ASA CLI NAT danger

jmprats
Level 4

Yesterday I had a serious problem doing NAT for a server.
I had to create a NAT between inside and outside.
The server already had an object created with a NAT between inside and dmz, so I used the same object and set the NAT to outside, thinking it was not a problem because they are different networks. Something like this:

object network obj-X
 nat (inside,outside) static x.x.x.x


The cli allowed me to do so but deleted the existing nat between inside and dmz without any notice.

But many things stopped working 


Now I understand I need to create a separate object for each nat, right? 


But on the other hand I think that the CLI is not robust enough, because it deleted the configuration of a NAT between different networks, which is quite dangerous. If the CLI deletes a NAT without your intervention, wouldn't it be better if it forced you to negate the previous NAT?

I think it is quite dangerous to allow these configuration changes without notice.


Jouni Forss
VIP Alumni

Hi,

 

The ASA does not really give any confirmation messages with regards to normal configuration commands. From my experience it tends to only give warning/error messages when some command is not supported, either because of the wrong configuration mode or some other conflicting configuration present on the ASA. Naturally there are some commands for which the ASA provides a confirmation prompt on the CLI.

 

I did a quick check on an ASA Configuration Guide and did not find a specific section explaining clearly that the Network Object NAT (or Auto NAT) is generally only meant for configuring 1 NAT per object. It did at least mention that there can only be one real/local address/subnet/range configured under the "object".

 

So in your case, where you want to configure NAT towards 2 different interfaces, you will have to configure a separate "object" for each "nat" command. The "object" configuration only supports a single "host", "subnet" or "range" configuration under it and also only one "nat" command. If one is already configured and you enter another, it will replace the current one.

 

There is one case where you can use a single Network Object NAT (or Auto NAT) to configure NAT towards multiple interfaces. Let's say you have a DMZ server which is NATed to a public IP address towards the Internet and you also want to do this translation towards your LAN network; then you could use the "any" parameter as the destination interface of the "nat" command.

 

Like this

 

object network DMZ-SERVER
 host 10.10.10.10
 nat (dmz,any) static 1.2.3.4

 

Notice though that as long as there are no other overriding configurations present, this NAT configuration will perform NAT for the DMZ server towards ANY other interface configured on the ASA. If users behind some other interface need to access the server with the local IP address, you will need additional NAT configurations to enable that, or simply avoid using the above mentioned configuration and configure NAT for each interface required.

 

Hope this helps :)

 

- Jouni
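A preflight check for the replace-on-add behaviour described above, as an added example that is not part of this thread or of any Cisco tool. It parses the "object network" blocks of a running configuration (the config text below is constructed) and warns when a proposed "nat" line would silently replace the nat already present on that object, which is exactly what happened with obj-X in the original post.

```python
import re
from typing import Dict, Optional

# Constructed running-config excerpt for this demonstration (not from a real device).
RUNNING_CONFIG = """\
object network obj-X
 host 10.10.10.10
 nat (inside,dmz) static 192.168.50.10
object network DMZ-SERVER
 host 10.10.10.20
 nat (dmz,any) static 1.2.3.4
object network obj-Y
 subnet 10.20.0.0 255.255.0.0
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
NAT_RE = re.compile(r"^\s*nat\s+\(([^,]+),([^)]+)\)\s+(.+?)\s*$")


def parse_object_nats(config: str) -> Dict[str, Optional[str]]:
    """Map each 'object network' name to its nat line, or None if it has none."""
    nats: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            nats.setdefault(current, None)
        elif current and NAT_RE.match(line):
            nats[current] = line.strip()  # a later nat line wins, as it does on the ASA
        elif line and not line.startswith(" "):
            current = None  # some other top-level command: we left the object block
    return nats


def check_nat_change(config: str, obj: str, new_nat: str) -> Optional[str]:
    """Warn if adding new_nat to obj would overwrite a nat already on that object."""
    if not NAT_RE.match(new_nat):
        raise ValueError(f"not a nat command: {new_nat!r}")
    existing = parse_object_nats(config).get(obj)
    if existing is None:
        return None  # new object, or object without a nat: nothing is overwritten
    return (f"object {obj}: '{new_nat.strip()}' would silently replace '{existing}'; "
            "put the second translation in a separate object network")


if __name__ == "__main__":
    # The thread's scenario: obj-X already has nat (inside,dmz); adding (inside,outside).
    print(check_nat_change(RUNNING_CONFIG, "obj-X", "nat (inside,outside) static 203.0.113.10"))
```

Run it against `show running-config object network` output before pasting a new nat line; a non-empty result means the change needs a new object, not the existing one.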
 

 

Thank you very much for your answer.

I understand this.

But I think it's quite dangerous to override an existing NAT to a different network if you introduce two NATs in an object.

For me that is not admissible in a device where security is as important as it is in a firewall.

The ASA is making very important changes to your configuration and you don't notice.

Hi,

 

I agree that the situation is not ideal. But perhaps I am too used to handling ASAs for it to be a problem. I have always found that Cisco products are not the most user friendly devices, even with a GUI. Then again I don't have much experience with other vendors, so I don't really know how they handle similar situations.

 

I have personally used the CLI to configure PIX/ASA/FWSM from the start and I find that the learning process has always been trial and error in some situations. There is always something that is either not mentioned in the documentation or not clearly stated. This is especially true with both the old and new NAT configurations. You really need to know how it behaves to avoid making configuration changes that can affect already existing configurations.

 

I think Cisco could even benefit from adding a completely separate section in their ASA Configuration Guide just to state the different common scenarios where 2 different NAT configurations might cause a conflict or simply adding a new NAT configuration might break part of the traffic flow through the firewall even though the added configuration might be otherwise valid.

 

- Jouni

 
