04-12-2011 02:26 PM - edited 03-11-2019 01:20 PM
I have devices on the Inside interface of an ASA that need to get to the Internet for NTP. Hence I want to set up dynamic PAT (interface overload), which in 8.3 style would be:
object network obj_NTP-DEV
host 192.168.1.250
nat (INSIDE,INTERNET) dynamic interface
But I need to limit NAT to only Internet-destined traffic on the NTP port, not all ports, for traffic from 192.168.1.250.
I'm not using this NAT set up to control outbound access - I also have incoming RA VPN tunnels to the box, and traffic from these sources needs to be able to get to 192.168.1.250; the above simple set up would break that access as all traffic involving 192.168.1.250 would get NAT'd.
Reading the doco I've sent myself round in loops trying to figure out how you are meant to do such a "Dynamic Policy NAT (overload)" (call it what you will) config in 8.3:
object network obj_DEV
host 192.168.1.250
object service obj_NTP
service udp destination eq ntp
object network obj_ANY
subnet 0.0.0.0 0.0.0.0
nat (INSIDE,INTERNET) source dynamic obj_DEV interface destination static obj_ANY obj_ANY service obj_NTP obj_NTP
Anyone got this type of set up to work / suggestions?
-Sez
04-12-2011 02:49 PM
Hi Sez,
The config mentioned at the end of the post seems correct and should work fine.
Since you mentioned you would have many devices, you could configure an object-group to include all these object networks which describe a host, and use that object-group in the final NAT statement.
nat (INSIDE,INTERNET) source dynamic obj_DEV interface destination static obj_ANY obj_ANY service obj_NTP obj_NTP
If you get traffic sourced from obj_DEV and destined to public IP:port NTP on the Inside interface, then translate it to the outside interface with the interface IP as source, and keep destination IP and port the same.
That sounds correct now, right?
However, you would have to keep the order of NAT statements in mind.
You can check "show nat" to see if there are any other NAT rules applicable to obj_DEV that come before this NAT rule.
This NAT rule is specific to only one destination port, and should thus be the first rule applicable to obj_DEV. Else the other rule might take preference and won't NAT according to your requirement.
Hope this helps.
-Shrikant
P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.
04-13-2011 03:15 AM
Hi Shrikant,
Thanks for the sanity check - and yes, it makes more sense when described like that!
I think the 8.3 CLI cmd ref guide for manual NAT is the source of most of the confusion...
I didn't realise that manual NAT would accept an object-group; I thought it was limited to simpleton entries - thanks for the tip.
Though I found that the manual NAT service entries only accept a simpleton object like below - it won't accept a -group for that.
Just for ref, for anyone else that gets confused by the doco - the following was the working config:
object-group network obj_NTP-PEERS
network-object host 192.168.1.250
network-object host 192.168.2.250
object service obj_NTP-PORT
service udp destination eq ntp
object network obj_ANY-IP
subnet 0.0.0.0 0.0.0.0
nat (INSIDE,INTERNET) source dynamic obj_NTP-PEERS interface destination static obj_ANY-IP obj_ANY-IP service obj_NTP-PORT obj_NTP-PORT
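An added example, not from the thread or from Cisco: a small Python model of how the manual NAT rules above are matched top-down, first match wins, so you can see that the NTP-only rule translates UDP/123 from the peers and leaves everything else from those hosts alone, and how a broader rule placed earlier shadows it (Shrikant's ordering point). The INTERNET interface address 203.0.113.1, the NTP server 198.51.100.7 and the VPN client 10.200.0.5 are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the ASA's INTERNET interface address used for "dynamic ... interface".
INTERNET_INTERFACE_IP = "203.0.113.1"

@dataclass
class NatRule:
    name: str
    real_sources: List[str]      # object-group members: host or subnet strings
    real_destination: str        # "destination static obj_ANY obj_ANY" -> 0.0.0.0/0
    proto: Optional[str]         # None means any service
    dst_port: Optional[int]      # "service udp destination eq ntp" -> 123
    pat_to_interface: bool       # "source dynamic <obj> interface"

def _in(addr: str, nets: List[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def rule_matches(rule: NatRule, src: str, dst: str, proto: str, dport: int) -> bool:
    """A manual NAT rule matches on real source, real destination and service."""
    if not _in(src, rule.real_sources) or not _in(dst, [rule.real_destination]):
        return False
    if rule.proto is not None and (proto != rule.proto or dport != rule.dst_port):
        return False
    return True

def translate(rules: List[NatRule], src: str, dst: str, proto: str, dport: int) -> Tuple[Optional[str], str]:
    """Rules are evaluated in order; the first match decides the translation."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.name, (INTERNET_INTERFACE_IP if rule.pat_to_interface else src)
    return None, src  # no rule hit: the packet keeps its real source

def applicable_rules(rules: List[NatRule], src: str) -> List[str]:
    """Rules that can hit this source, in order: what to check in 'show nat'."""
    return [r.name for r in rules if _in(src, r.real_sources)]

# The working rule from the thread: PAT only UDP/123 from the NTP peers to anywhere.
NTP_ONLY = NatRule("ntp-policy-pat", ["192.168.1.250", "192.168.2.250"], "0.0.0.0/0", "udp", 123, True)
# A broader rule for the same host (any service), to show what happens if it comes first.
BROAD_PAT = NatRule("any-service-pat", ["192.168.1.250"], "0.0.0.0/0", None, None, True)

if __name__ == "__main__":
    print(translate([NTP_ONLY], "192.168.1.250", "198.51.100.7", "udp", 123))  # PAT'd to interface
    print(translate([NTP_ONLY], "192.168.1.250", "10.200.0.5", "tcp", 22))      # untouched (VPN client)
    print(translate([BROAD_PAT, NTP_ONLY], "192.168.1.250", "198.51.100.7", "udp", 123))  # shadowed
    print(applicable_rules([BROAD_PAT, NTP_ONLY], "192.168.1.250"))
```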