Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1462
Views
0
Helpful
3
Replies

Static NAT with Object Group on ASA 9.1(6)

Go to solution
ritchieb
Level 1
Level 1

‎10-14-2015 07:05 AM - edited ‎03-11-2019 11:44 PM

I have the following configured on an ASA FW (Version 9.1(6));

nat (dmz-interface,outside) source static OBJECT-GROUP Nat_10.10.10.20 destination static COMPANY-A_172.16.1.0 COMPANY-A_172.16.1.0

OBJECT-GROUP is a group, containing 3 hosts;

object-group network OBJECT-GROUP
 network-object object 10.1.75.33
 network-object object 10.1.75.34
 network-object host 10.1.67.12

My understanding was that if there’s a many-to-one configuration then no inbound connection permitted as the address it should be translated to isn’t known. But……

This appears to be allowing inbound connectivity from outside to 10.10.10.20, translating to 10.1.75.33

ASA-FW# show xlate | inc 10.10.10.20
NAT from dmz-interface:10.1.75.33, 10.1.75.34, 10.1.67.12 to outside:10.10.10.20
ASA-FW#
ASA-FW# show nat detail | inc 10.10.10.20
14 (dmz-interface) to (outside) source static OBJECT-GROUP Nat_10.10.10.20   destination static COMPANY-A_172.16.1.0 COMPANY-A_172.16.1.0
    Source - Origin: 10.1.75.33/32, 10.1.75.34/32, 10.1.67.12/32, Translated: 10.10.10.20/32
ASA-FW#
ASA-FW# show conn | inc 10.1.75.33
TCP outside  172.16.1.1:51318 dmz-interface  10.1.75.33:5672, idle 0:01:24, bytes 912, flags UIOB
TCP outside  172.16.1.1:42717 dmz-interface  10.1.75.33:5672, idle 0:00:29, bytes 3528, flags UIOB
TCP outside  172.16.1.1:41029 dmz-interface  10.1.75.33:5672, idle 0:01:22, bytes 9472, flags UIOB
ASA-FW#


My question is – how is the internal host address determined when a group is used? Does it take the first in the list?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎10-14-2015 10:37 AM

Hi,

In Many-to-one mapping, all the internal host would be able to go outside with the mapped address but connection for them would not be able to go out.  Lowest Real IP address should be selected as the real address for the bidirectional one. (i am not quite sure why it has taken the object .33 instead of host .12. You could try replace keyword 'object' with 'real' under that object group).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html#wp1107407

Above link explain the scenarios with different mapping scenarios and how to select real or mapped address.

ASA has the flexibility to allow any kind of static mapping scenario: one-to-one, one-to-many, but also few-to-many, many-to-few, and many-to-one mappings. These other mapping options, however, might result in unintended consequences. We recommend using only one-to-one or one-to-many mappings.

 

Regards,

Akshay Rastogi

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎10-14-2015 10:37 AM

Hi,

In Many-to-one mapping, all the internal host would be able to go outside with the mapped address but connection for them would not be able to go out.  Lowest Real IP address should be selected as the real address for the bidirectional one. (i am not quite sure why it has taken the object .33 instead of host .12. You could try replace keyword 'object' with 'real' under that object group).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html#wp1107407

Above link explain the scenarios with different mapping scenarios and how to select real or mapped address.

ASA has the flexibility to allow any kind of static mapping scenario: one-to-one, one-to-many, but also few-to-many, many-to-few, and many-to-one mappings. These other mapping options, however, might result in unintended consequences. We recommend using only one-to-one or one-to-many mappings.

 

Regards,

Akshay Rastogi

0 Helpful

Go to solution
ritchieb
Level 1
Level 1
In response to Akshay Rastogi

‎10-15-2015 12:56 AM

Hi Akshay,

 

Thanks for the info, that seems to make sense. I think maybe it would be the lowest IP if the first connection was inbound outside -> dmz-interface. Perhaps the first connection to perform NAT on was from 10.1.75.33 and therefore it became the translated address, as your link states "The first translation is always active so both translated and remote hosts can initiate connections, but the subsequent mappings are unidirectional to the real host. "

If I had some equipment to test I would!

 

Regards,

Brian

0 Helpful

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee
In response to ritchieb

‎10-15-2015 04:22 AM

Hi Brian,

That's correct.

 

Please mark the answer as correct if it helps.

Regards,


Regards,

Akshay Rastogi

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card