topic Re: DST-NAT Query in Network Security

DST-NAT Query

marcusbrutus — Tue, 12 Mar 2019 02:53:04 GMT

Hi Experts,

Given a scenario where I have a hosts say 10.1.1.0/24 on the inside interface of the ASA (code 8.3 above), and a DMZ proxy with IP say 192.168.1.1 and an outside interface as usual, if I create the below manual nat statement, will traffic flow from inside host to DMZ proxy and out the outside interface?

(I am asking cause the ASA doesn't have a route-map/PBR and I wish to redirect traffic to the DMZ proxy before leaving out the outside interface).

object network mypublicIP
host 1.1.1.1

object network myhosts
subnet 10.1.1.0 255.255.255.0

object network myproxy
host 192.168.1.1
nat(dmz,out) dynamic mypublicIP

object network dst-any
subnet 0.0.0.0 0.0.0.0

nat (inside,dmz) source dynamic myhosts myhosts destination static dst-any myproxy

*ACLs are in place to allow all traffic in this example.

DST-NAT Query

marcusbrutus — Wed, 16 Oct 2013 21:52:47 GMT

*A default route to the outside is already in place.

Re: DST-NAT Query

Jouni Forss — Wed, 16 Oct 2013 22:15:37 GMT

Hi,

I would imagine that a Proxy setup should be handled with something else than resorting to NAT?

The configuration does seem to have the right idea with regards to forwarding traffic destined to any destination address to the single host.

I have had situations where your "dst-any" object has simply not worked with the NAT configuration so I have used an alternative.

Here is an example configuration where I forward traffic from my WLAN network to a single LAN host no matter what the destination IP address

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

object network HOST

host 10.0.0.100

object network WLAN

subnet 10.0.255.0 255.255.255.0

nat (WLAN,LAN) source static WLAN WLAN destination static ALL HOST

Though the thing with this configuration is that it forwards ALL traffic.

With a minor change it could be changed to match only TCP/80 and TCP/443 (actually 2 "nat" commands)

object service WWW

service tcp destination eq www

object service HTTPS

service tcp destination eq https

nat (WLAN,LAN) source static WLAN WLAN destination static ALL HOST service WWW WWW

nat (WLAN,LAN) source static WLAN WLAN destination static ALL HOST service HTTPS HTTPS

This would forward the traffic to the destination host. Rest would be up to the server

- Jouni

DST-NAT Query

marcusbrutus — Thu, 17 Oct 2013 14:19:04 GMT

Hi Jouni,

Appreciate the reply.

Could you confirm that traffic is indeed redirected to the host?

If this is the case then I believe this would solve the route-map limitation on the ASA. This has always been a major design consideration why most companies prefer ScreenOS.

DST-NAT Query

Jouni Forss — Thu, 17 Oct 2013 14:23:06 GMT

Hi,

I tested it simply by sending ICMP Echo to the destination IP address 8.8.8.8 (any address should do outside the source network since all destination addresses should be NATed to one single host)

I then opened the Wireshark on the actual destination host and saw ICMP coming from the source host.

I could probably post some Wireshark pictures and outputs from the ASA later today to confirm it.

But it does seem that it forwarded all traffic to the single host.

- Jouni

Re: DST-NAT Query

Jouni Forss — Thu, 17 Oct 2013 16:58:29 GMT

Hi,

So here are some ouputs/pictures of the setup

This is the interface configuration on the ASA

interface Vlan1

description LAN

nameif LAN

security-level 100

ip address 10.0.10.2 255.255.254.0

route LAN 10.0.0.0 255.255.255.0 10.0.10.1 1

interface Vlan20

description WLAN

nameif WLAN

security-level 100

ip address 10.0.255.1 255.255.255.0

This is the NAT configuration mentioned already above

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

object network HOST

host 10.0.0.100

object network WLAN

subnet 10.0.255.0 255.255.255.0

nat (WLAN,LAN) source static WLAN WLAN destination static ALL HOST

Here is the view from my iPad on the WLAN network doing ICMP to the destination IP of 8.8.8.8 (click to enlarge)

There are some packet loss here as I started the ICMP before I entered the NAT configurations again. There also seemed to be connectivity problems with the iPad at the start and had to reconnect it to the network again.

Here is what we see on the ASA

ICMP WLAN:10.0.255.12/12564 (10.0.255.12/12564) LAN:10.0.0.100/0 (8.8.8.8/0), idle 0s, uptime 0s, timeout 2s, bytes 56

Here is capture from the destination host specified in the "object network HOST" (click to enlarge)

If I were to remove the original "nat" configuration and add the ones for TCP/80 and TCP/443 I see this

TCP WLAN:10.0.255.12/60799 (10.0.255.12/60799) LAN:10.0.0.100/80 (8.8.8.8/80), flags UIOB, idle 14s, uptime 14s, timeout 1h0m, bytes 376

For both ports (HTTP/HTTPS) we can confirm with "packet-tracer" that the traffic is forwarded correctly.

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (WLAN,LAN) source static WLAN WLAN destination static ALL HOST service WWW WWW

Additional Information:

NAT divert to egress interface LAN

Untranslate 8.8.8.8/80 to 10.0.0.100/80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (WLAN,LAN) source static WLAN WLAN destination static ALL HOST service HTTPS HTTPS

Additional Information:

NAT divert to egress interface LAN

Untranslate 8.8.8.8/443 to 10.0.0.100/443

Hope these clarifies the setup

Please remember to mark a reply as the correct answer if it answered your question and/or rate helpfull answers.

Feel free to ask more if needed.

- Jouni

DST-NAT Query

marcusbrutus — Thu, 17 Oct 2013 19:14:11 GMT

Hi Jouni,

Thanks so much!!!

I will simulate the same when I get the chance.

But this sounds promising! Hope this resolves the PBR limitation.