01-11-2016 05:26 AM - edited 03-12-2019 12:07 AM
Hello gurus. I'm a voice guy so I'm a little outside my comfort zone, but I recently bought a 5506 to replace my outdated 5505 at home. I had older code running on the 5505 - I think it was 8.0. Anyway, things have definitely changed with the new firewall regarding NAT and these service objects. I have a couple of questions...
Service Objects for NAT and ACL
Can I use the same service object for NAT and ACL statements? I'm going to assume no because, from what I've read, NAT requires the source port while the ACL uses the destination port. If that's the case, what are the best practices here? Do you set up a separate service object for each? Something like:
object service NAT_PLEX_TCP
 service tcp source eq 32400
object service ACL_PLEX_TCP
 service tcp destination eq 32400
I'm looking for a clean config, and my brain tells me I should be able to group things together and apply them, but that doesn't seem to be the case.
NAT Config
So NAT changed a lot with 8.3+. I finally got it working with two different configs and had some questions about the output I'm seeing in the CLI. I have a standard NAT for inside --> outside.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
I first used a similar config to get NAT working to my server:
object network SERVER1
 host 192.168.1.10
object network SERVER1
 nat (inside,outside) static interface service tcp 32400 32400
asa5506(config)# sh xlate
TCP PAT from inside:192.168.1.10 32400-32400 to outside:5.5.5.5 32400-32400
flags sr idle 0:00:47 timeout 0:00:00
That worked, but I need to have UDP configured as well. That means I'd need another network object... seems pretty dumb to me, right? Well, I couldn't figure out how to use a service group in a NAT statement, so I gave up, but I did figure out how to use a service object. Here's where I'm questioning the config - I saw something in the "show xlate" I wasn't sure about and wanted to verify this is OK.
object network SERVER1
 host 192.168.1.10
object service NAT_PLEX_TCP
 service tcp source eq 32400
object service NAT_PLEX_UDP
 service udp source eq 32400
nat (inside,outside) source static SERVER1 interface service NAT_PLEX_TCP NAT_PLEX_TCP
nat (inside,outside) source static SERVER1 interface service NAT_PLEX_UDP NAT_PLEX_UDP
Show xlate - I'm curious why there's a 0.0.0.0 entry after each NAT with the 32400 port? Is that right?
TCP PAT from inside:192.168.1.10 32400-32400 to outside:5.5.5.5 32400-32400
flags srT idle 0:16:58 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 0:16:58 timeout 0:00:00
UDP PAT from inside:192.168.1.10 32400-32400 to outside:5.5.5.5 32400-32400
flags srT idle 0:16:58 timeout 0:00:00
UDP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 0:16:58 timeout 0:00:00
Last question - can I combine service objects into a group and apply that to a NAT statement?
Thanks for the help!
01-11-2016 08:01 AM
Hi Jake,
The same service objects can be used in both ACLs and NATs. However, their implementation depends upon your use. Sometimes you need to use ports for the source IP in an ACL as well; then you can use a service object with source in that ACL as well.
Also, customers usually use a destination-based service object in Manual NAT after the Destination keyword. So it totally depends on how you use the objects and where.
The output below is related to your TCP NAT statement:
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 0:16:58 timeout 0:00:00
As you are not adding 'destination' in your manual NAT statement, the ASA by default considers the destination as 'any'. The Destination keyword in the NAT statement is for Destination NAT. Therefore it says that when the inside source is translated to the mapped IP on the outside interface, the destination part, which is 'any (0.0.0.0)', is translated to itself (any - 0.0.0.0). That is why you see that 0.0.0.0 xlate entry.
However, you won't see the same thing when you create Object/Auto NAT.
Related to the service-object query: you cannot call a service object-group in a NAT statement.
Hope it answers your queries.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
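As an added example that is not part of the original thread or of Cisco's documentation, here is the config the two posts point toward: per-protocol object (auto) NAT for the server, which does not create the any-to-any identity xlate entry discussed above, and destination-port service objects collected into a single object-group that the inbound ACL reuses (a service object-group cannot be referenced in a NAT statement, so NAT stays per object). The host 192.168.1.10, port 32400 and the inside/outside interface names come from the thread; the object names SERVER1_TCP, SERVER1_UDP, PLEX_TCP, PLEX_UDP, PLEX and the ACL name OUTSIDE_IN are assumptions made for this example.

```cisco
! Object (auto) NAT: one network object per protocol, because an object
! can carry only one nat statement. No 'destination' clause exists here,
! so no 0.0.0.0/0 identity xlate is generated.
object network SERVER1_TCP
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 32400 32400
object network SERVER1_UDP
 host 192.168.1.10
 nat (inside,outside) static interface service udp 32400 32400
!
! Service objects written from the ACL's point of view (destination port).
object service PLEX_TCP
 service tcp destination eq 32400
object service PLEX_UDP
 service udp destination eq 32400
!
! Group them once and reuse the group in the ACL; the group is not valid
! inside a nat statement.
object-group service PLEX
 service-object object PLEX_TCP
 service-object object PLEX_UDP
!
! Since 8.3 the ACL is written against the real (untranslated) inside
! address, not the outside interface IP. Only 32400/tcp and 32400/udp
! to that one host are opened; everything else inbound stays denied.
access-list OUTSIDE_IN extended permit object-group PLEX any object SERVER1_TCP
access-group OUTSIDE_IN in interface outside
```

To check the result, `show nat detail` lists the two object NAT rules with their hit counts, `show xlate` should then show only the two `192.168.1.10 32400-32400` PAT entries, and `packet-tracer input outside tcp 203.0.113.10 40000 5.5.5.5 32400` (203.0.113.10 is a constructed test source) walks the inbound flow through the NAT and ACL phases so you can confirm the untranslate and the permit before exposing the port.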
01-11-2016 02:22 PM
Thanks - very good explanation. I think I need to read up a bit more on my end and try to get a better grasp of the technology.