topic 8.4 PAT/NAT question in Network Security

8.4 PAT/NAT question

RussDraper — Tue, 12 Mar 2019 00:48:07 GMT

I am pulling my hair out trying to get this to work! I have other NAT/PAT entries for different IP addresses that work fine (DNS/WEB/SSH) but when I try to visit a website they show the IP of the outside interface, so it doesn't appear to be a static NAT.

I have a scrubbed example (using 1.2.3.x as public IPs) below.

I am trying to get crashplan (uses tcp port 4242) to work from the outside, but right now it thinks its public IP is 1.2.3.6 in my example. I have basically 2 options:

option 1) 1-to-1 NAT using the 1.2.3.9 public IP

option 2) Port 4242 PAT on the interface IP of the ASA (1.2.3.6)

The other PAT entries for server2 (ssh/web/dns) work fine, however server2 does think it has a public IP of 1.2.3.6 and not the 1.2.3.8 that it should have. I don't know why I can't just get a 1-to-1 NAT for this server. I am just visiting www.whatismyip.com to verify outgoing traffic.

I am able to telnet to port 4242 from inside (to 172.16.1.5) and it does respond, so I know the box should work. I have the box named backup in the examples below, and I checked the ACL does show the hitcounts going up.

Relevant config items:

interface Ethernet0/0

description outside

switchport access vlan 999

interface Ethernet0/1

description inside

switchport access vlan 101

interface Vlan101

nameif inside

security-level 100

ip address 172.16.1.254 255.255.255.0

interface Vlan999

nameif outside

security-level 0

ip address 1.2.3.6 255.255.255.0

same-security-traffic permit intra-interface

object service ssh

service tcp source eq ssh

object network server2-inside

host 172.16.1.1

object network server2-outside

host 1.2.3.8

object network server2

host 172.16.1.1

object network luigi

host 172.16.1.10

object network inside-network-vpn

subnet 172.16.1.0 255.255.0.0

object network home-network-vpn

subnet 172.16.0.0 255.255.0.0

object service web

service tcp destination eq www

object service dns

service udp destination eq domain

object service crashplan

service tcp destination eq 4242

object network backup-inside

host 172.16.1.5

object network backup-outside

host 1.2.3.9

object-group network inside-network

network-object 172.16.1.0 255.255.255.0

object-group network remote-vpn-network

network-object 10.1.10.0 255.255.255.0

object-group network internal-vpn-allowed

network-object 172.16.1.0 255.255.255.0

network-object 172.16.0.0 255.255.255.0

access-list in_outside extended permit tcp 173.166.71.40 255.255.255.248 any eq 3389

access-list in_outside extended permit icmp any any echo-reply

access-list in_outside extended permit icmp any any echo

access-list in_outside extended permit tcp any host 172.16.1.1 eq www

access-list in_outside extended permit tcp any host 172.16.1.1 eq ssh

access-list in_outside extended permit tcp any host 172.16.1.1 eq https

access-list in_outside extended permit udp any host 172.16.1.1 eq domain

access-list in_outside extended permit tcp any object backup-inside eq 4242

access-list in_outside extended permit tcp any object backup-outside eq 4242

access-list in_outside extended permit tcp any any eq 4242

access-list in_inside extended permit ip any any

access-list in_inside extended permit icmp any any

access-list no_nat extended permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0

access-list no_nat extended permit ip 172.16.1.0 255.255.255.0 10.1.10.0 255.255.255.0

access-list no_nat extended permit ip 172.16.1.0 255.255.255.0 10.0.10.0 255.255.255.0

access-list vpn_acl extended permit ip object inside-network-vpn object home-network-vpn

pager lines 24

logging enable

logging timestamp

logging console debugging

logging monitor debugging

mtu management 1500

mtu inside 1500

mtu outside 1500

arp timeout 14400

nat (inside,outside) source static inside-network-vpn inside-network-vpn destination static home-network-vpn home-network-vpn

nat (inside,outside) source static server2-inside server2-outside service ssh ssh

nat (inside,outside) source static server2-inside server2-outside service web web

nat (inside,outside) source static server2-inside server2-outside service dns dns

nat (inside,outside) source static internal-vpn-allowed internal-vpn-allowed destination static remote-vpn-network remote-vpn-network

! I tried this as well, changing order of the final dynamic line also

! nat (inside,outside) source static backup-inside backup-outside service crashplan crashplan

nat (inside,outside) source dynamic any interface

object network server2

nat (inside,outside) static 1.2.3.8 dns

object network luigi

nat (inside,outside) static 1.2.3.7

object network backup-inside

nat (inside,outside) static interface service tcp 4242 4242

access-group in_inside in interface inside

access-group in_outside in interface outside

8.4 PAT/NAT question

Julio Carvajal — Wed, 16 Jan 2013 19:28:39 GMT

Hello Russell,

Lets work together on this one,

Start by changing the configuration to this:

object service crashplan

no service tcp destination eq 4242

service tcp source eq 4242

Then add the following command:

nat (inside,outside) 2 source static backup-inside server2-outside service crashplan crashplan

Copy and paste that as requested and let me know the result

Regards

Julio

8.4 PAT/NAT question

RussDraper — Wed, 16 Jan 2013 20:25:58 GMT

Hi Julio,

Thank you for your response!

I actually did this:

object service crashplan

no service tcp destination eq 4242

service tcp source eq 4242

nat (inside,outside) 2 source static backup-inside backup-outside service crashplan crashplan

And now I can telnet to port 4242 on the backup-outside public IP and get a response. But the server itself is going out as the IP of the firewall still.

The problem is that crashplan tells some central service what IP it is using, and since it is using the IP of the interface it failes. I then tried this:

no nat (inside,outside) source static backup-inside backup-outside service crashplan crashplan

object network backup-inside

no nat (inside,outside) static interface service tcp 4242 4242

nat (inside,outside) 2 source static backup-inside interface service crashplan crashplan

And now it seems I can connect to the IP of the firewall-outside interface on port 4242 and get data.

So it seems it is now working for my original option 2, how can I make it go out using a different IP from the interface?

8.4 PAT/NAT question

Julio Carvajal — Wed, 16 Jan 2013 20:58:51 GMT

Hello,

If you want to see that server on the outside using the other IP you must do a one to one translation and not a Port-forwarding.

With port-forwarding only inbound packets will trigger that UN-NAT translation....

A static one to one is the solution;

nat (inside,outside) 2 source static backup-inside backup-outside

8.4 PAT/NAT question

RussDraper — Fri, 18 Jan 2013 20:30:03 GMT

Yes I know, I had tried that before and it didn't work. It may have been related to the Verizon FIOS ONT router problem I had before and not actually the ASA.

Now for whatever reason (whether that line is there or not) it is going out the correct public IP address, whether that static line is there or not! I tried clearing xlate and arp but that doesn't seem to reset it to before (going out interface IP).

For now this solves my issue so I consider this resolved. Thank you!

8.4 PAT/NAT question

Julio Carvajal — Sun, 20 Jan 2013 15:14:55 GMT

hello Rusell,

My pleasure to help, please mark the question as answered so future users can learn from this,

Julio