topic Re: Multi-global twice nat >8.3 in Network Security

Multi-global twice nat >8.3

jerome.bordeau — Mon, 11 Mar 2019 23:20:25 GMT

Hi all,

I try to convert a CISCO ASA 8.2 version to 8.4 BUT, I have a small or "little" problem :

On Cisco ASA 8.2.x, i have a possibility to create multi-line global with different subnet.

Example :

global (outside) 2 217.1.x.65-217.x.x.66 netmask 255.255.255.240

global (outside) 1 interface <-- Ip interface is other subnet : 217.3.x.3

global (outside) 2 217.1.x.67 netmask 255.255.255.240

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz2) 2 192.168.4.0 255.255.255.0

What is the method or solution to translate multi-global in 8.4 ?

In same idea : with static translation in 8.4 : i try to use different server in inside's zone, but not in same network on outside. In 8.2 Firmware, it's very easy to use that, but in 8.3-8.4 version, i don't have some idea to manipulate ...

interface Vlan1

description Lien vers reseau Interne Client

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.99.16 255.255.255.0

object network rdp-test

host 192.168.0.3

nat (inside,outside) static 192.168.99.17

object network rdp-test1

host 192.168.0.4

nat (inside,inside) static 192.168.98.17

It's not a filter problem, it's probably a problem between nat and arp .... but where ???

Please, help me !!!

Have a nice day

Multi-global twice nat >8.3

Jennifer Halim — Mon, 18 Jun 2012 13:14:40 GMT

Here is the direct conversion:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

object network obj_inside

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

For this:

global (outside) 2 217.1.x.65-217.x.x.66 netmask 255.255.255.240

global (outside) 2 217.1.x.67 netmask 255.255.255.240

nat (dmz2) 2 192.168.4.0 255.255.255.0

object network obj-217.1.x.65-217.x.x.66

range 217.1.x.65 217.x.x.66

object network obj-217.1.x.67

host 217.1.x.67

object-group network 217.1.x.6x-group

network-object object obj-217.1.x.65-217.x.x.66

network-object object obj-217.1.x.67

object network obj-192.168.4.0

subnet 192.168.4.0 255.255.255.0

nat (dmz,outside) dynamic 217.1.x.6x-group

Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 13:22:14 GMT

Thank Jenifer,

For First part, perfect ! thanks a lot, but for 2nd request : Have you a idea ??

interface Vlan1

description Lien vers reseau Interne Client

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.99.16 255.255.255.0

object network rdp-test

host 192.168.0.3

nat (inside,outside) static 192.168.99.17

object network rdp-test1

host 192.168.0.4

nat (inside,inside) static 192.168.98.17

If i try this lines, the second translation doesn't work... Have a you a idea to create static with different subnet on outside ?

Thank you

Multi-global twice nat >8.3

Jennifer Halim — Mon, 18 Jun 2012 13:27:31 GMT

what did you have configured before on version 8.2 and below?

BTW, do you have typo:

object network rdp-test1

host 192.168.0.4

nat (inside,inside) static 192.168.98.17

shouldn't it be "nat (inside,outside) static 192.168.98.17" ??

Re: Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 13:38:18 GMT

For test only,

I would like use on Outside zone, 2 ip on differents subnets (in my example, 192.168.99.x and 192.168.98.x).

I test with rdp server in Inside zone on ip 192.168.0.3 with nat 192.168.99.17, it's all right for this nat.

It's a error from me : nat (inside, OUTSIDE) static 192.168.98.17 (keyboard error from me...)

But with ip inside 192.168.0.4, i would like from outside, to connect on rdp server in inside by ip outside 192.168.98.17

If i used wizard to test configuration, everything looks good... but in test, ... problem...

In 8.2 version, the static command in different ip running correctly but with twice nat, i don't see the good syntax...

Thank you very much for your help and excuse me poor english

Re: Multi-global twice nat >8.3

Jennifer Halim — Mon, 18 Jun 2012 14:04:40 GMT

and what does your access-list say on the outside interface?

access-list from version 8.3 onwards need to refer to the real IP, not NATed IP anymore, so access-list should say:

access-list permit tcp any host 192.168.0.4 eq 3389

Re: Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 14:10:07 GMT

I have this rule exactly :

access-list permit tcp any host 192.168.0.4 eq 3389 , my rule filter is allright BUT, this translation nat (inside,outside) don't work correctly !! try if you want ? The most mistake : the access-list (for this rules) counter increase !!! but nothing after... If i try on first translation, access list counter increase too, and i have rdp connection.

I test with asa5505 and 3 pc to test this, for 3 hours, i don't have find a solution.... ?? very strange

Would you like all configuration ?

interface Vlan1

description Lien vers reseau Interne Client

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Vlan2

description Lien pppoe vers Wanadoo-Orange

nameif outside

security-level 0

ip address 192.168.99.16 255.255.255.0

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name orange.fr

same-security-traffic permit intra-interface

object network Reseau-Interne

subnet 192.168.99.0 255.255.255.0

object network rdp-test

host 192.168.0.3

object network rdp-test1

host 192.168.0.4

object network Ext-9817

host 192.168.98.17

access-list ACL_OUT extended permit tcp any object rdp-test eq 3389

access-list ACL_OUT extended permit tcp any object rdp-test1 eq 3389

access-list ACL_OUT extended permit icmp any any

access-list ACL_INT extended permit icmp any any

access-list ACL_INT extended permit tcp any any

access-list ACL_INT extended permit udp any any

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

object network rdp-test

nat (inside,outside) static 192.168.99.17

object network rdp-test1

nat (inside,outside) static 192.168.98.17

nat (inside,outside) after-auto source dynamic any interface

access-group ACL_INT in interface inside

access-group ACL_OUT in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.99.1 1

Re: Multi-global twice nat >8.3

Jennifer Halim — Mon, 18 Jun 2012 14:12:48 GMT

yes pls, all config would be great.

Re: Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 14:13:49 GMT

ASA Version 8.4(2)

hostname ciscoasa

domain-name orange.fr

enable password Yn8Esq3NcXIHL35v encrypted

passwd Yn8Esq3NcXIHL35v encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 2

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

description Lien vers reseau Interne Client

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Vlan2

description Lien pppoe vers Wanadoo-Orange

nameif outside

security-level 0

ip address 192.168.99.16 255.255.255.0

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name orange.fr

same-security-traffic permit intra-interface

object network Reseau-Interne

subnet 192.168.99.0 255.255.255.0

object network rdp-test

host 192.168.0.3

object network rdp-test1

host 192.168.0.4

object network Ext-9817

host 192.168.98.17

access-list ACL_OUT extended permit tcp any object rdp-test eq 3389

access-list ACL_OUT extended permit tcp any object rdp-test1 eq 3389

access-list ACL_OUT extended permit icmp any any

access-list ACL_INT extended permit icmp any any

access-list ACL_INT extended permit tcp any any

access-list ACL_INT extended permit udp any any

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

object network rdp-test

nat (inside,outside) static 192.168.99.17

object network rdp-test1

nat (inside,outside) static 192.168.98.17

nat (inside,outside) after-auto source dynamic any interface

access-group ACL_INT in interface inside

access-group ACL_OUT in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.99.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.99.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 192.168.99.0 255.255.255.0 outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

Re: Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 14:16:07 GMT

Thank you for your help, it's very nice !

Re: Multi-global twice nat >8.3

Jennifer Halim — Mon, 18 Jun 2012 14:20:05 GMT

Can you please remove the following 2 lines:

nat (outside,inside) source static any any destination static Ext-9817 rdp-test1

nat (inside,outside) source static rdp-test1 Ext-9817 unidirectional inactive

Then "clear xlate"

Also, i believe that you have route for the 192.168.98.x pointing towards the ASA outside interface IP?

Re: Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 14:25:05 GMT

Sorry for me, this 2 lines are a test. I remove this 2 lines, and clear xlate, clear arp, but without success...

My network map :

Outside

192.168.99.16

192.168.99.1 (router) ------------+---------------------ASA-------------------Pc 192.168.0.3 (rdp)

| +-----Pc 192.168.0.4 (rdp1)

other PC 192.168.98.2

to test from outside rdp1.

Re: Multi-global twice nat >8.3

Jennifer Halim — Mon, 18 Jun 2012 14:32:25 GMT

Hmm, don't think it works like that.

On your router, configure a route for 192.168.98.0/24 to point to the ASA 192.168.99.16.

Configure a PC in the 192.168.99.x subnet with the router being the default gateway and test to access 192.168.98.17

Re: Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 15:01:28 GMT

Why ?

My opinion is a problem with ARP - Static on ASA.

In 8.2 version, this network map running correctly.

When i improve log level (debugging) on CISCO ASA, i see the request from my PC 192.168.98.2 try to join rdp server. I see SYN connection (but without sync + ack and ack...). I same time, when i try to ping from 192.168.98.2 to 192.168.98.17, i see "echo request" from CISCO ASA and "echo reply" !!! but on PC, icmp don't reply...

Have you a possibility to check this configuration on your side ?

I try to add route on router but i'm septic.

Re: Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 15:10:12 GMT

I finish the test to add new route....

And amazing... it's allright !!! it's ok !!

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list ACL_OUT; 3 elements; name hash: 0x21ec8810

access-list ACL_OUT line 1 extended permit tcp any object rdp-test eq 3389 (hitcnt=0) 0x63af37f1

access-list ACL_OUT line 1 extended permit tcp any host 192.168.0.3 eq 3389 (hitcnt=0) 0x63af37f1

access-list ACL_OUT line 2 extended permit tcp any object rdp-test1 eq 3389 (hitcnt=0) 0xc1209d8a

access-list ACL_OUT line 2 extended permit tcp any host 192.168.0.4 eq 3389 (hitcnt=1) 0xc1209d8a

access-list ACL_OUT line 3 extended permit icmp any any (hitcnt=0) 0x7ea87995

access-list ACL_INT; 3 elements; name hash: 0x88ae4fa9

access-list ACL_INT line 1 extended permit icmp any any (hitcnt=1) 0x01029607

access-list ACL_INT line 2 extended permit tcp any any (hitcnt=2) 0xe6887ad7

access-list ACL_INT line 3 extended permit udp any any (hitcnt=2) 0xba134485

ciscoasa(config)# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static rdp-test 192.168.99.17

translate_hits = 0, untranslate_hits = 0

2 (inside) to (outside) source static rdp-test1 192.168.98.17

translate_hits = 5, untranslate_hits = 1

Manual NAT Policies (Section 3)

1 (inside) to (outside) source dynamic any interface

translate_hits = 0, untranslate_hits = 0

Thank you for your help Jenifer.

But can you explain me if i put my PC 192.168.98.3 on outside, (and i don't add a route), why this don't running ? The PC and NAT translation are in same network, in this case, i don't want a route.

What do you think ?

Re: Multi-global twice nat >8.3

Jennifer Halim — Mon, 18 Jun 2012 15:10:30 GMT

There is a change in the behaviour on how ASA response to ARP, but it doesn't start until version 8.4.3, and you are running 8.4.2.

But here is the change for your reference:

https://supportforums.cisco.com/docs/DOC-24549

Re: Multi-global twice nat >8.3

jerome.bordeau — Mon, 18 Jun 2012 15:22:44 GMT

Thank a lot for this informations.

It's very shame that this function running correctly on 8.2 version and now, in 8.3, 8.4, this fonction have need to add a route in gateway.

Have a nice day