topic Policy Based PAT in Network Security

Policy Based PAT

steve martin — Tue, 12 Mar 2019 03:40:40 GMT

Hello,

I'm having a problem setting up a policy based pat. I 'll tell you what I tried to do and then you can advise me if this is correct. This is on a

ASA 8.6 5540.

We are trying to access a webpage that an application running on port 8080, external to my firewall on 172.53.16.17. The partner organisation wants the source address to be 172.53.130.17 and is dropping anything which has an internal ip address. I therefore followed the example on the cisco website

object network PAT-SOURCE ( my lan)
subnet 172.30.0.0 255.255.0.0

object network PAT-SOURCE-MAPPED (the transition)
host 172.53.130.17

object network PAT-DESTINATION (the app)
host 172.53.16.17

object service SERVICE ( the service which translates the www traffic to 8080)
service tcp source eq www destination eq 8080

When I run the following command

nat (inside,outside) source static PAT-SOURCE PAT-SOURCED-MAPPED destination static PAT-DESTINATION PAT-DESTINATION service SERVICE SERVICE

I receive the following error-

ERROR: PAT-SOURCED-MAPPED doesn't match an existing object or object-group

Any help would greatly appreciated.

Re: Policy Based PAT

Jouni Forss — Wed, 05 Feb 2014 13:29:55 GMT

Hi,

The ERROR messages states that you are using the "object" or "object-group" name that doesnt exist.

Notice that you have typed it wrong

The command has PAT-SOURCED-MAPPED

The actual "object" is named PAT-SOURCE-MAPPED

Though I think you might have to change the "object" name a bit because of other reasons. The that reason is that you should probably change the NAT to be a Dynamic Policy PAT by changing the "source static" to "source dynamic" and because of this the "object" name starting with PAT might confuse the ASA. Or atleast I think I had such a problem in the past.

To me it seems that there are some things that need to be changed in the configurations.

"source static" -> "source dynamic"
PAT-SOURCE-MAPPED --> MAPPED-IP (for example)
"object service" needs redoing
Because of the above changes the actual "nat" command needs changes

I would suggest the following configuration

object network PAT-SOURCE
subnet 172.30.0.0 255.255.0.0

object network MAPPED-IP
host 172.53.130.17

object network PAT-DESTINATION
host 172.53.16.17

object service TCP-80
service tcp destination eq 80

object service TCP-8080

service tcp destination eq 8080

nat (inside,outside) source dynamic PAT-SOURCE MAPPED-IP destination static PAT-DESTINATION PAT-DESTINATION service TCP-8080 TCP-80

The above configuration does so that when connection is coming from PAT-SOURCE and going to PAT-DESTINATION with the destination port TCP-80 then the source address will be NATed to MAPPED-IP and the destination port will be UN-NATed to TCP-8080

If I missunderstood the purpose of the NAT configuration (according to the above description I gave) then please correct me.

Hope this helps

Let me know how it goes

- Jouni

Policy Based PAT

steve martin — Wed, 05 Feb 2014 14:17:14 GMT

Thanks for your help, I've spend two days looking at it and I still had typo's. Works a treat.