02-13-2012 10:38 AM - edited 03-11-2019 03:28 PM
Hello,
I am trying to exempt a specific service, let's say http, from being NAT'd - i.e. I want everything going to 0.0.0.0 to be Dynamic PAT'd to the outside interface, but HTTP only to be passed with original source IP.
Although the manual states that NAT rules should take precedence over object NAT, I am seeing HTTP traffic get source NATd anyway.
Config snip below:
nat (inside,outside) source dynamic obj-192.168.1.0 interface service not-http not-http
!
object network obj-192.168.1.0
nat (any,outside) dynamic interface
Any ideas? The only way I could figure out how to make this work is by a very convoluted process of creating NAT rules for tcp service object with ports 1-79 and 81-65535, but then I lose the ability to NAT anything except UDP and TCP.
Any advice welcome!
Thanks
ilya
02-14-2012 06:55 AM
Hello Ilya,
In case that you want to exempt some traffic to be translated only when they are going to any destination on the outside using TCP port 80 (HTTP), you should remove the following rule and leave the regular PAT in there.
{no} nat (inside,outside) source dynamic obj-192.168.1.0 interface service not-http not-http
The following rule would be OK in order to translate the rest of the traffic that doesn't match with the HTTP port:
object network obj-192.168.1.0
nat (any,outside) dynamic interface
I would suggest changing the rule from "any" to "inside"; so it would look like this:
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
For the NAT exemption, I would suggest you use the following rule:
object service dest-http
service tcp destination eq 80
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 service dest-http dest-http
With that rule, what the ASA is going to understand is that it is a static rule and the object obj-192.168.1.0 is not going to be translated (since the mapped object is the same) when any on that subnet is trying to go to any address on the outside with a destination TCP port of 80 (HTTP).
Let me know if that works for you.
Thanks.
02-14-2012 06:57 AM
If you issue the show nat detail command, you should see something like this:
1 (inside) to (outside) source static obj-192.168.1.0 obj-192.168.1.0 service dest-http dest-http
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24
Service - Origin: tcp destination eq www , Translated: tcp destination eq www
Thanks!
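To see why the accepted answer works, here is an added Python model of the ASA NAT table as configured in Luis's answer, together with the translate_hits counters that the show nat detail follow-up refers to. This is example code written for this thread, not ASA code and not Cisco's; it only encodes the documented lookup order (Section 1 manual/twice NAT rules are evaluated in order before Section 2 object NAT, first match wins) and two rules: the static identity rule qualified by the dest-http service, and the dynamic interface PAT for obj-192.168.1.0. The outside interface address 203.0.113.1 is an assumed placeholder from the documentation range.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Assumed outside interface address (documentation range), stands in for "interface" PAT.
OUTSIDE_IF_IP = "203.0.113.1"


@dataclass
class NatRule:
    """One row of the ASA NAT table (constructed model, not ASA code)."""
    section: int                   # 1 = manual (twice) NAT, 2 = object (auto) NAT
    real_src: IPv4Network          # real source object, e.g. obj-192.168.1.0
    mapped_src: str                # "identity" (mapped == real) or "interface" (PAT)
    proto: Optional[str] = None    # optional service qualifier, e.g. "tcp"
    dst_port: Optional[int] = None # destination port of that service qualifier
    translate_hits: int = 0        # the counter show nat detail prints

    def matches(self, src: str, proto: str, dst_port: int) -> bool:
        # Source must fall inside the real object...
        if ip_address(src) not in self.real_src:
            return False
        # ...and, if the rule carries a service, protocol and destination port must match too.
        if self.proto is not None and (proto != self.proto or dst_port != self.dst_port):
            return False
        return True

    def translate(self, src: str) -> str:
        self.translate_hits += 1
        if self.mapped_src == "interface":
            return OUTSIDE_IF_IP  # dynamic PAT to the outside interface address
        return src  # static identity: mapped object equals real object, so nothing changes


def build_rules() -> List[NatRule]:
    """The two rules from the accepted answer, in ASA evaluation order."""
    inside = ip_network("192.168.1.0/24")
    return [
        # nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 service dest-http dest-http
        NatRule(section=1, real_src=inside, mapped_src="identity", proto="tcp", dst_port=80),
        # object network obj-192.168.1.0 / nat (inside,outside) dynamic interface
        NatRule(section=2, real_src=inside, mapped_src="interface"),
    ]


def lookup(rules: List[NatRule], src: str, proto: str, dst_port: int) -> str:
    """Return the translated source for a packet leaving inside toward outside."""
    # Stable sort: Section 1 before Section 2, configured order preserved within a section.
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.matches(src, proto, dst_port):
            return rule.translate(src)
    return src  # no rule matched: the packet is forwarded untranslated


def hit_counts(rules: List[NatRule]) -> List[int]:
    """translate_hits per rule, in table order, like the show nat detail output."""
    return [r.translate_hits for r in rules]


if __name__ == "__main__":
    table = build_rules()
    for proto, port in (("tcp", 80), ("tcp", 22), ("udp", 53), ("udp", 80)):
        print(f"192.168.1.10 {proto}/{port} -> {lookup(table, '192.168.1.10', proto, port)}")
    print("translate_hits:", hit_counts(table))
```

Only TCP to destination port 80 hits the Section 1 identity rule and keeps 192.168.1.10 as its source; SSH, DNS and even UDP/80 fall through to the Section 2 object rule and are PAT'd to the interface address, which is exactly the split the original poster asked for without enumerating port ranges.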
02-14-2012 01:54 PM
Thank you, Luis!
That did the trick...