Creating Static NAT Rules

llamaw0rksE (Level 1)

It seems there are possibly two ways to set these up.

a.  Embedded within net-object rules

b.  Independently via NAT rules.

For the life of me, both escape me.

Anybody have a decent reference that covers both?

Nothing I have tried in the ASDM or CLI gets me to successfully mirror examples.

8.4(3) rules.......

Okay, I have been confusing things by using twice NAT (using NAT rules with objects and services as parameters), whereas I should just use NAT embedded in network objects; simpler and all I need.

Now to program...

6 Replies

llamaw0rksE (Level 1)

Here is my latest config... Please help!

Lan to Lan  good!

inside to internet good!

dmz to internet good!

internet to inside BAD :-(

: Saved
:
ASA Version 8.4(3)
!
hostname zyxelbeatsbattlestargalacticaandCisco
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -2
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host 555.555.555.98
description Corporate Ojbect for access to TFS, OM
object network -remote-h
subnet 11.111.0.0 255.255.0.0
object network -remote-w
subnet 22.222.222.0 255.255.255.0
object network -remote2
host 33.3.333.4
object network -remote1
host 444.44.444.133
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp source eq www destination eq www
object service OM1
service tcp source eq 5080 destination eq 5080
object service OM2
service tcp source eq 8088 destination eq 8088
object service OM3
service tcp source eq https destination eq https
object service TFS
service tcp source eq 8080 destination eq 8080
object service RDP
service tcp source eq 3389 destination eq 3389
object service RouterAdmin
service tcp source eq 33349 destination eq 33349
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object-group network Router-Admin
description Remote access to adjust router settings
network-object object -remote1
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description AgileGroup Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object -remote-h
network-object object -remote-w
network-object object -remote1
network-object object -remote2
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object input-port
service-object object OM3
access-list TFS-FWrule extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list TFS-FWrule extended permit object TFS object Corporate-user object VS-pcIP
access-list OM-FWrule extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list OM-FWrule extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list RDP-FWrule extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list Remote-Router-Admin extended permit object RouterAdmin object rm-remote any
access-list Remote-Router-Admin extended permit object RouterAdmin object TrustedInternetUsers any
pager lines 24
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 33349
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http 444.44.444.133 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh 444.44.444.133 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0

dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns 66.666.6.96 66.666.6.97 interface main-lan
dhcpd enable main-lan
!
dhcpd dns 66.666.6.96 66.666.6.97 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns 66.666.6.96 66.666.6.97 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5 password Xl5915GPBhncsPAQ encrypted
username user3 password mAVJxjP/lM8yc59F encrypted
username user4 password w7V/UFyrOwnQknqm encrypted
username user2 password .NJvJ7zi.ROsatP7 encrypted
username user1 password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b8135c36da331e34243baa55a8fe8c5a
: end
no asdm history enable

It has been pointed out that my ACL rules may be the issue, not NAT, and specifically I needed to indicate which interface. I find it onerous to have to indicate the interface in a separate rule vice within the existing rules, but so be it..... Can you review the following and comment.....

Current ACL from above.....

access-list TFS-FWrule extended permit object TFS object-group TFS-usergroup object VS-pcIP

access-list TFS-FWrule extended permit object TFS object Corporate-user object VS-pcIP 

access-list OM-FWrule extended permit object-group OMServiceGroup object-group TFS-usergroup object   

proposed ACLs......... 

access-list TFS-FWrule extended permit object TFS interface outside object VS-pcIP

access-list TFS-FWrule extended permit object TFS object-group TFS-usergroup object VS-pcIP 

access-list TFS-FWrule extended permit object TFS object Corporate-user object VS-pcIP 

access-list OM-FWrule extended permit object-group OMServiceGroup interface outside object VS-pcIP 

access-list OM-FWrule extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP

access-list RDP-FWrule extended permit object RDP interface outside object VS-pcIP 

access-list RDP-FWrule extended permit object RDP object-group TFS-usergroup object VS-pcIP 

access-list Corporate-OMFWrule extended permit object-group CorporateServiceGroup interface outside object VS-pcIP

access-list Corporate-OMFWrule extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP

I did not have success. 

Okay after much angst, I noticed I was missing an access-group rule pertaining to the outside interface. This is nowhere to be seen in the ACL manager in ASDM. (CLI command insert would have been too easy).

Well, it's in the Access Rules, by attaching a rule to the default outbound object sitting there. Like I was supposed to figure that out from rule examples (not discussed in any, and I mean ANY, Cisco doc or Google search).


I thought I understood this conceptually. To apply access rules to the outside interface you have to open up the firewall interface, inasmuch as it's in a closed position. You apply this access-group rule to open the door. Then the router will allow traffic BUT only according to the rules you have stipulated for the outbound interface. At least that's what I am hoping. I would hate to think it's wide open now.

What bothers me is that by invoking this access-group rule it created another rule, IP any any allowed, as per below.


Is this finally the correct ACL structure????


access-list TFS-FWrule extended permit object TFS object-group TFS-usergroup object VS-pcIP

access-list TFS-FWrule extended permit object TFS object Corporate-user object VS-pcIP

access-list OM-FWrule extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP

access-list RDP-FWrule extended permit object RDP object-group TFS-usergroup object VS-pcIP

access-list Corporate-OMFWrule extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP

access-list outside_access_in extended permit ip any any



access-group outside_access_in in interface outside



The bolded text is what invoking a global outside access rule created (unexpectedly) along with the expected access group rule in italics.  I am starting to doubt acl manager.........

--

Bingo (I am also starting to think that using the ACL manager might have been a waste of time and I should make all rules in the Access Rules section).


I deleted all and made rules only from the ACCESS RULES menu and NOT from the ACL manager. I am surmising the manager should NOT be used to make new ones, just to modify existing ones (parameters).


A case of smart CLI people here but not savvy in ASDM. :-P


Here is my latest and last, so confident am I Yoda!!

(I added a deny all as the last rule)


access-list outside_access_in remark Access to VS-TFS

access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP

access-list outside_access_in remark Access to Open Meetings

access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP

access-list outside_access_in remark remote access to VS

access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended deny ip any any


access-group outside_access_in in interface outside

--

Well, I'm stumped again. No external access. I even removed the last deny rule when I realized it's not needed.

Any ideas??? 

There is a global implicit deny rule at the bottom of the access rules page, but not sure if I should touch that.

In any case it's the last rule, and anyway global rules are implemented after interface rules, so it shouldn't be a factor.

I added


access-list main-lan_access_in extended permit ip any any

and its associated.....

access-group main-lan_access_in in interface main-lan


and still no joy. :-(

The only way it works is if I stick in, before the global implicit deny rule, a global access rule permitting any any. :-((
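Added example, not the poster's configuration: the service objects in the posted config (for instance `service tcp source eq 8080 destination eq 8080`) match on both the source and the destination port, so an ACL entry that references them only matches a client whose source port is also 8080; real clients connect from ephemeral source ports, so those entries never match and only the blanket `permit ip any any` lets traffic in. The fragment below keeps the thread's object, group and interface names and its ASA 8.4 style (ACL written against the real, pre-NAT address), but defines the service objects with a destination port only and relies on the implicit deny instead of a global permit. It assumes the `TrustedInternetUsers` and `-remote1` network objects exist as defined in the posted config.

```cisco
! Real (pre-NAT) host. Since ASA 8.3 the inbound ACL on the outside
! interface matches on this real address, not the mapped interface IP.
object network VS-pcIP
 host 192.168.24.34

! Service objects: DESTINATION port only. Leaving the source port
! unspecified lets clients connect from any ephemeral port.
object service TFS
 service tcp destination eq 8080
object service OM1
 service tcp destination eq 5080
object service OM2
 service tcp destination eq 8088
object service OM3
 service tcp destination eq https
object service RDP
 service tcp destination eq 3389

object-group service OMServiceGroup
 service-object object OM1
 service-object object OM2
 service-object object OM3

! Allowed external sources (a subset of the members in the thread).
object-group network TFS-usergroup
 network-object object TrustedInternetUsers
 network-object object -remote1

! One network object per static PAT entry; the same real host may
! appear in several objects because each one carries a different port.
object network NAT4TFS
 host 192.168.24.34
 nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4RDP
 host 192.168.24.34
 nat (main-lan,outside) static interface service tcp 3389 3389

! Inbound ACL: source = trusted group, destination = real IP, port
! taken from the service object. No "permit ip any any" entry; the
! implicit deny at the end of the list drops everything else.
access-list outside_access_in remark TFS from trusted users
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in remark Open Meetings from trusted users
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in remark RDP from trusted users only
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-group outside_access_in in interface outside
```

To check a rule without a remote client, `packet-tracer input outside tcp 203.0.113.5 40000 ab.abc.def.230 8080` (203.0.113.5 is a constructed RFC 5737 address standing in for a trusted source, 40000 an ephemeral client port) walks the packet through NAT and the ACL and names the phase that drops it.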
