Unidirectional Vs Both on 8.4

nickjacobs
Level 1

Recently upgraded 8.2 to 8.4.2 on ASA and came across a problem afterwards in prod. We had rules for a static twice-NAT setup that take two different outside IPs for two different ports and map them to one internal host. As the internal host also talks out on the same services, we chose to use the "both" option to NAT the internal host back to the same IP for the same service, which at least in ASDM shows an equivalent duplicate outbound rule that reads correctly. There is also an outbound PAT on the outside interface to catch anything else.

What we saw was that inbound services were fine, mapped to the internal server. Outbound hit the PAT overflow and did not use the same static NAT (covered by the "both" option). The PAT rule was at the bottom of the list.

We solved this by making the initial rule "unidirectional" and creating just below it the logical reverse rule that was identical to that created by "both" and everything then worked fine.

Bug - or am I missing something?

Cheers....

7 Replies

Maykol Rojas
Cisco Employee

Hi

Can I see the rules? Static PAT should be used only for inbound connections, and if the host needs to connect to the outside world it should use the regular PAT unless you configure a 1-to-1 mapping.

Mike

Hi Mike,

Not sure you are understanding. Yes, it is a one-to-one mapping. This is about the use of the "unidirectional" keyword or not using it, which ASDM refers to as "BOTH" and represents by showing the reverse static NAT, which is not translated to CLI but inferred by the lack of "unidirectional". The thing is, it didn't seem to work.

8.2 - working

static (dmz,internet) tcp nat_dns domain s_Server domain netmask 255.255.255.255

static (dmz,internet) tcp nat_mail smtp s_Server smtp netmask 255.255.255.255

global (internet) 10 interface nat (dmz) 10 0.0.0.0 0.0.0.0

8.4.2 - not working - inbound for services fine, outbound matches the overflow PAT, not the static. ASDM shows the same rules as the working ones below, shown as "BOTH" instead of "unidirectional" on the rules.

nat (dmz,internet) source static s_Server nat_mail service smtp smtp

nat (dmz,internet) source static s_Server nat_dns service dns dns

nat (dmz,internet) source dynamic net_dmz interface description DMZ outbound internet PAT

8.4.2 - working

nat (internet,dmz) source static any any destination static nat_mail s_Server service smtp smtp unidirectional

nat (dmz,internet) source static s_Server nat_mail service smtp smtp unidirectional

nat (internet,dmz) source static any any destination static nat_dns s_Server service dns_udp dns_udp unidirectional

nat (dmz,internet) source static s_Server nat_dns service dns dns unidirectional

nat (dmz,internet) source dynamic net_dmz interface description DMZ outbound internet PAT

Hey,

Thanks for posting the config. Did you have the time to check if the services for SMTP and DNS were created with the source or the destination keyword?

What you are doing there is port address translation; if the service objects for SMTP and DNS were created with the source keyword, the first one should have worked with no issues.

Mike

They are created with destination, as it is a destination service. Why would you create them with source? It wouldn't work; it is a service with a destination port.

Are you saying that "Both", as in not unidirectional, when it infers the duplicate NAT rule in reverse, also reverses the service source/destination?

OK, I think that is what you are saying. If so, ASDM graphically misrepresents what is happening. It shows all outside hosts being able to access a NATed inside server on a service DNS. Then it duplicates that in reverse, showing the inside host being NATed with the service object still called DNS, but what you are saying is that it will only match traffic from 53 to a high port, not, as it logically shows, a high port from inside to internet on 53.

Hi Nick,

Sorry for the late response, I was heading back home from work. That is exactly where the confusion comes from. When you have this statement in 8.2

static (dmz,internet) tcp nat_dns smtp s_Server smtp netmask 255.255.255.255

it is for the people on the outside to be able to make connections to the dmz server; this static takes precedence ONLY if the dmz host comes with a port 53.

Let's do an example.

A host on the outside comes with a SYN packet on a random port, say 1025, to the dmz server on port 25; then the dmz host is going to reply from source port 25, and that is when the translation kicks in.

In 8.4, the destination keyword is only used when you are doing destination NAT, not when doing static PAT (port forwarding) like the one you are doing.

Hope this makes sense.

Mike
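Mike's point about where the service port applies, as an added model that is not part of this thread or of Cisco's software: a small Python simulation of how an ASA 8.4 `source static ... service` rule is evaluated forward and in reverse ("Both"), with constructed addresses standing in for the poster's object names. It shows the inbound SYN and the server's port-25 reply matching the static rule, while a new outbound session from a high source port falls through to the dynamic interface PAT, and what dropping the reverse match with `unidirectional` does.

```python
from dataclasses import dataclass
from collections import namedtuple

# Constructed addresses standing in for the thread's object names (not from the poster's config).
S_SERVER, NAT_MAIL, NAT_DNS, OUTSIDE_IF = "10.10.10.25", "198.51.100.25", "198.51.100.53", "198.51.100.1"

Flow = namedtuple("Flow", "ingress_if src_ip src_port dst_ip dst_port")

@dataclass
class StaticRule:
    """nat (real_if,mapped_if) source static real mapped service real_port mapped_port [unidirectional]"""
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str
    real_port: int        # the real host's SOURCE port, not the port a client connects to
    mapped_port: int
    unidirectional: bool = False

    def apply(self, f):
        # Forward: packet from the real interface, sourced by the real host on real_port.
        if f.ingress_if == self.real_if and (f.src_ip, f.src_port) == (self.real_ip, self.real_port):
            return Flow(self.mapped_if, self.mapped_ip, self.mapped_port, f.dst_ip, f.dst_port), "forward"
        # Reverse ("Both" in ASDM): packet from the mapped interface to mapped_ip:mapped_port.
        if (not self.unidirectional and f.ingress_if == self.mapped_if
                and (f.dst_ip, f.dst_port) == (self.mapped_ip, self.mapped_port)):
            return Flow(self.real_if, f.src_ip, f.src_port, self.real_ip, self.real_port), "reverse"
        return None

def translate(rules, f):
    """First matching static rule wins; remaining dmz->internet traffic hits the dynamic interface PAT."""
    for n, r in enumerate(rules, 1):
        hit = r.apply(f)
        if hit:
            return hit[0], f"static#{n} {hit[1]}"
    if f.ingress_if == "dmz":   # 'nat (dmz,internet) source dynamic net_dmz interface'; source port kept if free
        return Flow("internet", OUTSIDE_IF, f.src_port, f.dst_ip, f.dst_port), "dynamic PAT"
    return f, "no translation"

# The thread's non-working 8.4.2 rules: service objects carry destination ports 25 and 53.
RULES = [StaticRule("dmz", "internet", S_SERVER, NAT_MAIL, 25, 25),
         StaticRule("dmz", "internet", S_SERVER, NAT_DNS, 53, 53)]

def demo():
    inbound = Flow("internet", "203.0.113.7", 1025, NAT_MAIL, 25)   # outside SYN to the mapped mail address
    reply = Flow("dmz", S_SERVER, 25, "203.0.113.7", 1025)          # server's reply, source port 25
    outbound = Flow("dmz", S_SERVER, 40000, "203.0.113.9", 25)      # server opening its own SMTP session
    return [translate(RULES, x) for x in (inbound, reply, outbound)]
```

`demo()` returns the translated flow and the rule that produced it for each of the three packets; the third result is the "dynamic PAT" fall-through the poster observed.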