topic Re: [Cisco ASA - NAT with version 9.12] in Network Security

[Cisco ASA - NAT with version 9.12]

net buzz — Fri, 21 Feb 2020 17:22:25 GMT

Dear all,

The Cisco ASA firewall has been upgraded from version 8.2 to version 9.12 and the configuration done accordingly.

With the new configuration, the services are not working.

Thanks to advise on the solution.

Scenarios are as follows:

Inbound Mail
Web Mail
Web Server

Version 8.2 Configuration:

Inbound ACL:

access-list out_in extended permit tcp any host Mail-Server-Public-IP eq smtp
access-list out_in extended permit tcp any host Web-Mail-Public-IP eq https

access-list out_in extended permit tcp any host Web-Server-Public-IP eq https

Outbound ACL:

access-list in_out extended permit ip y.y.y.y 255.255.255.0 any

NAT:

static (dmz,outside) tcp Mail-Server-Public-IP smtp Mail-Server-IP smtp netmask 255.255.255.255
static (inside,outside) tcp Web-Mail-Public-IP https Web-Mail-IP https netmask 255.255.255.255
static (inside,outside) tcp Web-Server-Public-IP https Web-Server-IP https netmask 255.255.255.255

global (outside) 1 z.z.z.z netmask 255.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

Version 9.12 Configuration:

Objects:

object network Mail-Server-IP
host a.a.a.a
object network Mail-Server-Public-IP

host b.b.b.b

object network Web-Mail-IP
host c.c.c.c
object network Web-Mail-Public-IP

host d.d.d.d

object network Web-Server-IP
host e.e.e.e
object network Web-Server-Public-IP

host f.f.f.f

object network OBJ-Internet
host x.x.x.x

object service OBJ-TCP-https
service tcp source eq https

Inbound ACL:

access-list out_in extended permit tcp any host Mail-Server-Public-IP eq smtp
access-list out_in extended permit tcp any host Web-Mail-Public-IP eq https

access-list out_in extended permit tcp any host Web-Server-Public-IP eq https

Outbound ACL:

access-list in_out extended permit ip y.y.y.y 255.255.255.0 any

NAT:

nat (dmz,outside) source static Mail-Server-IP Mail-Server-Public-IP

nat (inside,outside) source static Web-Mail-IP Web-Mail-Public-IP service OBJ-TCP-https OBJ-TCP-https

nat (inside,outside) source static Web-Server-IP Web-Server-Public-IP service OBJ-TCP-https OBJ-TCP-https

nat (inside,outside) after-auto source dynamic any OBJ-Internet description PAT

Re: [Cisco ASA - NAT with version 9.12]

Rob Ingram — Tue, 06 Aug 2019 09:00:22 GMT

Hi,
On ASA v 9.x you need to reference the Real IP address (private IP address) in the ACLs rather than the Public (NATTED) IP address. Make the changes and if that doesn't work, please provide the output of packet-tracer.

HTH

Re: [Cisco ASA - NAT with version 9.12]

net buzz — Tue, 06 Aug 2019 09:09:01 GMT

Dear RJI,

Thanks for the update.

I will re-configure and test.

Are the NAT statements well configured?

Re: [Cisco ASA - NAT with version 9.12]

Rob Ingram — Tue, 06 Aug 2019 09:35:39 GMT

You can do it your way, or alternatively:-

object network SRV1
host 10.2.2.5
nat (inside,outside) static 1.1.1.1 service tcp 80 80

NOTE - in this instance the nat is configured under the network object, not globally.

HTH

Re: [Cisco ASA - NAT with version 9.12]

net buzz — Tue, 13 Aug 2019 14:13:28 GMT

Dear RJI,

Are the following NAT statements correct?

For Inbound SMTP traffic:

nat (dmz,outside) source static Mail-Server-IP Mail-Server-Public-IP service obj-smtp obj-smtp

For Inbound HTTPS traffic:

nat (inside,outside) source static Web-Server-IP Web-Server-Public-IP service obj-https obj-https

For Outbound Browsing:

nat (inside,outside) after-auto source dynamic any obj-Public-IP description PAT

Re: [Cisco ASA - NAT with version 9.12]

Rob Ingram — Tue, 13 Aug 2019 17:34:32 GMT

They look ok. Are they not working?

Have you changed the access list to reflect the private IP address of the servers rather than the public IP address.