NAT doubts

XIE YAO
Level 1

Hi Experts,

I come across this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml?referring_site=smartnavRD

In Scenario 1, it shows the NAT configuration below:

nat (inside,outside) source dynamic IPS-management IPS-management interface
 
nat (inside,outside) static IPS-management ASA-outside service tcp 443 65432

I wonder why it should be configured like this.

The first configuration seems very confusing: it's a source dynamic NAT, but the real and mapped source IPs are the same, and then it also has a PAT interface fallback. Why is it needed?

The second configuration makes sense; it just NATs the IPS interface to the outside.

Thanks for your advice.

Best Regards

Xie Yao

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Haven't had to set up an ASA5500-X series IPS myself, so there are some new things there for me too.

It seems to me that Scenario 1 has a setup where both the "inside" and management interfaces have been connected to the same L2 switch. Management is used for the IPS and "inside" as a normal data interface. Both are in the same subnet.

I don't quite grasp the idea of the NAT configurations either.

Let's see the first one:

nat (inside,outside) source dynamic IPS-management IPS-management interface

To my understanding, in this command the keyword "interface" is useless. We have one real source address and one mapped source address. To my understanding the translation will always use the mapped address object for translation, as we have only specified a single source address for the translation. So I don't really know what the "interface" is used there for.

I would imagine, though, that this command should enable Internet access for the actual IPS module that is connected to the "inside" network also.

I would probably try to configure it as:

nat (inside,outside) source dynamic IPS-management interface

Now the second command:

nat (inside,outside) static IPS-management ASA-outside service tcp 443 65432

While I can understand the purpose of this command, it seems to me to have 2 major flaws. First, it's missing the "source" parameter from the start of the command. Second, you can use the "outside" interface IP address inside an "object network" and then use that "object" in the NAT configuration. The ASA won't accept that NAT policy.

The command is supposed to enable managing the IPS from "outside" using the IP address of the "outside" interface. The public-facing port is TCP/65432 and the actual real port is TCP/443.

To me it seems that this configuration should be:

nat (inside,outside) source static IPS-management interface service tcp 443 65432

I also wonder what the purpose of the ACL configurations in Scenario 1 is.

One ACL suggests that it's a global ACL and allows management connections. The other ACL also suggests that it's a global ACL but allows EVERYTHING. Yet we are not given any "access-group" command to determine which is used.

Unless I am missing something essential, the document seems to be handing out quite wrong or faulty information.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

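A complete version of the configuration Jouni sketches above, written out as an added example (it is not taken from the Cisco document or from the posts). It assumes ASA 8.3+ twice-NAT syntax; the object name IPS-management comes from the thread, while the host addresses and the service-object and ACL names are constructed.

```cisco
! Real address of the IPS management port on the "inside" LAN (constructed value)
object network IPS-management
 host 192.168.1.10
!
! Service objects for the twice-NAT port translation: twice NAT takes service
! objects rather than a literal "tcp 443 65432", and the port is given as the
! SOURCE port because it is the IPS (the real source) whose port is translated.
object service IPS-MGMT-REAL
 service tcp source eq 443
object service IPS-MGMT-MAPPED
 service tcp source eq 65432
!
! Static rule first: twice-NAT rules are matched in order, so the specific port
! mapping is placed before the catch-all dynamic PAT. "interface" stands in for
! the outside address; an object holding that address is rejected, as noted above.
nat (inside,outside) source static IPS-management interface service IPS-MGMT-REAL IPS-MGMT-MAPPED
!
! Outbound Internet access for the IPS itself: dynamic PAT to the outside address
nat (inside,outside) source dynamic IPS-management interface
!
! Management access limited to one admin host (constructed address). Post-8.3
! ACLs are evaluated against the real (untranslated) address and real port, so
! the rule names the object and tcp/443, not the outside address and 65432.
access-list OUTSIDE-IN extended permit tcp host 203.0.113.50 object IPS-management eq 443
access-group OUTSIDE-IN in interface outside
```

Binding the ACL with access-group on the outside interface supplies the piece Jouni notes is missing from the document, and scoping it to a single source host keeps the exposed management port from being reachable from anywhere.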

2 Replies

Thanks a lot, Jouni, for your time. I agree with you that Cisco should review this document; there are too many points missing and confusing.

I've already clicked "No" in the feedback of this article, hope someone will look into it.

Best regards

Xie Yao
