topic Problem with nat? in Network Security

Problem with nat?

IT Asitis — Tue, 12 Mar 2019 00:35:20 GMT

Hi,

I have the following NAT rule:

object network HTTP_Test_80

nat (TestEnvironment,WAN1) static 88.130.50.22 service tcp www www

This allows http traffic to a testserver from the outside. An ACL is also in place and i can get to the webservice from the outside. However i can not get to this webservice from the inside network.

any ideas?

The testserver is located in one of ouur DMZ networks.

Problem with nat?

Jouni Forss — Mon, 10 Dec 2012 10:00:58 GMT

Hi,

The Static NAT to the public IP address is only done towards the WAN1 interface, not INSIDE

For Static NAT to be applied to INSIDE interface, the command would require it as a destination Interface

If you set the Static NAT destination interface as "any" it will translate the Public IP towards every other interface on the ASA

Do take notice that these changes might affect your network IF you use the server from INSIDE with local address also. In that case some sort of Policy NAT might be the solution.

- Jouni

Problem with nat?

IT Asitis — Mon, 10 Dec 2012 10:03:45 GMT

So all that is needed is to change destination to any and it should work. given that the last paragraph does not apply?

Problem with nat?

Jouni Forss — Mon, 10 Dec 2012 10:08:23 GMT

Hi,

Let me test the setup on one of my test firewalls.

I dont usually do these kind of NATs as I want to keep the setup simple (between interfaces behind Firewall). Best situation is naturally when we have a public network directly at the DMZ with our customers then NAT wont be a problem. Naturally this isnt an option for all.

But to my understanding this should work.

By the way, are you using the mentioned public IP address as shared public from some servers? Just thinking as you are using a Port Forward configuration and not a usual/normal Static NAT?

- Jouni

Problem with nat?

IT Asitis — Mon, 10 Dec 2012 10:11:38 GMT

Yes this is a shared public IP and it is not the primary of the interface either.

i have 6 other services open to this IP from the outside.

Problem with nat?

Jouni Forss — Mon, 10 Dec 2012 10:13:31 GMT

Hi,

I did a very quick test to see what the ASA says about the Static NAT (I used normal Static NAT, not Port forward)

Heres configuration in my test

object network STATIC-TEST

host 10.10.10.123

nat (inside,any) static 1.2.3.4

Packet-tracer from local DMZ

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network STATIC-TEST

nat (inside,any) static 1.2.3.4

Additional Information:

NAT divert to egress interface inside

Untranslate 1.2.3.4/80 to 10.10.10.123/80

Packet-tracer from local OUTSIDE

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network STATIC-TEST

nat (inside,any) static 1.2.3.4

Additional Information:

NAT divert to egress interface inside

Untranslate 1.2.3.4/80 to 10.10.10.123/80

So NAT phase seems right to me atleast

- Jouni

Problem with nat?

Jouni Forss — Mon, 10 Dec 2012 10:16:45 GMT

Changed the configuration for TCP/80 Port Forward

Heres the configuration and test

object network STATIC-TEST

host 10.10.10.123

nat (inside,any) static 1.2.3.4 service tcp www www

Packet-tracer from local DMZ

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network STATIC-TEST

nat (inside,any) static 1.2.3.4 service tcp www www

Additional Information:

NAT divert to egress interface inside

Untranslate 1.2.3.4/80 to 10.10.10.123/80

Packet-tracer from local OUTSIDE

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network STATIC-TEST

nat (inside,any) static 1.2.3.4 service tcp www www

Additional Information:

NAT divert to egress interface inside

Untranslate 1.2.3.4/80 to 10.10.10.123/80

- Jouni

Problem with nat?

IT Asitis — Mon, 10 Dec 2012 10:24:58 GMT

object network HTTP_Test_80

nat (TestEnvironment,WAN1) static 88.130.50.22 service tcp www www

Should 88.130.50.22 then be changed to any? if so how will i reach it from the outside.

or am i supposed to add new rules to be able to access those servers from the inside?

Note that im doing this in ASDM and there the destination is 88.130.50.22.

Re: Problem with nat?

Jouni Forss — Mon, 10 Dec 2012 10:33:51 GMT

Ah sorry,

I was talking about the source/destination interface which is inside "()" in the NAT command

Here is how my Test configurations seems through ASDM (I dont use ASDM myself otherwise)

The actual NAT object

Under Advanced Settings

Hope this helps

Do notice that the ASDM will remove the NAT command before inserting the new one. It will therefore teardown all connections from OUTSIDE to that server on port TCP/80 atleast

If you havent already used, you could consider previewing the commands ASDM will send to the ASA.

This can be enabled in the following place on ASDM

Tools -> Preferences -> Select "Preview Commands before sending them to the device"

This way you will see what CLI version commands are actually sent to the ASA by the ASDM BEFORE it sends them.

- Jouni

Problem with nat?

IT Asitis — Mon, 10 Dec 2012 13:51:15 GMT

Hi,

ok this works for some of our nat rules but not all of them and for those it works for im not able to access the webservices from inside the test environment. Any ideas?

Problem with nat?

Jouni Forss — Mon, 10 Dec 2012 14:00:47 GMT

Hi,

Without seeing the whole configuration its hard to tell why its not working. Might be some problem with existing NAT configuration. Also a screencapture of the ASDM log when you are attempting the connection might help (Might need logging level "Informational" atleast)

Regards to the access problem from the test environment. Are you saying that you are connecting from a host at the same network where the test server is using the public IP address? If this is the case I think it ain't supposed to work like that (the configuration I mentioned). I would have to lab this.

Also you say something is working but you can't access webservices? Can you clarify what is working? Wasnt the Web Service the only service you were trying to access. (Atleast in the original question/post)

- Jouni