topic Re: PAT on ASA 5510 in Network Security

PAT on ASA 5510

IT_-_Department — Mon, 11 Mar 2019 23:46:19 GMT

The old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like

static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255

Plus an extended ACL to allow the traffic.

I am trying to create a Static PAT to allow a host address to access our Network through an ASA. I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.

Can anyone help me with the syntax for this?

PAT on ASA 5510

Julio Carvajal — Fri, 24 Aug 2012 23:29:52 GMT

Hello Eric,

object service Random_port

service tcp source eq 14033

object service Specific_port

service tcp source eq 1433

object network INTERNAL_HOST

host 192.168.12.2

object network Outside_Ip

host 4.1.1.1

nat (inside,outside) source static INTERNAL_HOST Outside_Ip service tcp Specific_port Random_port

access-list outside_in permit tcp host 209.114.146.122 host 192.168.12.2 eq 1433

access-group outside_in in interface outside

That should do it

Rate all the helpful posts

Julio

Re: PAT on ASA 5510

IT_-_Department — Mon, 27 Aug 2012 16:50:47 GMT

Hello Julio,

Thank you for y our reply. It got me closer, but i am still missing something. I have played around with the code suggestions that you made, and am not getting traction. It is possible that I did not explain my project completely, or I just misused your suggested code. I am including much of my ASA config, and will try to restate what I hope to accomplish.

I have clients that hit our FW from their outside IP hitting out IP on port 15003 say. I want to take any traffic hitting our IP on 15003 and translate that to port 1433 on an internal private IP.

What I have so far is:

interface Ethernet0/0

nameif External

security-level 0

ip address 66.112.199.133 255.255.255.224

interface Ethernet0/2

nameif Internal

security-level 100

ip address 10.187.10.1 255.255.255.0

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone GMT 0

dns server-group DefaultDNS

domain-name informz.net

object network Pod3_SQL

host 10.187.10.230

object network Outside_IP

host 66.112.199.133

object service D3000_Pod3

service tcp source eq 15003

object service SQL_SVR

service tcp source eq 1433

object-group network DM_INLINE_NETWORK_1

nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3

network-object object Outside_IP

network-object object Pod3_SQL

access-list Pod3_In extended permit tcp any eq 15003 host 10.187.10.230 eq 1433

access-group Pod3_In in interface External

I have tried specific address (or network object) and "Any" in the Access-List. Neither seems to let me through. I do not get any hit count on the ACL so I do not believe that teh traffic gets even that far. The available debug commands for NAT do not appear to be as robust as for IPSec. i was hoping to see real time (or even old logs) of the NAT activities to see where it is breaking down.

Do you see where it is breaking?

Thanx for your help!!

Re: PAT on ASA 5510

Julio Carvajal — Mon, 27 Aug 2012 19:12:32 GMT

Hello Eric,

Yeah you did not follow my instructions but that's okay that is why we are here

Copy and paste what I am going to place in here:

no nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3

nat (Internal,External) 1 source static Pod3_SQL Outside_IP service SQL_SVR D3000_Pod3

no access-list Pod3_In extended permit tcp any eq 15003 host 10.187.10.230 eq 1433

access-list Pod3_In line 1 permit tcp any host 10.187.10.230 eq 1433

Please do that and let me know, do not do something different with the comands just place them the way they are

Rate all the helpful posts

Julio

Re: PAT on ASA 5510

IT_-_Department — Tue, 28 Aug 2012 14:09:38 GMT

Hey Julio,

Thank you for your persistence and assistance.

I made one slight change in your suggested config as you will note from the attached code. I reversed the source destination, as the ASA would not take it as initially persented. NAT statement should be reversed, from what I Understand. I got errors entering it in the order that you suggested.

I still get no translation. Most NAT config examples are for out bound translation. Since I am coming in should it be nat (external,internal) 1 source static .......?

Also, just so you know how my lab is currently set, I have a PC with 66.192.199.129 on it attempting connection to 66.192.199.133 on 15003 and have a SQL box at 10.187.10.230 listening on 1433.

Is there something similar to isakmp and ipsec debugs that I can run to see either in real time or log where this traffic is going and where it is dying?

interface Ethernet0/0

nameif External

security-level 0

ip address 66.192.199.133 255.255.255.224

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/2

nameif Internal

security-level 100

ip address 10.187.10.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

object network Pod3_SQL

host 10.187.10.230

object network Outside_IP

host 66.192.199.133

object service D3000_Pod3

service tcp source eq 15003

object service SQL_SVR

service tcp source eq 1433

object-group network DM_INLINE_NETWORK_1

network-object object Outside_IP

network-object object Pod3_SQL

access-list Pod3_In extended permit tcp any host 10.187.10.230 eq 1433

nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3

access-group Pod3_In in interface External

Thanx again for you help!

Re: PAT on ASA 5510

Julio Carvajal — Tue, 28 Aug 2012 18:37:00 GMT

Hello Eric,

"I still get no translation. Most NAT config examples are for out bound translation. Since I am coming in should it be nat (external,internal) 1 source static .......?"

Not at all, the translation rule is being made from the inside to the outside world, that is why it should follow the order I sent you

"nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3"

My friend if you keep setting the rule like this it will not work

It needs to be

nat (internal,external) source static Pod3_SQL Outside_IP service D3000_Pod3 SQL_SVR

At least the ACL is right now

Copy/paste and let me know

You can rate as many posts as you want my friend

Julio

Re: PAT on ASA 5510

IT_-_Department — Tue, 28 Aug 2012 19:29:06 GMT

Julio,

I do really appreciate that you are trying to help here. What I do not think that you understand is that I have tried the code exactly as you have suggested and I get an error message. If I reverse the "real source" and the "mapped source" the ASA takes it. It still does not work, but it takes the entry . If I present it as you have suggested I get "Address 66.192.199.133 overlaps with External interface address". I will sent you a screen shot if you do not believe me. I have tried straight cut/paste and I have manually entered this repeatedly and it will not take as it currently is....

That said, everything I have been able to find and read says that the statement (despite being counter intuitive) must reverse the two sources. In fact, when I enter it one statement at a time followed by "?", the first source is supposed to be the "Real" and the second the "Mapped". Is Outside_IP not the Real and Pod3_SQL the mapped?

Is it that I cannot use a local external interface as the source, as ultimately (when I take it out of lab and want to use in Production) I will want to be using the IP of the users I want to enter and access the Server via this mapping? I have added a Router in front of the ASA with my test PC outside of that to try to test this theory, but still have no joy.

Doesn't the ACL get checked before any translation occurs? I am not seeing any hits on the ACL, which is part of my curiosity as to where this is breaking down.

Re: PAT on ASA 5510

Julio Carvajal — Tue, 28 Aug 2012 20:00:04 GMT

Hello,

Since 8.3 the order of operations of the ASA changed, nat goes first, then ACL's.

It's not that I don't believe you is that I do it like that everyday

Okay, I see what you mean by overlaps.

nat (internal,external) source static Pod3_SQL interface service D3000_Pod3 SQL_SVR

Try it like that and let me know

Remember to rate all the helpful posts, that is as important for us as a thanks

Regards,

Re: PAT on ASA 5510

IT_-_Department — Wed, 29 Aug 2012 13:09:58 GMT

Hello Julio,

I tried your latest proposed code, and I still get nada on the translation. If you are correct in the order of processing, it is the Translation that is failing, as I still do not get hit counts on the ACL.

I do truly appreciate your persistence and patience with this issue. I think that I am going to open a TAC ticket and see if I can get a tech from Cisco to take a look at it. If they are able to resolve my NAT issue, I will post the config that they dream up here.

Again, thank you for your help!

Re: PAT on ASA 5510

Oliver Laue — Wed, 29 Aug 2012 14:02:38 GMT

can you try the following

object network Pod3_SQL

nat (Internal,External) static interface service SQL_SVR D3000_Pod3

with the acceslist you already got in your code it should work

Re: PAT on ASA 5510

szumbado — Wed, 29 Aug 2012 15:02:43 GMT

Customer came to TAC and the configuration was fine since the begininng.

nat (Internal,External) source static Pod3_SQL interface service SQL_SVR D3000_Pod3

Cheers,

Re: PAT on ASA 5510

Julio Carvajal — Wed, 29 Aug 2012 15:29:19 GMT

Hello Eric,

As we already know the problem was not with the NAT configuration could you mark the question as answered.

Regards.

Julio