Beginner

ASA 5506 in Routed mode with BVI - NAT statements

I'm working towards a 5506 refresh to my 5505 that we have in production. As part of that effort I'm developing a configuration migration process. The problem I am having is in the NAT statements. Example below.

I'm running the latest v9.9 software on the 5506.

On the 5505 the NAT was like so:

nat (inside,outside) source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

But now on the 5506 we need to use the specific ifname that the host is physically connected to, making it much more troublesome to manage. Like so:

nat (inside_4,outside) 1 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

It seems as though the BVI feature added to the 5506 as part of an approach to providing the same functionality as the 5505 (thus allowing the 5506 to be a swap-out replacement for the end-of-life 5505) is not finished?

Can anyone perhaps shed some light on this behaviour for me? 

Any idea when we will get an update in which we will be able to use the bvi ifname in the nat statements?

Thank you.

9 Replies
VIP Rising star

Re: ASA 5506 in Routed mode with BVI - NAT statements

It's just the way the BVI feature works. Most of the functionality is there; it is just that you have to apply the same config to every interface. For nat you can use the any keyword.

There are a lot of other people annoyed and confused by the implementation:

https://supportforums.cisco.com/t5/firewalling/asa-5505-to-5506-replacement-using-the-5506-with-bridged/td-p/3075889

Beginner

Re: ASA 5506 in Routed mode with BVI - NAT statements

Thanks, but I've tried the same statements using the any keyword. The config is accepted; however, the NAT doesn't work. As soon as I switch it back to (inside_4,outside), I can connect again.

nat (any,outside) 1 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

I agree, if I could use the any keyword successfully that would really help me. Is there something I am doing wrong? Thanks again.

Not that I would choose to use this approach as a workaround, but I have even gone as far as to try inputting every combination possible to cover off all cases, but the subsequent statements have no impact, so unless the correct combination happens to be the first statement, that approach doesn't suffice as a workaround either. Imagine 5 desktops, with 5 separate PAT NATs and 7 interfaces. My math might be off, but I believe 7x5x5 [175 statements] is the number of statements I would in theory need to configure to cover all permutations. Obviously absurd.

Example: inputting these statements in this sequence results in the ASA giving a warning about overlap, and when tested, no connection.

nat (inside_1,outside) 1 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_2,outside) 2 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_3,outside) 3 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_4,outside) 4 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966 <--Correct statement
nat (inside_5,outside) 5 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_6,outside) 6 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_7,outside) 7 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

However, when I enter these statements in the following order, I am able to connect.

nat (inside_4,outside) 4 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966 <--Correct statement

nat (inside_1,outside) 1 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_2,outside) 2 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_3,outside) 3 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_5,outside) 5 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_6,outside) 6 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_7,outside) 7 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

VIP Rising star

Re: ASA 5506 in Routed mode with BVI - NAT statements

OK, I understand what you mean now. You are trying to reach the host connected to BVI interfaces via the public IP on the interface.

I've noticed the same behavior for static NAT with BVI, but in my case the interfaces remained connected to the same devices, so it did not bother me that much. I just configured the interface where the device was connected.

I believe the reason the NAT is not working in the first example is that the ASA sends the packets out the inside_1 interface instead of inside_4. This is the way the ASA has been doing NAT for ages, but the concept doesn't really work with BVI members.

On the bright side, you will not need to configure all those nat rules :)
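Two behaviours are reported in this thread: a real interface of any is accepted by the parser but does not translate for a host behind the BVI (the Beginner's second post), and a set of otherwise identical rules spread across the member interfaces is resolved by the first one in the configuration, as this reply explains. The following Python script is an added example, not from this thread, from Cisco or from any ASA tooling: it parses twice-NAT statements out of configuration text and flags both conditions before a migrated config is pushed. The member-interface names, the host-to-port mapping and the sample statements are constructed to mirror the ones quoted above; it is a static check on configuration text, not an emulation of the ASA NAT engine.

```python
"""Static audit of ASA twice-NAT statements for the BVI pitfalls in this thread.

Added example, not from the thread or from Cisco. BVI_MEMBERS, HOST_PORT and
the sample statements are constructed to mirror the configuration quoted above.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Twice-NAT (manual NAT) statement as quoted in the thread. The line number and
# the service clause are optional on the ASA, so they are optional here too.
NAT_RE = re.compile(
    r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\)(?:\s+(?P<line>\d+))?"
    r"\s+source static\s+(?P<real>\S+)\s+(?P<mapped>\S+)"
    r"(?:\s+service\s+(?P<real_svc>\S+)(?:\s+(?P<mapped_svc>\S+))?)?"
)

# Constructed to match the thread: seven BVI member ports, and host 192.168.1.5
# physically attached to inside_4.
BVI_MEMBERS: Set[str] = {f"inside_{i}" for i in range(1, 8)}
HOST_PORT: Dict[str, str] = {"obj-192.168.1.5": "inside_4"}

RULE = ("nat ({src},outside) {n} source static obj-192.168.1.5 interface "
        "service obj-tcp-3389 obj-tcp-9966")
# Order that produced the overlap warning and no connection.
BAD_ORDER = "\n".join(RULE.format(src=f"inside_{i}", n=i) for i in range(1, 8))
# Order that worked: the statement for the real port comes first.
GOOD_ORDER = "\n".join(RULE.format(src=f"inside_{i}", n=i) for i in (4, 1, 2, 3, 5, 6, 7))
# The 'any' variant that was accepted but did not translate.
ANY_RULE = RULE.format(src="any", n=1)


@dataclass(frozen=True)
class NatRule:
    src_if: str
    dst_if: str
    real: str
    mapped: str
    real_svc: Optional[str]
    mapped_svc: Optional[str]

    def overlap_key(self):
        """Everything except the real interface: rules that agree on this
        translate the same host and port and therefore overlap."""
        return (self.dst_if, self.real, self.mapped, self.real_svc, self.mapped_svc)


def parse_nat(config: str) -> List[NatRule]:
    """Extract twice-NAT rules in configuration order; other lines are ignored."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("<--")[0].strip()  # tolerate the thread's inline annotations
        m = NAT_RE.match(line)
        if m:
            rules.append(NatRule(m["src"], m["dst"], m["real"], m["mapped"],
                                 m["real_svc"], m["mapped_svc"]))
    return rules


def audit(config: str, members: Set[str], host_port: Dict[str, str]) -> List[str]:
    """Return one finding per problem: an 'any' real interface for a BVI-attached
    host, or a group of overlapping member-interface rules where only the first
    one in the configuration takes effect."""
    findings: List[str] = []
    groups: "OrderedDict[tuple, List[NatRule]]" = OrderedDict()
    for rule in parse_nat(config):
        if rule.src_if == "any" and rule.real in host_port:
            findings.append(
                f"{rule.real}: '(any,{rule.dst_if})' is accepted but was reported not to "
                f"translate for a BVI-attached host; use ({host_port[rule.real]},{rule.dst_if})")
            continue
        groups.setdefault(rule.overlap_key(), []).append(rule)
    for rules in groups.values():
        on_members = [r for r in rules if r.src_if in members]
        if len(on_members) < 2:
            continue  # one rule on the right member port is the supported configuration
        first = on_members[0]  # the ASA uses the first matching rule
        shadowed = ", ".join(r.src_if for r in on_members[1:])
        expected = host_port.get(first.real)
        verdict = "OK" if first.src_if == expected else f"BROKEN (host is on {expected})"
        findings.append(
            f"{first.real} -> {first.mapped}: first match is ({first.src_if},{first.dst_if}), "
            f"shadowing {shadowed}; {verdict}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER), ("any", ANY_RULE)):
        print(f"== {name}")
        for finding in audit(cfg, BVI_MEMBERS, HOST_PORT):
            print("  " + finding)
```

Run against the seven-statement block in the order the poster first tried, the audit reports the inside_1 rule as the effective one and the rest as shadowed; with the inside_4 statement moved to the top it reports the same shadowing but a verdict of OK, and a single rule on the correct member port produces no finding at all. HOST_PORT has to be maintained by hand, which is exactly the operational cost the thread complains about.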

Frequent Contributor

Re: ASA 5506 in Routed mode with BVI - NAT statements

Sorry for asking, but can you post "show nameif" output?

I am not sure what the issue is here. Can't you use the BVI nameif value for that DNAT on 3389?

Beginner

Re: ASA 5506 in Routed mode with BVI - NAT statements

That's correct. I have to use the specific physical ifname with the correct host IP connected to that port in the DNAT.

We currently do not lock down specific desktops at the remote sites to a specific physical port on the ASAs. We have it designed so that all 4 desktops are connected to the 'inside'; we never needed to know which specific port.

Further making it more complex is the fact that during testing, if I went as far as to put a series of NAT statements in to cover all possible combinations for the desktops and ASA ports (for example 4 desktops), it will not work unless the series of statements for each port are sequenced in order so that the first statement is the correct one.

Very frustrating.

Beginner

Re: ASA 5506 in Routed mode with BVI - NAT statements

Don't use a Cisco 5506, use Fortinet Fortigate instead and save yourself the hassle.

Beginner

Re: ASA 5506 in Routed mode with BVI - NAT statements

UPDATE: I've upgraded the 5506x to the latest ASA OS interim build 9.9.2-18, as of Nov 11th, 2018; still no change in the BVI feature set to address these issues.

Beginner

Re: ASA 5506 in Routed mode with BVI - NAT statements

May I know what the purpose of this obj-tcp-9966 is in your configuration? I don't know, it doesn't work for me.

nat (inside_3,outside) 1 source static obj-192.168.111.10 interface service obj-tcp-3389

I am using the same version, 9.8(2).