topic Static NAT in 8.4.2 in Network Security

Static NAT in 8.4.2

k.dimitrovski — Mon, 11 Mar 2019 22:46:01 GMT

I'm trying to do Object NAT in 8.4.2 for a mail server and I'm now seeing that the rule is working only from outside->inside. Whenever the mail server sends a message it is translated with the default Dynamic NAT defined in the rules.

I cannot understand why the twice nat isn't working in both directions.

I've attached screenshot of the rule and Packet Tracer test in the direction in which the problem occurs.

Just to clarify the server in the inside->outside direction has to be NATed with X.X.123.147 (ExchangePublic IP) but instead it is NATed woth X.X.123.146 (default dynamic NAT address).

Any suggestions?

Static NAT in 8.4.2

Jouni Forss — Fri, 23 Mar 2012 06:33:07 GMT

Hi,

Seems pretty strange to me.

Looking at the configuration in the packet-tracer input it seems that the default Dynamic NAT/PAT configuration should be one of the last NATs that the ASA would check if it didnt find a rule from the previous ones.

Can you please show how you configured the static NAT?

Should be something like this I think

object network EXCHANGE-STATIC

host x.x.x.x

nat (Inside,outside) static y.y.y.y dns

for example this should always NAT the servers traffic to the same public address when connecting outside.

And to my understanding that should already overwrite the rule show in the packet-tracer.

Have you checked what "show xlate" shows for your active translations on the firewall?

- Jouni

Static NAT in 8.4.2

k.dimitrovski — Fri, 23 Mar 2012 08:08:23 GMT

Here is the configuration from GUI:

These are the NAT rules from CLI:

object network Exchange

nat (Inside,outside) static ExchangePublic service tcp smtp smtp

nat (Inside,outside) after-auto source static NETWORK_OBJ_192.168.0.0_23 NETWORK_OBJ_192.168.0.0_23 destination static NETWORK_OBJ_10.10.0.0_26 NETWORK_OBJ_10.10.0.0_26 no-proxy-arp route-lookup

nat (outside,any) after-auto source static any any destination static interface Web.Form service Web.Form.8888 Web.Form.8888

nat (outside,any) after-auto source static any any destination static interface Web.Form service http http

nat (outside,Inside) after-auto source static any any destination static ExchangePublic Exchange service HTTPS HTTPS

nat (Inside,outside) after-auto source dynamic Company_LAN interface dns

Here's the xlate:

Result of the command: "show xlate local 192.168.1.13"

1043 in use, 2889 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from Inside:192.168.1.13 25-25 to outside:X.X.123.147 25-25

flags sr idle 0:03:18 timeout 0:00:00

TCP PAT from Inside:192.168.1.13 443-443 to outside:X.X.123.147 443-443

flags srT idle 0:11:38 timeout 0:00:00

I did clear xlate serveral times but nothing changed...

Re: Static NAT in 8.4.2

Jouni Forss — Fri, 23 Mar 2012 09:07:37 GMT

Hi,

Sorry I only use the CLI when configuring ASA

The first thing that caught my eye is the fact that you are doing NAT from outside to inside also?

nat (outside,Inside) after-auto source static any any destination static ExchangePublic Exchange service HTTPS HTTPS

Also theres this configuration

object network Exchange

host 192.168.1.13 (added this myself)

nat (Inside,outside) static ExchangePublic service tcp smtp smtp

It seems like you have done 2 separate configurations just to allow outside users to reach port TCP/443 and TCP/25 on your inside exchange server?

If the public IP address x.x.123.147 is reserved only for the Exchange server you dont really need these configurations

You could simply do the configuration I mentioned earlier, which is:

object network EXCHANGE-STATIC

host 192.168.1.13

nat (Inside,outside) static y.y.123.147 dns

And now you could reach the server from outside with its public IP address (provided your outside ACL allowed these connections). A connection coming to port TCP/25 would go trough to the servers actual IP address with port TCP/25. Same would apply to connections from outside to port TCP/443.

Also every connection from the server to outside would always use the public address of x.x.123.147 (unless you had some twice NAT / Policy NAT overriding it regarding some connections)

- Jouni

Static NAT in 8.4.2

k.dimitrovski — Mon, 02 Apr 2012 10:05:49 GMT

Unfortunately we cannot use this public IP address only for this server. We have to share it with some other services on other servers.

So I have to use port forwarding and I managed to get it working only with configuring two NAT rules (one incoming, one outgoing). Maybe Cisco had this in mind when they named it "Twice" NAT! 😄

I now have:

nat (Inside,outside) after-auto source static Exchange ExchangePublic service SMTP SMTP

nat (outside,Inside) after-auto source static any any destination static ExchangePublic Exchange service SMTP SMTP

Thanks for the answers JouniForss!

If anybody knows how can I enable the use of the "Twice NAT" so I can use only one rule for both directions please be kind enough and reply 🙂

Re: Static NAT in 8.4.2

Jouni Forss — Mon, 02 Apr 2012 10:36:01 GMT

Hi,

I just created some configurations on our ASA running in multiple context mode to test this out.

This context is at its very basic settings and heres the most essential configurations:

LAN and WAN interface:

interface TenGigabitEthernet0/8.251

description PAT

nameif outside

security-level 0

ip address 1.2.3.4 255.255.252.0

interface TenGigabitEthernet0/9.1251

description LAN

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

All NAT configurations

object network SERVER-LOCAL

host 10.10.10.100

nat (inside,outside) static interface service tcp smtp smtp

nat (inside,outside) after-auto source dynamic any interface

access-list OUTSIDE-IN remark Permit SMTP

access-list OUTSIDE-IN extended permit tcp any object SERVER-LOCAL eq smtp

So basically the above configurations state that all traffic from LAN to WAN is PATed to the outside interface IP

It also tells that connections coming from WAN towards outside interface IP with port TCP/25 will get forwarded to local host 10.10.10.100 on port TCP/25

Heres packet-tracer output for LAN -> WAN and WAN -> LAN (SMTP) traffic

outside interface IP address has been changed in the output and commands.

LAN -> WAN

packet-tracer input inside tcp 10.10.10.100 1025 55.66.77.88 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE-IN in interface inside

access-list INSIDE-IN extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) after-auto source dynamic any interface

Additional Information:

Dynamic translate 10.10.10.100/1025 to 1.2.3.4/23119

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 602888186, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

WAN -> LAN (SMTP port forwardng traffic)

packet-tracer input outside tcp 55.66.77.88 1025 1.2.3.4 25

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network SERVER-LOCAL

nat (inside,outside) static interface service tcp smtp smtp

Additional Information:

NAT divert to egress interface inside

Untranslate 1.2.3.4/25 to 10.10.10.100/25

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE-IN in interface outside

access-list OUTSIDE-IN extended permit tcp any object SERVER-LOCAL eq smtp

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network SERVER-LOCAL

nat (inside,outside) static interface service tcp smtp smtp

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 602901393, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

EDIT

When trying another type of NAT I got it working with this:

object network SERVER-LOCAL

host 10.10.10.100

object service SMTP-OUT

service tcp source eq smtp

nat (inside,outside) source static SERVER-LOCAL interface service SMTP-OUT SMTP-OUT

nat (inside,outside) after-auto source dynamic any interface

packet-tracer input outside tcp 55.66.77.88 1025 1.2.3.4 25

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static SERVER-LOCAL interface service SMTP-OUT SMTP-OUT

Additional Information:

NAT divert to egress interface inside

Untranslate 1.2.3.4/25 to 10.10.10.100/25

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE-IN in interface outside

access-list OUTSIDE-IN extended permit tcp any object SERVER-LOCAL eq smtp

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static SERVER-LOCAL interface service SMTP-OUT SMTP-OUT

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 603208853, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Please rate if it helps

- Jouni

Re: Static NAT in 8.4.2

k.dimitrovski — Mon, 02 Apr 2012 11:45:07 GMT

I don't know whether I've mentioned, but for this NAT I'm not using the Outside interface IP. I'm using another IP that is routed from the ISP towards the Outside interface. Maybe this has something with the problem I have or maybe not.

You're getting the correct NAT because the LAN-> WAN translation is done by:

nat (inside,outside) after-auto source dynamic any interface

and not by the port forward NAT.

I'm getting the same result but in my case the Dynamic NAT IP and the ExchangeWAN IPs are different.

Re: Static NAT in 8.4.2

llamaw0rksE — Mon, 02 Apr 2012 12:14:39 GMT

Let me understand what is being attempted here........

A. you have a mail server which needs to be reached by external users via port 25.

Does email only come in from external users on 123.146 or on 123.147, or both??

B. sometimes unsoliticed the mail server sends email messages to external users but has to use .123.137 to do this.

(could be an automatic mailing or someone within the corporation, behind the router sends an email outbound)??

C. you have a dynamic pat rule which sends out host traffic on 123.146.

( This is an excellent manual nat example which needs much better documentation with gui pics in the documentation, plug for my earlier post 🙂 )

With a nat object rule in place email from the outside users should get to the mail server and be sent back the way it came. I think thats what your saying is that the static nat rule is working. Presuming all this mail is coming in on the 123.147 outside interface IP. BUT you have C, which is a dynamic pat rule for users behind the router to reach the internet etc and that is set for 123.146. Unfortunately this affects your mail server sending out email messages unsolicited (originating behind the router) or users sending out email from within the LAN. Due to the dynamic rule these are going out the wrong 123.146 interface.

The discussion above should clearly delineate requirements and the issues before delving into snippets of potential solutions. One of my beefs on this forum in that discussions should be much more education focussed with concepts, requirements analysis and then solutions. Okay only because I am cisco illiterate and need my hand held. 🙂

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

The embedded NAT rule in the first post looks right for a standard port forwarding to a mail server. Apparently, because I have never done one (and thus my interest) you need a way to also handle email originating within the router (twice or manual NAT). The bane of my existence.

Questions:

1. Can a manual nat rule for email originating within the router overrule a dynamic pat rule for hosts to use a specific wanIP??

2. Can you have more than one dynamic pat rules and specifically a second dynamic pat rule for a specifc host (email server) to use 123.147?

3. It appears that order of NAT rules will probably be important (especially in 2.)

Re: Static NAT in 8.4.2

Jouni Forss — Mon, 02 Apr 2012 12:35:04 GMT

Hi,

Think I'm already starting to mix up all the different posts I've been answering.

So you have the ASA outside interface IP for PAT use

Also you have a addiotional public IP (that can't be used for the one server alone)

I guess in your original setup the port forward worked fine, but when the server is sending traffic from LAN it wont match the NAT statement on your firewall.

I guess your addiotional NAT statement above now handles that direction and it doesnt fall to the default PAT anymore?

To be honest I don't run into similiar situations much since we require to have a public IP for a server and we dont do portforwarding unless its a small environment and even then not without a good reason. It needlesly complicates the setup when considering configurations and maintanance.

- Jouni

Re: Static NAT in 8.4.2

llamaw0rksE — Mon, 02 Apr 2012 12:38:46 GMT

Okay, I have a simple ASA 5505 without the luxury of a second WANIP so this is not as helpful as I would like it to be.

I created a NAT rule from nat rules (vice embedded nat object). I note that the asdm placed this nat rule before the dynamic pat rules!!!

asdm history enable

arp timeout 14400

nat (main-lan,outside) source static mailserver interface service exchangetraffic exchangetraffic !

object network obj_any_main-lan

nat (main-lan,outside) dynamic interface

object network obj_any-admin-dmz

nat (admin-dmz,outside) dynamic interface

object network NAT4OM3

nat (main-lan,outside) static interface service tcp https https

(my manual static nat rule, followed by my two dynamic pat rules (for inside and dmz) and the first of a few embedded NAT object rules). By the way packet tracing worked fine.

Jpegs to follow

Re: Static NAT in 8.4.2

llamaw0rksE — Mon, 02 Apr 2012 12:47:07 GMT

Jounifoss, the questions appear to be,,,,,,,,

How to setup the cisco so that outgoing mail traffic goes out 123.147, when there is a general dyamic pat rule guiding oubtound traffic out 123.146.

Is this more do to with routing rules then! Where the router needs to know a route to 123.147 exists??

Please discuss and answer the relationship here between, dyanamic pat, routing, and manual static rules (and embedded Nat objects if need be). I think ACLs is probably the least of worries most straightforward.

As for mixups of course, without discerning the underlying requirements fully, its like urinating into the wind. 🙂