topic Re: ASA 5505 8.41 Dynamic NAT/Static NAT configuration in Network Security

ASA 5505 8.41 Dynamic NAT/Static NAT configuration

Mitchell Dyer — Fri, 21 Feb 2020 12:19:11 GMT

Hello,

I'm having some issues configuring NAT statements on my ASA5505 which has recently been upgraded to 8.41.

I have a single dynamic IP on the outside interface of the ASA and would like all internal hosts to NAT/PAT to it. In addition, I would like to have several ports 'forwarded' to internal hosts, one of which is TCP/4343. With the current configuration all hosts are NATing to the external interface properly but the service running on TCP/4343 is not accessible from the outside. See command output below:

"sh run object" output:

object network DrJones
host 10.81.220.90
object network LAN-10.81.220.0
subnet 10.81.220.0 255.255.255.0

"sh run nat" output:

object network DrJones
nat (inside,outside) static interface service tcp 4343 4343
object network LAN-10.81.220.0
nat (inside,outside) dynamic interface

"sh run access-list" output:

access-list inside_access_in extended permit ip 10.81.220.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq 4343

Any help would be appreciated, if additional information is neccessary please let me know and I will post it.

Thank you in advance.

Re: ASA 5505 8.41 Dynamic NAT/Static NAT configuration

Shrikant Sundaresh — Mon, 18 Apr 2011 23:58:12 GMT

Hi Mitch,

There are two major changes between pre-8.3 and post-8.3.

1. NAT

2. Interface Access-list.

You've gone right at step 1, but have configured the outside_access_in access-list in the pre-8.3 format.

The correct config would be:

access-list outside_access_in extended permit icmp any any echo-reply //you can remove this and add inspect icmp to the global policy.
access-list outside_access_in extended permit tcp any host 10.81.220.90 eq 4343

In 8.3 and above, the interface access-list should have the real ip and not the translated ip.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Re: ASA 5505 8.41 Dynamic NAT/Static NAT configuration

Mitchell Dyer — Tue, 19 Apr 2011 00:11:33 GMT

Thanks Shrikant, I ended up stumbling upon this about 3 hours after I posted. Thank you for the response, I was only aware of the nat changes with 8.3, I was not aware they changed the application of accesslists.

On a side note, is there a way to configure multiple PAT entries with one statement? Or at the very least configure multiple PAT entries under a single network object? I can only seem to configure a single PAT entry per network object, which makes me think maybe this can be accomplished by a service object-group?

Thanks,

Mitch

Re: ASA 5505 8.41 Dynamic NAT/Static NAT configuration

Shrikant Sundaresh — Tue, 19 Apr 2011 00:42:11 GMT

Hey Mitch,

Not really sure, by what you mean by multiple pat entries, but you can only have one nat entry within the network object. (called auto nat).

However, if you are referring to something like this:

nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 209.165.201.1-209.165.201.2

OR

nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.1-209.165.201.7
global (outside) 1 209.165.201.8
global (outside) 1 209.165.201.9

Then you can go for the equivalent 8.3 commands:

object network obj-209.165.201.1_209.165.201.2
   range 209.165.201.1 209.165.201.2
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic obj_209.165.201.1_209.165.201.2 interface

OR

object network obj-209.165.201.1_209.165.201.7
   range 209.165.201.1 209.165.201.7
 object network obj-209.165.201.8
   host 209.165.201.8
 object network obj-209.165.201.9
   host 209.165.201.9
 object-group network nat-pat-group
   network-object object obj-209.165.201.1_209.165.201.7
   network-object object obj-209.165.201.8
   network-object object obj-209.165.201.9
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic nat-pat-group

Hope this helps. If this is not what you were looking for, then do let me know a few more details, and i will try to answer it more accurately.

-Shrikant

Do rate helpful posts. Thanks.

Re: ASA 5505 8.41 Dynamic NAT/Static NAT configuration

Mitchell Dyer — Tue, 19 Apr 2011 01:06:45 GMT

Hello again,

Sorry I wasn't more specific. I believe your comment about auto-nat answered my question. I needed to translate multiple ports from the outside interface to the same internal host.

For example: host 10.81.220.90 is hosting a service on tcp\4343 and tcp\8080. I was hoping I could create a service object-group containing both services to use in a single PAT entry.

I ended up doing this:

object network obj_svc4343
host 10.81.220.90

nat (inside,outside) static interface service tcp 4343 4343
object network obj_svc8080
host 10.81.220.90
nat (inside,outside) static interface service tcp 8080 8080

But was wondering is something like this is possible:

object-group service obj_incomingsvcs

service-object source tcp source 4343 destination 4343

service-object source tcp source 8080 destination 8080

object network obj_svcs_host

host 10.81.220.90

nat (inside,outside) static interface service obj_incomingsvcs obj_incomingsvcs

I hope that is a bit more clear.

Is this where "twice nat" comes in?

Thanks,

Mitch

Re: ASA 5505 8.41 Dynamic NAT/Static NAT configuration

Shrikant Sundaresh — Tue, 19 Apr 2011 01:19:00 GMT

Hey Mitch,

Twice NAT, or Manual NAT is configure in global config and not under an object-group.

Anyway, i think this should acheive what you are trying: (This is still auto nat)

object service obj_svc_4343

service tcp source 4343

object service obj_svc_8080

service tcp source 8080

object-group service obj_svc

service-object obj_svc_4343

service-object obj_svc_8080

object network obj_svcs_host

host 10.81.220.90

nat (inside,outside) static interface service obj_svc obj_svc

The config syntax might be wrong and you might have to play with the "?" in the CLI a bit. I tried writing it off the top off my head. Turns out i don't do so well without "?" when it comes to service objects.

Hope this helps.

-Shrikant

P.S.: Do rate helpful posts. Thanks.

Re: ASA 5505 8.41 Dynamic NAT/Static NAT configuration

Mitchell Dyer — Tue, 19 Apr 2011 01:50:17 GMT

Shrikant,

Thanks for the reply, I went down that route originally but I can't seem to find a way to apply the object-group to the network object.

I'll do some more digging around, thanks again for your help.

-Mitch