06-22-2012 09:46 PM - edited 03-11-2019 04:22 PM
Hello all,
In the last 8 months I have upgraded at least 6 Cisco ASA 5505s from 8.2(1) to 8.4(3) without problems; I made minor changes, all related to rules, due to a problem with the migration.
Scenario 1
object network LAN-PC1
host 192.168.100.50
object-group service LAN-PC1-8000 tcp
port-object eq 8000
access-list incoming extended permit tcp any object LAN-PC1 object-group LAN-PC1-8000
object network LAN-PC1
nat (any,outside) static interface service tcp 5800 8000
Scenario 1 is the most common rule, and it has been working properly in all the firewalls I worked on, without exception.
Recently I bought a used Cisco 5505 with OS 8.2(1) that I upgraded to 8.4(3). To make scenario 1 work, I have to rewrite the configuration as scenario 2:
Scenario 2
object network EXTERNALIP
host 8.8.8.8
object network LAN-PC1
host 192.168.100.50
object-group service LAN-PC1-8000 tcp
port-object eq 8000
access-list incoming extended permit tcp any object EXTERNALIP eq 8000
access-list incoming extended permit tcp any host 192.168.100.50 eq 5800
object network LAN-PC1
nat (any,outside) static interface service tcp 5800 8000
Scenario 1 works only when I add the following line:
access-list incoming extended permit ip any any
I want to point out that in the Cisco ASA 5505s that I upgraded, the previous line doesn't exist and scenario 1 works perfectly.
Can anybody tell me if I'm doing anything wrong with scenario 1 in my router?
I want to point out that another person here in the forum told me that it's better not to use
access-list incoming extended permit ip any any
and that I have to be more restrictive.
I want to add a final note: I applied the incoming access-list to the outside interface:
access-group incoming in interface outside
I don't have any other access-list; I'm allowing any LAN traffic to the Internet. I don't want to be restrictive from LAN to WAN, for now.
I hope somebody can catch something that I didn't.
Regards and good night.
NOTE: You can post; I'll be checking the posts in the next few hours. If you need more information, just let me know.
06-27-2012 04:44 AM
Hi,
I'm not sure if I understood this correctly,
but isn't the problem with Scenario 2 that you are using the public/NAT IP in the access-list statement?
From 8.3 software onwards you use the device's actual local IP address in the access-list statements and not the NAT IP.
Here's one example (using private IP addresses):
PUBLIC IP: 192.168.10.10
PRIVATE IP: 10.10.10.10
object network STATIC-WEBSERVER
host 10.10.10.10
nat (inside,outside) static 192.168.10.10 dns
access-list OUTSIDE-IN permit tcp any object STATIC-WEBSERVER eq www
OR
access-list OUTSIDE-IN permit tcp any host 10.10.10.10 eq www
The above scenario would make a Static NAT for a single device on your LAN. The device would be visible to the outside interface as 192.168.10.10.
Even though this is the case, you would still need to use the local IP address (or the object which contains that IP address) in the access-list. If you used the IP address 192.168.10.10 in the outside interface access-list, the connection wouldn't go through.
- Jouni
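The pitfall Jouni describes (an outside-in ACL that still names the mapped NAT address after the 8.3 migration) and the `permit ip any any` workaround from the original post are both easy to catch mechanically. The following is an added example, not code from either poster or from Cisco: a small Python lint that parses `object network` blocks (including blocks split across the config, as in scenario 1), maps each static NAT address back to its real host, and flags outside-bound ACL entries that reference a mapped address or grant a blanket permit. The sample config is constructed here from the addresses used in the thread; names such as `OUTSIDE-IN` and `STATIC-WEBSERVER` are Jouni's example names and the rest are assumptions.

```python
"""Lint an ASA 8.3+ config: outside-in ACLs must use real (pre-NAT) addresses,
and a blanket 'permit ip any any' on the outside interface is worth flagging."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample config for this example (hypothetical deployment).
# 192.168.10.10 is the mapped address of STATIC-WEBSERVER (real 10.10.10.10);
# LAN-PC1 is split across two object blocks, as in the thread's scenario 1.
SAMPLE_CONFIG = """\
object network STATIC-WEBSERVER
 host 10.10.10.10
 nat (inside,outside) static 192.168.10.10 dns
object network LAN-PC1
 host 192.168.100.50
object network LAN-PC1
 nat (any,outside) static interface service tcp 5800 8000
access-list OUTSIDE-IN extended permit tcp any object STATIC-WEBSERVER eq www
access-list OUTSIDE-IN extended permit tcp any host 192.168.10.10 eq www
access-list OUTSIDE-IN extended permit tcp any host 192.168.100.50 eq 8000
access-list OUTSIDE-IN extended permit ip any any
access-group OUTSIDE-IN in interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_objects(config: str) -> Dict[str, Dict[str, str]]:
    """Collect network objects: real 'host' address and static 'mapped' address.
    A mapped value of 'interface' means the outside interface's own address."""
    objects: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            # setdefault merges split object blocks instead of overwriting them
            current = objects.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = HOST_RE.match(line)
        if m:
            current["host"] = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m:
            current["mapped"] = m.group(3)
    return objects


def lint_outside_acls(config: str) -> List[Tuple[str, str]]:
    """Return (acl_line, problem) pairs for ACLs applied inbound on 'outside'."""
    objects = parse_objects(config)
    # mapped address -> (object name, real address); 'interface' has no fixed IP here
    mapped = {o["mapped"]: (name, o.get("host", "?"))
              for name, o in objects.items()
              if "mapped" in o and o["mapped"] != "interface"}
    outside_acls = set()
    for line in config.splitlines():
        g = GROUP_RE.match(line)
        if g and g.group(2) == "outside":
            outside_acls.add(g.group(1))

    findings: List[Tuple[str, str]] = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) not in outside_acls:
            continue
        proto, rest = m.group(2), m.group(3)
        if proto == "ip" and rest.strip() == "any any":
            findings.append((line, "blanket 'permit ip any any' on the outside ACL"))
            continue
        # Any 'host X' that matches a static NAT mapped address is the 8.3+ mistake:
        # the ACL is evaluated against the real address, so this entry never matches.
        for addr in re.findall(r"\bhost (\S+)", rest):
            if addr in mapped:
                name, real = mapped[addr]
                findings.append((line, f"uses mapped address {addr}; from 8.3 the ACL "
                                       f"must reference the real address {real} (object {name})"))
    return findings


if __name__ == "__main__":
    for acl_line, problem in lint_outside_acls(SAMPLE_CONFIG):
        print(f"{problem}\n    {acl_line}")
```

Run against the sample, the lint reports the `host 192.168.10.10` entry (mapped address, never matches post-8.3) and the `permit ip any any` line; the entries using `object STATIC-WEBSERVER` and `host 192.168.100.50` pass, which is exactly the shape scenario 1 should have.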