ASA Dynamic NAT with PAT, on static IP

640KB

I have what I think is a fairly straightforward configuration, though I cannot quite seem to get it working.  I need to have a few different DMZ hosts with PAT on a specific IP (that's not the ASA interface IP), where also if one of these hosts initiates an outbound connection it uses that specific IP, not the default one. All other hosts should just use the default translation.

It seems like if I use Static NAT with PAT, it translates traffic for just those matching ports (8001-8003) but any other traffic falls back to the default translation.

Example of what I'm trying to achieve:

Inbound:

Server1:  100.1.1.2:8001 -> 192.168.1.1:8001

Server2:  100.1.1.2:8002 -> 192.168.1.2:8002

Server3:  100.1.1.2:8003 -> 192.168.1.3:8003

Outbound:

Server1 initiates any outbound connection, it should come from (translate to) 100.1.1.2 not 100.1.1.1.

What's actually happening:

An outbound connection not matching those ports XLATs to 10.1.1.1 instead of 10.1.1.2:

UDP PAT from dmz:192.168.1.1/123 to outside:100.1.1.1/123 flags ri idle 0:01:00 timeout 0:00:30

If I add the following (see below for details):

nat (dmz,outside) source dynamic SERVER_GROUP SERVER_IP_OUTSIDE

It does correctly translate to the correct external IP address, however the inbound PAT rules no longer work, like it's simply overriding/disabling the static PAT rules.

UDP PAT from dmz:192.168.1.1/123 to outside:100.1.1.2/123 flags ri idle 0:01:00 timeout 0:00:30

I've read through this reference document but it doesn't look like one of these examples is exactly my situation.

Relevant config:

ASA Version 9.9(2)36

interface GigabitEthernet1/1
nameif outside
ip address 100.1.1.1 255.255.255.0

interface GigabitEthernet1/2
nameif dmz
ip address 192.168.1.254 255.255.255.0

object network SERVER_IP_OUTSIDE
host 100.1.1.2

object network SERVER1_INSIDE
host 192.168.1.1
nat (dmz,outside) static SERVER_IP_OUTSIDE service tcp 8001 8001

object network SERVER2_INSIDE
host 192.168.1.2
nat (dmz,outside) static SERVER_IP_OUTSIDE service tcp 8002 8002

object network SERVER3_INSIDE
host 192.168.1.3
nat (dmz,outside) static SERVER_IP_OUTSIDE service tcp 8003 8003

object-group service SERVER_SERVICE
service-object tcp destination range 8001 8003

access-list acl_outside extended permit object-group SERVER_SERVICE any host 192.168.1.1
access-list acl_outside extended permit object-group SERVER_SERVICE any host 192.168.1.2
access-list acl_outside extended permit object-group SERVER_SERVICE any host 192.168.1.3

object network NETWORK_OUTSIDE
subnet 0.0.0.0 0.0.0.0
nat (dmz,outside) dynamic interface

! Tried adding this:
object-group network SERVER_GROUP
network-object object SERVER1_INSIDE
network-object object SERVER2_INSIDE
network-object object SERVER3_INSIDE

nat (dmz,outside) source dynamic SERVER_GROUP SERVER_IP_OUTSIDE

This feels pretty rudimentary, but for some reason I'm just not able to make it work.  Thanks!

1 Reply

This has to do with ordering of your NAT statements.  Your PAT statements are placed into the "auto-NAT" section while the dynamic NAT for 100.1.1.2 is in "manual NAT".

I would suggest placing both dynamic NAT statements into after-auto with the NAT statement for 100.1.1.2 being above the statement for 100.1.1.1.

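An added example (not from the original thread) of the ordering the reply describes, written against the poster's object names: the three auto-NAT static PAT entries stay in section 2, and both dynamic rules move to section 3 (after-auto) with the more specific SERVER_GROUP rule listed first. The destination 203.0.113.10 and the host 192.168.1.50 in the packet-tracer checks are assumed test addresses.

```cisco
! Leave the three auto-NAT static PAT entries (section 2) exactly as they are.

! Remove the object-NAT catch-all so the default PAT no longer lives in
! section 2, where its order relative to the SERVER_GROUP rule cannot be set.
object network NETWORK_OUTSIDE
 no nat (dmz,outside) dynamic interface

! Section 3 (after-auto) is consulted only when nothing in section 1 or 2
! matched, so tcp/8001-8003 is still handled by the static PAT entries.
! Within section 3 rules match top-down: the specific rule must come first.
nat (dmz,outside) after-auto source dynamic SERVER_GROUP SERVER_IP_OUTSIDE
nat (dmz,outside) after-auto source dynamic any interface

! Existing translations keep their old mapping until they time out or are cleared.
clear xlate

! Confirm which section each rule landed in and watch the translate_hits counters.
show nat detail

! Assumed test flows: NTP from Server1 should now translate to 100.1.1.2,
! while an unrelated DMZ host still uses the interface address 100.1.1.1.
packet-tracer input dmz udp 192.168.1.1 123 203.0.113.10 123
packet-tracer input dmz udp 192.168.1.50 123 203.0.113.10 123

! An inbound connection to the static PAT should still untranslate to Server1.
packet-tracer input outside tcp 203.0.113.10 40000 100.1.1.2 8001
```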