topic Re: Overlapping nat rule problem in Network Security

Overlapping nat rule problem

egthkaa20060417 — Mon, 11 Mar 2019 19:23:44 GMT

The following is the nat rules for my asa5510

static (LAN,WAN) tcp PCCW_Pri_SMTP ftp LAN_MS02 ftp netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP ssh LAN_MS02 ssh netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP www LAN_MS02 www netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Sec_SMTP 2525 LAN_MS02 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_Webmail https DMZ_MS01 https netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ssh DMZ_MS01 ssh netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP 27 DMZ_MS01 27 netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_FTP ftp DMZ_FTP ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (DMZ,LAN) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

When I tried to change the static rule "static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255 " to "static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255". I got the overlapping of nat error. How do I fix it? Thanks.

Re: Overlapping nat rule problem

Jennifer Halim — Fri, 17 Dec 2010 10:26:11 GMT

This line that you would like to change to:

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255

actually overlaps with the existing static NAT that you already have:

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255

You can't configure static PAT on the same ip address "DMZ_IronPort_2" on the same port (TCP/25). This is not supported.

Re: Overlapping nat rule problem

Renato Morais — Fri, 17 Dec 2010 11:57:50 GMT

The ASA 8.3 supports multiple public addresses mapped to a single internal address. For example:

object service smtp
service tcp destination eq smtp
nat (WAN,DMZ) 1 source static any any destination static PCCW_Pri_SMTP DMZ_IronPort_2 service smtp smtp unidirectional
nat (WAN,DMZ) 2 source static any any destination static PCCW_Sec_SMTP DMZ_IronPort_2 service smtp smtp unidirectional

You'd have to implement another rule to translate the outbound traffic.

Re: Overlapping nat rule problem

egthkaa20060417 — Sat, 18 Dec 2010 03:19:55 GMT

even I changed to

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_1

smtp netmask 255.255.255.255

I overlapped another rule static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

How to fix then?

Re: Overlapping nat rule problem

Jennifer Halim — Sat, 18 Dec 2010 03:35:09 GMT

And you please share the ip address of those names.

Need to understand/know what the ip address is exactly for all those names. Thanks.

"sh run name" output would do. Thanks.

Re: Overlapping nat rule problem

egthkaa20060417 — Mon, 20 Dec 2010 01:06:13 GMT

Here is part of sh run output

asdm image disk0:/asdm521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
name xx.xx.xx.102 PCCW_Pri_Webmail

name xx.xx.xx.103 PCCW_Sec_Webmail

name xx.xx.xx.104 PCCW_Pri_SMTP

name xx.xx.yy.150 PCCW_Sec_SMTP

name 172.16.0.16 DMZ_FTP

name 172.16.0.253 DMZ_IronPort
name 172.16.0.25 DMZ_MS01

name 192.168.10.25 LAN_MS02

name 172.16.0.252 DMZ_IronPort_2

name xx.xx.yy.151 PCCW_FTP

!
interface Ethernet0/0
nameif LAN
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/1
nameif WAN
security-level 0
ip address xx.xx.xx.101 255.255.255.248
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!

ftp mode passive
dns domain-lookup LAN
dns domain-lookup WAN
dns domain-lookup DMZ
dns server-group DNS
name-server 192.168.10.21
name-server 210.87.253.48
dns server-group DefaultDNS
domain-name default.domain.invalid

ip local pool VPNpool 192.168.20.1-192.168.20.10 mask 255.255.255.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.10.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 172.16.0.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
static (LAN,WAN) tcp PCCW_Pri_SMTP ftp LAN_MS02 ftp netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP ssh LAN_MS02 ssh netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP 27 LAN_MS02 27 netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP domain LAN_MS02 domain netmask 255.255.255.255
static (LAN,WAN) udp PCCW_Pri_SMTP domain LAN_MS02 domain netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP www LAN_MS02 www netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Sec_SMTP 2525 LAN_MS02 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_Webmail https DMZ_MS01 https netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ssh DMZ_MS01 ssh netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP 27 DMZ_MS01 27 netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP domain DMZ_MS01 domain netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP www DMZ_MS01 www netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_FTP ftp DMZ_FTP ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (DMZ,LAN) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
access-group LAN_access_in in interface LAN
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group DMZ_access_in in interface DMZ

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

!
!

Thanks.

Re: Overlapping nat rule problem

Jennifer Halim — Mon, 20 Dec 2010 02:45:10 GMT

Thanks for that, but I couldn't find DMZ_IronPort_1 name under the posted configuration.

You were saying that:

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_1 smtp netmask 255.255.255.255

overlapped another rule static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

If I convert those 2 static NAT lines to use ip address instead of name, here is what I got:

also assuming that "DMZ_IronPort_1" is "DMZ_IronPort" based on your posted configuration because i can't find "DMZ_IronPort_1"

static (DMZ,WAN) tcp xx.xx.xx.104 smtp 172.16.0.253 smtp netmask 255.255.255.255

static (LAN,WAN) xx.xx.yy.150 192.168.10.25 netmask 255.255.255.255

Those 2 static NAT shouldn't overlap as they are referring to different ip address. I would suggest that you configure the static NAT with ip address instead of name as it would be confusing sometimes with names.

Re: Overlapping nat rule problem

egthkaa20060417 — Mon, 20 Dec 2010 03:00:35 GMT

Sorry for missing the info. Actually, the ip of DMZ_IronPort_1 is 172.16.0.252.

I changed the NAT rule from ADSM instead of Command Line. I still get the same problem. Thanks.

Re: Overlapping nat rule problem

Jennifer Halim — Mon, 20 Dec 2010 03:03:29 GMT

Yes, that is the issue.

Currently 172.16.0.252 has been assigned to DMZ_IronPort_2 base on your naming configuration:

name 172.16.0.252 DMZ_IronPort_2

Re: Overlapping nat rule problem

egthkaa20060417 — Mon, 20 Dec 2010 03:08:02 GMT

I am sorry that. May be there is the typo. Pls replace the DMZ_IronPort_2 with DMZ_Iron_Port_1 Thanks.

Re: Overlapping nat rule problem

egthkaa20060417 — Mon, 20 Dec 2010 03:08:32 GMT

DMZ_IronPort_1

Re: Overlapping nat rule problem

Jennifer Halim — Mon, 20 Dec 2010 03:10:25 GMT

Ok, it is confusing now.

You already have the following configured:

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255

and I believe this is what you are trying to configure.

It is already in your configuration.

Re: Overlapping nat rule problem

egthkaa20060417 — Mon, 20 Dec 2010 03:11:38 GMT

Pls ignore the previous 2 msg

The actual comman should be this

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255

overlapped another rule static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

After I entered it, I got the overlapping error. Thanks and sorry for making you confused.

Re: Overlapping nat rule problem

egthkaa20060417 — Mon, 20 Dec 2010 03:24:51 GMT

Since there is the typo

Let me claify it

The original rule is

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

and I would like to change it to

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255

And I got the overlapping error. Sorry for the confusing. Thanks.

Re: Overlapping nat rule problem

egthkaa20060417 — Mon, 20 Dec 2010 06:28:31 GMT

Since there is the typo

Let me claify it

The original rule is

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

and I would like to change it to

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255

And I got the overlapping error. Sorry for the confusing. Thanks.

Re: Overlapping nat rule problem

mirober2 — Mon, 20 Dec 2010 13:58:31 GMT

Hi Steven,

This error is expected because the ASA cannot translate the same public IP and port to different internal hosts. Think about it this way:

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255

If a packet enters the WAN interface destined to PCCW_Sec_SMTP on TCP port 25, what should the destination address be translated to? Those rules are saying it should be translated to *both* DMZ_IronPort and DMZ_MS01, which is not possible. It can only be translated to 1 internal host.

As an alternative, you would need to use a different public IP address or change one of the mapped ports, such as:

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (DMZ,WAN) tcp ALT_PCCW_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP 2525 DMZ_MS01 smtp netmask 255.255.255.255

Hope that helps.

-Mike

Re: Overlapping nat rule problem

egthkaa20060417 — Tue, 21 Dec 2010 00:50:30 GMT

Hi Mike,

Originally, the existing rule is this

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

and I want to change it to

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

and I got the overlapping error with the rule: "static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255"

Hope that it can clarify my problem. Thanks.

Re: Overlapping nat rule problem

Jennifer Halim — Tue, 21 Dec 2010 08:12:25 GMT

Hi Steven,

You are using overlapping public ip address. You can't use the same ip address to configure static 1:1. You can configure static port address redirection on different ports using the same public ip address.

So currently the following 2 static NAT will overlap:

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

So the 2nd line is 1:1 static NAT and you can't reuse the same public ip address after you configure the static 1:1 NAT.

However, if you change the 2nd line to be static port address redirection on other ports than smtp, then it will work.

Example:

static (LAN,WAN) tcp PCCW_Sec_SMTP 3000 LAN_MS02 3000 netmask 255.255.255.255

(port 3000 is just an example, and you would need to change it to the port that you like access on for LAN_MS02 server accordingly).

Re: Overlapping nat rule problem

egthkaa20060417 — Tue, 21 Dec 2010 08:38:28 GMT

Hi Jennifer,

Then why the other rules e.g static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
will not cause the overlapping problem? Thanks.

Re: Overlapping nat rule problem

Jennifer Halim — Tue, 21 Dec 2010 08:48:59 GMT

Because it is static PAT, not static 1:1 NAT.

Difference is you are statically NATing 1 ip address to another ip address for static 1:1 NAT (and this means it includes all ports), while static PAT, you are NATing the ip address only base on 1 port.

The reason why it doesn't overlap with this:

static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255

is because the port is different. The above line is on port 21 (ftp), and the other one is on port 25 (smtp).