topic Re: ASA 5515-x Static NAT & PAT in Network Security

ASA 5515-x Static NAT & PAT

emily00001 — Tue, 12 Mar 2019 03:49:18 GMT

I'm trying to set up remote access to some computers behind this firewall without success. The way I tried to set-up remote access is basically covered within the following lines (in this case a test to the snmp server's port 80). Any help or guidance would be appreciated 😃

object network centos-snmp

host 10.10.1.10

access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www

object network centos-snmp

nat (inside,outside) static interface service tcp www www

access-group outside-to-centos-snmp in interface outside

ciscoasa# packet-tracer input outside tcp 1.2.3.4 www 10.10.1.10 www

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.10.1.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

This is the configuration I'm currently running with the sensitive information removed from this post:

: Saved

ASA Version 9.1(1)

hostname ciscoasa

enable password abcd encrypted

passwd abcd encrypted

names

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 1.2.3.4 255.255.255.0

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

interface GigabitEthernet0/1.1

description Inside Main VLAN

vlan 1

nameif inside

security-level 100

ip address 10.10.1.1 255.255.255.0

interface GigabitEthernet0/1.2

description Inside Guest

vlan 2

nameif guest

security-level 10

ip address 10.10.2.1 255.255.255.0

interface GigabitEthernet0/1.3

description Inside Office

vlan 3

nameif office

security-level 30

ip address 10.10.3.1 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

object network centos-snmp

host 10.10.1.10

object-group network Inside-Networks

network-object 10.10.1.0 255.255.255.0

object-group network Guest-Networks

network-object 10.10.2.0 255.255.255.0

object-group network Office_Inside-Networks

network-object 10.10.3.0 255.255.255.0

access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www

pager lines 24

logging asdm informational

mtu management 1500

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu office 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (guest,outside) source dynamic Guest-Networks interface

nat (office,outside) source dynamic Office_Inside-Networks interface

nat (inside,outside) source dynamic Inside-Networks interface

object network centos-snmp

nat (inside,outside) static interface service tcp www www

access-group outside-to-centos-snmp in interface outside

route outside 0.0.0.0 0.0.0.0 1.2.3.4 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable 4443

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

snmp-server host inside 10.10.1.10 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh 10.10.1.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd domain mydomain.com

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

dhcpd address 10.10.2.21-10.10.2.254 guest

dhcpd dns 11.22.33.44 55.66.77.88 interface guest

dhcpd enable guest

dhcpd address 10.10.1.21-10.10.1.254 inside

dhcpd dns 11.22.33.44 55.66.77.88 interface inside

dhcpd option 43 hex f1040a0a0102 interface inside

dhcpd enable inside

dhcpd address 10.10.3.21-10.10.3.254 office

dhcpd dns 11.22.33.44 55.66.77.88 interface office

dhcpd enable office

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username emily password abcde encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

password encryption aes

Cryptochecksum:abcde

: end

Re: ASA 5515-x Static NAT & PAT

Veronika Klauzova — Sun, 23 Feb 2014 22:36:24 GMT

Hello,

first of all you need to move your PAT entries to after-auto NAT table section:

no nat (inside,outside) source dynamic Inside-Networks interface
no nat (office,outside) source dynamic Office_Inside-Networks interface
no nat (guest,outside) source dynamic Guest-Networks interface




sh run nat
!
object network centos-snmp
 nat (inside,outside) static interface service tcp www www
!
nat (inside,outside) after-auto source dynamic Inside-Networks interface
nat (office,outside) after-auto source dynamic Office_Inside-Networks interface
nat (guest,outside) after-auto source dynamic Guest-Networks interface

NAT table will look like this:

sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static centos-snmp interface   service tcp www www
    translate_hits = 1, untranslate_hits = 2
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic Inside-Networks interface
    translate_hits = 0, untranslate_hits = 0
2 (office) to (outside) source dynamic Office_Inside-Networks interface
    translate_hits = 0, untranslate_hits = 0
3 (guest) to (outside) source dynamic Guest-Networks interface
    translate_hits = 0, untranslate_hits = 0

You can test your configuration with following packet-tracer simulation command. Please keep in mind that 8.8.8.8 is source IP address and source port is random for example 1025 and destination IP address is IP address of your outside interface. Once the traffic will match IP address of your outside interface and destination port 80 traffic will be translated towards your host on inside network 10.10.1.10 and port 80:

packet-tracer input outside tcp 8.8.8.8 1025 1.2.3.4 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network centos-snmp
 nat (inside,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/80 to 10.10.1.10/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-to-centos-snmp in interface outside
access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic Inside-Networks interface
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network centos-snmp
 nat (inside,outside) static interface service tcp www www
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

I hope that it helps. For more information I recommend to read this document:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

Kind regards,

Veronika

ASA 5515-x Static NAT & PAT

emily00001 — Sun, 23 Feb 2014 23:55:05 GMT

Thank you Veronika,

This helped, I had attempted to use the after-auto parameter but only on the nat that related directly to the network that the computer was on. Also thank you for clarifying the packet-tracer component of ASA as I had this wrong.

Best regards,

Emily