NAT in ASA 5505 version 8.3

Ange OKOBET
Level 1

Hi

I need to fulfil the below configuration, which is working fine on my actual D-Link NetDefend firewall.

We have a range of IPs assigned by our ISP: 194.250.47.128/29

194.250.47.129 is the firewall IP and 134 the ISP gateway.

We have 4 interfaces

- The local user interface: lan =192.168.170.1/24

- The servers interface : dmz =192.168.171.1/24

- The database interface : oracle=192.168.169.1/24

- The internet interface : wan=194.250.47.129/24

So I duplicated the configuration on the ASA 5505:

- Inside

- dmz

- oracle

- outside

on the dmz we have servers running http and ftp at the same time

So to fulfil the config on the D-Link, we publish on the wan interface all our public IPs using the ARP proxy feature.

Then we can make SAT from the wan to the lan interface of the DFL.

So we permit the following:

If a request from the internet reaches 194.250.47.129 for ftp, then redirect it to 192.168.171.3 for ftp:

194.250.47.129 ftp -> 192.168.171.3 ftp
194.250.47.130 ftp -> 192.168.170.102 port 6128
194.250.47.131 ftp -> 192.168.171.10 ftp
194.250.47.132 ftp -> 192.168.171.10 ftp

If a request from the internet reaches 194.250.47.129 for www, then redirect it to 192.168.171.10 for www:

194.250.47.129 www -> 192.168.171.10 www
194.250.47.130 www -> 192.168.171.10 www
194.250.47.131 www -> 192.168.171.10 www
194.250.47.132 www -> 192.168.171.10 www

Same type for the Oracle database running SQL*Net v2:

If a request from the internet reaches 194.250.47.132 for 1521, then redirect it to 192.168.169.4.

If a request from the lan reaches 194.250.47.129, then redirect the packet to 192.168.171.10.

This is what we have working on the D-Link, except the Oracle database.

So I try to duplicate the same configuration on the ASA 5505, software 8.3.

I cannot have FTP from 131 and 132 static PAT to 192.168.171.10. When trying it, the ASA replaces the previous entry with the new entry.

Same for www from 131 and 132 to 192.168.171.10. Same behaviour as with FTP.

Can someone help me sort out the issue with FTP and www and guide me through the SQL*Net configuration?

7 Replies

mirober2
Cisco Employee

Hi Ange,

Unfortunately, you can currently only configure 1 NAT rule per object (we have an enhancement request CSCte96293 filed to change this in the future). Therefore, if you configure a 2nd NAT rule in the same object it will overwrite the 1st one.

Try this configuration instead:

object network obj-192.168.171.3
   host 192.168.171.3
   nat (dmz,outside) static 194.250.47.129 service tcp ftp ftp
object network obj-192.168.170.102
   host 192.168.170.102
   nat (inside,outside) static 194.250.47.130 service tcp 6128 ftp
object network obj-192.168.171.10-ftp1
   host 192.168.171.10
   nat (dmz,outside) static 194.250.47.131 service tcp ftp ftp
object network obj-192.168.171.10-ftp2
   host 192.168.171.10
   nat (dmz,outside) static 194.250.47.132 service tcp ftp ftp
object network obj-192.168.171.10-www1
   host 192.168.171.10
   nat (dmz,outside) static 194.250.47.129 service tcp www www
object network obj-192.168.171.10-www2
   host 192.168.171.10
   nat (dmz,outside) static 194.250.47.130 service tcp www www
object network obj-192.168.171.10-www3
   host 192.168.171.10
   nat (dmz,outside) static 194.250.47.131 service tcp www www
object network obj-192.168.171.10-www4
   host 192.168.171.10
   nat (dmz,outside) static 194.250.47.132 service tcp www www
!
access-list outside_access_in permit tcp any host 192.168.171.3 eq ftp
access-list outside_access_in permit tcp any host 192.168.170.102 eq 6128
access-list outside_access_in permit tcp any host 192.168.171.10 eq ftp
access-list outside_access_in permit tcp any host 192.168.171.10 eq www
access-group outside_access_in in interface outside

Hope that helps.

-Mike

Hi Mike,

It seems to work. Will test it.

By the way can you help me regarding sqlnet inspection.

Is it enabled by default? Do I need to enable it?

How do I write the ACL to permit traffic coming to 194.250.47.130 to be redirected to the Oracle database on 192.168.169.4?

Many thanks.

Hi Ange,

Yes, SQLnet inspection is enabled by default. You can enable it globally like this:

class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
  inspect sqlnet
!
service-policy global_policy global

To setup NAT for the Oracle server, you can use the examples I posted previously as a template. Just change the IPs and interfaces where needed:

object network obj-192.168.169.4
   host 192.168.169.4
   nat (oracle,outside) static 194.250.47.130 service tcp 1521 1521
!
access-list outside_access_in permit tcp any host 192.168.169.4 eq 1521

Hope that helps.

-Mike

Hi Mike,

Many thanks.

Will deploy the Cisco with the databases and check how that works.

Will continue the thread if I encounter any other issues.

Many thanks again.

Ange

I have implemented the configuration as we discussed and needed some fine tunes regarding sqlnet.

I had to modify the access rule not to point to sqlnet service but to do a static nat and access rule for ports above 1024 and it is working fine.

My last question is regarding this issue:

A request is sent from the inside to the outside.

I want the ASA to capture the packet and to redirect the request to the dmz or oracle interface.

Is this doable ?

I encountered an issue again.

If I try to NAT 194.250.47.131 to 192.168.170.32 and 192.168.171.10 for the www service, the firewall complains about an overlapping issue.

In my understanding, that should not prevent the Cisco from processing the packets correctly to the private IPs?
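The one-NAT-rule-per-object limit from Mike's first reply and the overlap error reported in this post, as an added example that is not part of the thread or of Cisco's own tooling: a small Python generator that turns the static PAT table into ASA 8.3 object NAT (one object per rule, named like Mike's obj-<host>-ftp1 style) and refuses a table in which two rules claim the same public ip/protocol/port. The mapping table is constructed from the thread, and the oracle entry assumes the 1521 mapping from Mike's second reply.

```python
"""Added example: generate ASA 8.3 object NAT from a static PAT table.

Checked before emitting: 8.3 keeps one nat line per network object, so each
mapping gets its own object, and no two rules may map the same public
ip/protocol/port (the ASA reports that as an overlap)."""
from collections import Counter

# Constructed from the thread's mapping table; not the OP's running config.
# (mapped_ip, proto, mapped_port, real_interface, real_ip, real_port)
MAPPINGS = [
    ("194.250.47.129", "tcp", "ftp", "dmz", "192.168.171.3", "ftp"),
    ("194.250.47.130", "tcp", "ftp", "inside", "192.168.170.102", "6128"),
    ("194.250.47.131", "tcp", "ftp", "dmz", "192.168.171.10", "ftp"),
    ("194.250.47.132", "tcp", "ftp", "dmz", "192.168.171.10", "ftp"),
    ("194.250.47.129", "tcp", "www", "dmz", "192.168.171.10", "www"),
    ("194.250.47.130", "tcp", "www", "dmz", "192.168.171.10", "www"),
    ("194.250.47.131", "tcp", "www", "dmz", "192.168.171.10", "www"),
    ("194.250.47.132", "tcp", "www", "dmz", "192.168.171.10", "www"),
    ("194.250.47.130", "tcp", "1521", "oracle", "192.168.169.4", "1521"),
]


def find_overlaps(mappings):
    """Return (mapped_ip, proto, mapped_port) keys claimed by more than one rule."""
    counts = Counter((m_ip, proto, m_port) for m_ip, proto, m_port, *_ in mappings)
    return sorted(key for key, n in counts.items() if n > 1)


def render_object_nat(mappings, outside="outside"):
    """One object with a single nat line per mapping, then the outside ACL.
    In 8.3 the ACL matches the real (private) address, as in the replies above."""
    overlaps = find_overlaps(mappings)
    if overlaps:
        raise ValueError(f"overlapping static PAT, fix the table first: {overlaps}")
    nat, acl, seq = [], [], Counter()
    for m_ip, proto, m_port, real_if, real_ip, r_port in mappings:
        seq[(real_ip, m_port)] += 1  # obj-<host>-ftp1, -ftp2, ... as in the replies
        name = f"obj-{real_ip}-{m_port}{seq[(real_ip, m_port)]}"
        nat += [f"object network {name}",
                f"   host {real_ip}",
                f"   nat ({real_if},{outside}) static {m_ip} service {proto} {r_port} {m_port}"]
        acl.append(f"access-list {outside}_access_in permit {proto} any host {real_ip} eq {r_port}")
    acl = list(dict.fromkeys(acl))  # one ACE when several public IPs reach the same host/port
    acl.append(f"access-group {outside}_access_in in interface {outside}")
    return nat + ["!"] + acl


if __name__ == "__main__":
    print("\n".join(render_object_nat(MAPPINGS)))
```

Adding the 194.250.47.131 www -> 192.168.170.32 rule from this post to the table makes find_overlaps report the clash before anything is pasted into the ASA.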

Hello,

I sorted out the issue.

The configuration is running as expected.

Need now to add the dual wan for inbound connections on second isp interface.

Many thanks.
