topic Re: ASA - Port based NAT'ing of outside source addresses in Network Security

ASA - Port based NAT'ing of outside source addresses

cchughes — Mon, 11 Mar 2019 14:56:32 GMT

I am in the process of migrating web services from Checkpoint to ASA. Can I NAT the source address of incoming packets destined for a web server on port 80? The intent here is to be able to migrate a webserver at a time. NAT'ing of the source address would allow me to have the web server return the packet via the ASA by using a static route for that subnet on the Web server.

Re: ASA - Port based NAT'ing of outside source addresses

Jon Marshall — Tue, 24 Feb 2009 22:01:05 GMT

yes you can do this on the ASA.

nat (outside) 2 0.0.0.0 0.0.0.0 outside

global (dmz) 2 interface

this assumes that the web server is on the dmz and that you want to PAT all source addresses to the dmz interface address.

Jon

Re: ASA - Port based NAT'ing of outside source addresses

cchughes — Tue, 24 Feb 2009 22:50:22 GMT

Thats good but what I relly need is the ability to NAT based on the destination port.

I have two internet connections (A and B) on different address space (for now). I have the ASA pointing at connection B as a default. The checkpoint points at A.

There is a DMZ that both CP and ASA are connected to.

Web server is in DMZ. Heres the packet flow:

A DNS change is made that points webserver name to connection B.

Packet 1.1.1.1 comes to connection B. ASA translates src to 2.2.2.2 and routes to the webserver in the dmz.

The webserver knows to send the packet back to the ASA because it has been loaded with a static route that points the traffic bound for 2.2.2.2 to the ASA.

The ASA reverses the translated source (now a destination) to 1.1.1.1 and sends it on its way.

Without the translated source address I have no way to force the return traffic to the ASA and the legacy default gateway is CP.

I'm shooting for a phased migration based on service type and this was a potential solution. I could just migrate the server but because it hosts many services the chance of a misconfig of one or two makes me worry.

Eventually both connections (A and B) are going to be on the same network but I dont want to change the subnet and firewall at the same time.

To migrate the web server to the ASA my thought was to first config a static route on the edge rtr that points to the ASA. On the ASA I NAT all incoming traffic source addresses that are destined for my web server on port 80 to 172.16.0.1.

In the dmz (which is dual homed to both checkpoint and ASA) I configure a static route on the

Re: ASA - Port based NAT'ing of outside source addresses

Jon Marshall — Wed, 25 Feb 2009 00:43:51 GMT

You could try policy NAT altho i have never used it from outside to inside ie.

assuming web server address is 192.168.5.10

access-list web permit tcp any host 192.168.5.10 eq 80

nat (outside) 2 access-list web outside

global (dmz) 2 interface

Jon

Re: ASA - Port based NAT'ing of outside source addresses

cisco24x7 — Wed, 25 Feb 2009 01:13:25 GMT

What you described to me can be done with policy NAT something like:

access-list test permit ip any host 4.2.2.2

static(outside,dmz) 2.2.2.2 access-list test

I do not have a Pix with me to play.

Honestly, I gave up on Cisco regarding complex NAT on the ASA. It is so convoluted and difficult to implement. I think your customer is making a mistake in moving from Checkpoint to ASA when they have complex NAT requirements.

What you described can be done on a Checkpoint firewall in less than 10 seconds with a junior firewall admin.

Re: ASA - Port based NAT'ing of outside source addresses

cchughes — Wed, 25 Feb 2009 19:23:14 GMT

LOL. You mean the simle ASDM GUI isnt simple? (kidding) I hear you. I build tunnels and then go command line and read them. What a mess.