topic Re: Problem created Policy NAT in Network Security

Problem created Policy NAT

rubens.palhoni — Mon, 11 Mar 2019 17:33:43 GMT

I need help on project my client with respect to some NAT rules that need to be created in a context of the FWSM that the client is

creating.

According to customer demand, there are two types of connections that need to be released. We conducted some tests using policy NAT but unfortunately we could not create the rules and therefore need your help.

I'll try to explain what client need according to the e-mail client below:

- Due to conflicts of IPs, we have customers that address on outside interface, the IP 192.168.8.3 and other IP 192.168.8.4 on port 3017/TCP

- The firewall should do static NAT and redirect those connections to the IP address 10.2.64.4 port 3017. configure the following NAT and static NAT policy for this situation without problems:

static (inside,outside) tcp 192.168.8.3 3017 10.2.64.4 3017 netmask 255.255.255.255

access-list NAT_3017_3017 line 1 remark ### Policy-NAT/Redirect porta 3017 para MF-SYSA:10.2.64.4 porta 3017

access-list NAT_3017_3017 line 2 extended permit tcp host 10.2.64.4 eq 3017 any

static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3017

- However, we have a situation when the source is the block 125.24.0.0/20 (client Claro GPRS) and IP address 192.168.8.4 on port 3017.

- In this case the firewall should do a static NAT / NAT Policy and redirect the connection to the IP 10.2.64.4 on port 3023/TCP.

To do this try the following, who presented the error below:

access-list NAT_3017_3023 line 1 remark ### Policy-NAT/Redirect porta 3017 para MF-SYSA:10.2.64.4 porta 3023

access-list NAT_3017_3023 line 2 extended permit tcp host 10.2.64.4 eq 3023 172.24.0.0 255.255.240.0

static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3023

Error:

FWSM-SYSTEM/CONTEXT(config)# static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3023

WARNING: real-address conflict with existing static

TCP inside:10.2.64.4/3023 to outside:192.168.8.3/3023 netmask 255.255.255.255

ERROR: mapped-address conflict with existing static

TCP inside:10.2.64.4/3017 to outside:192.168.8.4/3017 netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)]

{<mapped_ip>|interface}

{<real_ip> [netmask <mask>]} | {access-list <acl_name>}

[dns]

[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]

[udp <max_conns>]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{<mapped_ip>|interface} <mapped_port>

{<real_ip> <real_port> [netmask <mask>]} |

{access-list <acl_name>}

[dns]

[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]

[udp <max_conns>]

show running-config [all] static [<mapped_ip>]

clear configure static

- We also try the following configuration. Include in NAT_3017_3017 ACL (applied there in the beginning) to line 2 with the network 172.24.0.0 255.255.240.0 (source) without success:

access-list NAT_3017_3017 line 1 remark ### Policy-NAT/Redirect porta 3017 para MF-SYSA:10.2.64.4 porta 3017

access-list NAT_3017_3017 line 2 extended permit tcp host 10.2.64.4 eq 3023 172.24.0.0 255.255.240.0

access-list NAT_3017_3017 line 3 extended permit tcp host 10.2.64.4 eq 3017 any

static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3017

Error:

FWSM-SYSTEM/AUTOMACAO-COMERCIAL(config)# access-list NAT_3017_3017 line 2 exte$

ERROR: access-list used in static pat has different

local ports

ERROR: ACL is not valid for static

FWSM-SYSTEM/CONTEXT(config)#

This NAT is being migrated from a FreeBSD Firewall which works perfectly. rsssrrs.

It could take a look and give suggestions?

Thanks!!!

Re: Problem created Policy NAT

Kureli Sankar — Fri, 16 Apr 2010 11:24:58 GMT

Interesting. What FWSM code are you running? This should work.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/cfgnat_f.html#wp1042553

You can identify overlapping addresses in other nat commands. For example, you can identify 10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command in order, until the first match, or for regular NAT, using the best match.

See the following description about options for this command:

–access-list acl_name—Identify the real addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section on page 12-6). This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT and static NAT consider the inactive or time-range keywords and stop working when an ACE is inactive.

-KS

Re: Problem created Policy NAT

rubens.palhoni — Fri, 16 Apr 2010 12:48:59 GMT

Hi Kusankar,

I'm using IOS 4.0.7 in FWSM.

The strange thing is that even creating a NAT policy to match the source IP can not create the rule.

Att,

Rubens

Re: Problem created Policy NAT

Kureli Sankar — Fri, 16 Apr 2010 13:38:45 GMT

Could you pls. copy and paste the following:

sh run static

sh run access-list

that are tied to the static.

-KS

Re: Problem created Policy NAT

Kureli Sankar — Fri, 16 Apr 2010 14:19:41 GMT

Alright I have tried this out and this is not supported.

static (inside,out) tcp 44.44.44.44 3701 access-list net1
static (inside,out) tcp 44.44.44.44 3702 access-list net2

access-list net1 extended permit tcp host 1.1.1.1 eq 3701 host 100.100.100.1 eq 3701

access-list net2 extended permit tcp host 1.1.1.2 eq 3702 host 100.100.100.100 eq 3702

worked perfectly.

-KS

Re: Problem created Policy NAT

rubens.palhoni — Fri, 16 Apr 2010 14:48:46 GMT

Hi Kusankar,

Take a look at setting that could be applied and tests we performed:

#### With this setup worked perfectly applied traffic: #####

access-list NAT_3017_3023 extended permit tcp host 10.2.64.4 eq 3023 172.24.0.0 255.255.240.0

static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3023

#### With this set up NAT also worked perfectly: ####

static (inside,outside) tcp 192.168.8.3 3017 10.2.64.4 3017 netmask 255.255.255.255

#### Now, this rule could set up without problems, but the NAT is not being mounted. What I realized when creating the static NAT with nat policy without informing the protocol (TCP or UDP) and port access, the firewall does not mount the NAT. If the static is created with the protocol and port configuration have a conflict with the first rule created:

access-list NAT_3017_3017 extended permit tcp host 10.2.64.4 eq 3017 any range eq 1 65535

static (inside,outside) 192.168.8.4 access-list NAT_3017_3017

Any suggestions? Actually you can play this setup?

The setting range of port created in the ACL, it is necessary because when the connection is established by any outside source, the source IP uses random port. Therefore it was necessary to set up this way.

Att,

Rubens