Static NAT with port translation!

KAROLY KOHEGYI
Level 2

Hi!

I'm trying to migrate from an old PIX to the newest ASA 8.4.1. Everything seems to be good except the static NAT.

The relevant config:

object network HTTP_SERVER
host 192.168.255.1

object network HTTP_SERVER

nat (inside,outside) static interface service tcp www www

access-list outside_access_in extended permit ip any any

access-group outside_access_in in interface outside

The inside interface uses the implicit rule (permit any to a less secure network).

Despite the above config, the ASA logs the following:

TCP access denied by ACL from 94.94.94.94/2003 to outside:86.101.228.221/80

86.101.228.221 is our public Internet IP, which is also used as the outside IP.

Regards,

Thanks in advance (urgent)

8 Replies

KAROLY KOHEGYI
Level 2

The packet tracer shows that a packet which arrives from outside with the ASA's outside IP as its destination does not enter the NAT lookup.

The ASA tries to send the packet out via outside, and so the packet is dropped by the global rule.

Hi!

If I try with packet tracer a packet arriving from inside to outside, everything seems to be good.

I do not understand; I think static NAT is bidirectional automatically.

Hi Karoly,

Could you try the following nat:

object network HTTP_SERVER
host 192.168.255.1

object service tcp_80

service tcp destination eq www

nat (outside,inside) 1 source static any any destination static interface HTTP_SERVER service tcp_80 tcp_80

and static NAT is always bi-directional. Is it only the packet-tracer test that you are doing? I would not rely on packet-tracer for it; I would suggest taking captures as well as logs to get to the root cause.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Hi!

Unfortunately it has not helped. I get the following messages from the ASA.

Hi Varun!

Your suggestion is working, though. (Meanwhile I removed the permit ip any any line from the outside-in ACL, sorry.)

--------------------------------------

First I set the ACE in the outside-in ACL:

permit tcp  any outside_IP www

With this line the ASA always drops the incoming packets (destination outside IP, port www).

It was very interesting that I had to set the following ACE rule in the outside-in ACL:

permit tcp  any CONALF www

I think the incoming ACL check is the first in the process order, but experience shows the NAT rule is first!!!???

Here is the copy from the working ACL:

access-list outside_access_in line 1 extended permit tcp any object CONALF eq www 0x535ff132
  access-list outside_access_in line 1 extended permit tcp any host 192.168.255.1 eq www (hitcnt=228) 0x535ff132
access-list outside_access_in line 2 extended permit tcp any object CONALF eq smtp 0x68c96011
  access-list outside_access_in line 2 extended permit tcp any host 192.168.255.1 eq smtp (hitcnt=1419) 0x68c96011

Regards,

Hi Karoly,

Post 8.3, we use the private IPs instead of the public IPs of internal hosts. Let me explain my point with an example:

We have a web server with public IP 1.1.1.1 and private IP 192.168.1.1.

Then the nat command would be:

nat (outside,inside) source static any any destination static public_ip private_ip

The access-list for it would be:

access-list outside_access_in permit tcp any host 192.168.1.1

Post 8.3, the firewall would first un-NAT the public IP to the private IP and then check the access rule.

You can verify that by running a packet-tracer for one of your servers.

Hope I was able to answer your queries.

Thanks,

Varun

Thanks,
Varun Rao

Hi!

Thanks for your detailed explanation.

I will have to learn the new packet order rules.

Can you suggest any URL on this issue? (ASA 8.4 packet process ordering)

Regards,

Jay Johnston
Cisco Employee

The original configuration you posted is correct, here:

object network HTTP_SERVER
host 192.168.255.1

object network HTTP_SERVER
nat (inside,outside) static interface service tcp www www

The problem is most likely due to a manual-NAT entry that is performing PAT to the outside interface, which is higher in the order of NAT table entries. You probably have a nat line like this which is causing the issue:

nat (any,outside) 1 source dynamic any interface

You can either make this manual nat entry into a dynamic entry, or move the manual nat line to the after-auto section. The manual nat line might have been added automatically by the ASDM Startup wizard, and we've since made changes to avoid this situation. See the bug:

www.cisco.com/go/bugs

CSCtj78215 ASDM startup wizard should create after-auto rule for outbound PAT

From the release note:

Symptom:

When using the ASDM startup wizard to configure basic PAT to the outside interface, ASDM will push down this configuration to the platform:

nat (any,outside) 1 source dynamic any interface

Because this NAT rule is added to the top of the manual NAT section (section 1), any other PAT translations that are configured to map a port (service) from the outside interface to a server on the inside (say, providing inbound FTP access to an internal FTP server) will fail since the rule at line 1 will be matched for all inbound traffic destined to the outside interface.


Conditions:

For this manual NAT entry to affect other configured NAT translations, there must be other configured manual or object-nat statements that map a service for an inside host to the outside interface. Below is an example of an object NAT entry that maps the FTP service from an inside host to the outside interface.

object network FTP_Server
host 192.168.1.23

object network FTP_Server
nat (inside,outside) static interface service tcp ftp ftp

Because of the manual NAT entry created by the ASDM startup wizard, this object's NAT rule will never be hit, and outside users will be unable to connect to the FTP server by connecting to the ASA's outside interface on port 21.


Workaround:

Move the manual NAT entry created by the ASDM startup wizard to the 'after-auto' section of the configuration. The resulting configuration should look like this:

nat (any,outside) after-auto source dynamic any interface

This will move the new NAT entry below the manual nat entries (section 1) and the other configured static PAT entries (section 2) and allow inbound connectivity to the configured static NAT entries to be matched.
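To make the two points in this thread concrete (Varun's "un-NAT first, then check the ACL against the private address" and Jay's "a section 1 manual PAT rule shadows the section 2 object NAT"), here is a small Python model of the inbound pipeline. It is an added illustration written for this page, not Cisco code and not a faithful reimplementation of the ASA: the three-section lookup, the treatment of a dynamic rule as "no reverse mapping for a new inbound flow", and the ACE matching are deliberate simplifications. The addresses 86.101.228.221 and 192.168.255.1 and the nat lines are taken from the thread; the scenario names and helper functions are my own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the ASA 8.3+ NAT table (three sections, first match wins)
# followed by the interface ACL evaluated on the un-NATted (real) destination.
OUTSIDE_IF_IP = "86.101.228.221"   # ASA outside interface address (from the thread)


@dataclass
class NatRule:
    section: int                      # 1 = manual, 2 = object (auto), 3 = after-auto
    kind: str                         # "static" or "dynamic"
    real_ip: str                      # inside host address, or "any"
    mapped_ip: str                    # "interface" or an explicit address
    real_port: Optional[int] = None   # service translation, if any
    mapped_port: Optional[int] = None
    text: str = ""                    # the CLI line this rule stands for

    def mapped_addr(self) -> str:
        return OUTSIDE_IF_IP if self.mapped_ip == "interface" else self.mapped_ip

    def matches_inbound(self, dst_ip: str, dst_port: int) -> bool:
        # Inbound (outside -> inside) traffic is matched on the mapped side.
        if dst_ip != self.mapped_addr():
            return False
        return self.mapped_port is None or self.mapped_port == dst_port


def nat_lookup_inbound(rules: List[NatRule], dst_ip: str, dst_port: int) -> Optional[NatRule]:
    """Walk section 1, then 2, then 3; the first matching rule wins."""
    for section in (1, 2, 3):
        for rule in rules:
            if rule.section == section and rule.matches_inbound(dst_ip, dst_port):
                return rule
    return None


@dataclass
class Ace:
    proto: str                        # "tcp" or "ip"
    dst_ip: str                       # host address, or "any"
    dst_port: Optional[int] = None    # None = any port

    def permits(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and (self.dst_ip == "any" or self.dst_ip == dst_ip)
                and (self.dst_port is None or self.dst_port == dst_port))


def process_inbound(rules, acl, dst_ip, dst_port, proto="tcp") -> Tuple[str, object]:
    """Simplified inbound pipeline: NAT lookup, un-NAT, then ACL on the real address."""
    rule = nat_lookup_inbound(rules, dst_ip, dst_port)
    if rule is None:
        return ("no-nat-match", None)
    if rule.kind == "dynamic":
        # A dynamic PAT rule only knows reverse mappings for connections it
        # created; a brand-new inbound flow that lands on it gets no translation.
        # This models the failure described in the bug note.
        return ("dropped-by-dynamic-rule", rule.text)
    real_dst = (rule.real_ip, rule.real_port if rule.real_port is not None else dst_port)
    # Post-8.3 the interface ACL sees the un-NATted destination, so the ACE
    # has to name the private address (Varun's point).
    for ace in acl:
        if ace.permits(proto, real_dst[0], real_dst[1]):
            return ("permitted", real_dst)
    return ("acl-denied", real_dst)


# Object NAT from the original post (section 2):
#   object network HTTP_SERVER / host 192.168.255.1
#   nat (inside,outside) static interface service tcp www www
HTTP_OBJECT_NAT = NatRule(2, "static", "192.168.255.1", "interface", 80, 80,
                          "nat (inside,outside) static interface service tcp www www")

# Wizard-generated manual PAT, once in section 1 (the problem) and once after-auto (the fix).
WIZARD_PAT_SECTION1 = NatRule(1, "dynamic", "any", "interface",
                              text="nat (any,outside) 1 source dynamic any interface")
WIZARD_PAT_AFTER_AUTO = NatRule(3, "dynamic", "any", "interface",
                                text="nat (any,outside) after-auto source dynamic any interface")

# Two candidate outside_access_in ACLs: one naming the public address (pre-8.3 habit),
# one naming the private address (what actually worked in the thread).
ACL_PUBLIC = [Ace("tcp", OUTSIDE_IF_IP, 80)]
ACL_PRIVATE = [Ace("tcp", "192.168.255.1", 80)]


def scenarios():
    """Outcome of an inbound TCP/80 packet to the outside interface under each setup."""
    problem = [WIZARD_PAT_SECTION1, HTTP_OBJECT_NAT]
    fixed = [WIZARD_PAT_AFTER_AUTO, HTTP_OBJECT_NAT]
    return {
        "wizard_in_section1": process_inbound(problem, ACL_PRIVATE, OUTSIDE_IF_IP, 80),
        "fixed_acl_on_public_ip": process_inbound(fixed, ACL_PUBLIC, OUTSIDE_IF_IP, 80),
        "fixed_acl_on_private_ip": process_inbound(fixed, ACL_PRIVATE, OUTSIDE_IF_IP, 80),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:26s} -> {outcome}")
```

Running it shows the three outcomes side by side: with the wizard PAT in section 1 the object NAT is never reached; once it is moved to after-auto the object NAT translates the destination to 192.168.255.1, and only the ACE written against that private address permits the flow. On a real ASA the equivalent checks are `show nat` (to see which section a rule landed in and its hit counts) and `show access-list` (to confirm the ACE hit counts increment against the real address).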
