Is it possible to do NAT Exemption by port on ASA >8.3?

egibson
Level 1

Hello,

Here is the scenario that I'm trying to solve. I have an IPSEC VPN that just strips off port 80 and 443 traffic from an internal network when the destination is the internet.

This VPN works fine until NAT gets involved. After I configured a dynamic hide NAT for the internal network, the traffic to the VPN no longer matches the crypto map. This I was expecting, as I know that NAT processing takes place before IPSEC. What I was not expecting is how difficult it would be to exclude my IPSEC VPN traffic from getting NATed.

The difficulty is in that the destination IP has to be ANY since it is the internet, and also that it should only be port 80 and 443 that are excluded from NAT. I do want any other traffic to still be processed by the dynamic hide.

So the traffic that I want to exclude from NAT would look like this:

internal-net --> ANY on TCP Port 80 or 443 Exclude from NAT.

It seems so simple but I cannot find any examples of someone successfully doing this, and I also do not see that it is not possible. I’ve played around with many double NAT statements but any combination that I put in results in the firewall saying, “ERROR: NAT unable to reserve ports”.

Any help on this would be greatly appreciated!

Eric


6 Replies

XIE YAO
Level 1

I may not fully understand the reason why NAT exemption has to be done by port, but assuming the destination of your VPN interesting traffic is not "any", then why not just exempt all VPN interesting traffic?

Jouni Forss
VIP Alumni

Hi,

The general format to configure NAT0 would be

object network LAN
subnet
object network REMOTE-LAN
subnet
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

But if I understood you correctly, you want to configure NAT0 for traffic from your LAN that has destination address "any" and destination port/service of TCP/80 or TCP/443?

This would mean that you are trying to tunnel all of this Web traffic to a remote site where it will eventually get passed to the Internet through NAT?

Have you tried the following NAT configuration yet?

object network LAN
subnet
object network REMOTE-LAN
subnet
object service WWW
service tcp destination eq www
object service HTTPS
service tcp destination eq https
nat (inside,outside) source static LAN LAN service WWW WWW
nat (inside,outside) source static LAN LAN service HTTPS HTTPS

This should match any traffic with a destination port TCP/80 and TCP/443 to "any" destination network. It would also at the same time keep the source address original (NAT0 / Identity NAT).

What you have to notice with this setup is that this applies to ALL this kind of traffic. If you have DMZs on the local ASA you will have to configure additional NAT configuration before these configurations so that the LAN -> DMZ WWW/HTTPS traffic is not involved or forwarded to the L2L VPN. So there are some things to take into consideration.

There is also another variation of the above configuration and depending on your actual software level (the different software levels after 8.3) the ASA might match the above NAT configuration differently.

Hope this helps

- Jouni
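To make the ordering argument in the reply above concrete, here is a small Python model of how the ASA's manual NAT table is walked top-down with first match winning, and why the post-NAT source address decides whether the crypto ACL still matches. This is an added illustration written for this thread, not ASA code or anything from the original posters; the addresses are constructed from documentation ranges, the "NAT divert" behaviour (a matched manual NAT rule forwards the packet out the rule's mapped interface) is modelled in simplified form, and the rule names and helper functions are mine.

```python
"""Toy model of ASA 8.3+ manual (twice) NAT evaluation and its effect on an
IPsec crypto-map match. Constructed example; addresses are documentation ranges."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology (not taken from the thread).
LAN = ip_network("10.1.1.0/24")          # real inside network
DMZ = ip_network("172.16.1.0/24")        # local DMZ behind the same ASA
OUTSIDE_IP = ip_address("203.0.113.10")  # outside interface address used for dynamic PAT
WEB_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    egress: str                      # mapped interface of 'nat (real,mapped)'
    src_net: IPv4Network
    dst_net: Optional[IPv4Network]   # None means destination "any"
    dports: frozenset                # empty means any destination port
    identity: bool                   # True: NAT0, source kept; False: dynamic PAT

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in self.src_net:
            return False
        if self.dst_net is not None and ip_address(f.dst) not in self.dst_net:
            return False
        return not self.dports or f.dport in self.dports


# Manual NAT rules are evaluated in order; the first match wins.
# The DMZ identity rule sits first so LAN -> DMZ web traffic is not diverted
# out the outside interface by the broader "destination any" rule below it.
DMZ_IDENTITY = NatRule("LAN->DMZ identity", "dmz", LAN, DMZ, frozenset(), identity=True)
WEB_IDENTITY = NatRule("LAN->any web identity", "outside", LAN, None, WEB_PORTS, identity=True)
DYNAMIC_PAT = NatRule("LAN dynamic PAT", "outside", LAN, None, frozenset(), identity=False)

WITH_EXEMPTION: List[NatRule] = [DMZ_IDENTITY, WEB_IDENTITY, DYNAMIC_PAT]
WITHOUT_EXEMPTION: List[NatRule] = [DYNAMIC_PAT]          # the original problem
MISSING_DMZ_RULE: List[NatRule] = [WEB_IDENTITY, DYNAMIC_PAT]  # the caveat in the reply


def apply_nat(flow: Flow, table: List[NatRule]) -> Tuple[str, Flow, str]:
    """Return (matched rule name, post-NAT flow, egress interface)."""
    for rule in table:
        if rule.matches(flow):
            post = flow if rule.identity else replace(flow, src=str(OUTSIDE_IP))
            return rule.name, post, rule.egress
    # No NAT rule: plain route lookup decides the egress interface.
    egress = "dmz" if ip_address(flow.dst) in DMZ else "outside"
    return "no NAT rule", flow, egress


def crypto_acl_matches(post: Flow, egress: str) -> bool:
    """Crypto ACL equivalent of 'permit tcp LAN any eq 80/443', evaluated on the
    post-NAT packet and only on the interface carrying the crypto map."""
    return (egress == "outside"
            and ip_address(post.src) in LAN
            and post.dport in WEB_PORTS)


def tunnel_decision(flow: Flow, table: List[NatRule]) -> Tuple[str, str, str, bool]:
    """(rule that matched, post-NAT source, egress interface, goes into the tunnel?)"""
    rule, post, egress = apply_nat(flow, table)
    return rule, post.src, egress, crypto_acl_matches(post, egress)


if __name__ == "__main__":
    web = Flow("10.1.1.5", "198.51.100.7", 443)
    ssh = Flow("10.1.1.5", "198.51.100.7", 22)
    dmz_web = Flow("10.1.1.5", "172.16.1.20", 80)
    for label, table in (("with exemption", WITH_EXEMPTION),
                         ("without exemption", WITHOUT_EXEMPTION),
                         ("missing DMZ rule", MISSING_DMZ_RULE)):
        for f in (web, ssh, dmz_web):
            print(label, f, "->", tunnel_decision(f, table))
```

Running it shows the three situations discussed in the thread: with the port-based identity rules in place, web traffic to the internet keeps its LAN source and matches the crypto ACL while other traffic is PATed and bypasses the tunnel; with only the dynamic PAT rule, the web traffic leaves with the outside address and the crypto map no longer matches; and with the DMZ identity rule missing, LAN-to-DMZ web traffic is caught by the "destination any" rule and sent toward the tunnel instead.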

Thanks Jouni for your answer. You do understand what I'm trying to accomplish correctly. I actually did try what you suggested before reaching out to the forums for help, but it does not work. You would think that your answer would be the correct configuration.

This is how the ASA responds to the command after entering it.

nat (inside,outside) source static LAN LAN service WWW WWW
ERROR: NAT unable to reserve ports.

And if you go to look for the command you find that it was not accepted into the config.

You are also correct that I would like to preserve the original client source IP all the way through the tunnel and that the destination has to be "ANY", and to do this just for ports 80 and 443.

The version of code that I'm running is Cisco ASA 8.4(4)3 and ASDM 6.4(9), although I'm not using the ASDM for this configuration. This is on an ASA5550 platform.

Thanks for your assistance, it is a configuration that I would think would be simple, but for some reason is not.

Eric

Hi,

I was expecting more of a problem with the matching of the NAT rule, but it seems on your ASA it doesn't even accept the command, which really seems strange.

The main couple of reasons for this I could think of would be some existing NAT configuration that is interfering with this new command.

I have also witnessed this problem randomly on my home ASA5505 (running 8.4(5), even though it's not the latest). Sometimes I have simply had to reboot the firewall to get it working.

It seems that a previous configuration, for example, doesn't quite get deleted, and when you try to configure Static PAT for the same ports it rejects it with the above ERROR message as you are seeing. I also witnessed this in another thread here on the forums several months ago where the TAC engineer confirmed that the old NAT configuration was still in the ASA's memory (or something to that direction).

First place I would start looking here would be the existing configuration.

If no clear conflict can be found I would consider a reboot or perhaps a minor update, but both of these might be hard to accomplish depending on where the ASA in question is deployed.

Have you tried "packet-tracer" at the moment to simulate the traffic? Or have you simply confirmed that it matches a basic Dynamic PAT configuration?

For test's sake, are you able to configure the above but for some totally random port like 8888 and see if it accepts that?

- Jouni

Jouni,

You are a genius! After I rebooted my ASA I was able to enter the command without getting that "ERROR: NAT unable to reserve ports" message. So my whole struggle with this configuration was actually a Cisco bug it seems, related to lingering "ghost" NAT configs that were not shown in the configuration but were lingering in the system still.

What is even stranger is that it did not work still after entering the NAT command successfully and then even after another reboot. I actually had given up as I had to work on something else but then noticed that the client had connected successfully to the internet, so I tried again and everything was working?!

Something buggy going on here for sure, but you were a great help as I did not think to reboot the ASA to clear out system "ghosts of configurations past".

Thanks SO MUCH for your assistance on this!

Eric

Hi,

Great to hear that it's working now.

I have witnessed some strange bugs related to NAT. Sometimes it can be corrected with some reconfiguration, and every now and then a good old reboot is in order.

- Jouni
