NAT Question - what was going on?

Anthony.Herman
Level 1

Ok, so I had a scenario last night with NAT. I am going to post two configs, the first one is using static NAT and the second is using auto NAT. I'll just post the relevant portion. Can someone explain to me why the static NAT was not forwarding traffic? Packet-tracer showed the rule being picked and that it was allowed. Configs are otherwise exactly the same except for the static vs. auto nat, packet-tracer has same results for both implementations.

object network obj-10.50.1.2
 host 10.50.1.2
object network obj-10.50.1.200
 host 10.50.1.200
object service FACTS-SINGLE-PORTS
 service tcp destination eq telnet
object service SBS-Ports
 service tcp destination eq 3389
object service Service-Port-UDP-20
 service udp destination eq 20
object service Service-Port-TCP-20
 service tcp destination eq ftp-data
object service Service-Port-UDP-21
 service udp destination eq 21
object service Service-Port-TCP-21
 service tcp destination eq ftp
object service Service-Port-TCP-23
 service tcp destination eq telnet
object service Service-Port-UDP-11000
 service udp destination eq 11000
object service Service-Port-TCP-11000
 service tcp destination eq 11000
object service Service-Port-tcp-25
 service tcp destination eq smtp
object service Service-Port-tcp-47
 service tcp destination eq 47
object service Service-Port-udp-47
 service udp destination eq 47
object service Service-Port-tcp-80
 service tcp destination eq www
object service Service-Port-tcp-110
 service tcp destination eq pop3
object service Service-Port-tcp-443
 service tcp destination eq https
object service Service-Port-tcp-1723
 service tcp destination eq pptp
object service Service-Port-tcp-3389
 service tcp destination eq 3389
object service Service-Port-tcp-143
 service tcp destination eq imap4
nat (inside,outside) source static obj-10.50.1.200 interface service FACTS-UDP-RANGE FACTS-UDP-RANGE
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-UDP-20 Service-Port-UDP-20
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-20 Service-Port-TCP-20
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-UDP-21 Service-Port-UDP-21
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-21 Service-Port-TCP-21
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-UDP-11000 Service-Port-UDP-11000
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-11000 Service-Port-TCP-11000
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-110 Service-Port-tcp-110
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-443 Service-Port-tcp-443
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-1723 Service-Port-tcp-1723
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-3389 Service-Port-tcp-3389
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-143 Service-Port-tcp-143
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-25 Service-Port-tcp-25
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-23 Service-Port-TCP-23
nat (inside,outside) source static obj-10.50.1.2 interface service Service-Port-tcp-80 Service-Port-tcp-80
object network obj_any
 nat (inside,outside) dynamic interface

______________________________________________________________________________________________________________________

object network obj_any
 nat (inside,outside) dynamic interface
object network 10.50.1.2_443
 nat (inside,outside) static interface service tcp https https
object network 10.50.1.2_110
 nat (inside,outside) static interface service tcp pop3 pop3
object network 10.50.1.2_1723
 nat (inside,outside) static interface service tcp pptp pptp
object network 10.50.1.2_3389
 nat (inside,outside) static interface service tcp 3389 3389
object network 10.50.1.2_143
 nat (inside,outside) static interface service tcp imap4 imap4
object network 10.50.1.2_25
 nat (inside,outside) static interface service tcp smtp smtp
object network 10.50.1.2_80
 nat (inside,outside) static interface service tcp www www
object network 10.50.1.200_udp_20
 nat (inside,outside) static interface service udp 20 20
object network 10.50.1.200_tcp_20
 nat (inside,outside) static interface service tcp ftp-data ftp-data
object network 10.50.1.200_udp_21
 nat (inside,outside) static interface service udp 21 21
object network 10.50.1.200_tcp_21
 nat (inside,outside) static interface service tcp ftp ftp
object network 10.50.1.200_udp_11000
 nat (inside,outside) static interface service udp 11000 11000
object network 10.50.1.200_tcp_11000
 nat (inside,outside) static interface service tcp 11000 11000
object network 10.50.1.200_tcp_23
 nat (inside,outside) static interface service tcp telnet telnet

3 Replies

Jouni Forss
VIP Alumni

Hi,

The first portion is Manual NAT / Twice NAT and the second portion is Auto NAT. Both of them are meant to be Static PAT (Port Forward) configurations I assume.

The problem with the first portion configuration is that the "object service" contents are wrong.

Instead of "service tcp destination" it should be "service tcp source" and then it would work.

To see the reason why the first portion of configurations is wrong we have to look at the Manual NAT / Twice NAT structure

nat (sourceinterface,destinationinterface) source static destination service

Or if we only include the parameters you used it would be (since you don't take into account any "destination" parameters)

nat (sourceinterface,destinationinterface) source static    service

So if you compare the basic structure above to your first portion configuration you will see that you have been configuring "source" parameters for the NAT configuration. So this means you would have to configure "source" parameters with regards to the services/ports also.

So for example

This

object service FACTS-SINGLE-PORTS
 service tcp destination eq telnet

Should be this

object service FACTS-SINGLE-PORTS
 service tcp source eq telnet

Hope the above made any sense

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though

- Jouni
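As an added illustration of the point in the reply above (example code written here, not something posted in the thread), a small Python check that parses Manual NAT rules of the shape used in the first config and flags any service object referenced by a "source static ... service" rule that matches on the destination port instead of the source port. The sample config is constructed in the style of the post; the object names are the thread's, the parsing is an assumption limited to the single-port forms shown here.

```python
import re

# Constructed sample in the style of the thread's first (Manual NAT / Twice NAT) config:
# the first service object matches on the DESTINATION port, which is the defect the
# reply describes; the second is written the corrected way ("source").
SAMPLE_CONFIG = """\
object service FACTS-SINGLE-PORTS
 service tcp destination eq telnet
object service Service-Port-TCP-23
 service tcp source eq telnet
nat (inside,outside) source static obj-10.50.1.200 interface service FACTS-SINGLE-PORTS FACTS-SINGLE-PORTS
nat (inside,outside) source static obj-10.50.1.200 interface service Service-Port-TCP-23 Service-Port-TCP-23
"""

SVC_OBJ = re.compile(r"^object service (\S+)\s*$")
SVC_DEF = re.compile(r"^\s+service (tcp|udp) (source|destination) eq (\S+)\s*$")
NAT_RULE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) service (\S+) (\S+)\s*$")  # no destination clause


def parse_service_objects(config):
    """Map each 'object service' name to (protocol, direction, port)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = SVC_OBJ.match(line)
        if m:
            current = m.group(1)
            continue
        m = SVC_DEF.match(line)
        if m and current:
            objects[current] = (m.group(1), m.group(2), m.group(3))
    return objects


def check_manual_nat(config):
    """One finding per service object that a 'source static ... service' rule references
    but that matches on the destination port: in that position the object describes the
    real host's own (source) port, so a 'destination' match never hits the intended traffic."""
    objects = parse_service_objects(config)
    findings = []
    for line in config.splitlines():
        m = NAT_RULE.match(line)
        if not m:
            continue
        for name in dict.fromkeys((m.group(5), m.group(6))):  # real, mapped; deduplicated
            proto, direction, port = objects.get(name, (None, None, None))
            if direction == "destination":
                findings.append(f"{name}: 'service {proto} destination eq {port}' "
                                f"should be 'service {proto} source eq {port}'")
    return findings


if __name__ == "__main__":
    print("\n".join(check_manual_nat(SAMPLE_CONFIG)))
```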

Hi,

The after section specifies the service as UDP/21 and not TCP/21

EDIT: I guess it was edited to TCP/21 now

EDIT2: Whole reply removed it seems

- Jouni

Hi,

Did you manage to get the Manual NAT configurations working? I am just wondering as you removed your last reply?

The configurations I mentioned above should do basically the same thing as the Auto NAT.

If you are switching NAT configurations around I guess you could check that there are no old translations causing problems. Certain software levels also suffer from problems regarding Manual NAT, and more specifically there have been bugs related to FTP for example.

Let us know what the situation is.

If the situation was solved with the above suggestion then please do remember to mark a reply as the correct answer.

- Jouni
