What am I missing? Thank you in advance!!!

Re: Object NAT on ASA 5525

MHM Cisco World — Thu, 25 Jan 2024 19:06:54 GMT

object network ext-data4
host 210.10.197.74 <-- Public IP

object network vip-data4
host 10.3.10.44 <-- DMZ IP

nat (DMZ,OUT ) static ext-data4 net-to-net no route-lookup

This must work

MHM

Re: Object NAT on ASA 5525

gurowar — Thu, 25 Jan 2024 20:36:37 GMT

Bummer didn't work, it didn't like the "no route-lookup" so I left that out but I put in what you suggested

object network vip-data4
host 10.3.10.44

nat (DMZ,OUT) static ext-data4 net-to-net

still doesn't show up in the config, probably something silly I am missing...still looking

Re: Object NAT on ASA 5525

MHM Cisco World — Thu, 25 Jan 2024 20:40:55 GMT

Can I see

Show run nat

MHM

Re: Object NAT on ASA 5525

gurowar — Thu, 25 Jan 2024 21:21:45 GMT

Its kind of long but here here it is I don't see any of the NAT statements we put in

Re: Object NAT on ASA 5525

MHM Cisco World — Thu, 25 Jan 2024 21:40:39 GMT

object network dmz
 nat (dmz,outside) dynamic interface

This come before static NAT so we need to change NAT type to manaul NAT and not use object NAT.

NAT (DMZ'Outside) source static object real IP object mapped IP

MHM

Re: Object NAT on ASA 5525

gurowar — Thu, 25 Jan 2024 21:14:11 GMT

Oh ok I see so I need to build it as

nat (dmz,outside) static vip-datad4 destination static ext-data4

object network ext-data4
host 210.10.197.74 <-- Public IP
object network vip-data4
host 10.3.10.44 <-- DMZ IP

ok will try that then...thank you sir!

Re: Object NAT on ASA 5525

MHM Cisco World — Thu, 25 Jan 2024 21:24:19 GMT

You are welcome

MHM

Re: Object NAT on ASA 5525

gurowar — Thu, 25 Jan 2024 21:39:53 GMT

Hmm it didn't like the "static" had to enter "source static" also had to change it up a little it doesn't like what I have below:

nat (dmz,outside) static vip-data4 destination static ext-data4

configure mode commands/options:
WORD Specify object or object-group name for real source
any Abbreviation for source address and mask of 0.0.0.0
OmedaColoASA(config)# $ ext-data4 ?
ERROR: % Unrecognized command
OmedaColoASA(config)# $ vip-data4 ?

configure mode commands/options:
WORD Specify object or object-group name for mapped source
interface Specify interface NAT

So now my nat statement looks like this:

nat (dmz,outside) source static vip-data4 vip-data4 destination static ext-data4 ext-data4

So at first I thought I did something wrong when i saw this

OmedaColoASA# sh xlate | inc 210.10.197.74
NAT from outside:210.10.197.74 to dmz:210.10.197.74

OmedaColoASA# sh xlate | inc 10.3.10.44
NAT from dmz:10.3.10.44 to outside:10.3.10.44

but I believe this is ok as those are the IPs we want to see when they hit the interfaces.

If I am wrong please let me know otherwise I believe I am good now. Thank you for your help!!!

One more thing if I put this statement at the bottom, then we would of be able to do the object NAT?

object network dmz nat (dmz,outside) dynamic interface

Re: Object NAT on ASA 5525

MHM Cisco World — Thu, 25 Jan 2024 21:41:48 GMT

NAT (DMZ'Outside) source static object real IP object mapped IP <<- this correct one, NO need to add destination
MHM

Re: Object NAT on ASA 5525

gurowar — Thu, 25 Jan 2024 21:56:24 GMT

Thank you sir looks good

OmedaColoASA# sh xlate | inc 210.10.197.74
NAT from dmz:10.3.10.44 to outside:210.10.197.74

Re: Object NAT on ASA 5525

MHM Cisco World — Thu, 25 Jan 2024 21:57:29 GMT

please clean your config, delete all other NOT work NAT we add during troubleshooting
thanks a lot
have a nice day
MHM

Re: Object NAT on ASA 5525

Marius Gunnerud — Thu, 25 Jan 2024 22:27:59 GMT

You have entered correct commands for object NAT to work correctly (though I would suggest using specific interfaces rather than any). If the commands look to be accepted but do not show up in the configuration then this ASA is not in a healthy state. Perhaps it needs a reboot, and definately needs an upgrade if it is running 9.2.

This configuration was correct and should have been present in the configuration:

object network ext-data4
host 210.10.197.74

object network vip-data4
host 10.3.10.44
nat (any,any) static ext-data4

Now, just for clarification: Manual NAT, which is when you define NAT (any,any) source static..., is a top down match. Auto-NAT will be matched after manual NAT but it is matched in a longest prefix manner and there for not top down. So if you have a default NAT located above a more specific NAT in this section it will still match on the more specifc NAT rule. And then you have After-auto NAT, which is similar to manual NAT as it is a top down match but will only be matched if there have been no other match in manual NAT or Auto-NAT. So keep this in mind when configuring the ASA.

Re: Object NAT on ASA 5525

gurowar — Fri, 26 Jan 2024 14:39:49 GMT

H Marius,

Thank you for the info, yes it is actually 9.2 and needs a reboot badly as from my understanding hasn't been reboot in a few years. As far as the NAT goes thank you for the information!! I will keep that in mind next time and thank you for taking the time to explain!!!

Thank you sir!