topic Re: ASA 8.4 static NAT statements. in Network Security

ASA 8.4 static NAT statements.

forman102 — Mon, 11 Mar 2019 22:49:42 GMT

Hello,

I have 2 servers with static PAT configuration in pre 8.3 ASA:

Server1 - 10.6.1.10 - PAT to 66.66.66.66 for SMTP

Server2 - 10.6.1.20 - PAT to 66.66.66.66 for IMAP4 and http/https

Pub address - 66.66.66.66

old config:

1. static (inside,outside) tcp 66.66.66.66 smtp 10.6.1.10 smtp netmask 255.255.255.255

2. static (inside,outside) tcp 66.66.66.66 www 10.6.1.20 www netmask 255.255.255.255

3. static (inside,outside) tcp 66.66.66.66 https 10.6.1.20 https netmask 255.255.255.255

4. static (inside,outside) tcp 66.66.66.66 imap4 10.6.1.20 imap4 netmask 255.255.255.255

What is the proper way of migrating above config?

object network Server1 \\\\\ this takes care of PAT statement #1.

host 10.6.1.10

nat (inside,outside) static PAT service tcp smtp smtp

object network Server2

host 10.6.1.20

object network PAT

host 66.66.66.66

How should I migrate statements 2,3 and 4?

Thank you.

forman

ASA 8.4 static NAT statements.

forman102 — Mon, 02 Apr 2012 19:05:24 GMT

I will try to answer myself

I need to create Service objects first:

object service HTTP

service tcp destination eq 80

object service HTTPS

service tcp destination eq 443

object service IMAP4

service tcp destination eq 143

then create statements:

nat (inside,outside) source static Server2 PAT service HTTP HTTP

nat (inside,outside) source static Server2 PAT service HTTPS HTTPS

nat (inside,outside) source static Server2 PAT service IMAP4 IMAP4

Correct?

ASA 8.4 static NAT statements.

Amit Rai — Mon, 02 Apr 2012 19:16:12 GMT

object service HTTP
service tcp destination eq 80

object service HTTPS
service tcp destination eq 443

object service SMTP
service tcp destination eq 25

object service IMAP4
service tcp destination eq 143

object network Server1
host 10.6.1.10

object network Server2
host 10.6.1.20

object network PAT
host 66.66.66.66

nat (inside,outside) source static Server1 PAT service SMTP SMTP
nat (inside,outside) source static Server2 PAT service HTTP HTTP
nat (inside,outside) source static Server2 PAT service HTTPS HTTPS
nat (inside,outside) source static Server2 PAT service IMAP4 IMAP4

open all the private IP's in the ACL's accordingly on outside interface.

ASA 8.4 static NAT statements.

Amit Rai — Mon, 02 Apr 2012 19:17:27 GMT

you answered yourself correctly while I was busy creating config for you

Re: ASA 8.4 static NAT statements.

forman102 — Mon, 02 Apr 2012 19:29:03 GMT

Thank you for verification .

Re: ASA 8.4 static NAT statements.

Jouni Forss — Mon, 02 Apr 2012 19:41:26 GMT

Hi,

Wouldnt the above also be achieved by the following similiar configuration. Think this is the way I have personally done them (Havent had to do it that many times to be honest)

object network PAT

host 66.66.66.66

object network Server1-SMTP

host 10.6.1.10

nat (inside,outside) static PAT service tcp smtp smtp

object network Server2-WWW

host 10.6.1.20

nat (inside,outside) static PAT service tcp www www

object network Server2-HTTPS

host 10.6.1.20

nat (inside,outside) static PAT service tcp https https

object network Server2-IMAP4

host 10.6.1.20

nat (inside,outside) static PAT service tcp imap4 imap4

- Jouni

Re: ASA 8.4 static NAT statements.

llamaw0rksE — Mon, 02 Apr 2012 23:06:21 GMT

JouniForss, I tried it on mine and go the same results.....

object network portforwarding1smpt

host 10.1.6.1

object network portforwarding1smpt

nat (main-lan,outside) static PublicIP service tcp smtp smtp

Note I avoided the use of the word PAT to delineate (title) the external public IP object people would be using. I find it confusing to read about dynamic and static and Pat rules without having the word PAT in there. 🙂

object network PublicIP

host 66.66.66.66

What I am curious about is in all my rules I use the outside interface (as I only have one public WANI). It appears for these rules one simply identifies the public IP as a host for these nat rules and can use that..............

Re: ASA 8.4 static NAT statements.

forman102 — Tue, 03 Apr 2012 16:20:48 GMT

Help please: for some reason, the traffic is being denied on the ASA, even thought I opened the ACL on outside int. Not sure why...so I can't access HTTP, HTTPS, IMAP4 to the NATted servers.

Re: ASA 8.4 static NAT statements.

llamaw0rksE — Tue, 03 Apr 2012 17:02:19 GMT

Okay I downloaded my access rules list for an example.

I created one, the last one, *** to mimic your concept of anybody as all mine narrow down external users.........

You need a particular service object identified, and the pc hosting the service identified (solely as an object no tied-nat rule for this definition)

object service imap24

service tcp destination eq 2424

object network VS-pcIP

host 192.168.24.34

access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP

***access-list outside_access_in extended permit object imap24 any object VS-pcIP

At the end of my object NAT rules are the following two items (ACL to outside general rule and routing rule)

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.225 1

If you have any other ACL rules not sure what they are doing for you. Hopefully you dont have any deny rules. they are not needed.

Re: ASA 8.4 static NAT statements.

forman102 — Tue, 03 Apr 2012 17:04:38 GMT

Hope this will save someone time...my original config from the 2nd post did NOT work. The one presented by Jouni works great thought! Thank you!

ASA 8.4 static NAT statements.

Jouni Forss — Tue, 03 Apr 2012 17:10:54 GMT

Hi,

Glad to hear it worked out.

Please rate if you found the information helpfull

- Jouni

Re: ASA 8.4 static NAT statements.

forman102 — Thu, 05 Apr 2012 13:18:17 GMT

Hey Alex,

Unfortunately, I'm not going to be able to test this until next config migration. Thank you for explaining the ACL part! Mine was wrong...

I ended up using this config:

object network PAT

host 66.66.66.66

object network Server1-SMTP

host 10.6.1.10

nat (inside,outside) static PAT service tcp smtp smtp

access-list outside line 5 extended permit tcp any object Server1-SMTP eq smtp

Can you guys explain ASA NAT mechanism...regarding that static NAT above:

My system admin states that traffic going out of the server 10.6.1.10 on port 25 in NOT being translated to 66.66.66.66:25 on the outside inteface, but translates to 66.66.66.70:25, which is my global PAT IP address for Internet traffic. Is that normal? I don't use much of ASDM, but I found and used packet tracer, which shows that my config should translate to 66.66.66.66:25, not 66.66.66.70:25. Is there something wrong with my config?

Re: ASA 8.4 static NAT statements.

Jouni Forss — Thu, 05 Apr 2012 13:27:20 GMT

Hi,

The Port Forward configuration that you did by using one public IP address only applies when you are connecting from outside to the public IP 66.66.66.66 but when the local host is initiating the connection to outside network, other NAT rules will be applied.

Think there just was a similiar post here on the forums where they had configured this kind of port forwarding for SMTP and also wanted the outgoing connections use the same public IP.

I don't remember the post now. Could try this out on my own ASA and let you know soon if I get the mentioned situation working as described above. (Good thing I have a /29 public network at my disposa for these tests)

- Jouni

Re: ASA 8.4 static NAT statements.

Jouni Forss — Thu, 05 Apr 2012 13:47:37 GMT

Hi,

I did the following test configuration on my ASA

Please notice that the output also contains some other configurations. I added these to illustrate a situation where you have rules that might in certain situation overlap the configuration you are doing. I will explain more after the configurations.

x.x.x.x = additional public IP (so NOT the outside interface IP)

object network LAN-NETWORK

subnet 10.0.0.0 255.255.255.0

object network SMTP-PORTFORWARD

host 10.0.0.50

object network SMTP-SERVER-OUTGOING-PAT-SOURCE

host 10.0.0.50

object network SMTP-PAT

host x.x.x.x

object network SMTP-PORTFORWARD

nat (LAN,WAN) static x.x.x.x service tcp smtp smtp

nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT

nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface

As you can see the above configurations contain the following NATs.

Port Forward for SMTP traffic from WAN -> LAN for the extra public IP x.x.x.x
PAT configuration for the SMTP host. The public PAT address that is used is = x.x.x.x
PAT configuration for the whole LAN network (which also contains the host 10.0.0.50 ofcourse)

If you for example had the last default PAT configuration "nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface" and added the configuration "nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT" it would be inserted AFTER the default rule already created. This would mean that the SMTP host would still be showing with the WAN interface public IP and not the public IP x.x.x.x used in both port forward configurations and the new PAT configuration.

What you will have to do is add the NAT command with an additional "line number" which isnt visible in the CLI configuration.

The command would be

nat (LAN,WAN) after-auto 1 source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT
So the "1" will insert the new NAT rule as the first "after-auto" NAT rule.

But you will still have to take into account that the top most NAT rules (when issuing "show run nat" or looking from ASDM) might still override this configuration.

With the above configuration the "packet-tracer" test went through the way you would want them. Meaning SMTP host would be connected to with SMTP with the IP address x.x.x.x and it would also be visible to WAN with the public IP x.x.x.x when its initiating the connection.

Hope this helps Please rate if helpfull

Please ask if you need clarification.

- Jouni

Re: ASA 8.4 static NAT statements.

Justin Kurynny — Wed, 22 May 2013 16:38:32 GMT

Jouni,

I'm working on some static PAT config and found your post, here which is very helpful. I do have a question about something you wrote: I noticed that you said the following about the outside interface IP in your PAT configuration running on your 8.4 test ASA:

I did the following test configuration on my ASA
Please notice that the output also contains some other configurations. I added these to illustrate a situation where you have rules that might in certain situation overlap the configuration you are doing. I will explain more after the configurations.
x.x.x.x = additional public IP (so NOT the outside interface IP)
object network LAN-NETWORK
 subnet 10.0.0.0 255.255.255.0
object network SMTP-PORTFORWARD
 host 10.0.0.50
object network SMTP-SERVER-OUTGOING-PAT-SOURCE
 host 10.0.0.50
object network SMTP-PAT
 host x.x.x.x
object network SMTP-PORTFORWARD
 nat (LAN,WAN) static x.x.x.x service tcp smtp smtp
nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT
nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface

My question for you is that when you say that x.x.x.x is NOT the outside interface IP, is this because using the outside interface IP to do static PATs is unsupported? I am trying to do static PAT with the outside interface IP on ASA 9.0 and am having some difficulty with it. After reading your post I am wondering if this may be one of my problems.

Justin

ASA 8.4 static NAT statements.

Jouni Forss — Wed, 22 May 2013 16:45:21 GMT

Hi Justin,

There is nothing preventing you from using the ASA "interface" IP address for Static PAT. Its quite common actually.

If it isnt working for you some reason I would suspect there might be some NAT rule that is causing the Static PAT rule to be overriden.

Easiest way to determine this would be to see the NAT configuration and/or take some "packet-tracer" command output on the ASA to determine which NAT rules is matched against certain connections.

- Jouni

ASA 8.4 static NAT statements.

Justin Kurynny — Fri, 24 May 2013 18:04:14 GMT

Jouni,

Thanks for your help. I've got it working now with your examples for object NAT and I'm successfully using the outside interface IP. As a side note, it turns out the issue I was having was unrelated to the NAT setup. Rebuilding the ACLs ended up fixing the problem. I still saved a lot of configuration time with your original correct answer to this thread, so thank you.

Justin

ASA 8.4 static NAT statements.

Jouni Forss — Fri, 24 May 2013 19:07:54 GMT

Hi,

Glad to hear everythings working

Feel free to rate any helpfull answers.

- Jouni