ASA 8.4 - port-based NAT to specific URLs

Ashwin Shaji
Level 1

Hi,

I have a requirement to NAT an internal server to access specific public URLs on ports 80 & 443 only.

I was able to achieve this using IP (not URL) on the 8.2 - using extended access-list and dynamic interface NAT.

To be more clear, the requirement is to allow the server to access only www.xyz.com on ports 80 & 443.

And since xyz.com is mapped to multiple public IPs, I cannot add NAT based on IPs.

Any help would be greatly appreciated.



Sent from Cisco Technical Support iPad App

4 Replies

Jouni Forss
VIP Alumni

Hi,

I am not sure if I completely understand what you were doing in the old software. Are you saying that you used NAT to control which destination IP addresses the servers actually had a translation for, and that for other destination IP addresses the connections would not even be translated and therefore the server's connections to those would fail?

If you were previously controlling server access to external networks with NAT then I would not really suggest it. You can simply use the interface ACLs for this. Cisco also suggests not relying on NAT configuration to limit/allow your hosts' connectivity.

In the newer software you do have the option to configure DNS lookups on the ASA itself and then use FQDNs as parameters of ACLs. So instead of an IP address you have an FQDN, and the ASA determines the IP addresses according to that and inserts them into the ACL.

A rough example configuration could be:

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
object network GOOGLE
 fqdn www.google.com
access-list INSIDE-IN permit tcp any object GOOGLE eq www
access-list INSIDE-IN permit tcp any object GOOGLE eq https

- Jouni

Hi Jouni,

Thank you and appreciate your quick response.

Below is what I had in my old config:

access-list NAT-PORT extended permit tcp host 10.10.10.1 host 74.X.X.X eq https
global (outside) 1 interface
nat (inside) 1 access-list NAT-PORT

So this denied all other internet access for the server and allowed only https to 74.X

But currently in 8.4 I have to allow the server to access a specific URL, say google.com, on ports 80 & 443 and block all other internet access.

I do have the DNS lookups and FQDN object configured. However, I tried applying the FQDN on the NAT command and it failed, as an FQDN cannot be applied on NAT. :) Realised that then.

Also, if you are suggesting using ACLs, how do I ensure that I don't disrupt any existing connectivity, as I have a big network behind the ASA and also no ACLs applied on the inside interface?

Sent from Cisco Technical Support iPad App

Hi,

Ok, so you are basically doing Dynamic Policy PAT for specific connections; no other connections have translations.

Naturally you can configure exactly the same NAT configuration on the new software too if you use the destination IP address rather than name. As you noticed, you are not able to use the FQDN in the NAT configurations.

Just for example's sake, if you wanted to simulate the above NAT configuration in the new format it would be this:

object network HOST-74.x.x.x
 host 74.x.x.x
object network HOST-10.10.10.1
 host 10.10.10.1
object service HTTPS
 service tcp destination eq https
nat (inside,outside) after-auto source dynamic HOST-10.10.10.1 interface destination static HOST-74.x.x.x HOST-74.x.x.x service HTTPS HTTPS

The above "objects" are named like that for example's sake. They could be something else also. The above configuration should do Dynamic Policy PAT and essentially only translate the source IP address when it is connecting to the specific destination IP address with the specific service/port.

If you are not using interface ACLs at all and wanted to start using them then I think you would first need to go through the current configurations and confirm where the hosts behind this interface are allowed to connect to and where they should not be able to connect to and build the ACL based on this and later attach it to the interface.

I imagine that if you have multiple local interfaces on the firewall then the "security-level" value on your current firewall defines towards which interfaces' networks the traffic is allowed from behind this source interface. I would also imagine that you are not doing any NAT between the local interfaces (other than Identity NAT perhaps), so that should not control the local traffic.

In addition to the above I imagine that you would have to go through the external translations to see what is allowed for the hosts since you are using these NAT configurations to control access.

To be honest it would just simply require work to go through the setup and how it works for you to be able to determine the contents of the ACL needed to achieve same results as with the current NAT or "security-level" settings.

- Jouni
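As an added example (not from the thread or from Cisco), one way to put the two pieces together on 8.4: a plain dynamic interface PAT for the server, and an inside-interface ACL that uses the FQDN object to restrict only that one server while leaving every other host's outbound access unchanged. The object names, the 10.10.10.1 and www.xyz.com values taken from the thread, and 8.8.8.8 as resolver are assumptions/placeholders.

```cisco
! DNS resolution on the ASA itself, needed for fqdn objects
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8

! The restricted server (assumed address), with ordinary dynamic PAT to the outside interface
object network SERVER-10.10.10.1
 host 10.10.10.1
 nat (inside,outside) dynamic interface

! The destination by name; the ASA resolves it and tracks all returned addresses
object network XYZ-WEB
 fqdn www.xyz.com

! Only the two allowed destination ports
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

! Order matters: permit the server to the FQDN on 80/443, deny everything else from it,
! then keep the existing open outbound behaviour for all other inside hosts
access-list INSIDE-IN extended permit tcp object SERVER-10.10.10.1 object XYZ-WEB object-group WEB-PORTS
access-list INSIDE-IN extended deny ip object SERVER-10.10.10.1 any
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
```

Before applying, check with "show dns" and "show access-list INSIDE-IN" that the fqdn object has resolved and expanded into the same addresses the server itself resolves, since the ASA and the server query DNS independently and a name with many rotating addresses can resolve differently on each.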

Thank you Jouni. You have been kind enough to detail every aspect.

Your explanation resolves the NAT using IP. I mentioned it earlier because that was what I had on the older version.

But currently the requirement is to use the URL instead of the IP, since the URL is mapped to multiple IPs and it's not possible to define exact IPs. So we have to define xyz.com and enable the NAT in a way that only when the server tries to communicate with xyz.com over port 80/443 it is translated and allowed to go out.

Can we accomplish this ?



Sent from Cisco Technical Support iPad App
