Nat doubts

XIE YAO — Tue, 12 Mar 2019 02:11:15 GMT

Hi Experts,

I come across this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml?referring_site=smartnavRD

In the scenario 1, it mentions the nat configuration is as below:

nat (inside,outside) source dynamic IPS-management IPS-management interface
 
nat (inside,outside) static IPS-management ASA-outside service tcp 443 65432

I wonder why it should be configured like this.

The first configuration seems very confusing, it's a source dynamic nat, but the real and map source ip are the same, then it also has a PAT interface fallback, why it's needed?

The second configuration make sense, it just nat the IPS interface to outside.

Thanks for your advice.

Best Regards

Xie Yao

Re: Nat doubts

Jouni Forss — Fri, 12 Jul 2013 08:14:08 GMT

Hi,

Havent had to setup an ASA5500-X series IPS myself. So there are some new things there for me too.

It seems to me that the Scenario 1 has a setup where both the "inside" and management interfaces have been connected to the same L2 switch. Management is used for IPS and "inside" as a normal Data interface. Both are in the same subnet.

I dont quite grasp the idea of the NAT configurations either.

Lets see the first one

nat (inside,outside) source dynamic IPS-management IPS-management interface

To my understanding in this command the keyword "interface" is useless. We have one real source address and one mapped source address. To my understanding the translation will always use the mapped address object for translation as we have only specified single source address for the translation. So I dont really know what the "interface" is used there for.

I would imagine though that this command should enable Internet access for the actual IPS module that is connected to the "inside" network also.

I would probably try to configure it as

nat (inside,outside) source dynamic IPS-management interface

Now the second command

nat (inside,outside) static IPS-management ASA-outside service tcp 443 65432

While I can understand the purposes of this command it seems to me to have 2 major flaws. First, its missing the "source" parameter from the command start. Second, you can use the "outside" interface IP address inside an "object network" and then use that "object" in the NAT configuration. The ASA wont accept that NAT policy

The command is supposed to enable managing the IPS from "outside" using the IP address of the "outside" interface. The public facing port is TCP/65432 and the actual real port is TCP/443

To me it seems that this configuration should be

nat (inside,outside) source static IPS-management interface service tcp 443 65432

I also wonder what the purpose of the ACL configurations in the Scenario 1 are.

Other ACL suggest that its a global ACL and allows management connections. The other ACL also suggest that its global ACL but allows EVERYTHING. Yet we are not given any "access-group" command to determine which is used.

Unless I am missing something essential, the document seems to be handing quite wrong or faulty information

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Re: Nat doubts

XIE YAO — Sat, 13 Jul 2013 02:57:57 GMT

Thanks a lot Jouni for your time, I agree with you that this Cisco should review this document, there are too many points missing and confusing.

I've already clicked "No" in the feedback of this article, hope someone will look into it.

Best regards

Xie Yao

topic Nat doubts in Network Security

Nat doubts

Re: Nat doubts

Re: Nat doubts