ASA 9.2 // NAT rule

amardram123
Level 1

Hi All,

NAT is very confusing for me in 8.3 and later :-(. I guess I will need more time to study and understand it completely.

I just got a requirement to allow an internal host behind the mgmt interface to access the internet/HTTPS to Juniper sites to get some updates.

I noticed there is no inbound ACL on mgmt, so I just need to add a NAT rule on my ASA running 9.2, but I am not sure if my NAT rule will work, so I wanted to check here.

I also noticed the below rule is already there to allow internal hosts out to the internet via dynamic NAT:

nat (inside,Outside) source dynamic any interface

Now I have to allow a host behind the mgmt interface to access the internet, and here is my solution:

==========Planning to add this rule to allow 10.255.x.x to access HTTPS on the internet=================

object network Juniper_STRM
host 10.255.x.x
nat (management,Outside) source dynamic Juniper_STRM interface

=====================================================

Will my solution cause any impact to the existing interface NAT? I hope not, and that my solution will work!!

Thanks, Amar

Vikram Sonawane
Level 1

By default the Management interface is dedicated only for management traffic. But I read somewhere that we can change the default behavior in some models and pass through traffic.

Hi,

Yes, that is correct. On the Saleen devices, we cannot use the management interface for data traffic. It is only supposed to be used for the management of the module (CX, IPS, Sourcefire).

You can, however, try to get another Layer 3 device and use that as the next hop to get the management subnet devices out to the internet.

http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Below is my mgmt config, which says it is only for mgmt use:

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.255.x.29 255.255.255.xxx standby 10.255.x.30

The host (10.255.x.44) trying to access the internet is reachable via the mgmt interface:

route management 10.255.x.32 255.255.255.240 10.255.x.17 1

I guess, since the mgmt interface is configured as "mgmt only", it will not allow host traffic to go out to the internet, and we can route the host traffic via the inside interface rather than the mgmt interface. I agree with this. I will have to change the route on the mgmt interface as well in that case.

My main concern is what the NAT config will be for the below requirement:

Host (inside) wants to access the internet (outside) on the HTTPS port.

If it were prior to 8.2, I would have used a dynamic policy NAT to do this; since the new NAT only has two types, manual and object NAT, what should I choose, and what will the config be?

Let's say the host is 10.255.1.1/32 and needs to be NATed to the outside interface IP.

Thanks,

Amar


Hi,

I think if the requirement is to allow the internal host to access the internet on port 443, you only need Dynamic NAT configured on the ASA device.

You can filter ports using an inbound ACL on the ASA device's inside interface to only allow port 443.

So, I would recommend that you use Auto NAT for this.

Thanks and Regards,

Vibhor Amrodia
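As an added illustration of the Auto NAT (object NAT) approach recommended above, not configuration from anyone in this thread, this is the config for the example host 10.255.1.1/32 PATed to the Outside interface address, with an inbound ACL on inside limiting that host to HTTPS; the object name and ACL name are assumptions, the interface names are those used in the thread.

```cisco
! Object (Auto) NAT: the single host is PATed to the Outside interface address.
! Object NAT lands in Section 2 of the NAT table, after any manual (twice) NAT rules.
object network HOST_10_255_1_1
 host 10.255.1.1
 nat (inside,Outside) dynamic interface
!
! Inbound ACL on inside: this host may only reach TCP/443; everything else from it is dropped.
! Applying an ACL removes the implicit higher-to-lower security-level permit,
! so the final line keeps the other inside hosts working as before.
access-list INSIDE_IN extended permit tcp host 10.255.1.1 any eq 443
access-list INSIDE_IN extended deny ip host 10.255.1.1 any
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

Because the existing `nat (inside,Outside) source dynamic any interface` is a manual NAT rule in Section 1, it is evaluated before the object rule and already gives this host the same translation, so the object rule only becomes active if that broad rule is removed or narrowed. Check which rule is hit with `show nat detail` and `packet-tracer input inside tcp 10.255.1.1 12345 203.0.113.10 443` (203.0.113.10 is a documentation address standing in for a Juniper update server).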
