09-19-2014 12:59 AM - edited 03-11-2019 09:46 PM
Yesterday I had a serious problem doing NAT to a server.
I had to create a NAT between inside and outside.
The server already had an object created with a NAT between inside and dmz, so I used the same object and set the NAT to outside, thinking it was not a problem because they are different networks. Something like this:
object network obj-X
nat (inside,outside) static x.x.x.x
The CLI allowed me to do so but deleted the existing NAT between inside and dmz without any notice.
But many things stopped working.
Now I understand I need to create a separate object for each NAT, right?
But on the other hand I think the CLI is not robust enough, because it deleted the configuration of a NAT between different networks, which is quite dangerous. If the CLI deletes a NAT without your intervention, wouldn't it be better if it forced you to negate the previous NAT?
I think it is quite dangerous to allow these configuration changes without notice.
09-19-2014 01:25 AM
Hi,
The ASA does not really give any confirmation messages with regard to normal configuration commands. From my experience it tends to only give warning/error messages when some command is not supported, either because of the wrong configuration mode or some other conflicting configuration present on the ASA. Naturally there are some commands for which the ASA provides a confirmation prompt on the CLI.
I did a quick check of an ASA Configuration Guide and did not find a specific section explaining clearly that Network Object NAT (or Auto NAT) is generally only meant for configuring 1 NAT per object. It did at least mention that there can only be one real/local address/subnet/range configured under the "object".
So in your case, where you want to configure NAT towards 2 different interfaces, you will have to configure a separate "object" for each "nat" command. The "object" configuration only supports a single "host", "subnet" or "range" configuration under it and also only one "nat" command. If one is already configured and you enter another, it will replace the current one.
There is one case where you can use a single Network Object NAT (or Auto NAT) to configure NAT towards multiple interfaces. Let's say you have a DMZ server which is NATed to a public IP address towards the Internet and you also want to do this translation towards your LAN network; then you could use the "any" parameter as the destination interface of the "nat" command.
Like this
object network DMZ-SERVER
host 10.10.10.10
nat (dmz,any) static 1.2.3.4
Notice though that, as long as there are no other overriding configurations present, this NAT configuration will perform NAT for the DMZ server towards ANY other interface configured on the ASA. If users behind some other interface need to access the server with its local IP address, you will need additional NAT configurations to enable that, or simply avoid the above-mentioned configuration and configure NAT for each interface required.
Hope this helps :)
- Jouni
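The replacement behaviour described above (one address line and one "nat" line per network object, a second "nat" silently overwriting the first) is easy to check for before pasting a change. The following script is an added example written for this thread, not Cisco or ASA code: it parses "object network" blocks out of a saved running-config, warns when a proposed "nat" line under an existing object would replace that object's current "nat", flags the case where another object already translates the same real address with a "(x,any)" rule, and prints the separate-object configuration that avoids the clobber. The object names, addresses (RFC 5737 documentation ranges) and config text are constructed for the example.

```python
"""Pre-change check for Cisco ASA network object NAT (Auto NAT).
Hypothetical helper for this thread, not Cisco/ASA code. The ASA keeps only
one address line and one nat line per object; a second nat line replaces the
first with no prompt, which is what this check is meant to catch."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OBJ_RE = re.compile(r"^object network (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (.+)$")
ADDR_RE = re.compile(r"^(host|subnet|range) (.+)$")


@dataclass
class NetObject:
    name: str
    address: Optional[str] = None                 # the single host/subnet/range line
    nat: Optional[str] = None                     # the single nat line, if any
    nat_ifaces: Optional[Tuple[str, str]] = None  # (real, mapped) interface names


def parse_objects(config: str) -> Dict[str, NetObject]:
    """Collect object network blocks. A later address or nat line overwrites an
    earlier one, mirroring how the ASA CLI treats a second command per object."""
    objects: Dict[str, NetObject] = {}
    current: Optional[NetObject] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = OBJ_RE.match(line)
        if m:
            current = objects.setdefault(m.group(1), NetObject(m.group(1)))
            continue
        if not line.startswith(" "):
            current = None                        # left the object block
            continue
        if current is None:
            continue
        body = line.strip()
        m = NAT_RE.match(body)
        if m:
            current.nat, current.nat_ifaces = body, (m.group(1), m.group(2))
            continue
        m = ADDR_RE.match(body)
        if m:
            current.address = body
    return objects


def check_nat_change(config: str, obj_name: str, new_nat: str) -> List[str]:
    """Warnings for entering `new_nat` under `obj_name`; empty list means safe."""
    objects = parse_objects(config)
    new_nat = new_nat.strip()
    m = NAT_RE.match(new_nat)
    if not m:
        return [f"{obj_name}: cannot parse proposed line '{new_nat}'"]
    new_ifaces = (m.group(1), m.group(2))
    obj = objects.get(obj_name)
    if obj is None:
        return []                                 # new object: nothing to clobber
    warnings: List[str] = []
    if obj.nat and obj.nat != new_nat:
        warnings.append(f"{obj_name}: existing '{obj.nat}' will be REPLACED by "
                        f"'{new_nat}' with no prompt; put the "
                        f"({new_ifaces[0]},{new_ifaces[1]}) translation in a separate object")
    for other in objects.values():                # same real address, NATed towards 'any'
        if other is obj or other.nat_ifaces is None or other.address != obj.address:
            continue
        if other.nat_ifaces[0] == new_ifaces[0] and other.nat_ifaces[1] == "any":
            warnings.append(f"{obj_name}: '{other.name}' already translates {obj.address} "
                            f"towards any interface via '{other.nat}'; check rule order")
    return warnings


def suggest_separate_object(config: str, obj_name: str, new_nat: str) -> str:
    """Config snippet adding the new translation in its own object, so the
    existing object's nat line is left untouched."""
    obj = parse_objects(config)[obj_name]
    m = NAT_RE.match(new_nat.strip())
    if obj.address is None or not m:
        raise ValueError("object has no address line or nat line is malformed")
    return f"object network {obj_name}-{m.group(2)}\n {obj.address}\n {new_nat.strip()}\n"


# Constructed sample running-config for the example (RFC 5737 addresses).
SAMPLE_CONFIG = """\
object network obj-X
 host 192.0.2.10
 nat (inside,dmz) static 10.10.20.10
object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,any) static 203.0.113.4
object network DMZ-SERVER-LAN
 host 10.10.10.10
"""

if __name__ == "__main__":
    proposed = "nat (inside,outside) static 203.0.113.10"
    for w in check_nat_change(SAMPLE_CONFIG, "obj-X", proposed):
        print("WARNING:", w)
    print(suggest_separate_object(SAMPLE_CONFIG, "obj-X", proposed))
```

Run it against a "show running-config" capture before you paste a change: a non-empty warning list for the object you are about to edit means the new "nat" line will overwrite the old one, and the suggested snippet is the separate-object form that keeps both translations.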
09-19-2014 01:35 AM
Thank you very much for your answer
I understand this
But I think it's quite dangerous to override an existing NAT to a different network if you introduce two NATs in an object.
For me that is not admissible in a device where security is as important as in a firewall.
The ASA is making very important changes to your configuration and you don't notice.
09-19-2014 02:21 AM
Hi,
I agree that the situation is not ideal. But perhaps I am too used to handling ASAs for it to be a problem. I have always found that Cisco products are not the most user-friendly devices, even with a GUI. Then again, I don't have much experience with other vendors, so I don't really know how they handle similar situations.
I have personally used the CLI to configure PIX/ASA/FWSM from the start and I find that the learning process has always been trial & error in some situations. There is always something that is either not mentioned in the documentation or not clearly stated. This is especially true of both the old and new NAT configurations. You really need to know how it behaves to avoid making configuration changes that can affect already existing configurations.
I think Cisco could even benefit from adding a completely separate section in their ASA Configuration Guide just to state the different common scenarios where 2 different NAT configurations might cause a conflict or simply adding a new NAT configuration might break part of the traffic flow through the firewall even though the added configuration might be otherwise valid.
- Jouni