Twice nat on ASA 8.4

Florin Barhala
Level 6

Hi guys,

I read docs both from this site and also from Cisco official documentation.

I would like to do port forwarding to an AP behind the ASA. Additionally, this AP does not have a default gateway, so I also have to change the source address of the incoming packets.

Scenario:

External_IP --> outside_ASA_IP (((ASA 5505))) inside_ASA_IP --> server_IP (no_default_gateway)

Configuration:

object network AP_real
 host 10.10.0.10
object network AP_Mapped
 host 10.10.0.1
object network AP_External
 host 80.82.A.B
object service web_80
 service tcp destination eq www
object service web_8080
 service tcp destination eq 8080

   

show ip

Interface                Name                   IP address      Subnet mask     Method
Vlan2                    outside                80.82.A.B       255.255.255.252 CONFIG
Vlan5                    home                   10.10.0.1       255.255.255.0   CONFIG

When entering the command:

nat (outside,home) source dynamic any AP_Mapped destination static AP_External AP_real service web_80 web_8080

I receive this:

ERROR: Address 80.82.A.B overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

Any thoughts? Note that object AP_External uses the same IP as the outside interface. I don't have any other IP free, as the ISP gives us a /30 at that location.

Thanks in advance!


8 Replies

Jouni Forss
VIP Alumni

Hi,

Seems for the most part fine to me.

You should only need to change one parameter, and it's the one the ASA is giving the ERROR message about. I am not sure why it doesn't let you use the public IP address inside an "object".

Try the command in this way

nat (outside,home) source dynamic any AP_Mapped destination static interface AP_real service web_80 web_8080

We only replace the "object" with the keyword/parameter "interface"

The following format might also do if the interface "home" is in the same network as the AP

nat (outside,home) source dynamic any interface destination static interface AP_real service web_80 web_8080

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hi Jouni,

Thanks for the input. I tried before with "interface"; the ASA accepted the command, but no luck on the translation rule:

show nat

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static _vpnc_nem_internal_net _vpnc_nem_internal_net   no-proxy-arp route-lookup
    translate_hits = 570379, untranslate_hits = 16252
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_nat_exempt
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (home) source dynamic any interface   destination static interface AP_real service web_80 web_8080
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (home) to (outside) source dynamic obj_home interface
    translate_hits = 187810, untranslate_hits = 53728

Here is the config:

show run nat

nat (outside,home) source dynamic any interface destination static interface AP_10 service web_80 web_8080
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_home
 nat (home,outside) dynamic interface

I started a capture, but it matches no packet:

show capture

capture cap1 type raw-data access-list test interface home [Capturing - 0 bytes]

access-list test line 1 extended permit ip any host 10.10.0.10 (hitcnt=3) 0xd1861e38
access-list test line 2 extended permit ip host 10.10.0.10 any (hitcnt=0) 0x9571683f

I also applied an ACL on the outside interface allowing any traffic from my External_IP

show run access-group

access-group outside_access_in in interface outside

5505-01# show access-l outside_access_in

access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip host external_IP any (hitcnt=1) 0xdd2a3668

Any thoughts?

Hi,

Is this some NEM Client? I just see weird NAT configurations at the highest priority.

You might want to remove the new NAT configuration you did and insert it with a new format like this

no nat (outside,home) source dynamic any interface destination static interface AP_10 service web_80 web_8080

nat (outside,home) 1 source dynamic any interface destination static interface AP_10 service web_80 web_8080

That is, if the ASA even accepts it, since the other Section 1 NAT rules seem to be generated by the ASA itself and are not shown in the actual CLI configuration.

Also, the capture doesn't show any data captured, but the capture ACL shows hits. I wonder if it has anything to do with the "packet-tracer" command. Have you used it?

- Jouni

Yes, this ASA is used as EasyVPN Client:

vpnclient server EASY_VPN_SERVER_IP
vpnclient mode network-extension-mode
vpnclient vpngroup VPN_GROUP password *****
vpnclient username 5505-01 password *****
vpnclient management clear
vpnclient enable

Will using nat () 1 move it to the first position in the show nat output? Will it affect the VPN service in any way?

About the ACL hit: this is old, as I first tried with only a static NAT configuration, and all worked well except for the lack of a default gateway on the AP; then I moved on to twice NAT, and here we are.

Hi,

I have not tried such configurations on a NEM Client before. Also, the NEM Clients I have used have been running older software version.

I am not sure if the ASA will even accept the command considering the other NAT configurations are generated by the ASA. We usually host all external services on the actual ASA acting as the VPN server.

- Jouni

OK, so finally it works. The trouble was caused by the ports; let's have a look:

5505-01(config)# $stination static interface AP_10 service ?

configure mode commands/options:
  WORD  Specify object name for real service
  any   All service objects

From this contextual help I thought the real service was linked to the private IP, the IP address on the home interface...

So I rewrote the command:

nat (outside,home) 1 source dynamic any interface destination static interface AP_10 service web_8080 web_80

and it works perfectly. What is to be learned from here: the service syntax is directly related to the interface order in the brackets.

Back in the old days, this port-forward command used a mirror effect in the syntax, right?

Hi,

The only thing I checked regarding the "object service" was that you were using "destination" rather than "source". This is because we're doing the "nat" configuration from the perspective that the LAN network is the "destination" (outside -> home). Therefore the Static PAT configuration is in the "nat" command's "destination" section, and the "object service" also refers to the "destination".

I guess I could have guessed that you would rather want to map a mapped port of TCP/80 to real port TCP/8080 rather than the other way around. Saves you from typing the port in addition to the IP address when connecting from outside the network.

In general the new "nat" format is

nat (sourceint,destint) source destination static service

The old format regarding Static PAT was

static (sourceint,destint) netmask 255.255.255.255

- Jouni

Thank you Jouni, nice walkthrough on this problem!
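The following is an added example, not code from the thread or from Cisco. It is a small Python model of how the ASA evaluates the Section 1 (twice NAT) rules shown above, encoding the semantics the thread arrived at: destination objects are written mapped-first, real-second, while the service objects are written real-first, mapped-second (the "real service" is the port on the real address, i.e. on the AP). It parses the actual nat commands from the thread, pushes an outside client's connection to the public address on TCP/80 through the rule in both service orders, and shows why inserting the new rule at line 1 cannot touch the NEM rules: they belong to other interface pairs, so an (outside) to (home) packet never matches them regardless of position. All addresses and object contents (80.82.A.B stood in by 80.82.1.2, the contents of the _vpnc_nem_* objects, the client and LAN hosts) are constructed assumptions for the example.

```python
"""Added model of ASA 8.4 section-1 (twice NAT) matching for this thread.
Assumed values: 80.82.A.B -> 80.82.1.2; the _vpnc_nem_* objects' contents."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed environment mirroring the thread's objects (assumed values).
INTERFACES = {"outside": "80.82.1.2", "home": "10.10.0.1"}
NETWORK_OBJECTS = {
    "any": "0.0.0.0/0",
    "AP_10": "10.10.0.10/32",                    # the AP's real address
    "_vpnc_nem_internal_net": "192.168.1.0/24",  # assumed NEM auto-generated object
    "_vpnc_nem_nat_exempt": "192.168.1.0/24",    # assumed
}
SERVICE_OBJECTS = {"web_80": 80, "web_8080": 8080}  # "service tcp destination eq <port>"


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on
    src: str
    dst: str
    dport: int


@dataclass
class TwiceNatRule:
    real_ifc: str
    mapped_ifc: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str
    svc_real: Optional[str]
    svc_mapped: Optional[str]
    translate_hits: int = 0


def parse_nat(cmd: str) -> TwiceNatRule:
    """Parse 'nat (real,mapped) [line] source {static|dynamic} R M
    [destination static M R] [service REAL MAPPED] ...'; trailing options
    such as no-proxy-arp and route-lookup are ignored."""
    t = cmd.split()
    assert t[0] == "nat", cmd
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    i = 3 if t[2].isdigit() else 2                   # optional line number
    assert t[i] == "source" and t[i + 1] in ("static", "dynamic"), cmd
    src_real, src_mapped = t[i + 2], t[i + 3]        # real first, mapped second
    i += 4
    dst_mapped = dst_real = "any"
    svc_real = svc_mapped = None
    if i < len(t) and t[i] == "destination":
        assert t[i + 1] == "static", cmd
        dst_mapped, dst_real = t[i + 2], t[i + 3]    # mapped first, real second
        i += 4
    if i < len(t) and t[i] == "service":
        svc_real, svc_mapped = t[i + 1], t[i + 2]    # real first, mapped second
    return TwiceNatRule(real_ifc, mapped_ifc, src_real, src_mapped,
                        dst_mapped, dst_real, svc_real, svc_mapped)


def resolve(name: str, ifc: str) -> str:
    """'interface' means the given interface's own address; otherwise an object."""
    return INTERFACES[ifc] + "/32" if name == "interface" else NETWORK_OBJECTS[name]


def matches(rule: TwiceNatRule, pkt: Packet) -> bool:
    """Real-to-mapped direction: the packet enters on real_ifc carrying the real
    source and the mapped destination address and port."""
    if pkt.ingress != rule.real_ifc:
        return False  # wrong interface pair; the rule's position is irrelevant
    if ip_address(pkt.src) not in ip_network(resolve(rule.src_real, rule.real_ifc)):
        return False
    # 'destination static interface ...' is the real_ifc address (outside here).
    if ip_address(pkt.dst) not in ip_network(resolve(rule.dst_mapped, rule.real_ifc)):
        return False
    return rule.svc_mapped is None or pkt.dport == SERVICE_OBJECTS[rule.svc_mapped]


def translate(rules: List[TwiceNatRule], pkt: Packet) -> Optional[Packet]:
    """First matching section-1 rule wins; returns the translated packet or None."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        rule.translate_hits += 1
        if rule.src_mapped == "interface":       # PAT to the mapped_ifc address (home)
            src = INTERFACES[rule.mapped_ifc]
        elif rule.src_mapped == rule.src_real:   # identity rule, source unchanged
            src = pkt.src
        else:                                    # simplified: first address of the object
            src = str(ip_network(NETWORK_OBJECTS[rule.src_mapped])[0])
        dst = pkt.dst if rule.dst_real == "any" else str(ip_network(NETWORK_OBJECTS[rule.dst_real])[0])
        dport = pkt.dport if rule.svc_real is None else SERVICE_OBJECTS[rule.svc_real]
        return Packet(rule.mapped_ifc, src, dst, dport)
    return None


def build_rules(service_order: str) -> List[TwiceNatRule]:
    """The thread's section-1 table with the new rule inserted at line 1."""
    return [parse_nat(c) for c in (
        "nat (outside,home) 1 source dynamic any interface destination static "
        f"interface AP_10 service {service_order}",
        "nat (inside,outside) source static _vpnc_nem_internal_net "
        "_vpnc_nem_internal_net no-proxy-arp route-lookup",
        "nat (_internal_loopback,outside) source dynamic any _vpnc_nem_nat_exempt",
    )]


def port_forward(service_order: str) -> Optional[Packet]:
    """An outside client (assumed 203.0.113.7) connecting to the public address on TCP/80."""
    return translate(build_rules(service_order), Packet("outside", "203.0.113.7", "80.82.1.2", 80))


def nem_unaffected() -> bool:
    """LAN traffic (assumed host) still hits the NEM identity rule with the new rule at line 1."""
    rules = build_rules("web_8080 web_80")
    out = translate(rules, Packet("inside", "192.168.1.20", "198.51.100.5", 443))
    return out is not None and out.src == "192.168.1.20" and rules[1].translate_hits == 1


if __name__ == "__main__":
    print("working order :", port_forward("web_8080 web_80"))  # src 10.10.0.1, dst 10.10.0.10:8080
    print("original order:", port_forward("web_80 web_8080"))  # None: nothing matches dport 80
    print("NEM rule still matched:", nem_unaffected())
```

With the original order (web_80 web_8080) the rule only matches connections to the public address on TCP/8080, which is why translate_hits stayed at 0 in the show nat output above. Two operational points follow from the working rule: because the source is PAT'd to the home interface address, the AP itself sees every connection as coming from 10.10.0.1, so the ASA's connection logging is the only place client attribution survives; and the rule exposes the AP's web interface to whatever the outside ACL lets in, so keeping outside_access_in restricted to the known management host, as in the thread, is what bounds that exposure.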
