01-13-2014 07:05 PM - edited 03-11-2019 08:29 PM
Hello,
Here is the scenario that I'm trying to solve. I have an IPSEC VPN that just strips off port 80 and 443 traffic from an internal network when the destination is the internet.
This VPN works fine until NAT gets involved. After I configured a dynamic hide NAT for the internal network, the traffic to the VPN no longer matches the crypto map. This I was expecting, as I know that NAT processing takes place before IPSEC. What I was not expecting is how difficult it would be to exclude my IPSEC VPN traffic from getting NATed.
The difficulty is in that the destination IP has to be ANY since it is the internet, and also that it should only be port 80 and 443 that are excluded from NAT. I do want any other traffic to still be processed by the dynamic hide.
So the traffic that I want to exclude from NAT would look like this:
internal-net --> ANY on TCP Port 80 or 443 Exclude from NAT.
It seems so simple, but I cannot find any examples of someone successfully doing this, and I also do not see that it is not possible. I've played around with many double NAT statements, but any combination that I put in results in the firewall saying, "ERROR: NAT unable to reserve ports".
Any help on this would be greatly appreciated!
Eric
01-13-2014 11:14 PM
I may not fully understand the reason why NAT exemption has to be done by port, but assuming the destination of your VPN interesting traffic is not any, then why don't you just exempt all VPN interesting traffic?
01-13-2014 11:28 PM
Hi,
The general format to configure NAT0 would be
object network LAN
subnet
object network REMOTE-LAN
subnet
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
But if I understood you correctly, you want to configure NAT0 for traffic from your LAN that has destination address "any" and destination port/service of TCP/80 or TCP/443?
This would mean that you are trying to tunnel all of this Web traffic to a remote site where it will eventually get passed to the Internet through NAT?
Have you tried the following NAT configuration yet?
object network LAN
subnet
object network REMOTE-LAN
subnet
object service WWW
service tcp destination eq www
object service HTTPS
service tcp destination eq https
nat (inside,outside) source static LAN LAN service WWW WWW
nat (inside,outside) source static LAN LAN service HTTPS HTTPS
This should match any traffic with a destination port TCP/80 and TCP/443 to "any" destination network. It would also at the same time keep the source address original (NAT0 / Identity NAT)
What you have to notice with this setup is that it applies to ALL this kind of traffic. If you have DMZs on the local ASA, you will have to configure additional NAT configuration before these configurations so that the LAN -> DMZ WWW/HTTPS traffic is not involved or forwarded to the L2L VPN. So there are some things to take into consideration.
There is also another variation of the above configuration and depending on your actual software level (the different software levels after 8.3) the ASA might match the above NAT configuration differently.
Hope this helps.
- Jouni
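As an added example (not from the thread or any of its posters), here is a fuller version of the configuration described above: the LAN -> DMZ identity rule is entered first so that local web traffic is not pulled into the L2L rules, the dynamic hide stays in place for everything else, and packet-tracer is used to confirm which rule each path hits. The addresses, the "dmz" interface name and the DMZ-NET object are constructed placeholders.

```cisco
! Constructed example addresses (RFC 1918 / RFC 5737); replace with your own.
object network LAN
 subnet 10.10.0.0 255.255.0.0
 ! Dynamic hide (PAT to the outside address) for all other LAN traffic.
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 192.168.50.0 255.255.255.0
object service WWW
 service tcp destination eq www
object service HTTPS
 service tcp destination eq https
!
! Manual (twice) NAT rules are evaluated in the order entered, so the
! LAN -> DMZ identity rule goes in first. Otherwise LAN -> DMZ web traffic
! would match the LAN -> any rules below and be sent out "outside".
nat (inside,dmz) source static LAN LAN destination static DMZ-NET DMZ-NET
!
! Identity NAT for LAN -> any on TCP/80 and TCP/443: the source address is
! kept, so the flow still matches the crypto map ACL on its way to the tunnel.
nat (inside,outside) source static LAN LAN service WWW WWW
nat (inside,outside) source static LAN LAN service HTTPS HTTPS
!
! Verification: check the NAT and VPN phases in the packet-tracer output.
! LAN -> DMZ:443 should hit the (inside,dmz) identity rule and egress on dmz.
packet-tracer input inside tcp 10.10.1.20 40000 192.168.50.10 443
! LAN -> Internet:443 should hit the HTTPS identity rule, then a VPN encrypt phase.
packet-tracer input inside tcp 10.10.1.20 40001 203.0.113.80 443
! LAN -> Internet:25 should hit the dynamic PAT rule and show no VPN phase.
packet-tracer input inside tcp 10.10.1.20 40002 203.0.113.80 25
!
! Confirm rule order and hit counts after the tests.
show nat detail
```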
01-14-2014 08:47 AM
Thanks Jouni for your answer. You do understand what I'm trying to accomplish correctly. I actually did try what you suggested before reaching out to the forums for help, but it does not work. You would think that your answer would be the correct configuration.
This is how the ASA responds to the command after entering it.
nat (inside,outside) source static LAN LAN service WWW WWW
ERROR: NAT unable to reserve ports.
And if you go to look for the command you find that it was not accepted into the config.
You are also correct that I would like to preserve the original client source IP all the way through the tunnel and that the destination has to be "ANY", and to do this just for ports 80 and 443.
The version of code that I'm running is Cisco ASA 8.4(4)3 and ASDM 6.4(9), although I'm not using the ASDM for this configuration. This is on an ASA5550 platform.
Thanks for your assistance, it is a configuration that I would think would be simple, but for some reason is not.
Eric
01-14-2014 09:44 AM
Hi,
I was expecting more a problem with the matching of the NAT rule, but it seems on your ASA it doesn't even accept the command, which really seems strange.
The main couple of reasons for this I could think of would be some existing NAT configuration that is interfering with this new command.
I have also witnessed this problem randomly on my home ASA5505 (running 8.4(5), even though it's not the latest). Sometimes I have simply had to reboot the firewall to get it working.
It seems that a previous configuration, for example, doesn't quite get deleted, and when you try to configure Static PAT for the same ports it rejects it with the above ERROR message, as you are seeing. I also witnessed this in another thread here on the forums several months ago, where the TAC engineer confirmed that the old NAT configuration was still in the ASA's memory (or something to that direction).
The first place I would start looking here would be the existing configuration.
If no clear conflict can be found, I would consider a reboot or perhaps a minor update, but both of these might be hard to accomplish depending on where the ASA in question is deployed.
Have you tried "packet-tracer" at the moment to simulate the traffic? Or have you simply confirmed that it matches a basic Dynamic PAT configuration?
For the test's sake, are you able to configure the above but for some totally random port like 8888 and see if it accepts that?
- Jouni
01-14-2014 11:33 AM
Jouni,
You are a genius! After I rebooted my ASA I was able to enter the command without getting that "ERROR: NAT unable to reserve ports" message. So my whole struggle with this configuration was actually a Cisco bug, it seems, related to lingering "ghost" NAT configs that were not shown in the configuration but were lingering in the system still.
What is even stranger is that it still did not work after entering the NAT command successfully, and then even after another reboot. I actually had given up, as I had to work on something else, but then noticed that the client had connected successfully to the internet, so I tried again and everything was working?!
Something buggy going on here for sure, but you were a great help, as I did not think to reboot the ASA to clear out system "ghosts of configurations past".
Thanks SO MUCH for your assistance on this!
Eric
01-14-2014 11:40 AM
Hi,
Great to hear that it's working now.
I have witnessed some strange bugs related to NAT. Sometimes it can be corrected with some reconfigurations, and every now and then a good old reboot is in order.
- Jouni