11-05-2015 06:39 AM - edited 03-11-2019 11:50 PM
Hello All,
I am migrating a PIX Firewall configuration to an ASA 5500-X configuration. I am facing NAT issues and I want to understand some lines.
PIX configuration
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 80 // exempts address in this group from NAT
nat (inside) 1 158.29.152.160 255.255.255.240 0 0
nat (inside) 1 158.29.152.128 255.255.255.224 0 0
nat (inside) 1 158.29.152.192 255.255.255.224 0 0
nat (inside) 1 10.237.106.0 255.255.255.128 0 0
nat (inside) 1 158.29.140.0 255.255.255.128 0 0
nat (inside) 1 158.29.140.128 255.255.255.128 0 0
nat (inside) 1 158.29.152.0 255.255.255.128 0 0
nat (inside) 1 10.237.102.0 255.255.255.0 0 0
nat (inside) 1 158.29.107.0 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_nat0_outbound //Exempt this ACL from translation
nat (dmz) 1 192.168.237.0 255.255.255.0 0 0
In my understanding, I will apply NAT on the inside interface like nat (inside,outside) dynamic .......
I don't know how to translate the global (dmz) 1 interface command and the nat (dmz) 0 and nat (dmz) 1 commands.
Is it nat (dmz,outside) or nat (inside,dmz)?
Any help please.
Solved! Go to Solution.
11-06-2015 07:39 AM
With object NAT, only one subnet per object. So you're likely to have to do something like the below and repeat it many times if you don't want to do subnet 0.0.0.0 0.0.0.0.
object network obj-158.29.152.160
subnet 158.29.152.160 255.255.255.240
nat (inside,outside) dynamic interface
I would use an object-group.
object-group network INSIDE-NET
network-object 158.29.152.160 255.255.255.240
network-object 158.29.152.128 255.255.255.224
network-object 158.29.152.192 255.255.255.224
network-object 10.237.106.0 255.255.255.128
network-object 158.29.140.0 255.255.255.128
network-object 158.29.140.128 255.255.255.128
network-object 158.29.152.0 255.255.255.128
network-object 10.237.102.0 255.255.255.0
network-object 158.29.107.0 255.255.255.0
nat (inside,outside) after-auto source dynamic INSIDE-NET interface
nat (inside,dmz) after-auto source dynamic INSIDE-NET interface
Test using packet-tracer,
e.g. packet-tracer input inside tcp 10.237.106.2 1024 x.x.x.x 80
With NAT0, one subnet per object:
object network SubA
subnet 158.29.107.0 255.255.255.0
object network SubA1
subnet 158.29.108.0 255.255.255.0
object network SubB
host 10.237.102.22
object network SubB1
host 10.237.102.24
object network WanA
subnet 158.29.106.0 255.255.255.0
object network Srv1
host 172.29.180.48
nat (inside,outside) source static SubA SubA destination static WanA WanA
nat (inside,outside) source static SubA1 SubA1 destination static WanA WanA
nat (inside,outside) source static SubB SubB destination static Srv1 Srv1
nat (inside,outside) source static SubB1 SubB1 destination static Srv1 Srv1
Lastly:
object network dmzA
subnet 192.168.237.0 255.255.255.0
object network DmzSA
subnet 192.168.180.0 255.255.255.0
object network DmzSA1
subnet 192.168.190.0 255.255.255.0
nat (dmz,outside) source static dmzA dmzA destination static DmzSA DmzSA
nat (dmz,outside) source static dmzA dmzA destination static DmzSA1 DmzSA1
Hopefully no typos.
Joel
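As an added example (not from this thread and not a Cisco tool), a small Python script that applies the mapping in the answer above to pre-8.3 lines: each nat/global pool becomes an object-group with one after-auto twice-NAT line per global interface, and each ACE of a nat 0 access-list becomes a pair of single-subnet objects with an identity rule. It assumes the after-auto keyword for section-3 twice NAT, the any keyword as the mapped interface for the interface-independent NAT0 rules, and object names of its own choosing; the input is a constructed subset of the PIX lines in the question.

```python
from ipaddress import IPv4Network
# Constructed sample modelled on the thread's PIX lines (a subset, not the full config).
PIX_CONFIG = """\
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 158.29.152.160 255.255.255.240 0 0
nat (inside) 1 10.237.102.0 255.255.255.0 0 0
nat (dmz) 1 192.168.237.0 255.255.255.0 0 0
access-list 80 extended permit ip 158.29.107.0 255.255.255.0 158.29.106.0 255.255.255.0
access-list 80 extended permit ip host 10.237.102.22 host 172.29.180.48
"""

def endpoint(tok):
    """One ACE endpoint, 'host A' or 'A MASK' -> (IPv4Network, remaining tokens)."""
    return (IPv4Network(tok[1]), tok[2:]) if tok[0] == "host" else (IPv4Network(f"{tok[0]}/{tok[1]}"), tok[2:])

def migrate(text):
    """Return ASA 8.3+ lines equivalent to the pre-8.3 global/nat/access-list lines in text."""
    pools, groups, nat0, aces, out, seen = {}, {}, {}, {}, [], set()
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["global"] and t[3] == "interface":     # global (ifc) ID interface
            pools.setdefault(t[2], []).append(t[1].strip("()"))
        elif t[:1] == ["nat"] and t[2] == "0":               # nat (ifc) 0 access-list NAME
            nat0[t[1].strip("()")] = t[4]
        elif t[:1] == ["nat"]:                               # nat (ifc) ID NET MASK ...
            groups.setdefault((t[1].strip("()"), t[2]), []).append(IPv4Network(f"{t[3]}/{t[4]}"))
        elif t[:1] == ["access-list"] and "permit" in t:     # ACE; only 'permit ip' entries are used
            i = t.index("permit")
            if t[i + 1] == "ip":
                src, rest = endpoint(t[i + 2:])
                aces.setdefault(t[1], []).append((src, endpoint(rest)[0]))
    for (real_if, pool), nets in groups.items():
        grp = f"NAT-{real_if.upper()}-POOL{pool}"           # generated name (assumption)
        out.append(f"object-group network {grp}")
        out += [f" network-object {n.network_address} {n.netmask}" for n in nets]
        # Object NAT allows one nat line per object, so a pool with two global interfaces
        # becomes one twice-NAT line per mapped interface; after-auto keeps them in section 3.
        for mapped_if in pools.get(pool, []):
            if mapped_if != real_if:                         # no dmz->dmz rule from global (dmz)
                out.append(f"nat ({real_if},{mapped_if}) after-auto source dynamic {grp} interface")
    for real_if, acl in nat0.items():
        for src, dst in aces.get(acl, []):
            s, d = f"obj-{src.network_address}", f"obj-{dst.network_address}"
            for name, net in ((s, src), (d, dst)):
                if name not in seen:                         # define each object only once
                    seen.add(name)
                    out.append(f"object network {name}")
                    out.append(f" host {net.network_address}" if net.prefixlen == 32 else f" subnet {net.network_address} {net.netmask}")
            # PIX 'nat 0' ignored the egress interface, so the identity rule uses 'any' as the mapped side.
            out.append(f"nat ({real_if},any) source static {s} {s} destination static {d} {d}")
    return out
```

Run migrate(PIX_CONFIG) and print the lines to review them before pasting; the generated names are placeholders to rename to your own scheme.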
11-05-2015 08:49 AM
nat (inside,outside), for instance, means the host you want to NAT is located inside. Static NAT example to NAT from the public interface to 10.10.10.10:80:
object network OBJ-STATIC-XYZ
host 10.10.10.10
nat (inside,outside) static interface service tcp 80 80
Outbound PAT/NAT
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Also for DMZ
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,dmz) dynamic interface
If you wish to restrict the subnet to one of your ranges do the following:
object network obj_***
subnet 158.29.152.160 255.255.255.240
nat (inside,dmz) dynamic interface
For NAT exemption (NAT 0) look at identity NAT:
object network LAN
subnet x.x.x.x x.x.x.x
object network remote
subnet x.x.x.x x.x.x.x
nat (inside,outside) source static LAN LAN destination static remote remote
Useful links:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps.
Joel
11-05-2015 09:06 AM
Thanks Joel,
I know these steps. I am confused. If you take a look at this configuration, it is a configuration of a PIX firewall; I want to translate this configuration to my ASA. It's deprecated, but I want to understand the line in BOLD.
I have global outside.
I have global dmz. What does that mean?
I can send you my translation for the ASA firewall if you want.
Regards,
11-05-2015 11:28 AM
For PIX and ASA 8.2 and below (been a while)
global (outside) 1 interface defines the address to NAT to from anything with the pool number 1.
global (DMZ) 1 interface
Anything coming into the inside interface matching the NAT statement and going out the "outside" or "DMZ" interface will be NAT'd to that interface's address.
Example
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 158.29.152.160 255.255.255.240 0 0
If your outside interface address is 1.1.1.1 and DMZ is 2.2.2.2, anything from the inside such as 158.29.152.161 will match the NAT statement when going to OUTSIDE or DMZ and will NAT to either 1.1.1.1 or 2.2.2.2 accordingly.
Please send your translations.
Joel
11-06-2015 12:58 AM
Thank you Joel for your answer.
Let me give you my translation step by step.
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 80 // exempts address in this group from NAT
nat (inside) 1 158.29.152.160 255.255.255.240 0 0
nat (inside) 1 158.29.152.128 255.255.255.224 0 0
nat (inside) 1 158.29.152.192 255.255.255.224 0 0
nat (inside) 1 10.237.106.0 255.255.255.128 0 0
nat (inside) 1 158.29.140.0 255.255.255.128 0 0
nat (inside) 1 158.29.140.128 255.255.255.128 0 0
nat (inside) 1 158.29.152.0 255.255.255.128 0 0
nat (inside) 1 10.237.102.0 255.255.255.0 0 0
nat (inside) 1 158.29.107.0 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_nat0_outbound //Exempt this ACL from translation
nat (dmz) 1 192.168.237.0 255.255.255.0 0 0
These first lines correspond in 8.3 to the following lines, except the line in red, because it is NAT 0.
object network inside-net
subnet 158.29.152.160 255.255.255.240
subnet 158.29.152.128 255.255.255.224
subnet 158.29.152.192 255.255.255.224
subnet 10.237.106.0 255.255.255.128
subnet 158.29.140.0 255.255.255.128
subnet 158.29.140.128 255.255.255.128
subnet 158.29.152.0 255.255.255.128
subnet 10.237.102.0 255.255.255.0
subnet 158.29.107.0 255.255.255.0
nat (inside,outside) dynamic interface
nat (inside,dmz) dynamic interface
Translation of NAT 0, that is, nat (inside) 0 access-list 80.
These are the rules for ACL 80:
access-list 80 extended permit ip 158.29.107.0 255.255.255.0 158.29.106.0 255.255.255.0
access-list 80 extended permit ip 158.29.108.0 255.255.255.0 158.29.106.0 255.255.255.0
access-list 80 extended permit ip host 10.237.102.22 host 172.29.180.48
access-list 80 extended permit ip host 10.237.102.24 host 172.29.180.48
CREATION OF NAT 0 in ASA 8.3 or LATER
object network SubA
subnet 158.29.107.0 255.255.255.0
subnet 158.29.108.0 255.255.255.0
object Network SubB
host 10.237.102.22
host 10.237.102.24
object network WanA
subnet 158.29.106.0 255.255.255.0
object network Srv1
host 172.29.180.48
nat (inside,outside) source static SubA SubA destination static WanA WanA
nat (inside,outside) source static SubB SubB destination static Srv1 Srv1
TRANSLATING NAT DMZ 0 acl Dmz_nat0
nat (dmz) 0 access-list dmz_nat0_outbound //Exempt this ACL from translation
RULE IN 8.3 OR LATER
acl dmz_nat0
access-list dmz_nat0_outbound permit ip 192.168.237.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list dmz_nat0_outbound permit ip 192.168.237.0 255.255.255.0 192.168.190.0 255.255.255.0
object network dmzA
subnet 192.168.237.0 255.255.255.0
object network DmzSA
subnet 192.168.180.0 255.255.255.0
subnet 192.168.190.0 255.255.255.0
nat (dmz,outside) source static dmzA dmzA destination static dmzSA dmzSA
TRANSLATING last line : nat (dmz) 1 192.168.237.0 255.255.255.0 0 0
object group dmzA
nat (dmz,outside) dynamic interface
That is my understanding of migrating these commands from pix to ASA 8.3 or later.
If I am correct, let me know; if not, please explain it to me.
Regards,