topic Need some clarification with NAT on ASA in Network Security

Need some clarification with NAT on ASA

Stan Spice — Tue, 12 Mar 2019 01:30:13 GMT

Hi,

Need some clarification with NAT on ASA

Can we NAT a public IP to two internals IP's on same port

Example below
static (dmz1,outside) 4.4.4.4 192.168.1.2 netmask 255.255.255.255
static (dmz1,outside) 4.4.4.4 192.168.1.3 netmask 255.255.255.255
access-list outtoin extended permit tcp any host 4.4.4.4 eq www
access-list outtoin extended permit tcp any host 4.4.4.4 eq https

Thanks

stan

Re: Need some clarification with NAT on ASA

Jouni Forss — Wed, 17 Apr 2013 14:05:22 GMT

Hi,

Seems you are using software 8.2 or something below.

Dont think you are able to configure the above Static NAT and make it work.

Notice that if you wanted to only forward a certain port with Static PAT then the configuration would look like this

static (dmz1,outside) tcp 4.4.4.4 80 192.168.1.2 80 netmask 255.255.255.255

static (dmz1,outside) tcp 4.4.4.4 443 192.168.1.2 443 netmask 255.255.255.255

Though even in the case of the above Port Forward / Static PAT configuration I dont think the ASA will accept the configuration.

EDIT: Meaning that you cant do the above configuration for both of the Internal DMZ hosts.

On newer softwares you can forward the same ports to different hosts BUT I still think it will not work in a situation where you would want anyone to be able to connect to both of the hosts. You would have to modify the NAT rules to apply only to certain source IP addresses on the Internet.

- Jouni

Need some clarification with NAT on ASA

James Leinweber — Wed, 17 Apr 2013 14:08:36 GMT

You don't specify your ASA software version, but since you are using the old NAT syntax we'll presume it's 8.2 or lower.

> Can we NAT a public IP to two internals IP's on same port?

Yes, you can do "static PAT" to different IP's, but you must specify the protocol and ports:

static (dmz1,outside) tcp 4.4.4.4 http 192.168.1.2 http netmask 255.255.255.255

static (dmz1,outside) tcp 4.4.4.4 https 192.168.1.3 https netmask 255.255.255.255

You can also map to different destination ports if that is necessary.

-- Jim Leinweber, WI State Lab of Hygiene

Need some clarification with NAT on ASA

Stan Spice — Wed, 17 Apr 2013 20:09:06 GMT

Hi,

I am using 8.1 on asa

Thanks

Need some clarification with NAT on ASA

Stan Spice — Wed, 17 Apr 2013 20:11:00 GMT

Hi,

I am using 8.1 on asa

The requirement is use port 80 and 443 on 02 websites using same external ip

Looks liek it can be done (on this version atleast)

Thanks

Need some clarification with NAT on ASA

James Leinweber — Wed, 17 Apr 2013 20:27:39 GMT

Just to clarify, the (source IP, source port) and (destination IP, destination port) pairs do have to be unique. You can map a single source port to a different destination IP and optionally different destination port. You can map different source ports to different IP's and/or destination ports. But you can't map the single source port on a single source IP to two different destination IP's simultaneously. No double dipping with (4.4.4.4, 80) trying to go to both (192.168.1.2,80) and (192.168.1.3, 80) simultaneously; the firewall wouldn't know how to choose between them. However,

(4.4.4.4, 80) --> (192.168.1.2,80) -- change the IP, keep the port

and

(4.4.4.4, 81) --> (192.168.1.3,80) -- change the IP and change the port

would be OK.

Similarly, you can't both NAT and not NAT, e.g. if you have a NAT rule for

static (dmz1,outside) tcp 4.4.4.4 http 192.168.1.2 http netmask 255.255.255.255

then other hosts won't be able to connect to destination (192.168.1.2, 80) through other firewll interfaces. I get around that by defining secondary IP addresses on hosts where I need both local and remote access from different interfaces, one with NAT, and one without. That's usually less work than using separate ports for remote and local access.

-- Jim Leinweber, WI State Lab of Hygiene