ASA 8.3 Dynamic Policy NAT

sez sharp
Level 1

I have devices on the Inside interface of the ASA that need to get to the Internet for NTP. Hence I want to set up dynamic PAT (interface overload), which in 8.3 style would be:

object network obj_NTP-DEV
 host 192.168.1.250
 nat (INSIDE,INTERNET) dynamic interface

But I need to limit the NAT to only Internet-destined traffic on the NTP port, not all ports, for traffic from 192.168.1.250.

I'm not using this NAT setup to control outbound access. I also have incoming RA VPN tunnels to the box, and traffic from these sources needs to be able to get to 192.168.1.250; the above simple setup would break that access, as all traffic involving 192.168.1.250 would get NATed.

Reading the doco, I've sent myself round in loops trying to figure out how you are meant to do such a "Dynamic Policy NAT (overload)" (call it what you will) config in 8.3.

I think I need something like the following, but it does not seem right / intuitive:

object network obj_DEV
 host 192.168.1.250

object service obj_NTP
 service udp destination eq ntp

object network obj_ANY
 subnet 0.0.0.0 0.0.0.0

nat (INSIDE,INTERNET) source dynamic obj_DEV interface destination static obj_ANY obj_ANY service obj_NTP obj_NTP

Anyone got this type of setup to work / suggestions?

-Sez

Accepted Solution

Shrikant Sundaresh
Cisco Employee

Hi Sez,

The config mentioned at the end of the post seems correct and should work fine.

Since you mentioned you would have many devices, you could configure an object-group to include all these object networks (each describing a host) and use that object-group in the final NAT statement.

nat (INSIDE,INTERNET) source dynamic obj_DEV interface destination static obj_ANY obj_ANY service obj_NTP obj_NTP

If you get traffic sourced from obj_DEV and destined to a public IP on port NTP on the Inside interface, then translate it to the outside interface, with the interface IP as source, and keep the destination IP and port the same.

That sounds correct now, right?

However, you would have to keep the order of NAT statements in mind.

You can check "show nat" to see if there are any other NAT rules applicable to obj_DEV that come before this NAT rule.

This NAT rule is specific to only one destination port, and should thus be the first rule applicable to obj_DEV. Otherwise the other rule might take precedence and won't NAT according to your requirement.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.
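As an added illustration of the ordering check Shrikant describes (this is not from the original thread or from Cisco): a small Python script that parses a constructed sample of "show nat" output and flags any port-specific manual NAT rule that an earlier, broader rule for the same source object on the same interface path would shadow. The sample output, its line format and the object names are assumptions modelled on the config in this thread; the format only approximates what a real ASA prints.

```python
import re

# Constructed sample of ASA "show nat" output (assumption: format approximates the real one,
# not captured from a device). Section 1 rule 1 is a broad dynamic PAT for obj_DEV placed
# before the NTP-only rule, which is exactly the ordering trap the reply warns about.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (INSIDE) to (INTERNET) source dynamic obj_DEV interface
    translate_hits = 40, untranslate_hits = 0
2 (INSIDE) to (INTERNET) source dynamic obj_DEV interface   destination static obj_ANY obj_ANY service obj_NTP obj_NTP
    translate_hits = 3, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (INSIDE) to (INTERNET) source static obj_WEB 203.0.113.10
    translate_hits = 0, untranslate_hits = 0
"""

# One policy line: index, interface pair, source mapping, optional destination and service pairs.
RULE_RE = re.compile(
    r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)"
    r"(?:\s+destination static (\S+) (\S+))?(?:\s+service (\S+) (\S+))?"
)

def parse_show_nat(text):
    """Return NAT rules in evaluation order: Section 1, then 2, then 3, by index."""
    rules, section = [], None
    for line in text.splitlines():
        hdr = re.search(r"\(Section (\d)\)", line)
        if hdr:
            section = int(hdr.group(1))
            continue
        m = RULE_RE.match(line.strip())
        if m and section is not None:  # hit-counter and blank lines do not match
            rules.append({"section": section, "index": int(m.group(1)),
                          "src_if": m.group(2), "dst_if": m.group(3),
                          "src_obj": m.group(5), "service": m.group(9)})
    return sorted(rules, key=lambda r: (r["section"], r["index"]))

def shadowed_rules(rules):
    """Pair each port-specific rule with every earlier rule that catches the same source on the same path."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["service"] is None:
            continue
        for earlier in rules[:i]:
            same_path = (earlier["src_if"] in (rule["src_if"], "any")
                         and earlier["dst_if"] in (rule["dst_if"], "any"))
            if same_path and earlier["src_obj"] == rule["src_obj"] and earlier["service"] is None:
                findings.append((f"s{earlier['section']}#{earlier['index']}", f"s{rule['section']}#{rule['index']}"))
    return findings
```

A non-empty result means the narrow rule never sees its traffic; moving it above the broad rule (or removing the broad rule) clears the finding.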


Hi Shrikant,

Thanks for the sanity check, and yes, it makes more sense when described like that!

I think the 8.3 CLI command reference guide for manual NAT is the source of most of the confusion...

I didn't realise that manual NAT would accept an object-group; I thought it was limited to a simpleton entry. Thanks for the tip.

Though I found that the manual NAT service entries only accept a simpleton like below; it won't accept a group for that.

Just for reference, for anyone else that gets confused by the doco, the following was the working config:

object-group network obj_NTP-PEERS
 network-object host 192.168.1.250
 network-object host 192.168.2.250

object service obj_NTP-PORT
 service udp destination eq ntp

object network obj_ANY-IP
 subnet 0.0.0.0 0.0.0.0

nat (INSIDE,INTERNET) source dynamic obj_NTP-PEERS interface destination static obj_ANY-IP obj_ANY-IP service obj_NTP-PORT obj_NTP-PORT

-Sez