<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic NAT Questions in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794495#M533777</link>
    <description>&lt;P&gt;Can anyone help me?&lt;/P&gt;&lt;P&gt;I would like to know if the following is possible on an ASA. I have tried to get this working but I am having great difficulties:&lt;/P&gt;&lt;P&gt;I have a three-interface ASA running 8.3 and I want to have the following functionality:&lt;/P&gt;&lt;P&gt;1) Have some hosts on the DMZ interface use static NAT for bidirectional communications (which is typical).&lt;/P&gt;&lt;P&gt;2) Have some hosts on the DMZ interface access the Internet using PAT (NAT hide), for example hosts that are members of a load-balanced group and so do not need a static entry.&lt;/P&gt;&lt;P&gt;3) Ensure all hosts are accessible from remote access VPN clients using NAT identity (static NAT of the VPN client pool address to itself).&lt;/P&gt;&lt;P&gt;The problem is that when I have NAT identity and PAT configured at the same time, only one method of access works, which I believe is to do with the NAT order of operation.&lt;/P&gt;&lt;P&gt;Is it possible to do what I require?&lt;/P&gt;&lt;P&gt;Please help .... It is difficult to send a config as the firewall I have been tasked to work on is a complete mess!!! But I will try and put together the relevant parts and post in due course.&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 21:10:20 GMT</pubDate>
    <dc:creator>paultribe</dc:creator>
    <dc:date>2019-03-11T21:10:20Z</dc:date>
    <item>
      <title>NAT Questions</title>
      <link>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794495#M533777</link>
      <description>&lt;P&gt;Can anyone help me?&lt;/P&gt;&lt;P&gt;I would like to know if the following is possible on an ASA. I have tried to get this working but I am having great difficulties:&lt;/P&gt;&lt;P&gt;I have a three-interface ASA running 8.3 and I want to have the following functionality:&lt;/P&gt;&lt;P&gt;1) Have some hosts on the DMZ interface use static NAT for bidirectional communications (which is typical).&lt;/P&gt;&lt;P&gt;2) Have some hosts on the DMZ interface access the Internet using PAT (NAT hide), for example hosts that are members of a load-balanced group and so do not need a static entry.&lt;/P&gt;&lt;P&gt;3) Ensure all hosts are accessible from remote access VPN clients using NAT identity (static NAT of the VPN client pool address to itself).&lt;/P&gt;&lt;P&gt;The problem is that when I have NAT identity and PAT configured at the same time, only one method of access works, which I believe is to do with the NAT order of operation.&lt;/P&gt;&lt;P&gt;Is it possible to do what I require?&lt;/P&gt;&lt;P&gt;Please help .... It is difficult to send a config as the firewall I have been tasked to work on is a complete mess!!! But I will try and put together the relevant parts and post in due course.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 21:10:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794495#M533777</guid>
      <dc:creator>paultribe</dc:creator>
      <dc:date>2019-03-11T21:10:20Z</dc:date>
    </item>
    <item>
      <title>NAT Questions</title>
      <link>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794496#M533779</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Paul,&lt;/P&gt;&lt;P&gt;The first two are very typical and can surely be done, but static NAT users, if they access the Internet, would always use the mapped IP and not the PAT IP.&lt;/P&gt;&lt;P&gt;For the 3rd, in 8.3 there is no NAT preference; the one which is most specific would take precedence. We just have two types of NAT, auto NAT and manual NAT, and manual NAT takes preference. So there is not really a NAT exempt or PAT preference; it depends upon the flow of traffic, the order in the NAT table and how specific it is.&lt;/P&gt;&lt;P&gt;-Thanks,&lt;/P&gt;&lt;P&gt;Varun&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 11 Aug 2011 16:15:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794496#M533779</guid>
      <dc:creator>varrao</dc:creator>
      <dc:date>2011-08-11T16:15:07Z</dc:date>
    </item>
    <item>
      <title>NAT Questions</title>
      <link>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794497#M533781</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;When the VPN host tries to access a host in the DMZ that does not have a static NAT I get the following message:&lt;/P&gt;&lt;P&gt;%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection &lt;EM&gt;protocol&lt;/EM&gt; src &lt;EM&gt;interface_name&lt;/EM&gt;:&lt;EM&gt;source_address&lt;/EM&gt;/&lt;EM&gt;source_port&lt;/EM&gt;[(&lt;EM&gt;idfw_user&lt;/EM&gt;)] dst &lt;EM&gt;interface_name&lt;/EM&gt;:&lt;EM&gt;dst_address&lt;/EM&gt;/&lt;EM&gt;dst_port&lt;/EM&gt;[(&lt;EM&gt;idfw_user&lt;/EM&gt;)] denied due to NAT reverse path failure.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 11 Aug 2011 16:38:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794497#M533781</guid>
      <dc:creator>paultribe</dc:creator>
      <dc:date>2011-08-11T16:38:32Z</dc:date>
    </item>
    <item>
      <title>NAT Questions</title>
      <link>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794498#M533783</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Paul,&lt;/P&gt;&lt;P&gt;In a packet flow, the packets are checked for translations from source to destination and vice versa as well. If there is a NAT statement which takes precedence over the NAT statement that we are using for the return packet, that's when you see the error, or if there is no translation for the reverse flow. So it might be difficult to point out the missing chunk in your config; that could only be done after having a look at the config and understanding the flow.&lt;/P&gt;&lt;P&gt;-Varun&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 11 Aug 2011 18:24:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794498#M533783</guid>
      <dc:creator>varrao</dc:creator>
      <dc:date>2011-08-11T18:24:18Z</dc:date>
    </item>
    <item>
      <title>NAT Questions</title>
      <link>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794499#M533786</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Varun (in case you are interested)&lt;/P&gt;&lt;P&gt;I have managed to resolve the issue now. I should have mentioned that the task I am doing is also upgrading the ASA from 8.2 to 8.3.&lt;/P&gt;&lt;P&gt;I found that during the upgrade all of the original No NAT statements that let VPN clients access internal resources also did not work. I found that this was due to the upgrade procedure making the rules "unidirectional". Once I corrected this I applied the same type of No NAT rule to my new DMZ interface and everything now works.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Paul&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 12 Aug 2011 11:08:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794499#M533786</guid>
      <dc:creator>paultribe</dc:creator>
      <dc:date>2011-08-12T11:08:41Z</dc:date>
    </item>
    <item>
      <title>NAT Questions</title>
      <link>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794500#M533788</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hey, that's good. I am very much interested, and yes, if you were upgrading to version 8.3 you might hit this bug: CSCti36048. As I said, the unidirectional keyword restricts the traffic to only one direction, so that caused the error message.&lt;/P&gt;&lt;P&gt;-Varun&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 12 Aug 2011 11:21:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nat-questions/m-p/1794500#M533788</guid>
      <dc:creator>varrao</dc:creator>
      <dc:date>2011-08-12T11:21:41Z</dc:date>
    </item>
  </channel>
</rss>