03-26-2010 06:50 AM - edited 03-11-2019 10:26 AM
Hello all,
I have a case open with the TAC already on this, but I thought I would throw this on the community forums (this is my first post) since there might be others experiencing a similar issue.
I've come to expect being able to translate the source of packets coming from the outside interface towards an inbound host. I've usually had to do that when migrating firewalls, for instance, when the internal host's default gateway was pointed somewhere other than the ASA the traffic was coming from. This would effectively hide the external/VPN/etc. address and replace it with, e.g., the ASA's inside interface IP. The following is sample code which would achieve this previously:
Remote IPSEC tunnel subnet: 192.168.90.0/23
Local server: 20.20.20.5
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0
access-list outside_nat_outbound extended permit ip 192.168.90.0 255.255.254.0 host 20.20.20.5
access-list inside_nat0_outbound extended permit ip any 192.168.90.0 255.255.254.0
global (outside) 1 interface
global (inside) 2 interface
nat (outside) 2 access-list outside_nat_outbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp-data 20.20.20.5 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 20.20.20.5 ftp netmask 255.255.255.255
This would effectively change the source of traffic from 192.168.90.0/23 to 20.20.20.5 to the inside interface IP, 20.20.20.1. This config works wonderfully in 8.2, yet upgrading that config to 8.3 yields a broken configuration that doesn't end up changing the source address, and instead leaves it intact.
So far I've had no workaround from the TAC. Either the new NAT engine results in some loss of flexibility, or I can't wrap my head around the solution.
I've already heard "why are you doing this" and "you should instead fix the routing problem". Fact is: this works in 8.2, and so far it doesn't in 8.3. I'm looking for a straight answer whether or not 8.3 simply won't support this configuration any longer.
03-26-2010 07:21 AM
Hi,
In 8.3, NAT commands have changed. Check whether all the 8.2 nat configs have been migrated in the 8.3 config.
Here are some limitations of migration to 8.3
- Dynamic identity NAT (the nat 0 command) will not be migrated.
- The dns option in static PAT and policy NAT commands will be ignored.
- Connection Settings in old NAT commands—Options such as conn-max, emb-limit, norandomseq, or nailed will be moved to service policies.
For detailed information on the changed NAT commands, check this link
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60047
03-26-2010 07:25 AM
Hi,
I'm well aware that there have been changes, and I can't find a replacement configuration that works in my scenario. Hence this post.
07-23-2010 10:54 AM
I've had to do the exact same thing... when someone installs a remote machine and makes a typo in the default gateway. Without hands-on, this is a way to gain remote access to the machine to correct the typo (then take out the nat commands, in my case).
Here's my take on getting the inbound traffic translated:
object network obj-192.168.90.0
subnet 192.168.90.0 255.255.254.0
object network obj-20.20.20.5
host 20.20.20.5
nat (any,inside) source dynamic obj-192.168.90.0 interface destination static obj-20.20.20.5 obj-20.20.20.5
07-23-2010 12:30 PM
I was looking over this page, and think that it may have the solution.
https://supportforums.cisco.com/docs/DOC-9129
object service ftpPorts
service tcp destination range ftp-data ftp
object network obj-20.20.20.5
host 20.20.20.5
nat (inside,outside) static interface service tcp ftpPorts ftpPorts
object network obj-192.168.90.0
subnet 192.168.90.0 255.255.254.0
nat (outside,inside) source dynamic obj-192.168.90.0 interface destination static obj-20.20.20.5 obj-20.20.20.5
I added this to my ASA and it took, but I am not able to test at this point, thus you may want to wait for a window if you are working with a production box.
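The thread boils down to one mechanical rewrite: an 8.2 "outside NAT" rule (`nat (outside) N access-list ACL outside` paired with `global (inside) N interface`) becomes an 8.3 twice-NAT rule on `(outside,inside)` whose mapped source is `interface`, with the ACL's destination carried over as `destination static X X`. The script below is an added example, not code from any poster in this thread or from Cisco: it parses the 8.2 lines from the first post (embedded here as constructed input), emits the 8.3 objects and twice-NAT command that the last reply arrived at, and builds the `packet-tracer` command you would run on the box to confirm the translation before trusting it in production. The `obj-<address>` naming, the ACE pattern it accepts, and the packet-tracer source port are this script's own choices.

```python
"""Rewrite ASA 8.2 'outside NAT' policy rules as 8.3 twice-NAT (added example)."""
import ipaddress
import re

# Constructed input: the NAT-relevant lines from the 8.2 config in the first post.
ASA_82_CONFIG = """\
access-list outside_nat_outbound extended permit ip 192.168.90.0 255.255.254.0 host 20.20.20.5
global (outside) 1 interface
global (inside) 2 interface
nat (outside) 2 access-list outside_nat_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Only the 'extended permit ip <src> <dst>' ACE shape used in the thread is handled.
ENDPOINT = r"any|host \S+|\S+ \S+"
ACE_RE = re.compile(rf"^access-list (?P<acl>\S+) extended permit ip (?P<src>{ENDPOINT}) (?P<dst>{ENDPOINT})$")
NAT_RE = re.compile(r"^nat \((?P<ifc>\w+)\) (?P<id>\d+) access-list (?P<acl>\S+) outside$")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\w+)\) (?P<id>\d+) interface$")


def parse_endpoint(text):
    """Map an ACE endpoint ('any', 'host X', 'NET MASK') to (kind, value)."""
    if text == "any":
        return ("any", None)
    if text.startswith("host "):
        return ("host", text.split()[1])
    net, mask = text.split()
    return ("subnet", str(ipaddress.ip_network(f"{net}/{mask}", strict=True)))


def object_name(kind, value):
    """Naming convention assumed here: obj-<address>, matching the thread's replies."""
    return "any" if kind == "any" else "obj-" + value.split("/")[0]


def object_block(kind, value):
    """Emit the 'object network' definition for a host or subnet endpoint."""
    name = object_name(kind, value)
    if kind == "host":
        return [f"object network {name}", f" host {value}"]
    net = ipaddress.ip_network(value)
    return [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]


def migrate_outside_nat(config):
    """Return 8.3 lines for every 'nat (real) N access-list ACL outside' rule in config.

    The nat id selects the 'global (mapped) N interface' statement; in 8.3 that pair is
    'nat (real,mapped) source dynamic <src-object> interface', and each ACE's destination
    becomes 'destination static <dst-object> <dst-object>' so the rule only fires for it.
    """
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    aces, globals_ = {}, {}
    for l in lines:
        if m := ACE_RE.match(l):
            aces.setdefault(m["acl"], []).append((m["src"], m["dst"]))
        elif m := GLOBAL_RE.match(l):
            globals_[m["id"]] = m["ifc"]

    out, defined = [], set()

    def define(kind, value):
        # Emit each object once, even if several ACEs reference it.
        name = object_name(kind, value)
        if kind != "any" and name not in defined:
            out.extend(object_block(kind, value))
            defined.add(name)
        return name

    for l in lines:
        m = NAT_RE.match(l)
        if not m:
            continue
        if m["id"] not in globals_:
            raise ValueError(f"no 'global (...) {m['id']} interface' for: {l}")
        real_ifc, mapped_ifc = m["ifc"], globals_[m["id"]]
        for src, dst in aces.get(m["acl"], []):
            sname = define(*parse_endpoint(src))
            dname = define(*parse_endpoint(dst))
            rule = f"nat ({real_ifc},{mapped_ifc}) source dynamic {sname} interface"
            if dname != "any":
                rule += f" destination static {dname} {dname}"
            out.append(rule)
    return out


def packet_tracer_cmd(real_ifc, src_ip, dst_ip, dst_port, src_port=1025, proto="tcp"):
    """Build the ASA command that shows which NAT rule a flow hits (run it on the ASA)."""
    return f"packet-tracer input {real_ifc} {proto} {src_ip} {src_port} {dst_ip} {dst_port} detailed"


if __name__ == "__main__":
    print("\n".join(migrate_outside_nat(ASA_82_CONFIG)))
    print(packet_tracer_cmd("outside", "192.168.90.10", "20.20.20.5", 21))
```

After pasting the generated lines, the packet-tracer output's NAT phase should show the flow matched on (outside,inside) with the source rewritten to the inside interface address; if it instead matches an object NAT rule or shows no translation, check rule order, since 8.3 evaluates twice-NAT (section 1) before object NAT (section 2).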