topic NAT object with destination address exclusion (ASA) in Network Security

NAT object with destination address exclusion (ASA)

mareks-vader — Tue, 12 Mar 2019 02:51:38 GMT

Hello,

can you please advice how to make a NAT object where I want map all traffic from one address a.b.c.d to address x.y.v.z exluding that traffic which is going to k.l.m.n.

It is like this BSD rule:

map xl3 from a.b.c.d/24 ! to k.l.m.n/13 -> x.y.v.z/32

Thank you.

NAT object with destination address exclusion (ASA)

Jouni Forss — Sun, 13 Oct 2013 12:19:20 GMT

Hi.

I am not sure I understand your question completely.

Are you saying that you simply want to map a certain host address to something else when it going to a certain destination address? If so you can naturally configure this with Manual NAT. This Manual NAT would only apply when traffic is coming from certain source address and going to certain destination address. All other traffic would have some other NAT rule applied.

You can't really exclude anything from a NAT configurations in the new ASA software levels (8.3 and above). You simply configure the NAT to be as specific as it can to apply to only the certain traffic you want.

The older software levels (8.2 and below) I think had some changes to exclude some traffic from a NAT rule but even then it had pretty limited options.

So I think we need a bit clarification on what the actual setup requirement is (atleast I do )

- Jouni

NAT object with destination address exclusion (ASA)

mareks-vader — Sun, 13 Oct 2013 12:29:01 GMT

Jouni, thank you for quick reply.

It is that I´m new in this, and reading a manual is not helping me. I can do a simple rule like

object network obj_name

host a.b.c.d

nat (GE0/1,any) static x.y.v.z service tcp no1 no2

Which I simply understand that it is maping outgoing ip a.b.c.d to x.y.v.z

What I need is that firewall will look on packet and if it would go to destination ip k.l.m.n it won ´t translate address a.b.c.d to x.y.v.z

Or maybe I´m confused a lot 🙂

-Marek

NAT object with destination address exclusion (ASA)

Jouni Forss — Sun, 13 Oct 2013 12:42:45 GMT

Hi,

Seems that your original NAT rule above is a Static PAT configuration.

Its also configured that this translation will apply to any destination interface. I personally tend to use only the required destination interface in the "nat" command so that it doesnt apply to traffic from other interfaces.

So to know that I am giving the right instructions I would need to know behind which interface are the destination networks to which your example NAT should apply to and behind which interface is the destination k.l.m.n address that this NAT should not apply to?

I am still a bit confused on the NAT configuration you have provided. Its a Static PAT configurations that is usually configured to enable connections incoming from the destination interface of the command and it usually doesnt apply to connections formed from the source host a.b.c.d (except when its replying to the connection coming from behind the other interface)

If you had said that you had this Static NAT configurations (that doesnt mention the service)

object network obj_name

host a.b.c.d

nat (GE0/1,any) static x.y.v.z

Then the example would have been clearer.

Just to give an example

I have a Static NAT configurations that binds a local address to public address

object network STATIC

host 10.10.10.10

nat (LAN,WAN) static 1.1.1.1

Now if the host 10.10.10.10 connects to any network behind interface "WAN" it will always have this NAT applied.

If we want to avoid this from happening and have some certain destination IP address to which we dont want to do any translation then we would configure

object network DESTINATION

host k.l.m.n

object network HOST

host 10.10.10.10

nat (LAN,WAN) source static HOST HOST destination DESTINATION DESTINATION

The above configure is most commonly used in situation where the host needs to be contacted from behind a VPN Client or L2L VPN Connection.

- Jouni

NAT object with destination address exclusion (ASA)

mareks-vader — Sun, 13 Oct 2013 13:04:02 GMT

Hi Jouni,

so when I have this BSD rule:

map xl2 from 192.168.1.0/24 ! to 10.50.0.0/13 -> 90.162.12.2/32

where xli1 is LAN and xl2 is WAN

it should be like this?:

object netwok HOST

subnet 192.168.1.0 255.255.255.0

object netwok EXCLUDE

subnet 10.50.0.0 255.240.0.0

nat (xl1,xl2) source static HOST destination 90.162.12.2

nat (xl1,xl2) source static HOST HOST destination EXCLUDE EXCLUDE

???

Thanks,

Marek

Re: NAT object with destination address exclusion (ASA)

Jouni Forss — Sun, 13 Oct 2013 13:16:08 GMT

Hi,

I have no idea about BSD rules myself. I guess it refers to an actual PC OS?

But if you have a Static NAT configured for a SINGLE host and want to avoid that Static NAT being applied when the host in question connects to a certain destination network/host (or even multiple different networks/hosts) then you would configure

Static NAT

This is the Static NAT configurations for the actual host that might already exists

object network STATIC

host

nat (xl1,xl2) static

NONAT / NAT0 / NAT Exempt

This configuration is the NAT configuration with which we want to avoid the above Static NAT being applied to the host when it connects to a certain network.

object network NONAT-DESTINATION

subnet

object network NONAT-SOURCE

host

nat (xl1,xl2) source static NONAT-SOURCE NONAT-SOURCE destination static NONAT-DESTINATION NONAT-DESTINATION

In the above configuration we first define Static NAT for IP address to the NAT IP address of

We also have a requirement that the above Static NAT should not apply for this when the destination is therefore we configure another NAT configuration that is on a higher priority in the ASAs NAT configurations and will therefore override the Static NAT in the cases we need.

Hope this made sense

- Jouni

NAT object with destination address exclusion (ASA)

mareks-vader — Sun, 13 Oct 2013 13:23:23 GMT

Great, this means sense to me now.

Just one question that higher priority is because that Static NAT is made inside the object STATIC and the second rule is made outside any object?

Thank you very much, appreciate your help.

Marek

Re: NAT object with destination address exclusion (ASA)

Jouni Forss — Sun, 13 Oct 2013 13:31:10 GMT

Hi,

Its a bit hard to explain

I did write a document here on the Cisco Support Community about this new NAT configuration format, even though it doesnt yet answer all the questions.

You can look at it here

https://supportforums.cisco.com/docs/DOC-31116

It explains the order of NAT configurations

But to explain the same thing here it would basically be this

There are essentially 2 type of NAT configurations in the new ASA software.

There is Auto NAT / Network Object NAT which are configured inside "object network"
There is Manual NAT / Twice NAT wich are NOT configured inside any object. They on the other hand use "object network" and "object-group network" to define the conditions to for the NAT.

There are also 3 Sections of NAT configurations

Section 1 is the highest and first matched NAT configuration and its Manual NAT / Twice NAT (like the NAT0 example above)
Section 2 is the next in priority and its configured with Auto NAT / Network Object NAT only!
Section 3 is the lowest priority and its configured with Manual NAT / Twice NAT. A Manual NAT / Twice NAT configuration is consider to be Section 3 when you add an "after-auto" parameter to the command. Otherwise the configuration is identical to the Section 1. The "after-auto" refers to the fact that these rules come after the Auto NAT
- nat (xl1,xl2) after-auto source static NONAT-SOURCE NONAT-SOURCE destination static NONAT-DESTINATION NONAT-DESTINATION (even though configuring this with so low priority wouldnt really make sense)

Hope that made sense

Please do remember to mark a reply as the correct answer if it answered your question and rate helpfull answers.

Feel free to ask more if needed though

- Jouni

NAT object with destination address exclusion (ASA)

mareks-vader — Sun, 13 Oct 2013 13:52:25 GMT

Amazing, now I understand it well and I can do some more difficult things.

I want to translate all udp and tcp traffic from 172.50.20.0/24 to 90.160.12.2 but to ports 20001-30000 is this correct after our discussion?

object netwok SOURCE

subnet 172.50.20.0 255.255.255.0

object service UDP_IN

service udp source any

object service UDP_OUT

service udp source range 20001 30000

object service TCP_IN

service tcp source any

object service TCP_OUT

service tcp source range 20001 30000

nat (inside, outside) source static SOURCE 90.160.12.2 service UDP_IN UDP_OUT

nat (inside, outside) source static SOURCE 90.160.12.2 service TCP_IN TCP_OUT

Thank you,

Marek

NAT object with destination address exclusion (ASA)

Jouni Forss — Sun, 13 Oct 2013 14:05:51 GMT

Hi,

I think again we have to clarify a bit what you want to actually do so I can give an accurate answer. If I understood you correctly you have used some other device to do NAT before Cisco firewalls so we might be talking about the same things but with a bit different terms/logic

Do you want to

Translate the SOURCE network 172.50.20.0/24 to the PAT IP address 90.160.12.2 when the SOURCE network is connecting to ports TCP/UDP 20001-30000

OR Do you want to

Translate the SOURCE network 172.50.20.0/24 to the PAT IP address 90.160.12.2 and be visible to the hosts behind "outside" interface with TCP/UDP ports 20001-30000

OR something else perhaps?

- Jouni

NAT object with destination address exclusion (ASA)

mareks-vader — Sun, 13 Oct 2013 14:10:10 GMT

Jouni,

the second one is what I actualy want to do.

Thank you,

Marek

NAT object with destination address exclusion (ASA)

Jouni Forss — Sun, 13 Oct 2013 15:33:10 GMT

Hi,

I think I have gotten this to work better with some configuration but couldnt find that post.

I would imagine this is not some configuration I would want to suggest to anyone without having doubts of its actual performance and reliability.

object service TCP-REAL-PORTS

service tcp source range 0 65535

object service TCP-MAPPED-PORTS

service tcp source range 20001 30000

object service UDP-REAL-PORTS

service udp source range 0 65535

object service UDP-MAPPED-PORTS

service udp source range 20001 30000

object netwok SOURCE

subnet 172.50.20.0 255.255.255.0

object network PUBLIC

host 90.160.12.2

nat (inside,outside) source static SOURCE PUBLIC service TCP-REAL-PORTS TCP-MAPPED-PORTS

nat (inside,outside) source static SOURCE PUBLIC service UDP-REAL-PORTS UDP-MAPPED-PORTS

When testing traffic from "inside" to "outside" with the "packet-tracer" command it seemed to operate the way you wanted but I am still not really convinced.

Will have to see if I can find the older thread/discussion where I made a similiar configuration.

- Jouni

NAT object with destination address exclusion (ASA)

mareks-vader — Sun, 13 Oct 2013 16:23:42 GMT

Jouni,

seems like you purified what I wrote above, so I think it should work now with you right and legit commands.

Thank you again.

Marek