topic Re: Policy NAT / Conditional NAT in Network Security

Policy NAT / Conditional NAT

uzair syed naveed — Mon, 11 Mar 2019 18:26:35 GMT

Hi Guys,

I need your help in getting a resolution to the Natting problem mentioned below.

I have a 10.x.x.x network in place(site A). Another partner who also houses a 10.x.x.x subnet(site B) needs to access a particular server within Site A.

1. Site B has a group of 6 servers which need to communicate with the server in Site A.

2. The 6 servers at site B would be statically natted and the requests from Site B -> Site A will be unidirectional in nature. The public ip at Site A would also be Natted to permit these 6 ip's.

3. The server housed in Site A caters to requests both from Site B as well as from other sites via the same public ip.

4. A simple straightforward static nat causes every request coming to the public ip to get natted.

static (inside,outside) public_ip Server_ip netmask 255.255.255.255

5. To solve this a policy / conditional NAT has been configured as follows...

NOTE: PUBLIC_IP = public ip pointing to the Site A server; SITE_B_CLUSTER=6 servers at Site B

access-list outside-incoming extended permit tcp object-group SITE_B-CLUSTER host PUBLIC_IP object-group TCP-PORTS

access-list conditional-nat extended permit tcp object-group SITE_B-CLUSTER host PUBLIC_IP object-group TCP-PORTS

static (inside,outside) PUBLIC_IP access-list conditional-nat

6. Now when i am configuring this i am encountering the following errors...

Protocol mismatch between the static and access-list - Solved this by making my conditional-nat acl into ip based.
access-list used in static has different local addresses

I am not able to solve the 2nd error. Could someone please help?

I would also like to know what are my alternatives if i have to maintain the conditonal-nat access-list at a tcp based ACL?

I would also like some material which i could read on policy Nat & Nat Basics.

Thanking You,

Regards,

Uzair Syed Naveed

Re: Policy NAT / Conditional NAT

praprama — Tue, 17 Aug 2010 14:08:08 GMT

Hi,

Please refer to the below document for information about configuring Static policy NAT:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1074755

For information about Policy NAT in general (dynamic and static), refer to the below page:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

The error message you are seeing is because the way you are configuring Static policy NAT is incorrect. The ACL "outside-inside" is alright but the access list being used for the NAT, that is, "conditional-nat" is configured the reverse of the way it should be.

Basically, you will need an ACL specifying IP traffic from the SIte A server's real IP (in the 10.x.x.x) range destined to the Site B server's IP addresses (SITE_B_CLUSTER). Once you have such an ACL ready, create the static with this ACL and the PUBLIC_IP as the translated IP.

I hope this information helps.

All the best!!

Thanks and Regards,

Prapanch

Re: Policy NAT / Conditional NAT

Jitendriya Athavale — Tue, 17 Aug 2010 14:46:46 GMT

uzair,

firstly let me start with the erro message

the second error message you are concerned about, you are getting this because what you are telling the firewall that the local ip address are on your inside and they all need to statically translated to one public ip. as you can see this does not make much sense

secondly as prapanch pointed out you have the static wrongly configured as this gives the firewall a feeling that the local hots are on your inside

lastly, i do not understand why you are concerned about using

static (inside,outside) public_ip Server_ip netmask 255.255.255.255

please note this is destination nat, which mean the destination ip is translated. this does not mean that the source ip of all the hosts from internet is translated

i hope this clears your doubt

Re: Policy NAT / Conditional NAT

uzair syed naveed — Tue, 17 Aug 2010 16:42:47 GMT

Hello Prapanch,

Thank you for your response. This clarifies things quite a bit. i do have a doubt here...

If i have an ACL specifying IP traffic from the SIte A server's real IP (in the 10.x.x.x) range destined to the Site B server's IP addresses (SITE_B_CLUSTER). then how would that help, and why would it be required logically?

I mean, the requests are only unidirectional from site b -> site A and the reason we are applying the acl is to implement the condition that, only specific requests from the SITE_B_CLUSTER get translated to SITE_A_public ip.

ohh and before i forget...

THANK YOU for all your help.

you have been a big help. Ill be implementing this tomorrow morning. Ill get back in case i do have some problem here.

Regards,

Uzair Syed Naveed

Re: Policy NAT / Conditional NAT

praprama — Wed, 18 Aug 2010 00:59:03 GMT

Hi Uzair,

Well, frankly speaking, the fact is that this is the way we are supposed ot configure Policy NAT on the ASA. This is how it works practically:

static (inside,outside) PUBLIC_IP access-list conditional-nat

access-list condition-nat permit ip host SITEA-SERVER object-group SITEB_SERVERS

Now when the ASA sees a request coming in on the "outside" interface for the PUBLIC_IP and it is sourced from the one of the IP addresses in the "object-group SITEB_SERVERS", then ASA will match this against this Static policy NAT that we have configured and will untranslate the PUBLIC_IP to the real ip of the server SITEA_SERVER and route the traffic out the "inside" interface.

Now if the ASA receives a request on the "outside" interface for the PUBLIC_IP but the packet's source IP is not in the object-group SITEB_SERVERS, then the ASA will not match this packet against this STatic NAT and will try to match it against the rest of the config that we have on the ASA.

Hope this makes things clear. Let me know if there are any gray areas

Regards,
Prapanch