topic Re: ASA 5510 with Static NAT in Network Security

ASA 5510 with Static NAT

psaravanan — Mon, 11 Mar 2019 16:48:53 GMT

Hi friends,

I am saravanan from Bangalore. In one of our customer require to put static IP to access from outside (internet).

Inside ------------------------> ASA 5510 -----------------> 1800 router ------> outside

192.168.10.0/24 .254 10.1.1.253/30 .254/30 218.X.X.177

Actually here In router we configured the static nat translation, but i want to configure in ASA 5510, so i tried to configure in static nat but i can't able to configure. Please check the config.

then i want to allow FTP, Telnet, Remote desktop, http, https also.

static (inside, outside) tcp 218.X.X.180 192.168.10.200 netmask 255.255.255.255

i want to access 192.168.10.200, 201, 202, 203, 204 IP address to access outside 218.X.X.180, 181, 182, 183.

Router config

interface FastEthernet0/0
ip address 218.X.X.177 255.255.255.240
ip access-group 102 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.252
ip nat inside
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 218.X.X.178
ip route 192.168.10.0 255.255.255.0 10.1.1.253
!
no ip http server
ip nat pool INTERNET 218.X.X.180 218.X.X.180 netmask 255.255.255.240
ip nat inside source list 101 pool INTERNET overload
ip nat inside source static 192.168.10.114 218.X.X.184
ip nat inside source static 192.168.10.115 218.X.X.185
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.0.0 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 127.0.0.0 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip 169.254.0.0 0.0.255.255 any
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip 204.152.64.0 0.0.0.1 any
access-list 102 deny   ip 224.0.0.0 31.255.255.255 any
access-list 102 deny   icmp any any
access-list 102 deny   tcp any any eq ident
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 447
access-list 102 deny   tcp any any eq 81
access-list 102 deny   tcp any any eq 135
access-list 102 deny   tcp any any eq 444
access-list 102 deny   tcp any any eq 445
access-list 102 permit ip any any

ASA Config

interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 10.1.1.253 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
ftp mode passive
access-list BROWSING extended permit ip 192.168.10.0 255.255.255.0 any
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit icmp any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group INTERNET in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.254 1
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5

Re: ASA 5510 with Static NAT

Kureli Sankar — Tue, 15 Dec 2009 18:31:39 GMT

On the ASA do the following:

1. add nat exemption with an ACL. Deny this one host 192.168.10.200 going any where and permit the rest in the acl.

2. remove the identity static line

static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

and

3. add this static line static (inside, outside) 218.X.X.180 192.168.10.200 netmask 255.255.255.255 or as static pat

static (inside, outside) tcp 218.X.X.180 21 192.168.10.200 21 netmask 255.255.255.255

static (inside, outside) tcp 218.X.X.180 23 192.168.10.200 23 netmask 255.255.255.255

static (inside, outside) tcp 218.X.X.180 3389 192.168.10.200 3389 netmask 255.255.255.255

static (inside, outside) tcp 218.X.X.180 443 192.168.10.200 443 netmask 255.255.255.255

4. On the router remove 218.X.X.180 from the pool.

Honestly I would either move all the translation onto the ASA or leave it on the Router. You are trying to leave dynamic NAT on the router and move the static NAT onto the ASA.

-KS

Re: ASA 5510 with Static NAT

psaravanan — Tue, 15 Dec 2009 18:42:02 GMT

thanks for your reply,

I already tried to remove the 218.X.X.180 pool from the router, then the internet connection is not reach to my ASA.

then I tried the following command in the router.

ip nat inside 192.168.10.0 255.255.255.0

ip global outside interface.

This command also not working in the router (not able to connect the internet).

Re: ASA 5510 with Static NAT

Kureli Sankar — Tue, 15 Dec 2009 19:11:25 GMT

Saravanan,

Pls. let us know once you complete all the steps that I listed.

You need to overload it to the outside interface IP address if that is the only address in the pool

ip nat inside source list 101 interface FastEthernet0/0 overload

Once done, get the output of "sh xlate debug | i 192.168.1.200 and make sure the ASA is translating the address properly.

-KS

Re: ASA 5510 with Static NAT

keisikka — Wed, 16 Dec 2009 07:20:19 GMT

Hi Buddy,

Please take care your routing information.

THX

Keisikka

Re: ASA 5510 with Static NAT

psaravanan — Sat, 02 Jan 2010 18:00:29 GMT

hi frnds,

I already tried the below configuration, but it's not working.

Router config:

i removed the pool, then put fastethernet with overload

ip nat inside source list 101 interface fastethernet 0/1 overload

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

Then in ASA 5510 side

I create static NAT,

static(inside,outside) 218.X.X.181 tcp 21 192.168.10.111 tcp 21 netmask 255.255.255.255

static(inside,outside) 218.X.X.181 tcp 23 192.168.10.111 tcp 23 netmask 255.255.255.255

static(inside,outside) 218.X.X.181 tcp http 192.168.10.111 tcp http netmask 255.255.255.255

static(inside,outside) 218.X.X.181 tcp https 192.168.10.111 tcp https netmask 255.255.255.255

static(inside,outside) 218.X.X.182 192.168.10.112 netmask 255.255.255.255

even though i can't able to connect from outside.

pls help me ya.

Re: ASA 5510 with Static NAT

psaravanan — Sun, 03 Jan 2010 11:54:08 GMT

hi frnds,

tell the right solution, i want to enable the particular outside ip to permit in my router, is it ok or not

Re: ASA 5510 with Static NAT

YANGCCIE4 — Sun, 03 Jan 2010 17:48:35 GMT

Hi ,

I saw so many ACLs in the 1800 routers, it seems performing the firewall function. and also you have asa. I am thinking is the architecture appropriate ?

Regards,

Yang

Re: ASA 5510 with Static NAT

Kureli Sankar — Sun, 03 Jan 2010 23:53:55 GMT

Saravanan,

If I remember right you were going to remove the IP from the pool on the router and use the interface to PAT and do static translation on the ASA.

You need to verify the following.

1. static pat tranlation is working on the ASA. "sh xlate debug | i 192.168.10.200"

2. The router will send packets to the ASA for this particular IP address.

3. Collect captures on the ASA to see if packets are arriving.

4. check the logs on the ASA to see what they may be revealing.

5. most of all the acl applied on the outside interface of the ASA is allowing this traffic.

Pls. remember to verify the following for all flows through the firewall.

Route

Translation

Permission

-KS

Re: ASA 5510 with Static NAT

Kent Heide — Mon, 04 Jan 2010 00:33:14 GMT

How do you expect the ASA to do statics for the outside IP's when they exists infront of the 1800? No packets will reach the ASA with destination containing those addresses. The traffic will stop in your router because it is doing NAT. Why don't you just put the router and the ASA on the same segment. I don't see any reason to why you're doing it like you're doing.

Re: ASA 5510 with Static NAT

Kureli Sankar — Mon, 04 Jan 2010 13:33:48 GMT

It is very much possible to do what Saravanan is trying to accomplish provided he configures the ASA and router properly.

Pls. also make sure that this traffic (static pat) is exempted in the nat overload list that you have added on the router. You need a deny before the permit.

-KS

Re: ASA 5510 with Static NAT

francisco_1 — Mon, 04 Jan 2010 13:44:33 GMT

saravanan,

Why dont you simplify your configuration by letting the ASA taking care of destination NAT translations instead. You dont need NAT enable on your internet router when you have a firewall that can handle NAT. By having NAT on both router & ASA you are adding more complexity!

Here is a simple design that will work for you http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#t5

Re: ASA 5510 with Static NAT

Kureli Sankar — Mon, 04 Jan 2010 14:11:16 GMT

Exactly. I had suggested that the first time I responded to his query.

-KS

Re: ASA 5510 with Static NAT

Kent Heide — Mon, 04 Jan 2010 15:44:20 GMT

And doing that requires he changed his ip addressing schema and gets rid of NAT. So basically a completely new setup.

Re: ASA 5510 with Static NAT

keisikka — Tue, 05 Jan 2010 03:44:11 GMT

SOSo Dear Guys:

I think there will be 2 ways.

1.Disable NAT control on ASA, and put all NAT on router.

2.Divide public IP to 2 segments. The first on route outside, the second on route inside and ASA outside.So the NAT can reside on ASA and router.

THX

Keisikka

Re: ASA 5510 with Static NAT

francisco_1 — Tue, 05 Jan 2010 13:42:12 GMT

psaravanan,

Sounds like there is few things you need to take in to consideration based on what others have commented.

Question
=========
Is your internet router managed by your or ISP?

If you plan to have the NAT on the ASA since you are introducing the ASA in to your LAN (option i would go for) then you need to get ISP to allocate you a public IP's for connection between ASA->Router. This will require a small IP changes on your web tier between the ASA->Router and remove all NAT entries on the router and enable on ASA (simple config change). Looking at your configs you dont have a lot to change so you might be able to do it all in one go.

Or we try to get your existing design working.

I will build your existing config in the lab hopefully tonight test. will get back to you

Francisco..

Re: ASA 5510 with Static NAT

francisco_1 — Wed, 06 Jan 2010 00:54:59 GMT

OK I got Psaravanan setup working with Internet Router doing NAT and configured ASA with no nat-control enable. The ASA is only routing with NAT disable.

In the lab i setup 3 routers 1 ASA as:

ISP Router - > WAN Router - This is ISP to Client router connectivity

WAN Router - > ASA FW- This is Client Internet Router to Client Firewall

ASA FW - Core Router - This is Client Firewall to Private Core switch

I used the Core router as client to test telnet connectivity by enabling NAT on WAN Router and enable ACL and routing on ASA to forward NATed telnet traffic to Core for telnet traffic from ISP Router.

See attachment for configs inc testing result..

Hope that makes sense...

Psaravanan,

To get your config going just use the config i have attached as an example to configure your ASA and static source NAT on your router. The config is very simple. If you decided to enable the NAT on the ASA then just follow URL i mentioned above.

Good luck..

Francisco

Re: ASA 5510 with Static NAT

keisikka — Wed, 06 Jan 2010 05:24:43 GMT

Dear:

The third way is removing the router.

THX

Keisikka

Re: ASA 5510 with Static NAT

psaravanan — Wed, 06 Jan 2010 16:42:36 GMT

Thanks mr. Francisco,

My exciting setup is like this only, I already used static NAT in Router, but that router has hang after 20 minutes while using from outside. So i want to change the Static NAT in to ASA.

Then i configured Static NAT in ASA, but it's not working properly.

Re: ASA 5510 with Static NAT

francisco_1 — Wed, 06 Jan 2010 17:26:38 GMT

To enable NAT on the ASA for public connections then you gonna have to change IP's on interface between Your ISP router and ASA and make some changes to remove NAT on router and enable it on ASA.

Before going down that path try the steps below on your current setup and let us know outcome.

On the Router
#############

ip nat inside source static 192.168.10.114 218.X.X.184
ip nat inside source static 192.168.10.115 218.X.X.185

interface FastEthernet0/0
no ip access-group 102 in (No need for this as your ASA is now taking care of this)

ON ASA
########

no Nat-Control
access-list INTERNET extended permit tcp host 218.X.X.184 host 192.168.10.114 eq [your traffic port] log
access-list INTERNET extended permit tcp host 218.X.X.185 host 192.168.10.115 eq [your traffic port] log

no static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
no access-list INTERNET extended permit ip any any
no access-list INTERNET extended permit icmp any any

For example if you server is listening on http

access-list INTERNET extended permit tcp host 218.X.X.184 host 192.168.10.114 eq http log

Testing
########

Test by connecting to 218.X.X.184 on whatever port you are allowed on ASA (server inside should be listening on port)

Look at "SH ip nat translations" on your router - post the output

And debug flow on ASA and post the output