ASA5506 - NAT and service object question

jake-savage
Level 1

Hello gurus.  I'm a voice guy so I'm a little outside my comfort zone, but I recently bought a 5506 to replace my outdated 5505 at home.  I had older code running on the 5505 - I think it was 8.0.  Anyway, things have definitely changed with the new firewall regarding NAT and these service objects.  I have a couple of questions...

Service Objects for NAT and ACL

Can I use the same service object for NAT and ACL statements?  I'm going to assume no because from what I've read, NAT requires source port while the ACL is destination.  If that's the case, what are the best practices here?  Do you set up a separate service object for each?  Something like:

object service NAT_PLEX_TCP
service tcp source eq 32400
object service ACL_PLEX_TCP
service tcp destination eq 32400

I'm looking for a clean config, and my brain tells me I should be able to group things together and apply them, but that doesn't seem to be the case.

NAT Config

So NAT changed a lot with 8.3+.  I finally got it working with 2 different configs and had some questions about the output I'm seeing in the CLI.  I have a standard NAT for inside --> outside.

object network obj_any
subnet 0.0.0.0 0.0.0.0

object network obj_any
nat (inside,outside) dynamic interface

I first used a similar config to get NAT working to my server:

object network SERVER1
host 192.168.1.10
object network SERVER1
nat (inside,outside) static interface service tcp 32400 32400

asa5506(config)# sh xlate

TCP PAT from inside:192.168.1.10 32400-32400 to outside:5.5.5.5 32400-32400
flags sr idle 0:00:47 timeout 0:00:00

That worked, but I need to have UDP configured as well.  That means I'd need another network object...seems pretty dumb to me, right?  Well, I couldn't figure out how to use a service group in a NAT statement so I gave up, but I did figure out how to use a service object.  Here's where I'm questioning the config - I saw something in the "show xlate" I wasn't sure about and wanted to verify this is OK.

object network SERVER1
host 192.168.1.10
object service NAT_PLEX_TCP
service tcp source eq 32400
object service NAT_PLEX_UDP
service udp source eq 32400

nat (inside,outside) source static SERVER1 interface service NAT_PLEX_TCP NAT_PLEX_TCP
nat (inside,outside) source static SERVER1 interface service NAT_PLEX_UDP NAT_PLEX_UDP

Show xlate - I'm curious why there's a 0.0.0.0 statement after each NAT with the 32400 port?  Is that right?

TCP PAT from inside:192.168.1.10 32400-32400 to outside:5.5.5.5 32400-32400
flags srT idle 0:16:58 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 0:16:58 timeout 0:00:00

UDP PAT from inside:192.168.1.10 32400-32400 to outside:5.5.5.5 32400-32400
flags srT idle 0:16:58 timeout 0:00:00
UDP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 0:16:58 timeout 0:00:00

Last question - can I combine service objects into a group and apply that to a NAT statement?

Thanks for the help!

Accepted Solution

Akshay Rastogi
Cisco Employee

Hi Jake,

The same service objects can be used in both ACLs and NATs. However, their implementation depends upon your use. Sometimes you need to use ports for the source IP in an ACL as well; then you can use a service object with source in that ACL as well.

Also, customers usually use a destination-based service object in Manual NAT after the Destination keyword. So it totally depends on how you use the objects and where.

The output below is related to your TCP NAT statement:

TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0

flags srIT idle 0:16:58 timeout 0:00:00

As you are not adding 'destination' in your manual NAT statement, the ASA by default considers the destination as 'any'. The destination keyword in the NAT statement is for destination NAT. Therefore it says that when the inside source is translated to the mapped IP on the outside interface, the destination part, which is 'any' (0.0.0.0), translates to itself (any to 0.0.0.0). That is why you see that 0.0.0.0 xlate entry.

However, you won't see the same thing when you create Object/Auto NAT.

Related to the service-object query: you cannot call a service object-group in a NAT statement.

Hope it answers your queries.

Regards,

Akshay Rastogi

Remember to rate helpful posts.
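To make the answer concrete, here is an added example (not from the original thread) that puts the Plex forward together both ways on ASA 8.3+ NAT syntax, with the inbound ACL the thread never shows and two verification commands. The host, ports, interface names and object names are the ones used in the thread; the outside address 5.5.5.5 is taken from the posted show xlate output, and the Internet source 203.0.113.9 used in packet-tracer is a constructed value. Only one of the two NAT options should be configured at a time.

```cisco
! Added example, not the poster's configuration. Assumes interfaces "inside"
! and "outside", server 192.168.1.10, mapped port 32400 on the outside
! interface. 5.5.5.5 (outside address) and 203.0.113.9 (test source) are
! assumed values for illustration.

! --- Option A: Auto (object) NAT ---------------------------------------
! A network object can carry only one nat statement, so TCP and UDP need
! two objects that point at the same host. Auto NAT produces no
! any-to-any identity xlate in "show xlate".
object network SERVER1_PLEX_TCP
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 32400 32400
object network SERVER1_PLEX_UDP
 host 192.168.1.10
 nat (inside,outside) static interface service udp 32400 32400

! --- Option B: Manual (twice) NAT with service objects -----------------
! Manual NAT accepts service objects only, never service object-groups,
! and for a static source translation the port is written as a *source*
! port on the real side. With no "destination" clause the ASA adds the
! any-to-any (0.0.0.0/0) entry seen in the thread; that is expected.
object network SERVER1
 host 192.168.1.10
object service NAT_PLEX_TCP
 service tcp source eq 32400
object service NAT_PLEX_UDP
 service udp source eq 32400
nat (inside,outside) source static SERVER1 interface service NAT_PLEX_TCP NAT_PLEX_TCP
nat (inside,outside) source static SERVER1 interface service NAT_PLEX_UDP NAT_PLEX_UDP

! --- Inbound ACL (same for either option) -----------------------------
! Since 8.3 the interface ACL matches the real (pre-NAT) address, so it
! references the inside host, not the outside interface. The ACL needs
! the *destination* port, which is why the NAT service objects above are
! not reused here. Service object-groups are allowed in an ACL, so both
! protocols collapse into one entry.
object-group service PLEX_PORTS
 service-object tcp destination eq 32400
 service-object udp destination eq 32400
access-list OUTSIDE_IN extended permit object-group PLEX_PORTS any object SERVER1
access-group OUTSIDE_IN in interface outside

! --- Verification -----------------------------------------------------
! Check that the rule landed in section 1 (manual) or section 2 (auto),
! then trace an inbound connection to the mapped port over each protocol.
show nat detail
packet-tracer input outside tcp 203.0.113.9 40000 5.5.5.5 32400 detailed
packet-tracer input outside udp 203.0.113.9 40000 5.5.5.5 32400
```

Two practical notes. First, "any" as the ACL source exposes 32400 to the whole Internet, which is what Plex remote access needs; if the clients are known, narrow the source to them. Second, because manual NAT rules sit in section 1 and are evaluated before auto NAT, a leftover manual rule from Option B would silently override the Option A objects, so remove one before testing the other and confirm with show nat detail.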


2 Replies

jake-savage
Level 1

Thanks - very good explanation.  I think I need to read up a bit more on my end and try to get a better grasp of the technology.
