topic Please help !!! in Network Security

Please help !!!

Rohit Mangotra — Tue, 12 Mar 2019 02:32:36 GMT

We were running Cisco ASA 5520 version 5.2 at the moment, and now we are upgrading to ASA 5525 X series version 8.6. Below is the sample code that I have attached, could anyone please tell me if I am doing this right? Thank you very much.

current version 5.1

global (outside) 2 202.190.70.80

global (dmz) 2 192.168.1.59

nat (inside) 2 172.16.2.0 255.255.255.252

nat (inside) 2 172.16.5.0 255.255.255.0

nat (inside) 2 172.16.10.0 255.255.255.0

nat (inside) 2 172.16.108.0 255.255.255.192

nat (inside) 2 172.16.108.64 255.255.255.192

nat (inside) 2 172.20.1.0 255.255.255.0

nat (inside) 2 172.30.1.0 255.255.255.0

nat (inside) 2 192.168.128.0 255.255.255.252

nat (inside) 2 192.168.129.0 255.255.255.252

nat (dmz) 2 192.168.1.0 255.255.255.0

------------------------------------------------------------------------------------------------

To new ASA version 8.6

nat (inside) 2 172.16.2.0 255.255.255.252

>> object network obj-172.16.2.0

subnet 172.16.2.0 255.255.255.252

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.16.5.0 255.255.255.0

>> object network obj-172.16.5.0

subnet 172.16.5.0 255.255.255.0

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.16.10.0 255.255.255.0

>> object network obj-172.16.10.0

subnet 172.16.10.0 255.255.255.0

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.20.1.0 255.255.255.0

>> object network obj-172.20.1.0

subnet 172.20.1.0 255.255.255.0

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.30.1.0 255.255.255.0

>> object network obj-172.30.1.0

subnet 172.30.1.0 255.255.255.0

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.16.108.0 255.255.255.192

>> object network obj-172.16.108.0

subnet 172.16.108.0 255.255.255.192

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 172.16.108.64 255.255.255.192

>> object network obj-172.16.108.64

subnet 172.16.108.64 255.255.255.192

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 192.168.128.0 255.255.255.252

>> object network obj-192.168.128.0

subnet 192.168.128.0 255.255.255.252

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (inside) 2 192.168.129.0 255.255.255.252

>> object network obj-192.168.129.0

subnet 192.168.129.0 255.255.255.252

nat (inside,outside) dynamic 202.190.70.80

nat (inside,dmz) dynamic 192.168.1.59

nat (dmz) 2 192.168.1.0 255.255.255.0

>> object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

nat (dmz,outside) dynamic 202.190.70.80

nat (dmz,dmz) dynamic 192.168.1.59

Please help !!!

Jouni Forss — Fri, 30 Aug 2013 07:07:45 GMT

Hi,

The first thing to notice is that you can only have a SINGLE "nat" statement under an "object network" so that configuration you propose wont work.

What you could try are the following

object-group network INSIDE-PAT-SOURCE

network-object 172.16.2.0 255.255.255.252

network-object 172.16.5.0 255.255.255.0

network-object 172.16.10.0 255.255.255.0

network-object 172.16.108.0 255.255.255.192

network-object 172.16.108.64 255.255.255.192

network-object 172.20.1.0 255.255.255.0

network-object 172.30.1.0 255.255.255.0

network-object 192.168.128.0 255.255.255.252

network-object 192.168.129.0 255.255.255.252

object network OUTSIDE-PAT-IP

host 202.190.70.80

object network DMZ-PAT-IP

host 192.168.1.59

nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE OUTSIDE-PAT-IP

nat (inside,dmz) after-auto source dynamic INSIDE-PAT-SOURCE DMZ-PAT-IP

The above configuration should handle Dynamic PAT from "inside" to "outside" and from "inside" to "dmz". Though I personally rather not configure any dynamic NAT/PAT between my local interfaces but I assume you have some reason for it, perhaps related to routing behind "dmz"

object-group network DMZ-PAT-SOURCE

network-object 192.168.1.0 255.255.255.0

nat (dmz,outside) after-auto source dynamic DMZ-PAT-SOURCE OUTSIDE-PAT-IP

The above configuration should handle Dynamic PAT from "dmz" to "outside".

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Please help !!!

Rohit Mangotra — Fri, 30 Aug 2013 07:33:18 GMT

Thanks a lot Jouni for the quick reply. Based on your suggestion that we can not use more than one NAT statement under Object Network. Can we do the following way?

nat (inside) 2 172.16.2.0 255.255.255.252

>> object network obj-172.16.2.0

subnet 172.16.2.0 255.255.255.252

nat (inside,outside) dynamic 202.190.70.80

object network obj-172.16.2.0-01

subnet 172.16.2.0 255.255.255.252

nat (inside,dmz) dynamic 192.168.1.59

Furthermore, I am not familiar with after-auto source dynamic command yet. I will do bit more reading on this one. However, the way you suggest seems straight forward and easy to follow.

Thank You,

Regards

Rohit.

Please help !!!

Jouni Forss — Fri, 30 Aug 2013 07:41:49 GMT

Hi,

Yes, you could do it in the above way but in my opinion it just generates so much more configurations that it makes the configuration messy and harder to read.

The example I gave only generates 3 actual NAT configurations along with the couple of "object-group" and "object" and achieves all the same things.

The NAT configuration format that I use are basically Manual NAT while your examples are Auto NAT.

Manual NAT is by default Section 1, which means its matched first from all the NAT configurations. With an "after-auto" parameter in the configuration its moved to Section 3 which essentially lowers it to the very bottom priority when matching NAT rules/configurations.

The Auto NAT is always Section 2 which places it to the middle in terms of priority when matching NAT rules/configurations)

One big different with Auto NAT and Manual NAT is the fact that Manual NAT can NAT both the source and the destination address. That is why you are seeing parameters like "source dynamic".

There is some more information related to the new NAT on a document I wrote here on CSC

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Please help !!!

Rohit Mangotra — Fri, 30 Aug 2013 08:45:10 GMT

Thanks a lot Jouni for quick reply. I think I need to read a bit more on this.

Please help !!!

Rohit Mangotra — Wed, 04 Sep 2013 04:32:16 GMT

Hi Jouni,

Just one more question I want to confirm:

Currently, we have the VPN concentrator behind ASA 5.1. As mentioned, we are going to upgrade to version 8.6. Could you please have a look at the following static NAT transformation if it is correct or not.

interface GigabitEthernet0/2.31

vlan 31

nameif vpn_private

security-level 75

ip address 172.31.0.1 255.255.255.240

interface GigabitEthernet0/2.67

vlan 67

nameif vpn_public

security-level 75

ip address a.b.c.177 255.255.255.240

1) static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

2) static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

3) static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

4) static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

5) static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0

6) static (vpn_public,outside) a.b.c.176 a.b.c.176 netmask 255.255.255.240

7) static (vpn_public,inside) a.b.c.176 a.b.c.176 netmask 255.255.255.240

Change to

1) object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

nat (dmz,vpn_private) static obj-192.168.1.0

2) object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

nat (dmz,vpn_public) static obj-192.168.1.0

3) object network obj-172.16.0.0

subnet 172.16.0.0 255.255.0.0

nat (inside,vpn_private) static obj-172.16.0.0

4) object network obj-172.16.0.0

subnet 172.16.0.0 255.255.0.0

nat (inside,vpn_public) static obj-172.16.0.0

5) object network obj-172.31.0.0

subnet 172.31.0.0 255.255.0.0

nat (vpn_private,inside) static obj-172.31.0.0

6) object network obj-a.b.c.176

subnet a.b.c.176 255.255.255.240

nat (vpn_public,outside) static obj-a.b.c.176

7) object network obj-a.b.c.176

subnet a.b.c.176 255.255.255.240

nat (vpn_public,inside) static obj-a.b.c.176

Thanks a lot for all your help.

Kind Regards

Rohit

Re: Please help !!!

Jouni Forss — Wed, 04 Sep 2013 06:31:05 GMT

Hi,

All of those configurations would seem to be Static Identity NAT. Essentially used in the current setup to enable traffic without doing NAT to the source/destination IP address.

I usually leave out those "static" configurations completely and wont create any configurations to replace them.

Though I usually like to look at the whole setup before making decisions or leaving any configurations off the migration configuration. I am not completely sure what the "static" configurations that are between your local interfaces and the public VPN interface. Typically the VPN public interface would only have NAT configurations towards the outside interface.

- Jouni

Please help !!!

Rohit Mangotra — Thu, 05 Sep 2013 00:43:20 GMT

Thanks Jouni for your reply.