06-11-2019 04:30 PM - edited 02-21-2020 09:12 AM
Hi,
We have 2 pairs of ASA firewalls at work. The main firewall is used for general and internet traffic; I have configured static one-to-one NAT on it and this is used in both directions. However, on the 2nd pair of firewalls I am going to add some config for the first time since I started work. This has a couple of NAT statements which I have not used before and I am a bit confused about them:
nat (outside,inside) after-auto source static any any destination static obj_outside_ip obj_inside_ip unidirectional no-proxy-arp
nat (outside,inside) after-auto source dynamic any interface destination static remote_ip_range remote_ip_range
I have tested the connectivity from the remote site to access the server which is statically NAT'd and this works successfully, and as expected, when this server goes out it does not get NAT'd statically due to the unidirectional keyword in the NAT statement.
Would someone be able to let me know why this NAT statement would be used or what the benefit of this NAT is, and would it be okay for me to use one-to-one NAT within the object (static auto NAT)?
PS. I had tried to create a test manual (inside,outside) NAT and this gave me a warning in ASDM about the NAT already being defined in the pool?
06-12-2019 12:28 AM
I hope you will understand this. So here we go :)
nat (outside,inside) after-auto source static any any destination static obj_outside_ip obj_inside_ip unidirectional no-proxy-arp
nat (outside,inside) after-auto source static real mapped destination static mapped real unidirectional no-proxy-arp
This above NAT rule is called a policy NAT; it can only be configured in section 1 or section 3.
This above NAT rule says: if traffic is from outside with destination NAT any (meaning the incoming address on the outside interface is "any", for example a Google IP, Yahoo IP, Cisco IP etc.) mapped to "any", with destination static obj_outside_ip (mapped) obj_inside_ip (real). I see this above rule as more security protective. See the rule "destination static obj_outside_ip obj_inside_ip",
where you could have a non-existing IP address which does not exist in your INSIDE network.
!
object network obj_outside_ip
host 172.16.1.1 (this address does not exist in your inside network or in any of your networks, so you married this object to obj_inside_ip: obj_outside_ip=obj_inside_ip)
!
object network obj_inside_ip
host 192.168.1.1 (this address exists in your inside network)
Remember this rule of traffic flow in regards to NAT:
Inside,Outside = always source nat
outside,Inside = always destination nat
06-12-2019 03:37 PM
Thanks for your reply Sheraz.
I will try to explain the network below:
192.168.0.0/16 inside ----<ASA>172.16.1.1/29 (outside)-----------172.16.0.0/21(remote cloud network)
I have been trying to work out if there is any particular need for this NAT configuration. I am wondering if I change the NAT configuration to one of the following:
object network obj_inside_ip
host 192.168.1.1
nat (inside,outside) static 172.16.1.1
or
object network obj_outside_ip
host 172.16.1.1
nat (outside,inside) static 192.168.1.1
By configuring one of the above statements, NAT will be bidirectional and not unidirectional like the already configured one. If I change the NAT configuration to either of the above, would it work and what could be the security issues?
06-13-2019 03:43 AM
I have no idea what the network layout in your network is. Both rule sets are correct but you need to make the decision which one you want to implement. Better do it in a change control window so you can revert back if something does not work or if you break something.
Are you doing a dynamic NAT in section 2? As you wrote the rule, this will come into place under section 2 of the NAT rules. I suggest you move them to section 1.
!
object network obj_inside_ip
host 192.168.1.1
nat (inside,outside) static 172.16.1.1
!
This above rule means the IP address 192.168.1.1/32 going outside will be translated to 172.16.1.1, and this above rule will be bi-directional. Now if you are connected to the cloud server and have connectivity to the firewall outside link (for example ssh/http/https/telnet), you need to connect to address 172.16.1.1.
!
object network obj_outside_ip
host 172.16.1.1
nat (outside,inside) static 192.168.1.1
This above rule means the IP address 172.16.1.1/32 going outside will be translated to 192.168.1.1, and this above rule will be bi-directional. Now if you are connected to the cloud server and have connectivity to the firewall outside link (for example ssh/http/https/telnet), you need to connect to address 192.168.1.1; this also means that you have routing in place to reach this.
If you are keen to implement the rule as uni-directional then you need to implement the service objects.
06-13-2019 08:29 AM
Dynamic NAT has been defined in section 3; actually all manual NAT is in section 3 at the moment (same as I posted above):
nat (outside,inside) after-auto source static any any destination static obj_outside_ip obj_inside_ip unidirectional no-proxy-arp
nat (outside,inside) after-auto source dynamic any interface destination static remote_ip_range remote_ip_range
And yes you are correct, I tested the following rule this morning, and this falls under section 2. However, this worked as expected.
object network obj_inside_ip
host 192.168.1.1
nat (inside,outside) static 172.16.1.1
I was able to connect to the internal server from the remote server via 172.16.1.1, and when I connected from the internal server (192.168.1.1) to the remote, it was seen as IP address 172.16.1.1. Again as expected.
I was watching the real-time logs of the firewall via ASDM logging and I could not see any logs for my test connection. I had searched using all 3 IP addresses in question:
Internal server: 192.168.1.1
Translated IP of internal server: 172.16.1.1
Cloud/Remote server: 172.16.5.100
I have some questions, if you don't mind answering please:
Why do I have to move Auto NAT (static 1:1, bidirectional NAT) to Section 1?
You had mentioned in a previous reply "I see this above rule as more security protective"; would you please explain what this is and what the disadvantage of using Auto NAT is?
What could be the reason that the real-time log viewer is not capturing this information?
Many thanks for your time in advance.
06-13-2019 09:45 AM
Why do I have to move Auto NAT (static 1:1, bidirectional NAT) to Section 1?
I have not seen your configuration of all NAT rules; that is why I suggested moving your rule to section 1, as section 1 has more priority than section 2 and section 2 has more priority than section 3. As long as you are comfortable and the rules are working and you are happy, that's fine. No need for change.
You had mentioned in a previous reply "I see this above rule as more security protective"; would you please explain what this is and what the disadvantage of using Auto NAT is?
What could be the reason that the real-time log viewer is not capturing this information?
Let's walk through this NAT rule.
"nat (outside,inside) after-auto source static any any destination static obj_outside_ip obj_inside_ip unidirectional no-proxy-arp"
Section 3 NAT rule: a packet from the outside network with source IP address (real) any is going to (mapped) address any IP on the inside network, with destination static inside network (mapped) to outside network.
For example, to double check, issue the command show nat detail; it will give you more detail on this rule.
With this above rule, if you fine tune it, for example instead of "any" use the nameif, it would be more beneficial. Have a look at this link
07-03-2019 02:27 AM
Sorry I couldn't reply earlier as I was away...
However, thanks for pointing me in the right direction. I am sure I have understood correctly as below:
nat (outside,inside) after-auto source static any any destination static obj_outside_ip obj_inside_ip unidirectional no-proxy-arp
nat (outside,inside)
source static any any
destination static obj_outside_ip obj_inside_ip
When traffic on the outside matches:
a source of any
a destination of obj_outside_ip
Send it to the inside and translate...
.. the source using a static translation to any
.. the destination using a static translation to obj_inside_ip
Obviously, due to unidirectional, this NAT statement will not work when the request is initiated from inside (obj_inside_ip).
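To see how the section order and the unidirectional keyword produce the behaviour the thread reports (inbound works through the section 3 rule, outbound is untouched until the section 2 object NAT is added, and the two rules then overlap), here is a small added Python model; it is not from the thread or from Cisco, assumes the three addresses quoted above, and simulates only address matching, not the ASA's full NAT engine.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    name: str
    section: int            # 1 = manual before auto, 2 = object (auto) NAT, 3 = manual after-auto
    init_if: str            # interface a matching connection must be initiated on
    field: str              # "src" or "dst": which address of the new connection is inspected
    match: str              # address as seen on init_if
    translated: str         # address after translation
    unidirectional: bool = False   # models the twice-NAT "unidirectional" keyword

OTHER = {"inside": "outside", "outside": "inside"}

def apply_nat(rules: List[NatRule], ingress: str, src: str, dst: str) -> Tuple[Optional[str], str, str]:
    """Apply the first matching rule in section order (1, then 2, then 3) to a new connection."""
    for r in sorted(rules, key=lambda rule: rule.section):
        # forward direction: connection initiated on the rule's own interface
        if ingress == r.init_if and (src if r.field == "src" else dst) == r.match:
            return (r.name, r.translated, dst) if r.field == "src" else (r.name, src, r.translated)
        # reverse direction: only bidirectional static rules translate connections from the other side
        if not r.unidirectional and ingress == OTHER[r.init_if]:
            rev = "dst" if r.field == "src" else "src"
            if (src if rev == "src" else dst) == r.translated:
                return (r.name, r.match, dst) if rev == "src" else (r.name, src, r.match)
    return (None, src, dst)   # no static rule matched: addresses leave unchanged

def overlaps(rules: List[NatRule]) -> List[List[str]]:
    """Rules that translate the same address pair (the kind of overlap ASDM warned about)."""
    seen = {}
    for r in rules:
        seen.setdefault(frozenset((r.match, r.translated)), []).append(r.name)
    return [names for names in seen.values() if len(names) > 1]

# The thread's section 3 twice NAT rule, modelled on its destination part only; the
# "source static any any" part is an identity translation and is left out (assumption).
TWICE_NAT = NatRule("twice-nat", 3, "outside", "dst", "172.16.1.1", "192.168.1.1", unidirectional=True)
# The object (auto) NAT the poster tested: host 192.168.1.1 / nat (inside,outside) static 172.16.1.1
AUTO_NAT = NatRule("auto-nat", 2, "inside", "src", "192.168.1.1", "172.16.1.1")

ORIGINAL = [TWICE_NAT]
WITH_AUTO = [TWICE_NAT, AUTO_NAT]
REMOTE = "172.16.5.100"   # the cloud/remote server address quoted in the thread

if __name__ == "__main__":
    print(apply_nat(ORIGINAL, "outside", REMOTE, "172.16.1.1"))    # inbound: dst becomes 192.168.1.1
    print(apply_nat(ORIGINAL, "inside", "192.168.1.1", REMOTE))     # outbound: no static translation
    print(apply_nat(WITH_AUTO, "inside", "192.168.1.1", REMOTE))    # outbound now handled in section 2
    print(overlaps(WITH_AUTO))                                      # both rules cover the same pair
```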