topic Re: ASA5505 with software 8.3(1) NAT/PAT in Network Security

ASA5505 with software 8.3(1) NAT/PAT

Rodrigo Gurriti — Mon, 11 Mar 2019 17:49:32 GMT

Hello

I have the following scenario:

ASA5505 connected to a DSL modem, and behind this ASA i have a Linux machine that people need to access via SSH. I have it mapped to my outside interface doing PAT

static (inside,outside) tcp interface ssh linux ssh

I had running on 8.2(2) with no problems but I had to mess with fire and I installed the 8.3(1).

Here is my config for PAT on 8.3(1)

object service linux-ports
service tcp source eq ssh

nat (inside,outside) source static linux interface service linux-ports linux-ports

1st question does anyone know a way to read this nat command above ?

The old one was easy ... use the outside interface IP and port ssh to map the linux IP port ssh inside

2nd I understand that now we only going to use object statments to do NAT.

Should my object service be destination not source ? Think about .. I want to map a destination port on my interface not the source ... I've tried doing source doesn't work

3rd Why cisco doesnt have documentation ready ? Cisco docs' have different comands for instance:

nat (inside,outside) source static linux interface service linux-ports linux-ports ---> command on my ASA

nat (inside,outside) static linux interface service linux-ports linux-ports ---> Cisco docs'

Re: ASA5505 with software 8.3(1) NAT/PAT

Jennifer Halim — Sun, 23 May 2010 23:23:22 GMT

1st - nat (inside,outside) source static linux interface service linux-ports linux-ports

When the old static statement (8.2 and below version) is normally static (inside,outside) outside-address inside-address,

the new (8.3 version) static statement is to be read as follows: nat (inside,outside) inside outside

So from your example, it would be nat (inside,outside) linux-private-ip outside-interface-ip

2nd - you can know NAT both source and destination service. But as far as your nat statement is concern:

nat (inside,outside) source static linux interface service linux-ports linux-ports

it has been correctly configured.

One thing that you would like to double check that could be the issue is the outside ACL. On the pre 8.3 version, on the outside ACL, you would need to specifcy the public (prior to NAT ip address), and after 8.3 version, the outside ACL needs to be configured with the private ip address.

Example:

Server ip is 10.1.1.1 --> NAT to 200.1.1.1

Version 8.2:

access-list outside-acl permit tcp any host 200.1.1.1 eq 22

access-group outside-acl in interface outside

Version 8.3:

access-list outside-acl permit tcp any host 10.1.1.1 eq 22

access-group outside-acl in interface outside

3rd - There are 2 different NAT statements that you can configure as per your example:

nat (inside,outside) source static linux interface service linux-ports linux-ports ---> is called twice NAT/manual NAT

nat (inside,outside) static linux interface service linux-ports linux-ports ---> is called network object NAT/auto NAT

Here is the NAT order of operation in version 8.3 for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

Hope the above explaination helps.

Re: ASA5505 with software 8.3(1) NAT/PAT

Rodrigo Gurriti — Mon, 24 May 2010 00:07:41 GMT

halijenn,

Thanks for your reply...

I dont know if its because its 5505 or what but i don't have the option:

nat (inside,outside) static

I only have

nat (inside,outside) source static

I'm reading the documentation you posted !

Thank you

Re: ASA5505 with software 8.3(1) NAT/PAT

Jennifer Halim — Mon, 24 May 2010 00:12:36 GMT

For this: nat (inside,outside) static

Here is how you would configure it:

object network obj-linux
host linux
nat (inside,outside) static interface service tcp 22 22

Re: ASA5505 with software 8.3(1) NAT/PAT

Rodrigo Gurriti — Mon, 24 May 2010 00:35:01 GMT

Hooo I see very good ... now it make sense

one more question ... lets say i need to do a NAT 0 because a VPN how does it work ? Can I also do in object ?

Thank you !

Re: ASA5505 with software 8.3(1) NAT/PAT

Jennifer Halim — Mon, 24 May 2010 00:48:25 GMT

No, with NAT exemption for VPN, you would need to use the NAT statement (Twice NAT).

Rule of thumb: anything basic NAT, you can configure using the object NAT (auto NAT), anything slightly more specific, ie: ACL (NAT exemption or policy NAT), you would need to use the NAT statement (Twice NAT).

Here is an example for you for NAT exemption (in VPN scenario):

Local LAN: 10.1.1.0/24

Remote LAN: 192.168.1.0/24

object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0

object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

Unfortunately there are more steps to be configured compared to the NAT 0 with ACL on the previous version. However, it provides more flexibility in a more complicated scenario which sometimes is not supported in the old version.

Re: ASA5505 with software 8.3(1) NAT/PAT

Rodrigo Gurriti — Mon, 24 May 2010 01:00:45 GMT

That is what i think confuses:

nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

It repeats itself, and the IOS ? doesn't explain how you need to configure. how do you read the above rule ?

An other think I saw is that you cannot do 2 NAT statment's on the same object

Re: ASA5505 with software 8.3(1) NAT/PAT

Jennifer Halim — Mon, 24 May 2010 01:07:10 GMT

With this statement:

nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

First obj-10.1.1.0 means pre-NAT

Second obj-10.1.1.0 means post-NAT (what you would like to NAT it to), and in this case, because you want NAT exemption, it will be the same object.

First obj-192.168.1.0 means pre-NAT for the destination subnet

Second obj-192.168.1.0 means post-NAT for the destination subnet, and since you also don't want to NAT the destination subnet, it will be the same object.

Say for example you would like to NAT 10.1.1.0/24 subnet to 172.16.1.0/24 subnet when traffic is destined to 192.168.1.0/24:

object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0

object network obj-172.16.1.0
subnet 172.16.1.0 255.255.255.0

object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source static obj-10.1.1.0 obj-172.16.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

Hopefully it makes a bit more sense now.

Re: ASA5505 with software 8.3(1) NAT/PAT

Rodrigo Gurriti — Mon, 24 May 2010 01:14:05 GMT

Thanks ! you really helped me !

Re: ASA5505 with software 8.3(1) NAT/PAT

Jennifer Halim — Mon, 24 May 2010 01:28:15 GMT

Glad to help, and thanks for the ratings.