ASA 5506 in Routed mode with BVI - NAT statements

stephensuley
Level 1

I'm working towards a 5506 refresh of the 5505 that we have in production. As part of that effort I'm developing a configuration migration process. The problem I am having is in the NAT statements. Example below.

I'm running the latest v9.9 software on the 5506.

On the 5505 the NAT was like so:

nat (inside,outside) source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

But now on the 5506 we need to use the specific ifname that the host is physically connected to, making it much more troublesome to manage. Like so:

nat (inside_4,outside) 1 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

 

It seems as though the BVI feature added to the 5506 (as part of an approach to providing the same functionality as the 5505, thus allowing the 5506 to be a swap-out replacement for the end-of-life 5505) is not finished?

Can anyone perhaps shed some light on this behaviour for me?

Any idea when we will get an update in which we will be able to use the BVI ifname in the NAT statements?

Thank you.

14 Replies

Bogdan Nita
VIP Alumni

It's just the way the BVI feature works. Most of the functionality is there; it is just that you have to apply the same config to every interface. For NAT you can use the any keyword.

There are a lot of other people annoyed and confused by the implementation:

https://supportforums.cisco.com/t5/firewalling/asa-5505-to-5506-replacement-using-the-5506-with-bridged/td-p/3075889

Thanks, but I've tried the same statements using the any keyword. The config is accepted, however the NAT doesn't work. As soon as I switch it back to (inside_4,outside), I can connect again.

nat (any,outside) 1 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

I agree, if I could use the any keyword successfully that would really help me. Is there something I am doing wrong? Thanks again.

Not that I would choose to use this approach as a workaround, but I have even gone as far as to try inputting every combination possible to cover off all cases, but the subsequent statements have no impact, so unless the correct combination happens to be the first statement that approach doesn't suffice as a workaround either. Imagine 5 desktops, with 5 separate PAT NATs and 7 interfaces. My math might be off, but I believe 7x5x5 [175 statements] is the number of statements I would in theory need to configure to cover all permutations. Obviously absurd.

Example: inputting these statements in this sequence results in the ASA giving a warning about overlap, and when tested, no connection.

nat (inside_1,outside) 1 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_2,outside) 2 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_3,outside) 3 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_4,outside) 4 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966 <--Correct statement
nat (inside_5,outside) 5 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_6,outside) 6 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_7,outside) 7 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966

However, when I enter these statements in the following order I am able to connect.

nat (inside_4,outside) 4 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966 <--Correct statement

nat (inside_1,outside) 1 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_2,outside) 2 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_3,outside) 3 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_5,outside) 5 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_6,outside) 6 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966
nat (inside_7,outside) 7 source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966


Ok, I understand what you mean now. You are trying to reach the host connected to the BVI interfaces via the public IP on the interface.

I've noticed the same behavior for static NAT with BVI, but in my case the interfaces remained connected to the same devices, so it did not bother me that much. I just configured the interface where the device was connected.

I believe the reason the NAT is not working in the first example is because the ASA sends the packets out the inside_1 interface instead of inside_4. This is the way the ASA has been doing NAT for ages, but the concept doesn't really work with BVI members.

On the bright side, you will not need to configure all those NAT rules :)
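One way to handle the per-member-interface rewrite described in this thread during a 5505-to-5506 migration, as an added Python helper that is not from the thread or from Cisco. The host-to-port mapping and the extra sample rule lines are constructed assumptions; it rewrites rules on the BVI nameif onto the member port each host is cabled to, and flags the same host/service listed on several members (the overlap case where only the first-listed rule takes effect).

```python
import re
from collections import defaultdict

# Constructed sample input: the thread's 5505-style rule plus two assumed extra hosts.
OLD_NAT = [
    "nat (inside,outside) source static obj-192.168.1.5 interface service obj-tcp-3389 obj-tcp-9966",
    "nat (inside,outside) source static obj-192.168.1.6 interface service obj-tcp-3389 obj-tcp-9967",
    "nat (inside,outside) source static obj-192.168.1.7 interface service obj-tcp-3389 obj-tcp-9968",
]

# Assumed mapping of host object -> BVI member port it is physically cabled to
# (gathered from the switch/ARP view before migration; obj-192.168.1.7 is deliberately missing).
HOST_PORT = {"obj-192.168.1.5": "inside_4", "obj-192.168.1.6": "inside_2"}

NAT_RE = re.compile(
    r"^nat \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)(?: \d+)? source static "
    r"(?P<obj>\S+) (?P<rest>.*)$"
)

def rewrite_nat(lines, host_port, bvi_name="inside"):
    """Rewrite rules whose real interface is the BVI onto the member port of the host.
    Returns (rewritten_lines, hosts_with_no_known_port). Non-BVI rules pass through;
    each rewritten rule carries its line index as the NAT sequence number."""
    out, unknown = [], []
    for seq, line in enumerate(lines, 1):
        m = NAT_RE.match(line.strip())
        if not m or m["real"] != bvi_name:
            out.append(line)
            continue
        port = host_port.get(m["obj"])
        if port is None:
            unknown.append(m["obj"])  # must be resolved by hand before applying
            continue
        out.append(f"nat ({port},{m['mapped']}) {seq} source static {m['obj']} {m['rest']}")
    return out, unknown

def find_overlaps(lines):
    """Return {(object, service part): [interfaces]} for every host/service pair that
    appears on more than one member interface, i.e. the 'overlap' the ASA warns about."""
    seen = defaultdict(set)
    for line in lines:
        m = NAT_RE.match(line.strip())
        if m:
            seen[(m["obj"], m["rest"])].add(m["real"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    new, missing = rewrite_nat(OLD_NAT, HOST_PORT)
    print("\n".join(new))
    print("no port known for:", missing)
    print("overlaps:", find_overlaps(new))
```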

Florin Barhala
Level 6

Sorry for asking, but CAN you post the "show nameif" output?

I am not sure what the issue is here. Can't you use the BVI nameif value for that DNAT on 3389?

That's correct. I have to use the specific physical ifname with the correct host IP connected to that port in the DNAT.

We currently do not lock down specific desktops at the remote sites to a specific physical port on the ASAs. We have it designed so that all 4 desktops are connected to the 'inside', and never needed to know which specific port.

Further making it more complex is the fact that during testing, if I went as far as to put a series of NAT statements in to cover all possible combinations for the desktops and ASA ports (for example 4 desktops), it will not work unless the series of statements for each port is sequenced in order so that the first statement is the correct one.

Very frustrating.

UPDATE: I've upgraded the 5506x to the latest ASA OS interim build 9.9.2-18; as of Nov 11th, 2018, there is still no change in the BVI feature set to address these issues.

I have heard that the ASA 5506 is missing some rather important features that the ASA 5505 has: the 5506 doesn't have 8 switched ports but 8 L3 routed ports, and you will need an additional L2 switch like the 2960 to get all the same features as the ASA 5505.

PS: I was very close to buying an ASA 5506, but that fact kept me from doing that.

So I'll stick to my good old 5505 until Cisco starts producing a full ASA 5505 replacement in that price category.

Sadly it seems the 5506 will never get those features. Looks like the next gen after the 5506x, the Firepower 1000, will be the one to wait for.

I should note that since posting this thread I have been able to get the 5506x to act as a 5506 swap-out. You just have to use some different commands in the config and also a slightly altered approach to static NAT statements.

Cheers.

I was looking at FortiGate Rugged but they don't have enough ports. The Palo Alto PA-220 does, and it comes with VLANs and many crypto standards that Cisco makes you pay for.

I even got a tech on and still can't get my ports properly NATed. Oh well.

sohailmtm
Level 1

May I know what the purpose of this obj-tcp-9966 is in your configuration? I don't know; it doesn't work for me.

nat (inside_3,outside) 1 source static obj-192.168.111.10 interface service obj-tcp-3389

I am using the same version, 9.8(2).

obj-tcp-9966 indicates the service that is to be mapped during the NAT translation.
Let's say you want to map your HTTPS server which sits behind the "inside_3" interface and you will use the public IP assigned to the outside interface. You would use this line:
nat (inside_3,outside) 1 source static obj-192.168.111.10 interface service https

Now let's say you also want to forward the HTTP port and the FTP port; you end up with three services: http, https and ftp. At this point you can have 3 NAT config lines, one for each service, or you can create a service group containing the three services, call it obj-tcp-mysrv, and obviously use that service group in only one NAT statement.

First, the Cisco 5506 is being replaced by the new Cisco Firepower 1000 series, and it uses a bridge group to provide Ethernet switching. Depending on the requirements it may require a Cisco Firepower Management Center. If you are looking for a good replacement for an ASA5505, look at the Fortinet FortiGate 60E or 80E. The Cisco Firepower software is overly complicated, obscure, has an incomplete/buggy CLI, only basic documentation, and the GUI is very slow to work with. The Fortinet FortiOS GUI is intuitive, the CLI takes some time to get used to but is good, and the documentation is good and accessible.

100% - Firepower in FDM management cannot even do DHCP options. Good grief, a 5505 can do this.
