Solved: This is the error i get when

Mario Grozdanovic · ‎08-18-2016

Hi All,

Im having an issue creating a TCP and UDP PAT statement on the ASA 9.x code.

Im trying to translate outside TCP/UDP port 20821 to a dmz ip host (bidirectional) however, i only have a single IP address assigned to the outside interface, is that possible?

internet.any------tcp/udp------>asa.outside.int.ip------tcp/udp------->dmz.vm.ip

This is what i have current setup for TCP, how would i write the NAT statement to allow TCP and UDP port 20821?

object network VM
nat (DMZ,outside) static interface service tcp 20821 20821 (this works for tcp only, when i try to add the UDP under the object it just replaces the TCP, it does not keep both)
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface

Cristian Nilsson · ‎08-22-2016

Hello,

Try this:

object service SERVER_SOURCE_-TCP-PORT
 service tcp source eq 20821

object service SERVER_SOURCE_-UDP-PORT
 service udp source eq 20821

object network SERVER_INSIDE
 host x.x.x.x y.y.y.y

nat (DMZ,outside) 1 source static SERVER_INSIDE interface service SERVER_SOURCE_-TCP-PORT SERVER_SOURCE_-TCP-PORT

nat (DMZ,outside) 2 source static SERVER_INSIDE interface service SERVER_SOURCE_-UDP-PORT SERVER_SOURCE_-UDP-PORT

//Cristian

View solution in original post

Luke Oxley · ‎08-18-2016

[@mario.g.home],

Thanks for your post. As you are running ASA 9, the good news is that you can group multiple ports in to one NAT statement. Having only one IP address on the outside is not a problem, but be aware that no other hosts dynamically PAT'ing on this connection will be able to use that port, as any incoming traffic will just be sent to the server as per your NAT statement.

Please use the following example I've drawn up and tailor it to your environment. This should get you up and running.

1. Create an object group for the needed source ports. These will be the ports that the remote peer is trying to connect using. In my example I've just done a range of ports TCP 21-53.

object service SERVER_SOURCE_PORTS
 service tcp source range 20821
  service udp source range 20821

2. Create an object group for the translated ports. This will be the ports you wish the ASA to use to connect to the device on the inside or DMZ of your network. In my example, I've just done the same ports.

object service SERVER_PORTS_XLATE
 service tcp source range 20821
  service udp source range 20821

3. Create two object groups. One for the internal IP address of the server and one for the NAT'd address you wish to use.

object network SERVER_INSIDE
  host 1.1.1.1
object network SERVER_OUTSIDE
 host 2.2.2.2

4. Lastly, tie this all together with something similar to the following NAT statement.

nat (DMZ,outside) source static SERVER_INSIDE SERVER_OUTSIDE service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE

Let me know how you get along, I look forward to hearing back.

Kind regards,

Luke

Please rate helpful posts and mark correct answers.

Mario Grozdanovic · ‎08-18-2016

This is the error i get when using the NAT statement:

(config)# nat (DMZ,outside) source static SERVER_INSIDE SERVER_OUTSIDE service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE

ERROR: Address 174.65.167.204 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Luke Oxley · ‎08-18-2016

[@mario.g.home],

Apologies, I forgot you only have one public IP address. Easy, just amend your NAT statement so that "SERVER_OUTSIDE" reads "interface". In simpler terms, run the following commands and test again.

no object network SERVER_OUTSIDE

no nat (DMZ,outside) source static SERVER_INSIDE SERVER_OUTSIDE service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE

nat (DMZ,outside) source static SERVER_INSIDE interface service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE

clear xlate

Best regards,

Luke

Please rate helpful posts and mark correct answers.

Mario Grozdanovic · ‎08-18-2016

we are getting closer, now im getting ERROR: NAT unable to reserve ports.

In addition, my service objects can only hold either TCP or UDP, when i enter tcp it replaced the udp entry, very odd... how do i specify UDP and TCP?

This is currently in there with the nat statement:

nat (DMZ,outside) source static SERVER_INSIDE interface service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE

object service SERVER_SOURCE_PORTS
service tcp source eq 20821
object service SERVER_PORTS_XLATE
service udp source eq 20821

Luke Oxley · ‎08-19-2016

[@mario.g.home],

As I said in my first post, you'll need to tailor this to your environment, my configuration was just an example for you. To get round the NAT error, try clearing the xlate first and then adding the statement, it sounds like there might already be a translation on that port thats preventing the static PAT from being added.

To include both TCP and UDP in one object group in your version of ASA, use the below syntax. This object will automatically include both TCP and UDP protocols for port 20821 when a port object is added.

object-group service NAME tcp-udp
 port-object eq 20821

HTH.

Regards,

Luke

Please rate helpful posts and mark correct answers.

Mario Grozdanovic · ‎08-19-2016

Thanks for all the help Luke, im still running into issues now with the tcp/udp combination, i can get tcp or udp working but cant get both.

When i use the below syntax, i get the following error: "ERROR: SERVER_PORTS is not a valid service object name" it does not like the SERVER_PORTS object group for some reason. Am i missing something in the NAT statement syntax?

object-group service SERVER_PORTS tcp-udp
 port-object eq 20821
object-group service SERVER_PORTS_XLATE tcp-udp
 port-object eq 20821
nat (DMZ,outside) source static VM interface service SERVER_PORTS SERVER_PORTS_XLATE
ERROR: SERVER_PORTS is not a valid service object name

Cristian Nilsson · ‎08-22-2016

Hello,

Try this:

object service SERVER_SOURCE_-TCP-PORT
 service tcp source eq 20821

object service SERVER_SOURCE_-UDP-PORT
 service udp source eq 20821

object network SERVER_INSIDE
 host x.x.x.x y.y.y.y

nat (DMZ,outside) 1 source static SERVER_INSIDE interface service SERVER_SOURCE_-TCP-PORT SERVER_SOURCE_-TCP-PORT

nat (DMZ,outside) 2 source static SERVER_INSIDE interface service SERVER_SOURCE_-UDP-PORT SERVER_SOURCE_-UDP-PORT

//Cristian

ASA 9.x NAT/PAT rule

[@mario.g.home],

Please use the following example I've drawn up and tailor it to your environment. This should get you up and running.

1. Create an object group for the needed source ports. These will be the ports that the remote peer is trying to connect using. In my example I've just done a range of ports TCP 21-53.

2. Create an object group for the translated ports. This will be the ports you wish the ASA to use to connect to the device on the inside or DMZ of your network. In my example, I've just done the same ports.

3. Create two object groups. One for the internal IP address of the server and one for the NAT'd address you wish to use.

4. Lastly, tie this all together with something similar to the following NAT statement.

Let me know how you get along, I look forward to hearing back.

Kind regards,

Luke

Please rate helpful posts and mark correct answers.

[@mario.g.home],

Apologies, I forgot you only have one public IP address. Easy, just amend your NAT statement so that "SERVER_OUTSIDE" reads "interface". In simpler terms, run the following commands and test again.

Best regards,

Luke

Please rate helpful posts and mark correct answers.

[@mario.g.home],

To include both TCP and UDP in one object group in your version of ASA, use the below syntax. This object will automatically include both TCP and UDP protocols for port 20821 when a port object is added.

HTH.

Regards,

Luke

Please rate helpful posts and mark correct answers.