topic Natting in 8.4 Software ver. in Network Security

Natting in 8.4 Software ver.

Anukalp S — Tue, 12 Mar 2019 00:55:17 GMT

Hi..Can anyone please share 8.4 version config of below 8.2.

access-list www_http extended permit tcp host 192.168.183.202 any eq www
access-list www_http extended permit tcp host 192.168.183.202 any eq https
access-list www_http extended permit tcp host 192.168.183.196 any eq www
access-list www_http extended permit tcp host 192.168.183.196 any eq https

nat (inside) 3 access-list www_http

global (outside) 3 61.144.128.140 netmask 255.255.255.255

Natting in 8.4 Software ver.

mkdccie — Fri, 01 Feb 2013 16:28:07 GMT

Hi Anukalp,

First create objects:

object-group network obj-192.168.183.202

description Inside IP

network-object host 192.168.183.202

object-group network obj-61.144.128.140

description Ouside IP

network-object host 61.144.128.140

object service obj-tcp-eq-80

service tcp destination eq 80

nat (inside,outside) source static obj-192.168.183.202 obj-192.168.183.202 destination static obj-61.144.128.140

obj-61.144.128.140 service obj-tcp-eq-80 obj-tcp-eq-80

and so the same for the rest

Plz rate if this helps.

Regards,

MKD

Natting in 8.4 Software ver.

Anukalp S — Fri, 01 Feb 2013 16:41:00 GMT

Hi Mohammad,

According to your config source ip 192.168.183.202 is not natting with 61.144.128.140, but it is being destined to 61.144.128.140.

As per my config, source 192.168.183.202 destined to any should be natted with 61.144.128.140.

Natting in 8.4 Software ver.

Andrew Phirsov — Fri, 01 Feb 2013 20:08:23 GMT

The nat rule itself should look like this (using objects, Mohammed provided):

nat (inside,outside) source dynamic obj-192.168.183.202 obj-61.144.128.140 pat-pool POOL service obj-tcp-eq-80 obj-tcp-eq-80

object network POOL

host 61.144.128.140

Natting in 8.4 Software ver.

Anukalp S — Sat, 02 Feb 2013 07:14:59 GMT

Hi Andrew

Yes, there should be Dynamic NAT as per your config but have still confusion about command "pat-pool POOL". what its does? Does it use here for destination "any".

Natting in 8.4 Software ver.

Andrew Phirsov — Sat, 02 Feb 2013 08:12:58 GMT

Yes, it does.

Natting in 8.4 Software ver.

Anukalp S — Sat, 02 Feb 2013 09:22:21 GMT

Thanks Andrew for helping me out..

Could you also tell about below NATexempt commands, means difference b/w them.

nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp

nat (DMZ,outside) source static obj-192.168.159.0 obj-192.168.159.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

Both NAT command are using here for NAT exemption but why there is "nat (inside,any)" and "nat (DMZ,outside)". Why there is not like same i.e.nat (DMZ,any) like as nat (inside,any)". or nat (inside,outside)" like as nat (DMZ,outside).

Natting in 8.4 Software ver.

mkdccie — Mon, 04 Feb 2013 16:07:21 GMT

Yes, i miss that one

for NO NAT, you can use (inside, any) or (inside,Interface Name here)

If (DMZ,Outside), this mean no dynamic NAT added on other interfaces (but only the outside).

Regards,

MKD

Natting in 8.4 Software ver.

Anukalp S — Mon, 04 Feb 2013 20:36:51 GMT

Hi,

My question is that..why (DMZ, any) is not using here like (inside,any) even though both nat commands are for "NO NAT".

nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp

nat (DMZ,outside) source static obj-192.168.159.0 obj-192.168.159.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

Natting in 8.4 Software ver.

Jouni Forss — Mon, 04 Feb 2013 21:09:26 GMT

Hi,

I'm not sure if the configurations you are referring to are some NAT configuration that the ASA has converted from "old" software to new software.

Generally I would think the "any" keyword would be used in the NAT configurations when you want to apply certain kind of NAT towards all other interfaces on the ASA. I try to avoid it as much as I can and be more specific.The reason for this is that it might possibly cause problems and make the configuration hard to read.

If you have had NAT0 / NAT Exempt style configurations on your "old" software ASA then they are probably almost always related to VPN Client or L2L VPN connections.

I would thefore suggest always using both the source and destination interface in your configurations.

I dont get the idea of the first NAT configuration as the source and destination networks are the same. And even more so I dont get the idea when I look at the next NAT configuration that refers to the same network as the destination network and its on the "outside" (While it was the sourced from the "inside" in the previous command)

- Jouni