topic Re: NAT for group of objects - how to? in Network Security

NAT for group of objects - how to?

orhan.tagizade — Mon, 11 Mar 2019 18:50:11 GMT

Hi everyone!

My ASA5505 has an external address of x.x.x.13. We have got another 2 spare ip addresses: x.x.x.10 and x.x.x.11.

We also have 2 internal hosts, which we need to provide with internet access using NAT. y.y.y.146 and y.y.y.70.

We recently updated our ASA to software version 8.3(1). I was thinking that I could do it using network objects and groups, but didn't understand quite good how this should be done.

The goal is to set up ASA in the way, that if either of the abovementioned 2 hosts will connect to the internet, it needs take one of 2 external addresses.

All other hosts should use PAT through x.x.x.13.

Thanks a lot in advance.

Re: NAT for group of objects - how to?

Rudresh Veerappaji — Tue, 05 Oct 2010 06:19:28 GMT

Hi Orhan,

I did not quite understand your exact requirement, is the below mentioned requirement? :

y.y.y.146 --------> x.x.x.10

y.y.y.70 --------> .x.x.x.11

If the above is the requirement, you need the following config:

 object network obj-y.y.y.146
   host y.y.y.146 

   nat (inside,outside) static x.x.x.10

 object network obj-y.y.y.70
   host y.y.y.70

   nat (inside,outside) static x.x.x.11

More info on comparision of pre-8.3 nat to 8.3 for your reference: https://cisco-support.hosted.jivesoftware.com/docs/DOC-9129

Let me know if this helps,

Cheers,

Rudresh V

Re: NAT for group of objects - how to?

Namit Agarwal — Tue, 05 Oct 2010 06:32:50 GMT

Hi ,

You can configure NAT as follows :

object network obj-x.x.x.10 
   host x.x.x.10 
   nat (inside,outside) static y.y.y.146  
 
 
 object network obj-x.x.x.11 
   host x.x.x.11 
   nat (inside,outside) static y.y.y.70.

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic x.x.x.13
Regards,

Namit

Re: NAT for group of objects - how to?

orhan.tagizade — Tue, 05 Oct 2010 07:05:28 GMT

Hi, everyone!

Thank you for your answers.

My idea actually was as follows:

Create a group , consisting of 2 internal hosts y.y.y.146 and y.y.y.70.

Allow this group to use 1 external address ( for example x.x.x.10) through NAT.

Internal hosts will not connect to the internet simultaneously, so I think 1 external address is enough.

May be it can be done using ACL? (not quite sure about this).

Re: NAT for group of objects - how to?

Namit Agarwal — Tue, 05 Oct 2010 09:24:06 GMT

Hi,

So what we are trying to achieve here is

internal host y.y.y.146 > translated to public IP x.x.x.10

internal host y.y.y.70 > translated to public IP x.x.x.11

and other internal hosts translated to public IP x.x.x.13

Please correct me if I am wrong.

Thanks,

Namit

Re: NAT for group of objects - how to?

orhan.tagizade — Tue, 05 Oct 2010 09:27:29 GMT

Hi, Namit!

Yes you are completely right.

Just a quick comment: is it possible to make a group of internal hosts use 1 public ip?

Appreciate your help.

Re: NAT for group of objects - how to?

Namit Agarwal — Tue, 05 Oct 2010 09:34:51 GMT

Hi,

We can definitely do that. We can use the following config

object network obj-y.y.y.0
   subnet y.y.y.0 255.255.255.0
   nat (inside,outside) dynamic x.x.x.10

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic x.x.x.13

The first part means the subnet y.y.y.0/24 will be translated to the IP address x.x.x.10

The second part means rest all the traffic will be translated to the IP address x.x.x.13

Cheers,

Namit

Re: NAT for group of objects - how to?

orhan.tagizade — Tue, 05 Oct 2010 09:39:45 GMT

Namit,

thanks for the answer.

We have got only one internal subnet: y.y.y.0/24

I need the following:

host y.y.y.146 and host y.y.y.70 to be included into group and translated into x.x.x.10 or x.x.x.11.

rest of the hosts from y.y.y.0/24 subnet will be translated dynamically to x.x.x.13

Re: NAT for group of objects - how to?

orhan.tagizade — Tue, 05 Oct 2010 09:55:17 GMT

Forgot to add: connection must be initiated only from inside hosts. No

inbound connection from addresses behind the outside interface (exce

pt 1 specific address) should be allowed.

Re: NAT for group of objects - how to?

Namit Agarwal — Tue, 05 Oct 2010 10:05:24 GMT

Hi ,

Yes we can make the following changes

object network obj-y.y.y.146
  host y.y.y.146
  nat (inside,outside) dynamic x.x.x.10

object network obj-y.y.y.70

host y.y.y.70

nat (inside,outside) dynamic x.x.x.10

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic x.x.x.13

We cannot put both the y.y.y.146 and y.y.y.70 under one object. But we can NAT them to the same IP x.x.x.10

Cheers,

Namit

Re: NAT for group of objects - how to?

orhan.tagizade — Tue, 05 Oct 2010 12:49:56 GMT

Thanks for the advise, everything set up as advised and hosts requests are translated correctly.

The problem is, as I described a few days ago in https://supportforums.cisco.com/thread/2044300

There is a Cisco VPN Client installed on both of the hosts (y.y.y.146 and y.y.y.70) and there is a IPsec VPN connection to external host 95.86.133.30 set up.

VPN Client establishes the connection and the a website is opened (you can see topology in thread which I gave link to above) https://172.23.19.5:7777/accr/ in internet explorer. But, unfortunately, IE shows "cannot display the webpage" error. When the connection is done using direct internet connection (using ADSL Modem or by using public IP on the provider switch (again as I have written in the thread referenced above) everything works ok.

Syslog is attached. I think some ACL must be created, but due to lack of knowledge, I cannot determine what rule to create to solve the issue.

Thanks in advance!

Re: NAT for group of objects - how to?

Namit Agarwal — Tue, 05 Oct 2010 13:12:40 GMT

Hi ,

Glad that the NAT worked out fine. Regarding the other problem I see that the other thread is marked as answered. Did you enable NAT-T as suggested there or use a Static IP ?

Thanks,

Namit

Re: NAT for group of objects - how to?

orhan.tagizade — Tue, 05 Oct 2010 14:00:35 GMT

Hey Namit,

Unfortunately, NAT-T is disabled on the other side and taking into account that we are unable to alter the configuration on the PIX Firewall (other side) I used the suggestion which was provided in the other thread to use a static NAT. That was actually the reason I started this thread.

Have you reviewed the syslog I attached to my previous post? Probably, the reason for the whole set up not working (Static NAT works, Cisco VPN client on the client machine is able to connect to the remote PIX, but we are not able to open the website which is behind the PIX firewall) can be seen in the syslog.

As I have written in my previous post I think that some sort of ACL must implemented.

Please advise after you see the syslog.

Many thanks.

Re: NAT for group of objects - how to?

Namit Agarwal — Tue, 05 Oct 2010 14:08:36 GMT

Hi ,

Please add the following entry in the ACL on the outside interface and try once again.

access-list outside_access_in extended permit ip host 95.86.133.30 any

access-list outside_access_in extended permit esp host 95.86.133.30 any

access-group outside_access_in in interface outside

Thanks,

Namit

Re: NAT for group of objects - how to?

orhan.tagizade — Wed, 06 Oct 2010 12:46:20 GMT

Namit,

I applied rules and attached them to the interface "outside"

But again, I was not able to open the website after a connection was made with cisco vpn client.

Please see syslog attached.

Thanks in advance

Re: NAT for group of objects - how to?

orhan.tagizade — Thu, 07 Oct 2010 10:52:32 GMT

Any news so far?

Re: NAT for group of objects - how to?

Namit Agarwal — Thu, 07 Oct 2010 14:29:56 GMT

Hi ,

Could you please provide the config on the ASA ?

Also please provide the output of the following command

capture cap type asp-drop all

sh cap | in 95.86.133.30

Thanks,

Namit

Re: NAT for group of objects - how to?

orhan.tagizade — Fri, 08 Oct 2010 10:33:44 GMT

Dear Namit,

Configuration and capture files are attached.

Btw,

command

sh cap | in 95.86.133.30

gave no response, thus i've downloaded capture file from ASA itself.

Thanks a lot!

PS: can it be somehow related to MSS?

PS2: i was searching through other forums and someone advised to check vpn pass-through. Don't know if it's somehow related to my problem, just wanted to share the information I acquired.

Re: NAT for group of objects - how to?

Namit Agarwal — Fri, 08 Oct 2010 10:59:27 GMT

Hi,

Please change the following in the config

From

object network mdo0003

nat (inside,outside) static 81.21.95.10

object network mdo0005

nat (inside,outside) static 81.21.95.10

object network mdo0003

nat (inside,outside) dynamic 81.21.95.10

object network mdo0005

nat (inside,outside) dynamic 81.21.95.10

Since we want both the IPs to be translated to 81.21.95.10

Let me know if this helps

Thanks,

Namit

Re: NAT for group of objects - how to?

orhan.tagizade — Fri, 08 Oct 2010 14:40:22 GMT

Hi, Namit!

I tried to change the configuration as you advised. Look what happened:

I configured dynamic NAT rule for network object mdo0003.

When I was trying to do the same for the network object mdo0005, ASA gave me the following error message:

pb-gw2(config-network-object)# nat (inside,outside) dynamic 81.21.95.10
WARNING: Pool (81.21.95.10) overlap with existing pool

Please see attached altered config. file.

After I made the changes, Cisco VPN client is not connecting to the remote host 95.86.133.30 at all, providing the error message 433 (see attached screenshot).

I also did a packet trace in ASDM (see screenshot attached)

I f you need syslog let me know.

Thanks in advance.