01-18-2014 09:17 AM - edited 03-11-2019 08:32 PM
So I'm trying to do a simple test in a lab environment but can't seem to understand why the syntax for NAT statements is not working in 9.x. Here is an example:
ASA: outside ip 99.99.99.99/29
inside ip 192.168.4.1/24
NAT outside ip 99.99.99.100 to inside ip 192.168.4.44 and allow ports https only?
I have done the following:
object network host-192.168.4.44
host 192.168.4.44
nat (inside,outside) static 99.99.99.100 service tcp https https
access-list outside_in extended permit tcp any host 99.99.99.100 eq https
access-group outside_in in interface outside
Packet tracer result:
ciscoasa(config)# packet-tracer input outside tcp 213.23.23.2 https 99.99.99.1$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network host-192.168.4.44
nat (inside,outside) static 99.99.99.100 service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate 99.99.99.100/443 to 192.168.4.44/443
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static host-192.168.4.44 99.99.99.100 service tcp https https
translate_hits = 0, untranslate_hits = 1
ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:192.168.4.44 443-443 to outside:99.99.99.100 443-443
flags sr idle 0:03:46 timeout 0:00:00
Let me know if I can try any other syntax or if I put something incorrectly? Thanks
Solved! Go to Solution.
01-18-2014 09:22 AM
Hi,
The NAT configuration is OK even though you are using Static PAT (Port Forward). I would suggest using Static NAT if you can spare the public IP address for this single host. You can then use the ACL to control which ports you allow to this host/server.
Your problem is in the ACL.
The big change in ASA NAT configuration format an operation happened when the 8.3 Software came. From that software upwards the ASA performs the NAT operations first and then checks the ACLs for a destination host.
So in the new software levels this essentially means you will be allowing the traffic to the actual local/real IP address even if this traffic is to be allowed from the external network.
You can actually use the "object" you created for the NAT in the ACL
access-list outside_in extended permit tcp any object host-192.168.4.44 eq 443
I personally tend to name the "object" a bit differently so it clearly mentions the servers role
Hope this helps
- Jouni
01-18-2014 09:22 AM
Hi,
The NAT configuration is OK even though you are using Static PAT (Port Forward). I would suggest using Static NAT if you can spare the public IP address for this single host. You can then use the ACL to control which ports you allow to this host/server.
Your problem is in the ACL.
The big change in ASA NAT configuration format an operation happened when the 8.3 Software came. From that software upwards the ASA performs the NAT operations first and then checks the ACLs for a destination host.
So in the new software levels this essentially means you will be allowing the traffic to the actual local/real IP address even if this traffic is to be allowed from the external network.
You can actually use the "object" you created for the NAT in the ACL
access-list outside_in extended permit tcp any object host-192.168.4.44 eq 443
I personally tend to name the "object" a bit differently so it clearly mentions the servers role
Hope this helps
- Jouni
01-18-2014 09:40 AM
Thanks for the reply Jouni. I have removed the initial ACL and added the one you provided but am still getting the same drop result. The NAT is taking place, but it's not matching the ACL. Can you lab it up quickly and see the same issue I am seeing? The only way I got forward was when using source static nat ACL. But not sure if I should use that?
01-18-2014 09:48 AM
Hi,
I would have to see the actual configuration to determine what the problem is.
Did you use the "packet-tracer" with the following format
packet-tracer input outside tcp
Most typical reasons a "packet-tracer" would fail in a situation where you are configuring a NAT for a server are
If you can share the configuration (without actual public IP addresses) then I could take a look at it and see what the problem is.
- Jouni
01-18-2014 10:23 AM
Jouni,
I verified the config and the ACL you provided above did show a positive packet tracer result. So does it matter if I use the object for NAT in the ACL or can it be just the IP address of the actual host?
Here was the packet tracer result:
ciscoasa# packet-tracer input outside tcp 213.23.23.2 https 99.99.99.100 https
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network host-192.168.4.44
nat (inside,outside) static 99.99.99.100 service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate 99.99.99.100/443 to 192.168.4.44/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any object host-192.168.4.44 eq https
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network host-192.168.4.44
nat (inside,outside) static 99.99.99.100 service tcp https https
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
01-18-2014 10:29 AM
Hi,
Whether you use the actual IP address in the ACL with the command "host
I guess the main thing is if you configure your Static NAT and Static PAT as Auto NAT / Network Object NAT then you have the ability to use the "object" in the ACL configurations also. The added benefit is if you were to change the local IP address of your server in the "object" configuration used for NAT then naturally this change would update to your ACL with the "object" is referenced. So would no need to confirm the ACL rules in that situation.
Naturally the above situation doesnt happen that often so its has not been that import for me personally atleast so far.
- Jouni
01-18-2014 10:36 AM
Thanks I tested both with the object and just the ip and it works for both.
One more thing, the configuration that I was using was from an 8.2 code and using the same ASA migrated it to 8.3 which migrated these NAT rules. I know a lot of people have said not to rely on the internal migration syntax that ASA does when you upgrade to version 8.3+ but why would the ACLs keep the NATTED host as destination instead of the ACTUAL IP?
01-18-2014 11:13 AM
Hi,
To my understanding it should convert them
Here is a link to a Cisco document here on the CSC that seems to indicate that too
https://supportforums.cisco.com/docs/DOC-12690#ACL_Changes
Personally I have never let the ASA do the migration automatically. I have always done it manually so I know exactly what is configured on the ASA so I can't really tell you any past expiriences about the ASA behaviour when migrating from 8.2 -> 8.3.
Here is a document I wrote about the new NAT format if you want to have a look
https://supportforums.cisco.com/docs/DOC-31116
Here is a link to another great document comparing the old and new formats with examples
https://supportforums.cisco.com/docs/DOC-9129
Naturally you can always post a question here on the forums if there is some questions about the configuration format and operation.
- Jouni
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: