topic ASA 8.3+ NAT/ACL problem in Network Security

ASA 8.3+ NAT/ACL problem

Kooopobol — Mon, 11 Mar 2019 21:39:11 GMT

Hello,

Since the 8.3 release, addresses used in ACL have to be untranslated ones.

But it is not compatible with our configuration.

I explain :

We have 2 static NAT rules :

- (Static Policy) MyHost is converted to 2.2.2.2 when the destination is X

- (Static) MyHost is converted to 2.2.2.3 for all others destinations

In 8.2.2 we had an ACL which authorized ICMP from X to 2.2.2.2 (X for source and 2.2.2.2 for destination in Access Rule)

Now, in 8.4.2, we have to use MyHost instead of 2.2.2.2. (X for source and MyHost for destination in Access Rule)

The problem is that MyHost automatically corresponds to 2.2.2.3, not 2.2.2.2

So the ICMP is authorized from X to 2.2.2.3, not 2.2.2.2...

Is there any trick to bypass this ?

Thanks

ASA 8.3+ NAT/ACL problem

varrao — Tue, 18 Oct 2011 08:33:40 GMT

Can you post the config, we can have a look at it and will suggest you the right configuration for it.

Just make sure that the nat rule for 2.2.2.2 is above the nat rule for 2.2.2.3 in the nat order.

Varun

ASA 8.3+ NAT/ACL problem

Kooopobol — Tue, 18 Oct 2011 10:01:17 GMT

Thanks for your answer,

Rule 2.2.2.2 is above 2.2.2.3 (2.2.2.2 is NAT Rule, 2.2.2.3 is Network Object NAT Rule)

For security reasons I can't post the entire conf..

Could we use translated address in ACL, like in pre-8.3 releases ?

Thanks

ASA 8.3+ NAT/ACL problem

varrao — Tue, 18 Oct 2011 10:13:15 GMT

No in Post 8.3 configuration you only need to use real ip's rather than trranslated ip's. Could you just explauin me the complete traffic flow, like bnehind whihc interface is the soutrce from where you are pinging and behind whihc interface is the destination. If need be, I'll suggest you the natting for it.

Varun

ASA 8.3+ NAT/ACL problem

Kooopobol — Wed, 19 Oct 2011 07:59:13 GMT

There are two interfaces : Inside and outside

MyHost is a Network Object corresponding to 192.168.1.2.

We have two static NAT Rules :

- One which translates MyHost to 2.2.2.2 when the destination of the packet is X [ from inside to outside]

- One which translates MyHost to 2.2.2.3 no matter the destination [from inside to outside]

2.2.2.2 rule is above 2.2.2.3 one.

For the Access Rules :

On interface outside (inbounds connections) :

Permit ICMP from X to 2.2.2.2

Permit SSH from X to 2.2.2.2

Like I said in 8.4.2 we have to use MyHost instead of 2.2.2.2 in Access Rules, but MyHost automatically corresponds to 2.2.2.3 translated address.

ASA 8.3+ NAT/ACL problem

varrao — Wed, 19 Oct 2011 18:10:20 GMT

Hi Armand,

Try this nat statement in teh same order:

nat (outside,inside) source static X X destination static obj-2.2.2.2 MyHost

nat (outside,inside) source static any any destination static obj-2.2.2.3 MyHost

After this do:

clear local-host 192.168.1.2

and then try again.

Thanks,

Varun