Solved: 8.3 8.4 Policy PAT

gcave · ‎10-10-2011

We have acquired a site that has a SOHO firewall with a single GLOBAL ip address. Someone got very creative with the PAT rules and setup port address translations based on not only destination port, but source address. For example if a user was coming in on TCP 2222 with a source address of 1.1.1.1 they would get redirected to an internal address of a server running SSH. With another destination, on the same port they would go to a different internal address. Here is how it should work:

Source IP Destination PORT NAT (INSIDE) PAT PORT (INSIDE)

1.1.1.1 2.2.2.2 2222 192.168.1.5 22

5.5.5.5 2.2.2.2 2222 192.168.1.6 22

Can this be done with the ASA?

varrao · ‎10-10-2011

Hi,

This is possible with 8.3 and 8.4, with the introduction of new NAT syntax on ASA, you can define both the source and destination ip addresses in one nat statement. Here is an example for it.

outside----------------------------(ASA)-----------------------------inside

1.1.1.1 2222 2.2.2.2 22

Lets take an example where a user from outside (1.1.1.1), access the port 2222on the internal server(public ip-2.2.2.2 and private ip - 192.168.1.5) and we want to redirect that request to port 22. Then this would be the configuration:

object network outside_host

host 1.1.1.1

object network public_ip

host 2.2.2.2

object network private_ip

host 192.168.1.5

object service tcp_2222

service tcp destination eq 2222

object service tcp_22

service tcp destination eq 22

nat (outside,inside) source static outside_host outside_host destination static public_ip private_ip service tcp_2222 tcp_22

This is called Manual Nat where in you can define both the source and the destination in one nat statement.

Hope that helps

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎10-10-2011

Hi,

This is possible with 8.3 and 8.4, with the introduction of new NAT syntax on ASA, you can define both the source and destination ip addresses in one nat statement. Here is an example for it.

outside----------------------------(ASA)-----------------------------inside

1.1.1.1 2222 2.2.2.2 22

Lets take an example where a user from outside (1.1.1.1), access the port 2222on the internal server(public ip-2.2.2.2 and private ip - 192.168.1.5) and we want to redirect that request to port 22. Then this would be the configuration:

object network outside_host

host 1.1.1.1

object network public_ip

host 2.2.2.2

object network private_ip

host 192.168.1.5

object service tcp_2222

service tcp destination eq 2222

object service tcp_22

service tcp destination eq 22

nat (outside,inside) source static outside_host outside_host destination static public_ip private_ip service tcp_2222 tcp_22

This is called Manual Nat where in you can define both the source and the destination in one nat statement.

Hope that helps

Thanks,

Varun

Thanks,
Varun Rao

gcave · ‎10-11-2011

This is exactly what I needed thanks very much. I have a couple of questions. Do I need to create a different "nat (outside,inside) source static" for each PAT that I do, or can I stack them in the "object"? Also for the "object network public_ip", I can not put the IP address of my outside interface. I tried putting "interface" instead of the object and it thought I looking for an object called "interface". What would be the syntax if I wanted to use the outside interface IP address?

nat (outside,inside) source static outside_host outside_host destination static public_ip private_ip service tcp_2222 tcp_22

varrao · ‎10-11-2011

Hi,

1st Question:

Yes absolutely, you can put them under same object-group intsead of different nat statements, but the ports should be the same. If the port cahnges from port 22 to something else you woudl need to add another nat for it.

2nd question:

You can use outside interface as well, here's the syntax:

nat (outside,inside) source static outside_host outside_host destination static interface private_ip service tcp_2222 tcp_22

Thats all you'll need.

Hope that helps.

Thanks,

Varun

Please do rate helpful posts.

Thanks,
Varun Rao