topic Thanks again Jon :-) in Network Security

NAT with multiple external IPs and multiple internal IPs sharing public specific IPs

shell_uk_ — Tue, 12 Mar 2019 05:39:54 GMT

Hi all

I can't quit hit the nail on the head with this one. Any help would be very much appreciated please 🙂

Cisco ASA 5505
Running 8.4(1)

Example of what I am trying to do (I've basically ran out of public IPs and need to direct access to certain hosts and services inside but for complicated reasons I won't go in to as it won't help here/just complicate it more for no reason, they can't be on the 'general usage' IP so I need to share some of these other public IPs).

Public IP range: 12.34.56.1 - 12.34.56.5

Internal IP range: 192.168.1.1 - 192.168.1.254

12.34.56.5:
'General usage' IP. So by default everything goes in and out on this IP.

12.34.56.1:
Port 443 goes to 192.168.1.2
Port 80 goes to 192.168.1.3
Traffic from 192.168.1.2 and 192.168.1.3 to the internet comes from 12.34.56.1

12.34.56.2/.3/.4:
These are all dedicated to certain servers and work fine.

Bits of the config I think are relevant (please say if I've missed something):

interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.5 255.255.255.248

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network NAT-IP-1
 host 12.34.56.1
object network server-2
 host 192.168.1.2
object network server-3
 host 192.168.1.3
object-group network SOURCE-ADDRESSES-2
 network-object host 192.168.1.2
 network-object host 192.168.1.3

access-list outside_access extended permit tcp any object server-2 eq https
access-list outside_access extended permit tcp any object server-3 eq www

nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

object network LAN
 nat (inside,outside) dynamic interface
object network server-2
 nat (inside,outside) static NAT-IP-1 service tcp https https

Traffic for server-2 and server-3 goes out on 12.34.56.1 instead of 12.34.56.5, that's fine. The port forwarding isn't happening though.

This results in this in the log:

4 Mar 19 2015 15:00:45 106023 5.6.7.8 53966 12.34.56.1 443 Deny tcp src outside:5.6.7.8/53966 dst outside:5.6.7.8/443 by access-group "outside_access" [0x0, 0x0]

If I do a packet trace it's just not showing the NAT entries expected (and the log above doesn't show the destination as the LAN IP either as expected):

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   12.34.56.1    255.255.255.248 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

What am I messing up with the NATing/port forwarding please?

Thank you!

Edit: Sorry John. Typo - corrected!

In the config you provided I

mlovellette — Thu, 19 Mar 2015 16:44:59 GMT

In the config you provided I do not see what NAT-IP-2 is referencing in the following line:

"object network server-2 nat (inside,outside) static NAT-IP-2 service tcp https https"

Traffic from 192.168.1.2 and

Jon Marshall — Thu, 19 Mar 2015 16:55:35 GMT

Can you post a "sh nat" ?

Jon

Jon:Saw your original reply

shell_uk_ — Thu, 19 Mar 2015 16:55:36 GMT

Jon:

Saw your original reply on the notification email. Was my typo sorry. Corrected it in the original post now. I believe that nat line is correct.

# sh nat
Manual NAT Policies (Section 1)
1 <vpn stuff>
2 <vpn stuff>
3 <port translation for general IP>
4 <another port translation for general IP>
5 <another>
6 (inside) to (outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
    translate_hits = 10828, untranslate_hits = 9773
(I'm not if this count is for when I got it working for just one server at one point.. not worked out again how I did that)

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static server-4 12.34.56.2
    translate_hits = 11406622, untranslate_hits = 576964
2 (inside) to (outside) source static server-2 NAT-IP-1 service tcp https https
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static server-5 12.34.56.3
    translate_hits = 97036, untranslate_hits = 1149482
4 (inside) to (outside) source static server-6 12.34.56.4
    translate_hits = 65, untranslate_hits = 174
5 <vpn stuff>
6 (inside) to (outside) source dynamic LAN interface
    translate_hits = 63479715, untranslate_hits = 53493227

Corrected it, sorry.I daftly

shell_uk_ — Thu, 19 Mar 2015 16:58:19 GMT

Corrected it, sorry.

I daftly changed the example IPs around after writing the post so they related better (well that was the aim) to what I'm actually dealing with but messed up 😞

This is your problem ie, you

Jon Marshall — Thu, 19 Mar 2015 16:59:56 GMT

This is your problem ie, you have in section 1 -

(inside) to (outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

and then in section 2

(inside) to (outside) source static server-2 NAT-IP-1 service tcp https https

the first rule is matching the inbound traffic so it never gets to your section 2 port mappings.

What do you actually want to do in terms of the outbound traffic from those servers ?

Jon

If traffic from both those

Jon Marshall — Thu, 19 Mar 2015 17:12:54 GMT

Edit - ignore, just noticed interface IP is 12.34.56.5 🙂

Jon

Everything except the

shell_uk_ — Thu, 19 Mar 2015 17:27:59 GMT

Everything except the specified stuff goes out and in on 12.34.56.5.

I need these 2 internal servers to share the public IP '12.34.56.1' both in and out basically.

Edit: And 12.34.56.2/.3/.4 are all dedicated to specific internal IPs. This works fine.

Can you post a full "sh nat"

Jon Marshall — Thu, 19 Mar 2015 17:43:27 GMT

Can you post a full "sh nat" without editing anything out ?

Jon

Hello,Please find below

jeevak mukadam — Thu, 19 Mar 2015 17:55:22 GMT

Hello,

Please find below mentioned your requirement and confirmed.

1. Server 192.168.1.2 and 192.168.1.3 will use ip 12.34.65.1 for traffic 443 and 80

2. Rest of the network will use 12.35.56.5 for coummunication

Jeevak,

Public IP.. LAN IP..12

shell_uk_ — Thu, 19 Mar 2015 18:02:03 GMT

Public IP.. LAN IP..

12.34.56.1 192.168.1.2 (port 443) and 192.168.1.3 (port 80)

12.34.56.2 192.168.1.4 (various ports)

12.34.56.3 192.168.1.10 (various ports)

12.34.56.4 192.168.1.50 (various ports)

12.34.56.5 Any 192.168.1.* IP not mentioned above

Thanks

# sh nat

shell_uk_ — Thu, 19 Mar 2015 18:46:42 GMT

# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24_DIALINVPN NETWORK_OBJ_10.10.10.0_24_DIALINVPN
    translate_hits = 16375, untranslate_hits = 1081417
2 (inside) to (outside) source static LAN LAN destination static RemoteLANVPN RemoteLANVPN
    translate_hits = 90500794, untranslate_hits = 123604551
3 (inside) to (outside) source static internalhost1 interface service INTERNAL_PORT1 EXTERNAL_PORT1    this happens on the general use ip
    translate_hits = 4145, untranslate_hits = 27308
4 (inside) to (outside) source static internalhost2 interface service INTERNAL_PORT1 EXTERNAL_PORT2    this happens on the general use ip
    translate_hits = 0, untranslate_hits = 657
5 (outside) to (inside) source static any any destination static interface internalhost7 service 8080 8080    this happens on the general use ip
    translate_hits = 7724, untranslate_hits = 14632
6 (inside) to (outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
    translate_hits = 16449, untranslate_hits = 14853

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static server-4 12.34.56.2
    translate_hits = 11406622, untranslate_hits = 576964
2 (inside) to (outside) source static server-2 NAT-IP-1 service tcp https https
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static server-3 NAT-IP-1 service tcp http http
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static server-5 12.34.56.3
    translate_hits = 97036, untranslate_hits = 1149482
5 (inside) to (outside) source static server-6 12.34.56.4
    translate_hits = 65, untranslate_hits = 174
6 (inside) to (outside) source dynamic NETWORK_OBJ_10.10.10.0_24_DIALINVPN interface
    translate_hits = 0, untranslate_hits = 0
7 (inside) to (outside) source dynamic LAN interface
    translate_hits = 63479715, untranslate_hits = 53493227

Number 5 on the "manual NAT" section is odd. It works but it's basically doing the same as 3 and 4 so I'm not sure why it is that way round (outside inside vs inside outside).

You can try doing the

mlovellette — Thu, 19 Mar 2015 19:01:36 GMT

You can try doing the following

no nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

nat (inside,outside) after-auto source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

Okay, it's the problem I

Jon Marshall — Thu, 19 Mar 2015 19:03:55 GMT

Okay, it's the problem I described before ie. you are not getting to your static statements because the earlier NAT rule is matching.

So you have two choices -

1) you could move your section 2 static statement for those servers to section 1 and make sure they appear before the dynamic statements. You can choose the order in sections 1 and 3

2) or you can move the section 1 dynamic statement for those servers to section 2 where static takes precedence over static.

The only problem here is you cannot order the rules and from what I understand if you have multiple dynamic rules the larger number of IPs takes precedence and you have -

(inside) to (outside) source dynamic LAN interface

which would override your dynamic translation for just the two servers.

So you would need to move the above rule to section 3 eg.

nat (inside,outside) after-auto dynamic LAN interface

Whichever you choose you are going to have to move some NAT rules around I'm afraid.

Jon

I don't think it would ever

Jon Marshall — Thu, 19 Mar 2015 19:08:22 GMT

I don't think it would ever get there because there is a general dynamic rule in section 2 for all LAN IPs.

Jon

Hello, Remove all current nat

jeevak mukadam — Thu, 19 Mar 2015 19:14:08 GMT

Hello,

Remove all current nat statement and try as following.

object network server-2
host 192.168.1.2
nat (inside,outside) static 12.34.56.1 service tcp 443 443

object network server-3
host 192.168.1.3
nat (inside,outside) static 12.34.56.1 service tcp 80 80

object network server-4
host 192.168.1.4
nat (inside,outside) static 12.34.56.2

object network server-10
host 192.168.1.10
nat (inside,outside) static 12.34.56.3

object network server-50
host 192.168.1.5
nat (inside,outside) static 12.34.56.4

object network LAN
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) 5 source dynamic any interface

access-list outside_access extended permit tcp any object server-2 eq https
access-list outside_access extended permit tcp any object server-3 eq www
access-list outside_access extended permit ip any object server-4
access-list outside_access extended permit ip any object server-10
access-list outside_access extended permit ip any object server-50

access-group outside_access in inerface outside

Jeevak,

Just for your reference there

Jon Marshall — Thu, 19 Mar 2015 19:14:33 GMT

Just for your reference there is a great document if you haven't already seen it that covers NAT and the ordering and helps explain your issue.

It also has recommendations as to which sections certain NAT rules should go -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Jon

John is right, your all

jeevak mukadam — Thu, 19 Mar 2015 19:17:07 GMT

John is right, your all traffic match at section-2

Jeevak,

JeevakThat's not what he

Jon Marshall — Thu, 19 Mar 2015 19:20:15 GMT

Jeevak

That's not what he wants though.

He doesn't want server-2 and server-3 to use the outside interface IP when they access the internet.

So you need dynamic NAT for those two servers and this is where the problem is.

Jon

Sorry Jon, I did not see your

mlovellette — Thu, 19 Mar 2015 19:22:24 GMT

Sorry Jon, I did not see your comment from earlier and yes you are correct.