topic Hi Akshay, Thanks for the in Network Security

Static NAT with Object Group on ASA 9.1(6)

ritchieb — Tue, 12 Mar 2019 06:44:57 GMT

I have the following configured on an ASA FW (Version 9.1(6));

nat (dmz-interface,outside) source static OBJECT-GROUP Nat_10.10.10.20 destination static COMPANY-A_172.16.1.0 COMPANY-A_172.16.1.0

OBJECT-GROUP is a group, containing 3 hosts;

object-group network OBJECT-GROUP
network-object object 10.1.75.33
network-object object 10.1.75.34
network-object host 10.1.67.12

My understanding was that if there’s a many-to-one configuration then no inbound connection permitted as the address it should be translated to isn’t known. But……

This appears to be allowing inbound connectivity from outside to 10.10.10.20, translating to 10.1.75.33

ASA-FW# show xlate | inc 10.10.10.20
NAT from dmz-interface:10.1.75.33, 10.1.75.34, 10.1.67.12 to outside:10.10.10.20
ASA-FW#
ASA-FW# show nat detail | inc 10.10.10.20
14 (dmz-interface) to (outside) source static OBJECT-GROUP Nat_10.10.10.20 destination static COMPANY-A_172.16.1.0 COMPANY-A_172.16.1.0
Source - Origin: 10.1.75.33/32, 10.1.75.34/32, 10.1.67.12/32, Translated: 10.10.10.20/32
ASA-FW#
ASA-FW# show conn | inc 10.1.75.33
TCP outside 172.16.1.1:51318 dmz-interface 10.1.75.33:5672, idle 0:01:24, bytes 912, flags UIOB
TCP outside 172.16.1.1:42717 dmz-interface 10.1.75.33:5672, idle 0:00:29, bytes 3528, flags UIOB
TCP outside 172.16.1.1:41029 dmz-interface 10.1.75.33:5672, idle 0:01:22, bytes 9472, flags UIOB
ASA-FW#

My question is – how is the internal host address determined when a group is used? Does it take the first in the list?

Hi,In Many-to-one mapping,

Akshay Rastogi — Wed, 14 Oct 2015 17:37:12 GMT

Hi,

In Many-to-one mapping, all the internal host would be able to go outside with the mapped address but connection for them would not be able to go out. Lowest Real IP address should be selected as the real address for the bidirectional one. (i am not quite sure why it has taken the object .33 instead of host .12. You could try replace keyword 'object' with 'real' under that object group).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html#wp1107407

Above link explain the scenarios with different mapping scenarios and how to select real or mapped address.

ASA has the flexibility to allow any kind of static mapping scenario: one-to-one, one-to-many, but also few-to-many, many-to-few, and many-to-one mappings. These other mapping options, however, might result in unintended consequences. We recommend using only one-to-one or one-to-many mappings.

Regards,

Akshay Rastogi

Hi Akshay, Thanks for the

ritchieb — Thu, 15 Oct 2015 07:56:36 GMT

Hi Akshay,

Thanks for the info, that seems to make sense. I think maybe it would be the lowest IP if the first connection was inbound outside -> dmz-interface. Perhaps the first connection to perform NAT on was from 10.1.75.33 and therefore it became the translated address, as your link states "The first translation is always active so both translated and remote hosts can initiate connections, but the subsequent mappings are unidirectional to the real host. "

If I had some equipment to test I would!

Regards,

Brian

Hi Brian,That's correct.

Akshay Rastogi — Thu, 15 Oct 2015 11:22:25 GMT

Hi Brian,

That's correct.

Please mark the answer as correct if it helps.

Regards,

Akshay Rastogi