02-10-2013 02:59 PM - edited 03-11-2019 05:58 PM
Hi,
I'm looking for a way to avoid doing 999 individual port address translations for ports in a range 1-999 for the same protocol.
I'm not finding anything that asa code v9.11 will allow.
I have the service objects defined but cannot find a way to get the nat statement to allow the service object.
object network foobar
host 192.168.100.22
nat (inside,outside) static interface service fooservice fooservice
Hope I'm missing something here. Any help appreciated.
Thanks.
Solved! Go to Solution.
02-10-2013 03:45 PM
Hi,
Seems there is a bug in the 9.1 ASA software as I tried to configure this first with that software. That gave a weird result and I checked another post on these forums that related to a similar problem.
I then booted my ASA with 8.4(5) software and the NAT is now working normally. So I imagine you will have to wait for a correcting software or move to an older software to get it working in the meanwhile.
Here's the configuration I did and a "packet-tracer" output to test it.
NAT CONFIGURATION
Where
object service SERVICE-LOCAL
service tcp source range 5000 6000
object service SERVICE-MAPPED
service tcp source range 15000 16000
object network SERVER-LOCAL
host X.X.X.X
object network SERVER-MAPPED
host Y.Y.Y.Y
nat (LAN,WAN) source static SERVER-LOCAL SERVER-MAPPED service SERVICE-LOCAL SERVICE-MAPPED
PACKET-TRACER TEST
Where
ASA# packet-tracer input WAN tcp 1.2.3.4 20000 Y.Y.Y.Y 15000
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source static SERVER-LOCAL SERVER-MAPPED service SERVICE-LOCAL SERVICE-MAPPED
Additional Information:
NAT divert to egress interface LAN
Untranslate Y.Y.Y.Y/15000 to X.X.X.X/5000
Link to the discussion with the NAT problem:
https://supportforums.cisco.com/thread/2196562?tstart=60
Link to the BugID (CLICK THE BUG ID AT THE END OF THE LINK)
https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&page=bstBugDetail&BugID=CSCud64705
Finally the same NAT configuration as above but while running ASA software 9.1(1)
Where
ASA(config)# packet-tracer input WAN tcp 1.2.3.4 20000 Y.Y.Y.Y 15000
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in X.X.X.X 255.255.255.248 WAN
Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Hope the above information has been helpful. If so please rate.
- Jouni
02-10-2013 04:41 PM
Thanks for your post. TAC agrees about the bug.
This is a 5512X so I won't be downleveling to 8.4(5) on this platform.
Time to write some generator code in Python.
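The per-port generator mentioned above, as an added example that is not code from anyone in this thread. It assumes the object NAT form the first post used (`nat (real,mapped) static interface service {tcp|udp} real_port mapped_port`), which takes literal ports only, so each protocol/port pair gets its own network object for the same host; the object-name convention and the 1:1 (or offset) mapping are this example's own choices.

```python
"""Emit one ASA object-NAT static PAT rule per protocol/port (constructed example)."""
import sys
from typing import Iterable, List, Sequence

PROTOCOLS = ("tcp", "udp")


def asa_port_pat_config(real_ip: str, real_ifc: str, mapped_ifc: str,
                        ports: Iterable[int], protocols: Sequence[str] = PROTOCOLS,
                        mapped_offset: int = 0, prefix: str = "PAT") -> List[str]:
    """Return ASA config lines translating each port 1:1 (or shifted by mapped_offset).

    Object NAT holds a single nat statement per network object and only the literal
    'service {tcp|udp} real_port mapped_port' form, so every protocol/port pair is
    emitted as its own network object pointing at the same host address.
    Object names follow a hypothetical convention: <prefix>-<proto>-<port>.
    """
    port_list = list(ports)  # materialise so a generator survives both protocol passes
    lines: List[str] = []
    for proto in protocols:
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol for object NAT service: {proto}")
        for port in port_list:
            mapped = port + mapped_offset
            if not (1 <= port <= 65535 and 1 <= mapped <= 65535):
                raise ValueError(f"port out of range: {port} -> {mapped}")
            lines.append(f"object network {prefix}-{proto}-{port}")
            lines.append(f" host {real_ip}")
            lines.append(f" nat ({real_ifc},{mapped_ifc}) static interface"
                         f" service {proto} {port} {mapped}")
    return lines


def count_nat_rules(lines: Sequence[str]) -> int:
    """Count the nat statements in generated config (sanity check before pasting)."""
    return sum(1 for line in lines if line.lstrip().startswith("nat "))


if __name__ == "__main__":
    # Ports 1-999, tcp and udp, for the host from the first post (sample address).
    cfg = asa_port_pat_config("192.168.100.22", "inside", "outside", range(1, 1000))
    sys.stdout.write("\n".join(cfg) + "\n")
    sys.stderr.write(f"{count_nat_rules(cfg)} nat rules generated\n")
```

Paste the output in config mode or load it as a file; the count on stderr should be 1998 for 999 ports over both protocols.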
02-10-2013 04:50 PM
Would 8.6 work for you (in case it doesn't have this bug, I don't know)? Or is there perhaps some new feature in the 9.x you need to keep?
I personally don't have any of the new 5500-X models available for testing.
Only 5585-X models, but those to my understanding don't take the 8.6 software.
- Jouni
02-10-2013 05:03 PM
Probably need to stick with 9.x and also don't know if 8.6 is without that bug.
I'm going to find out if all those ports are really needed or if this is just a case of not doing one's homework.
What app needs 999 (consecutive) ports tcp and udp identically?
Oh wait, it's an IBM server.