topic Static NAT/PAT help in Network Security

Static NAT/PAT help

burleyman — Tue, 12 Mar 2019 01:22:44 GMT

I am still new to ASA's and learning. I have the following need and listed what I think I would need to do, how bad am I? and what would I need to change?

I have a group of ports I need NAT/PAT

Inside IP Address of 192.168.1.3

Outside IP Address of 10.10.1.3

Ports to NAT

TCP 4015

TCP 7300

TCP 10067

I want these port as a one to one NAT/PAT

192.168.1.3:4015 -----> 10.10.1.3:4015

192.168.1.3:7300 ------> 10.10.1.3:7300

192.168.1.3:10067 -------> 10.10.1.3:10067

So here is what I think I need to do….

object-group service ALLOWED_LIST_TCP tcp

port-object eq 4015

port-object eq 7300

port-object eq 10067

nat (inside,outside) source static 192.168.1.3 ALLOWED_LIST_TCP destination static 10.10.1.3 ALLOWED_LIST_TCP

access-list ACL_OUT extended permit tcp any any object-group ALLOWED_LIST_TCP

Thanks,

Mike

Re: Static NAT/PAT help

Jouni Forss — Tue, 02 Apr 2013 19:04:46 GMT

Hi Mike

I would suggest the following configuration to accomplish this

object network STATIC-PAT-TCP4015

host 192.168.1.3

nat (inside,outside) static 10.10.1.3 service tcp 4015 4015

object network STATIC-PAT-TCP7300

host 192.168.1.3

nat (inside,outside) static 10.10.1.3 service tcp 7300 7300

object network STATIC-PAT-TCP10067

host 192.168.1.3

nat (inside,outside) static 10.10.1.3 service tcp 10067 10067

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP4015 eq 4015

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP7300 eq 7300

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP10067 eq 10067

EDIT: If the IP 10.10.1.3 is actually the IP address of the "outside" interface then you can replace the "10.10.1.3" with the keyword "interface" in the NAT configuration line.

To my knowledge you cant use an "object-group service" in the new NAT configurations. So no way to handle this with a single NAT command.

I don't remember if I have linked this for you before but I made a 8.3+ NAT document on the forums which gives information on the basic NAT configuration formats. Though I dont mind going through them here on the actual forums also

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Re: Static NAT/PAT help

Jouni Forss — Tue, 02 Apr 2013 19:12:48 GMT

I think the other format to configure the same thing would be

object network SERVER

host 192.168.1.3

object network SERVER-NAT

host 10.10.1.3

object service TCP4015

service tcp source eq 4015

object service TCP7300

service tcp source eq 7300

object service TCP10067

service tcp source eq 10067

nat (inside,outside) source static SERVER SERVER-NAT service TCP4015 TCP4015

nat (inside,outside) source static SERVER SERVER-NAT service TCP7300 TCP7300

nat (inside,outside) source static SERVER SERVER-NAT service TCP10067 TCP10067

access-list OUTSIDE-IN permit tcp any object SERVER eq 4015

access-list OUTSIDE-IN permit tcp any object SERVER eq 7300

access-list OUTSIDE-IN permit tcp any object SERVER eq 10067

Though I personally prefer configuring these type of NATs with the first replys Network Object NAT (Section 2 NAT) instead of Twice NAT in this reply (Section 1 NAT or Section 3 NAT)

- Jouni

Static NAT/PAT help

burleyman — Tue, 02 Apr 2013 19:13:18 GMT

Thanks Jouni again for your help... 5+

I was hoping there was an easier way because in reality there are a ton of other ports that need to be done. Maybe they will come up with a way to do the group thing with some update.

Thanks for the link I will read it over.

Mike

Re: Static NAT/PAT help

Jouni Forss — Tue, 02 Apr 2013 19:15:34 GMT

Aaand since you talk about Static NAT in the topic

If you actually have a spare public IP address to be used only for a single LAN server then you could simply configure a 1:1 Static NAT and just open the needed ports

object network SERVER

host 192.168.1.3

nat (inside,outside) static 10.10.1.3 dns

access-list OUTSIDE-IN permit tcp any object SERVER eq 4015

access-list OUTSIDE-IN permit tcp any object SERVER eq 7300

access-list OUTSIDE-IN permit tcp any object SERVER eq 10067

- Jouni

Re: Static NAT/PAT help

Jouni Forss — Tue, 02 Apr 2013 19:22:58 GMT

To my knowledge the only way to get a smaller configuration when we are talking about Static PAT / Port Forwarding is when you are able to do it for a continuous range of ports, which is usually not possible without forwarding ports you dont really need.

This has been a question every now and then on the CSC.

EDIT: As you say I guess it would be something that the people at Cisco would have to take a look at. Modify the current "object service" and "object-group service" objects to they can be used to create a huge group of service port pairs to be used in the NAT.

If I would have to guess then I would guess currently using a "object-group service" simply wouldnt be able to pair the real and mapped ports together correctly for the NAT configuration or there would be too much room for errors in the configuration when the contents of the "object-group service" was changed.

But this would certainly be something that would help those people who only have the single public IP address from the ISP.

- Jouni

Static NAT/PAT help

burleyman — Tue, 02 Apr 2013 19:37:04 GMT

Thanks again for you help. Have a good day.

Mike