topic NAT conversion help!? in Network Security

NAT conversion help!?

Fergal Meehan — Tue, 12 Mar 2019 01:42:31 GMT

Hi,

I've been tasked with upgrading a PIX running v6.4 to an ASA5515X running v9.0...

I've done a few previous upgrades manually (rewrite the entire config) and all good but there is a piece of static NAT that has me confused.

How should the following look in the new config... The 10.47.0.216 has to NAT the entire object group behind the 172.19.130.2 address. Not sure of how to do this conversion with the access-list in there.

name 172.19.130.2 TS-SERVER

interface GigabitEthernet0/0

description *** OUTSIDE ***

nameif outside

interface GigabitEthernet0/2

description *** DMZ ***

nameif dmz-mgmt

object-group network CUST_LA

network-object 10.45.0.125 255.255.255.255

network-object 10.64.0.176 255.255.255.255

network-object 10.33.0.29 255.255.255.255

network-object 10.51.0.26 255.255.255.255

access-list LGCSB_NAT1 permit ip host 172.19.130.2 object-group CUST_LA

static (dmz-mgmt,outside) 10.47.0.216 access-list LGCSB_NAT1 0 0

Thanks

Fergal

NAT conversion help!?

Jouni Forss — Mon, 13 May 2013 12:24:19 GMT

Hi,

The configuration should look something like this

object-group network CUST_LA

network-object host 10.45.0.125

network-object host 10.64.0.176

network-object host 10.33.0.29

network-object host 10.51.0.26

object network CUST_LA_NATIP

host 10.47.0.216

object network CUST_LA_SOURCEIP

host 172.19.130.2

nat (dmz-mgmt,outside) source static CUST_LA_SOURCEIP CUST_LA_NATIP destination static CUST_LA CUST_LA

The above basically NATs IP 172.19.130.2 to IP 10.47.0.216 WHEN the destination is ANY of the IPs configured under CUST_LA.

Hope this helps

Remember to mark the reply as the correct answer if it answered your question. And/or rate helpfull answers.

Ask more if needed

- Jouni

Re: NAT conversion help!?

Fergal Meehan — Mon, 13 May 2013 12:36:56 GMT

Thanks Jouni,

That makes sense... One small question I have though is:

The 'object network CUST_LA_SOURCEIP' [172.19.130.2] is already part of a one to one NAT to another public address off the 'outside' interface for other external services. Will this matter? The NAT for the query that you answered above is part of a VPN to another customer.

object network OBJ-172.19.130.2

nat (dmz-mgmt,outside) static 83.x.x.x

Regards

Re: NAT conversion help!?

Jouni Forss — Mon, 13 May 2013 12:42:23 GMT

Hi,

The above NAT configuration that I mentioned will only apply WHEN the destination IP address is some IP address from the the CUST_LA "object-group"

So when the source IP address is

172.19.130.2

and the destination IP address is one of the following

object-group network CUST_LA

network-object host 10.45.0.125

network-object host 10.64.0.176

network-object host 10.33.0.29

network-object host 10.51.0.26

THEN the NAT will be applied.

Rest of the traffic will use the Network Object NAT (Static NAT type configuration) for the traffic outbound or inbound on the interface "outside"

So this should NOT affect rest of the connections to the "outside" and therefore NOT cause problems to the Static NAT

- Jouni

Re: NAT conversion help!?

Fergal Meehan — Mon, 13 May 2013 14:16:25 GMT

Thanks for your help Jouni. Very efficient.

NAT conversion help!?

Jouni Forss — Mon, 13 May 2013 14:24:16 GMT

No problem, thank you for marking the reply as correct.

If you happen to run into some problem with NAT configurations you can always ask here and see if there is someone that can help.

I also went with the same approach to configuration conversion as you right from the start. I also do them manually because that is the way you learn the most about the NAT operation.

If you want to take a look, I made a NAT 8.3+ Document here in the Firewall/Document section. Though at this stage it only contains simple examples you probably know all already. When I have the energy and time to get more into it I will expand on the examples and the whole document.

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Re: NAT conversion help!?

Fergal Meehan — Fri, 17 May 2013 12:56:14 GMT

Hi Jouni,

I have completed what I hope is correct. If you have a chance could you throw your eye over it can point out any mistakes I may have in my manual conversion? I'm moving from a PIX v6.4 to ASA5515x v9.02 that has 3000+ lines

I've simplified the example but it covers everything and you can assume that all the Objects and ACLs with real IPs are created.

Thanks a million

#########

ORIGINAL

#########

interface gig0/0

ip address X.Y.Z.2 255.255.255.224

nameif outside

interface gig0/1

nameif dmz-mon

ip address 172.19.131.1 255.255.255.0

interface gig0/2

nameif inside2

ip address 192.168.122.248 255.255.255.0

interface gig0/3

nameif dmz-mgmt

ip address 172.19.130.1 255.255.255.0

interface gig0/4

nameif dot

ip address 1.1.1.1 255.255.255.0

interface gig0/5

nameif ext-lan

ip address 172.19.132.1 255.255.255.0

access-list nonat permit ip 172.19.130.0 255.255.255.0 10.1.0.0 255.255.255.0

access-list nonat permit ip 172.19.130.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat-inside2 permit ip 192.168.122.0 255.255.255.0 192.168.14.0 255.255.255.0

access-list nonat-inside2 permit ip 10.98.0.0 255.255.0.0 192.168.13.0 255.255.255.0

global (outside) 1 X.Y.Z.5 netmask 255.255.255.255

nat (dmz-mon) 1 0.0.0.0 0.0.0.0 0 0

nat (inside2) 1 0.0.0.0 0.0.0.0 0 0

nat (ext-lan) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz-mgmt) 0 access-list nonat

nat (inside2) 0 access-list nonat-inside2

static (dmz-mon,outside) X.Y.Z.19 172.19.131.19 netmask 255.255.255.255 0 0

static (dmz-mon,outside) X.Y.Z.18 172.19.131.9 netmask 255.255.255.255 0 0

static (dmz-mon,outside) X.Y.Z.24 172.19.131.24 netmask 255.255.255.255 0 0

static (dmz-mon,outside) X.Y.Z.7 172.19.131.26 netmask 255.255.255.255 0 0

static (dmz-mon,outside) X.Y.Z.12 172.19.131.12 netmask 255.255.255.255 0 0

static (dmz-mon,outside) X.Y.Z.20 172.19.131.49 netmask 255.255.255.255 0 0

static (dmz-mon,outside) X.Y.Z.3 172.19.131.13 netmask 255.255.255.255 0 0

static (inside2,outside) X.Y.Z.9 192.168.122.200 netmask 255.255.255.255 0 0

static (inside2,outside) X.Y.Z.8 192.168.122.132 netmask 255.255.255.255 0 0

static (inside2,outside) X.Y.Z.6 192.168.122.1 netmask 255.255.255.255 0 0

static (dmz-mgmt,outside) X.Y.Z.4 172.19.130.2 netmask 255.255.255.255 0 0

static (dmz-mgmt,outside) 10.47.0.216 access-list CUST_LA 0 0

### UNSURE WHY THIS IS HERE ###

static (inside2,dmz-mgmt) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0

static (inside2,dmz-mgmt) 10.17.42.128 10.17.42.128 netmask 255.255.255.128 0 0

static (inside2,dmz-mgmt) 192.168.124.0 192.168.124.0 netmask 255.255.255.0 0 0

static (inside2,dmz-mgmt) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0

static (inside2,dmz-mgmt) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0

static (inside2,dot) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0

static (inside2,dot) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0

static (inside2,dot) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0

static (inside2,ext-lan) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0

static (inside2,ext-lan) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0

static (inside2,ext-lan) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0

static (inside2,dmz-mon) 10.99.0.0 10.99.0.0 netmask 255.255.0.0 0 0

### UNSURE WHY THIS IS HERE ###

###########

PROPOSED

###########

interface gig0/0

ip address X.Y.Z.2 255.255.255.224

nameif outside

interface gig0/1

nameif dmz-mon

ip address 172.19.131.1 255.255.255.0

interface gig0/2

nameif inside2

ip address 192.168.122.248 255.255.255.0

interface gig0/3

nameif dmz-mgmt

ip address 172.19.130.1 255.255.255.0

interface gig0/4

nameif dot

ip address 1.1.1.1 255.255.255.0

interface gig0/5

nameif ext-lan

ip address 172.19.132.1 255.255.255.0

nat (dmz-mgmt,outside) source static OBJ-172.19.130.2 OBJ-10.47.0.216 destination static CUST_LA CUST_LA

nat (dmz-mgmt,outside) source static OBJ-172.19.130.0 OBJ-172.19.130.0 destination static OBJ-10.1.0.0 OBJ-10.1.0.0 no-proxy-arp route-lookup

nat (dmz-mgmt,outside) source static OBJ-172.19.130.0 OBJ-172.19.130.0 destination static OBJ-10.1.1.0 OBJ-10.1.0.0 no-proxy-arp route-lookup

nat (inside2,outside) source static OBJ-192.168.122.0 OBJ-192.168.122.0 destination static OBJ-192.168.14.0 OBJ-192.168.14.0 no-proxy-arp route-lookup

nat (inside2,outside) source static OBJ-10.98.0.0 OBJ-10.98.0.0 destination static OBJ-192.168.13.0 OBJ-192.168.13.0 no-proxy-arp route-lookup

object network ANY-1

nat (dmz-mon,outside) dynamic interface

object network ANY-2

nat (inside2,outside) dynamic interface

object network ANY-3

nat (ext-lan,outside) dynamic interface

object network OBJ-172.19.131.19

nat (dmz-mon,outside) static X.Y.Z.19

object network OBJ-172.19.131.9

nat (dmz-mon,outside) static X.Y.Z.18

object network OBJ-172.19.131.24

nat (dmz-mon,outside) static X.Y.Z.24

object network OBJ-172.19.131.26

nat (dmz-mon,outside) static X.Y.Z.7

object network OBJ-172.19.131.12

nat (dmz-mon,outside) static X.Y.Z.12

object network OBJ-172.19.131.13

nat (dmz-mon,outside) static X.Y.Z.3

object network OBJ-192.168.122.1

nat (inside2,outside) static X.Y.Z.6

object network OBJ-192.168.122.132

nat (inside2,outside) static X.Y.Z.8

object network OBJ-192.168.122.200

nat (inside2,outside) static X.Y.Z.9

object network OBJ-172.19.130.2

nat (dmz-mgmt,outside) static X.Y.Z.4

NAT conversion help!?

Jouni Forss — Fri, 17 May 2013 16:10:08 GMT

Hi,

I dont really see any error in the above with a quick glance.

Here is how I prefer to configure the Default PAT for all my local interface (it can naturally be used for VPN Client Dynamic PAT towards Internet also if clients are using full tunnel)

We can for example define the source addresses within an "object-group" and use and "object network" for the PAT IP address since we are not using the "interface" IP address of "outside"

object-group network DEFAULT-PAT-SOURCE

network-object

object network PAT

host x.y.z.w

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT

If you simply want to allow "any" source address to be Dynamic PATed to the IP address then you can use this format to do it with a single "nat" configuration also (Instead of the Network Object NAT you have used above)

object network PAT

host x.y.z.w

nat (any,outside) after-auto source dynamic any PAT

With regards to the NAT configurations that arent clear to you.

### UNSURE WHY THIS IS HERE ###

static (inside2,dmz-mgmt) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0

static (inside2,dmz-mgmt) 10.17.42.128 10.17.42.128 netmask 255.255.255.128 0 0

static (inside2,dmz-mgmt) 192.168.124.0 192.168.124.0 netmask 255.255.255.0 0 0

static (inside2,dmz-mgmt) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0

static (inside2,dmz-mgmt) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0

static (inside2,dot) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0

static (inside2,dot) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0

static (inside2,dot) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0

static (inside2,ext-lan) 192.168.121.0 192.168.121.0 netmask 255.255.255.0 0 0

static (inside2,ext-lan) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 0 0

static (inside2,ext-lan) 10.98.0.0 10.98.0.0 netmask 255.255.0.0 0 0

static (inside2,dmz-mon) 10.99.0.0 10.99.0.0 netmask 255.255.0.0 0 0

### UNSURE WHY THIS IS HERE ###

To me the above seem all to be Static Identity NAT. Basically translating the network to itself. Generally there is no need for NAT between local interface. I mean interfaces like LANs, DMZs, etc.

The older software ASAs usually might have had a configuration command "nat-control" enabled. (This would be located above the first "global" command in the CLI format) Having this setting enabled means that all traffic needed NAT so the above type of configurations were typically configured to overcome the "nat-control" setting.

In all my conversions to higher software level I have ALWAYS left out these type of NAT configurations. This is because the new software doesnt have any concept of "nat-control" anymore. So if you dont have any NAT configurations between your local interfaces then all traffic will be able to flow through the ASA with their original IP addresses (provided other ASA rules allow this)

So I would say that only configure NAT between your local interface if you specifically need to NAT a local IP address to something else before the traffic heads out another interface.

Usually leaving this type of NAT configurations have quite nicely shortened the NAT configurations for the ASA after conversion.

My usualy steps when starting a conversion is to just go through the current NAT old format NAT configurations and define how its supposed to work in general.

I usually start by removing the above type Static Identity NAT configurations completely.

I might follow with collecting the Dynamic PAT configurations and all Static NAT/PAT configurations between local and "outside" interface and convert those to the new format.

Finally I look at the NAT0 and Policy NAT/PAT configurations and any other special cases. The command "packet-tracer" is a great command to confirm if some traffic would hit the correct NAT rule. Though in your case the original firewalls software level is so low that it doesnt support that command so you arent able to compare the result using that command atleast.

Hope this helps

- Jouni

Re: NAT conversion help!?

Fergal Meehan — Tue, 21 May 2013 11:53:56 GMT

Thanks again Jouni. I'll let you know how the migration works out!