08-16-2011 09:43 PM - edited 03-11-2019 02:12 PM
Ok, I am at a loss on configuring a new ASA5505 for multiple static port translations.
I would have expected to simply add several service commands to a network object to complete the task; however, each service command overrides the previous one and replaces rather than adds to the translations.
My thought process was I could do...
object network Inside-Network
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network obj-MyServer
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 8080 8080
 nat (inside,outside) static interface service tcp 8443 8443
However, if entered in that order, the 8443 line overwrites the 8080 static translation.
What is the correct procedure to establish multiple translations?
If someone could also provide the "old" style for the pre-8.2 releases, I'd like to compare, because I thought I used to do this with an access-list somewhere.
Thanks for any assistance.
08-16-2011 10:45 PM
Hi,
Well, that's the correct behavior, because what you are trying to do is called object NAT or auto NAT.
In object NAT, an object can be bound to only one nat statement, so you cannot create multiple nat statements for the same object.
Solution:
Create multiple network objects for the same host or network and then apply a nat statement to each, like:
object network obj-MyServer
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 8080 8080
object network obj-MyServer2
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 8443 8443
and this will resolve it.
08-16-2011 10:49 PM
Sorry, there is a solution no. 2 as well:
Use manual NAT, or twice NAT.
In manual NAT you can use the same objects in multiple nat statements without any issues, because the NAT is not configured inside the object but in global configuration mode.
object network obj-MyServer
 host 192.168.1.100
object service tcp_8080
 service tcp destination eq 8080
object service tcp_8443
 service tcp destination eq 8443
nat (outside,inside) source static any any destination static interface obj-MyServer service tcp_8080 tcp_8080
nat (outside,inside) source static any any destination static interface obj-MyServer service tcp_8443 tcp_8443
Hope this helps you in understanding the new NAT better.
-Varun
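To put both answers above side by side with the piece neither shows, here is an added example (not configuration from any post in this thread) of the complete 8.3+ object NAT fix together with the outside interface ACL that actually admits the forwarded traffic, followed by the pre-8.3 equivalent the original poster asked about. The host and interface names are the thread's; the ACL name outside_access_in is assumed.

```cisco
! --- ASA 8.3 and later: one network object per port translation ---
! Object NAT allows exactly one nat line per object, so the same host
! is wrapped twice. Static object-NAT rules are evaluated before the
! dynamic PAT on Inside-Network, so the two forwards win for inbound.
object network obj-MyServer-8080
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 8080 8080
!
object network obj-MyServer-8443
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 8443 8443
!
! From 8.3 on, interface ACLs are matched against the REAL (untranslated)
! address, so the permit names the inside host, not the outside interface.
! Without this ACL the translation exists but the packet is still denied.
access-list outside_access_in extended permit tcp any host 192.168.1.100 eq 8080
access-list outside_access_in extended permit tcp any host 192.168.1.100 eq 8443
access-group outside_access_in in interface outside
!
! --- ASA 8.2 and earlier: the equivalent static port forwards ---
! The old "static" form carries the port pair directly; two lines for
! the same real host are allowed without any object trickery.
static (inside,outside) tcp interface 8080 192.168.1.100 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 8443 192.168.1.100 8443 netmask 255.255.255.255
!
! Pre-8.3 ACLs are matched against the MAPPED address, i.e. the outside
! interface address, which is where the access-list referred to earlier fits.
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-group outside_access_in in interface outside
```

The ACL difference is the part that bites on upgrade: a pre-8.3 ACL that permitted traffic to the outside interface address matches nothing after the migration, because the ACL is now checked after un-NAT against 192.168.1.100. On 8.3+ you can confirm both the translation and the ACL hit in one step with packet-tracer against the outside interface address, e.g. packet-tracer input outside tcp 203.0.113.5 12345 <outside-ip> 8080 (source address constructed for illustration), and list the installed rules with show nat detail.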
08-17-2011 08:03 PM
Thanks for clarifying that I was not crazy.
I was aware of the technique to get it working with twice NAT; however, I like the "object NAT" concept because it is much easier to read when viewing the config.
I still do not fully understand why Cisco cannot add the ability for multiple translations even with object NAT and just have it function like multiple twice NAT statements behind the scenes.
Since I am ranting...
I also do not understand why Cisco allows twice NAT to specify a service object, but not a service object group.
It would also be cleaner if the same configuration could be specified with:
object-group service obj-Server-Services tcp
 port-object eq 8080
 port-object eq 8443
nat (inside,outside) source static any any dest static interface obj-MyServer service obj-Server-Services
^^^
maybe a different keyword like service-group here
The same should apply to object NAT.
Why not...
object obj-MyServer
 nat (inside,outside) static interface service obj-Server-Services
if they only want to allow one command there?
Anyway, I wanted to fully complete the rant in case you actually work for Cisco or have any friends in there who answer the questions and/or change how it works :-).
08-17-2011 10:21 PM
Hi,
Fair enough, the new NAT system might seem difficult to understand, but the more you get into it, the more you find it is actually quite good and helpful. And that's based on my personal experience on this forum as well as at work.
First Question:
Well, there might be an issue with specifying a service object in the nat statement: then it might not do the one-to-one port translations. That means, if you specify a port object for ftp, http and smtp and want those ports translated to 2121, 8443 and 2525 respectively on your internal server, then with a service object applied it would pick any port in the translated group, which means that if a request for ftp comes in on the mapped IP, it might translate port 21 to 8443, which is not my requirement. Hence only service objects are used for one-to-one mapping.
Second Question:
Network object NAT not supporting multiple nat statements.
Well, the nat statement is just a parameter of the network object, and you cannot have different values of the same parameter for one network object.
All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a network object, which can be a single IP address, a range of addresses, or a subnet.
After you configure the network object, you can then identify the mapped address for that object, either as an inline address or as another network object or network object group.
When a packet enters the ASA, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.
Because the rules are never paired, you cannot specify that sourceA/destinationA should have a different translation than sourceA/destinationB. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).
I hope this helps you somewhat.
And no offence taken. Yes, I am a TAC engineer, and if you have any other things or product feedback to share, please do not hesitate.
Thanks,
Varun