topic Pat translation rules in Network Security

Pat translation rules

bgl-group — Mon, 11 Mar 2019 17:18:52 GMT

I have a strange problem with some NAT rules.

Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.2(5)

We have a machine which is connected in a DMZ and then external clients talk to the machine.

Due to historical reasons most of the clients talk to the machine on port 13002. However internally this is translated according to the source address to a different port number.

This is currently running on a watchguard firewall and works correctly.

We have tried programming this onto a cisco firewall and are coming up with some difficulties.

A static policy nat has been created using the source as the internal address of the machine, and the destination as the external addresses that we are dealing with. It translates to the REAL address of the machine and then pats to the new port number.

This works fine with the first one we put in - doing a packet trace reveals all the addresses and ports being translated correctly.

The problem occurs when we add the second set into this. For this set we just change the destination and the port number.

The firewall accepts the rule with a warning and everything looks fine.

However when you test the rule the port is always translated to the port specified in the first section and not the one requested.

The screenshot below (large) shows the rules and a packet trace to an address in the set2 group.

Any suggestions....

Giles Cooper

Re: Pat translation rules

KARUPPUCHAMY MALAIYANDI — Tue, 09 Mar 2010 11:58:55 GMT

Hi,

can you paste the ACL and NAT configuration related to this issue.

Regards

Karuppu

Re: Pat translation rules

bgl-group — Tue, 09 Mar 2010 13:16:56 GMT

Extract of config as requested.

object-group network orion_nat_15
network-object 194.216.175.247 255.255.255.255
object-group network orion_nat_17
network-object 194.216.175.248 255.255.255.255
object-group network LIVEEXAG_gocompare_set1
network-object 78.136.23.85 255.255.255.255

object-group network LIVEEXAG_gocompare_set2
description There are two sets of IPs for gocompare used on different rule sets.......
network-object 67.192.226.38 255.255.255.255

static (DMZ,External) tcp 194.216.175.247 13002 access-list DMZ_nat_static_1

access-list CSM_FW_ACL_External extended permit tcp object-group LIVEEXAG_gocompare_set1 object-group orion_nat_15 eq 13002
access-list CSM_FW_ACL_External extended permit tcp object-group LIVEEXAG_gocompare_set2 object-group orion_nat_15 eq 13002

access-list CSM_FW_ACL_External extended permit tcp object-group LIVEEXAG_gocompare_set1 object-group orion_nat_15 eq 13202
access-list CSM_FW_ACL_External extended permit tcp object-group LIVEEXAG_gocompare_set2 object-group orion_nat_15 eq 13202

access-list DMZ_nat_static_1 extended permit tcp host 172.20.0.15 eq 13102 object-group LIVEEXAG_gocompare_set1
access-list DMZ_nat_static_1 extended permit tcp host 172.20.0.15 eq 13202 object-group LIVEEXAG_gocompare_set2

Re: Pat translation rules

Kureli Sankar — Tue, 09 Mar 2010 13:44:11 GMT

This is working as designed. The warning message you saw is correct. This is overlapping.

Which ever one hits first and continues to see traffic is the one that will work. The other will break.

This is the same as doing the following: overlapping.

static (DMZ,External) tcp 194.216.175.247 13002 172.20.0.15 13102

static (DMZ,External) tcp 194.216.175.247 13002 172.20.0.15 13202

-KS