topic Hi Christian, in Network Security

Auto Nat and Manual Nat in cisco ASA

diwakar410 — Tue, 12 Mar 2019 08:03:14 GMT

I have a public IP of 201.202.203.204.

And then, i have pool IP of 205.206.207.208 which is routable to 201.202.203.204.

I have a service running on my server which opens locally on port 3456. ie, i get the access of server from inside network using 172.16.32.45:3456.

I want this service to be opened from outside too and for this we need to do the port forwarding. I want this service to be opened on port 7890 ie,

i want to be accessed from outside using 205.206.207.208:7890.

How can i achieve this using:

1.Auto NAT

2.Manual NAT

I had asked this type of question before but it was regarding it was regarding manual NAT. I want to know the clear difference between them and please specify the ports to be used as source/destination.

Please help me with the command lines.

Here is something to get you

Cristian Nilsson — Thu, 28 Jul 2016 10:54:39 GMT

Here is something to get you started: (I hope i understood you correctly).

object network PUBLIC-IP
host 201.202.203.204

object network IP-POOL
host 205.206.207.208

object service DESTINATION-TCP-3456
service tcp destination eq 3456

object service DESTINATION-TCP-7890
service tcp destination eq 7890

nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456

Regards,

Cristian

Hello there,

diwakar410 — Sat, 30 Jul 2016 04:27:22 GMT

Hello there,

I don't know if this command works or not. Haven't tried it.

nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456

I used to do manual NAT this way:

object network obj-172.16.32.45

host 172.16.32.45

bject network PUBLIC-IP
host 201.202.203.204

object network IP-POOL
host 205.206.207.208

object service SOURCE-TCP-3456
service tcp source eq 3456

object service DESTINATION-TCP-7890
service tcp destination eq 7890

and the command would be:

nat(inside,outside) source static obj-172.16.32.45 IP-POOL service SOURCE-TCP-3456 DESTINATION-TCP-7890

I believe port 3456 should be source, isn't it?

This is manual NAT.

How can the same thing be achieved using auto NAT?

If possible, please clearify this command line :

nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456

Hello,

Cristian Nilsson — Tue, 02 Aug 2016 06:06:20 GMT

Hello,

I never use auto-nat myself but this should be the correct NAT rule:

object network obj-172.16.32.45
 nat (INSIDE,OUTSIDE) static IP-POOL service tcp 3456 7890

Regarding manual-nat you have the wrong idea about source and destination.

You have to think of it in nat rule direction - and keep in mind its always both ways unless specefied not to be.

Example:

nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456

Could have been writen as:

nat (INSIDE,OUTSIDE) source static IP-POOL PUBLIC-IP service SOURCE-TCP-3456 SOURCE-TCP-7890 destination any any

I hope i´m not confusing you.

//Cristian

Hi Cristain,

diwakar410 — Tue, 02 Aug 2016 08:51:13 GMT

Hi Cristain,

Finally, i guess, i am trying to get the real meaning.

Let me ellaborate what i understood.

My WLC opens at port 80. I want the request on 80 to be opened at 8080 when someone accesses it from outside.

So in manual NAT:

In this case, from what i got from your help, when going to internet ie, inside to outside, my source port is 80 and destination port is still 80.

But if someone tries to get in my WLC from remote side, ie, outside to inside, then for them 8080 becomes source and 80 becomes destination.

Am i right?

Hello again,

Cristian Nilsson — Tue, 02 Aug 2016 10:01:53 GMT

Hello again,

You are correct.

But to help you a bit more, think of the NAT (depending on direction nat rule is) from the source perspective.

INSIDE > OUTSIDE, inside host perspective (deal with SOURCE IP/ports)

OUTSIDE > INSIDE, outside host perspective (deal with DESTINATION IP/ports)

A quote from course leader regarding manual/twice-NAT-thinking:

"REAL-NAT-NAT-REAL". This has helped me many times when i started with NAT.

And i my opinion, manual NAT is much easier to read and get a quick view of.

//Cristian

Hi Christian,Thank you for

diwakar410 — Wed, 03 Aug 2016 15:09:09 GMT

Hi Christian,
Thank you for your help so far.
Still not clear regarding some issues.
Today i was asked to do the port forwarding in IP 192.168.10.100:3389 to be opened as 201.202.203.204:2234 for RDP.
As i am used to auto NAT,i did this:
object network obj-192.168.10.100
host 192.168.10.100
nat (private,public) static interface service tcp 3389 3334
Then i had this access list:
access-list access-list-name extended permit tcp any host 11192.168.10.100 eq 3389 and it was fine. The port was
opened and everything worked.
Later, i decided to do this using manual NAT, using your help.
As per your command line,
nat (INSIDE,OUTSIDE) source static IP-POOL PUBLIC-IP service SOURCE-TCP-3456 SOURCE-TCP-7890 destination any any

i modified this way:
nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any
and i had this issues:
1. the command after destination any any didn't work
2. i removed command after destination any any then there was this error that obj-201.202.203.204 overlaps with public IP.

So i used the second command :
nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456
and modified as:
nat (OUTSIDE,INSIDE) source static any any destination static obj-192.168.10.100 obj-201.202.203.204 service DESTINATION-TCP-2234 DESTINATION-TCP-3389

then the command was accepted but the port failed to open.
I tried using the packet tracer command and it indicated the port failed to open because flow was denied by the configured rule.
But there was already this command:
access-list access-list-name extended permit tcp any host 11192.168.10.100 eq 3389

What could be the reason for that.

Is it because i am using version 9.2?

Please help.

Hello,

Cristian Nilsson — Wed, 03 Aug 2016 16:30:55 GMT

Hello,

You forgot destination STATIC any any, that is why command was rejected.

nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any

This is reversed as you NAT in direction private to public.

nat (private,public) source static any any destination static obj-192.168.10.100 obj-201.202.203.204 service DESTINATION-TCP-2234 DESTINATION-TCP-3389

Try this

nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234

Dont forget to create the service objects accordingly.

//Cristian

Hello Christian,

diwakar410 — Fri, 05 Aug 2016 05:54:13 GMT

Hello Christian,

Thank you for your help. But there are some issues still not solved.

According to your command:

nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234

I get this error:

ERROR: any doesn't match an existing object or object-group

similarly, using the first command:

nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any

I get this error:

ERROR: Address 201.202.203.204 overlaps with Public-IP interface address.
ERROR: NAT Policy is not downloaded.

Actually things are working fine using Auto NAT, but as you suggested Manual NAT is better that Auto NAT, i am trying to learn that one. If you are not irritated, then please help me.

Hello,

Cristian Nilsson — Fri, 05 Aug 2016 06:08:31 GMT

Hello,

No worries :). Manual NAT is not by nature better in any way, i just find it "cleaner" to read.

So lets see, ERROR: any doesn't match an existing object or object-group.

One or more objects doesn't exist, check that you have all objects created.

ERROR: Address 201.202.203.204 overlaps with Public-IP interface address.
ERROR: NAT Policy is not downloaded.

Is this the same IP that is assigned to your outside/public interface?

If so, use the interface command instead.

nat (private,public) source static obj-192.168.10.100 interface service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any

This should NAT:

Host 192.168.10.100 tcp 3389 to public interface IP tcp 2234.

Or maybe clearer (remember they are always bi-directional unless specified not to):

When any outside host access public interface IP at tcp 2234 NAT to private host 192.168.10.100 tcp 3389

//Cristian

Hi Christian,

diwakar410 — Fri, 05 Aug 2016 06:27:10 GMT

Hi Christian,

This command worked without destination any any.

Can you let me know why the destination any any wasn't included?

As you said, "remember they are always bi-directional unless specified not to"

How can i make it unidirectional.

What happens when it is unidirectional?

nat (private,public) source static obj-192.168.10.100 interface service SOURCE-TCP-3389 SOURCE-TCP-2234

Hello,

Cristian Nilsson — Fri, 05 Aug 2016 06:42:07 GMT

Hello,

Sorry i totally mixed that line up and also forgot the static command.

nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234

You can apply the unidirectional at the end.

nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234 unidirectional

Now the rule only applies in one direction, i have yet to see a use for this thou (multicast/udp traffic?)

//Cristian

Christian,

diwakar410 — Fri, 05 Aug 2016 07:07:37 GMT

Christian,

Noted. Thanks a lot.

This command doesn't need any any

nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234

If we use any any then there will be this error:

ERROR: any doesn't match an existing object or object-group

we can simply use:

nat (private,public) source static obj-192.168.10.100 interface service SOURCE-TCP-3389 SOURCE-TCP-2234

This helped me and solved my issue too. So thanks a lot.I am marking your recent answer as correct answer.

Hello,

Cristian Nilsson — Fri, 05 Aug 2016 07:36:36 GMT

Hello,

Happy to help.

//Cristian