topic Re: ASA 5506-X PAT,NAT,ACL Single Public IP in Network Security

ASA 5506-X PAT,NAT,ACL Single Public IP

Ryeloc — Fri, 21 Feb 2020 16:11:17 GMT

I'm having a confusing moment configuring static NAT with a Single IP address.

I want to allow TCP-1723 traffic through to a server on the inside interface, while using a single IP address for this static NAT and PAT from inside to outside.

So for starters I'm using

nat (inside,outside) source dynamic any interface

This gets me up and running using PAT. Now I want to configure my internal server to allow the connections for a static TCP port inbound

object service TCP-1723

service tcp destination eq pptp

object network SERVER-1

host 10.1.1.10

object network WAN-2

host 1.1.1.2

nat (outside,inside) source static any any destination static WAN-2 SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp

ERROR: Address 1.1.1.2 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

That doesn't seem to work... so I went another route

object network SERVER-1

nat (inside,outside) static interface service tcp 1723 1723

access-list outside_access_in extended permit tcp any object SERVER-1 eq 1723

access-group outside_access_in in interface outside

The ASA seems to have accepted the commands and created a network object NAT rule.

I test, and nothing. I check my ACL and it has 0 hit counts. Not sure what the issue is here, I don't seem to have any issues when using a public IP address that's not assigned to my outside interface. For example, if I used 1.1.1.3/29. In my environment I only have a single public IP address so that's not going to be doable.

Re: ASA 5506-X PAT,NAT,ACL Single Public IP

balaji.bandi — Mon, 03 Sep 2018 20:08:54 GMT

Look out good example and explained well :

https://www.packet6.com/configuring-nat-for-a-public-server-using-same-outside-interface/

Re: ASA 5506-X PAT,NAT,ACL Single Public IP

Ajay Saini — Tue, 04 Sep 2018 08:43:34 GMT

Hello,

The configuration looks okay. Can you please attach a packet-tracer output:

packet-tracer input outside tcp 4.2.2.2 3344 <outside interface IP> 1723 det

also, you would need to enable pptp inspection so that secondary channel for GRE can be opened dynamically by the Firewall.

HTH

Re: ASA 5506-X PAT,NAT,ACL Single Public IP

Ryeloc — Tue, 04 Sep 2018 13:11:33 GMT

Thanks for the reply, I did find that same article and it doesn't work in my lab. That was the second option I did with the network object NAT policy. The packet is dropped at the Firewall by the global deny all ACL.

Re: ASA 5506-X PAT,NAT,ACL Single Public IP

Ryeloc — Tue, 04 Sep 2018 13:14:42 GMT

Ajay,

I was able to get this figured out for the original nat. Instead of using the network object for my WAN-IP I just used the interface command instead. Example.

nat (outside,inside) source static any any destination static interface SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp

I still wasn't able to get it to work with the network object NAT policy but that's probably because I don't understand the network object NAT policies as much. I will rebuild the lab later today and send you the packet tracer outputs for the network object NAT.

Re: ASA 5506-X PAT,NAT,ACL Single Public IP

Ryeloc — Tue, 11 Sep 2018 21:34:42 GMT

Sorry for the late reply, I ended up figuring this out. The reason I couldn't get it to work is because I needed to use my outside IP address. For that I had to use the "interface" command rather than the "object" command in the NAT line.

OLD: nat (outside,inside) source static any any destination static WAN-2 SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp

NEW: nat (outside,inside) source static any any destination static interface SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp