Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
2
Replies

Policy Based PAT

Go to solution
steve martin
Level 1
Level 1

‎02-05-2014 04:10 AM - edited ‎03-11-2019 08:40 PM

                   Hello,

I'm having a problem setting up a policy based pat.  I 'll tell you what I tried to do and then you can advise me if this is correct.  This is on a

ASA 8.6 5540.

We are trying to access a webpage that an application running on port 8080, external to my firewall on 172.53.16.17.  The partner organisation  wants the source address to be 172.53.130.17 and is dropping anything which has an internal ip address.  I therefore followed the example on the cisco website

object network PAT-SOURCE ( my lan)
subnet 172.30.0.0 255.255.0.0

object network PAT-SOURCE-MAPPED (the transition)
host 172.53.130.17

object network PAT-DESTINATION (the app)
host 172.53.16.17

object service SERVICE  ( the service which translates the www traffic to 8080)
service tcp source eq www destination eq 8080

When I run the following command

nat (inside,outside) source static PAT-SOURCE PAT-SOURCED-MAPPED destination static PAT-DESTINATION PAT-DESTINATION service SERVICE SERVICE

I receive the following error-

ERROR: PAT-SOURCED-MAPPED doesn't match an existing object or object-group

Any help would greatly appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-05-2014 05:29 AM

Hi,

The ERROR messages states that you are using the "object" or "object-group" name that doesnt exist.

Notice that you have typed it wrong

The command has PAT-SOURCED-MAPPED

The actual "object" is named PAT-SOURCE-MAPPED

Though I think you might have to change the "object" name a bit because of other reasons. The that reason is that you should probably change the NAT to be a Dynamic Policy PAT by changing the "source static" to "source dynamic" and because of this the "object" name starting with PAT might confuse the ASA. Or atleast I think I had such a problem in the past.

To me it seems that there are some things that need to be changed in the configurations.

  • "source static" -> "source dynamic"
  • PAT-SOURCE-MAPPED --> MAPPED-IP (for example)
  • "object service" needs redoing
  • Because of the above changes the actual "nat" command needs changes

I would suggest the following configuration

object network PAT-SOURCE
subnet 172.30.0.0 255.255.0.0

object network MAPPED-IP
host 172.53.130.17

object network PAT-DESTINATION
host 172.53.16.17

object service TCP-80
service tcp destination eq 80

object service TCP-8080

service tcp destination eq 8080

nat  (inside,outside) source dynamic PAT-SOURCE MAPPED-IP  destination static PAT-DESTINATION PAT-DESTINATION service TCP-8080 TCP-80

The above configuration does so that when connection is coming from PAT-SOURCE and going to PAT-DESTINATION with the destination port TCP-80 then the source address will be NATed to MAPPED-IP and the destination port will be UN-NATed to TCP-8080

If I missunderstood the purpose of the NAT configuration (according to the above description I gave) then please correct me.

Hope this helps

Let me know how it goes

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-05-2014 05:29 AM

Hi,

The ERROR messages states that you are using the "object" or "object-group" name that doesnt exist.

Notice that you have typed it wrong

The command has PAT-SOURCED-MAPPED

The actual "object" is named PAT-SOURCE-MAPPED

Though I think you might have to change the "object" name a bit because of other reasons. The that reason is that you should probably change the NAT to be a Dynamic Policy PAT by changing the "source static" to "source dynamic" and because of this the "object" name starting with PAT might confuse the ASA. Or atleast I think I had such a problem in the past.

To me it seems that there are some things that need to be changed in the configurations.

  • "source static" -> "source dynamic"
  • PAT-SOURCE-MAPPED --> MAPPED-IP (for example)
  • "object service" needs redoing
  • Because of the above changes the actual "nat" command needs changes

I would suggest the following configuration

object network PAT-SOURCE
subnet 172.30.0.0 255.255.0.0

object network MAPPED-IP
host 172.53.130.17

object network PAT-DESTINATION
host 172.53.16.17

object service TCP-80
service tcp destination eq 80

object service TCP-8080

service tcp destination eq 8080

nat  (inside,outside) source dynamic PAT-SOURCE MAPPED-IP  destination static PAT-DESTINATION PAT-DESTINATION service TCP-8080 TCP-80

The above configuration does so that when connection is coming from PAT-SOURCE and going to PAT-DESTINATION with the destination port TCP-80 then the source address will be NATed to MAPPED-IP and the destination port will be UN-NATed to TCP-8080

If I missunderstood the purpose of the NAT configuration (according to the above description I gave) then please correct me.

Hope this helps

Let me know how it goes

- Jouni

0 Helpful

Go to solution
steve martin
Level 1
Level 1
In response to Jouni Forss

‎02-05-2014 06:17 AM

Thanks for your help, I've spend two days looking at it and I still had typo's.  Works a treat.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card