10-01-2019 11:48 AM - edited 10-01-2019 12:43 PM
Hi, I am replacing an ASA with a Cisco ISR router. The context of the NAT rules and access rules is a little different, so I want to make sure I am translating them correctly. Access rules are for incoming traffic on the WAN interface. Relevant configs are shown below. I did not write the ASA rules, so have no idea why they used port ranges, or why they did both TCP and UDP. So I cleaned up the port ranges and left it as allowing both TCP and UDP on the router. Did I translate correctly?
--ASA CONFIG--
object network GWMobile2
host 192.168.200.79
object network GWMobile2
nat (any,any) static 1.1.1.1
access-list WAN_access_in extended permit object-group TCPUDP any4 object GWMobile2 object-group GWMobile
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service GWMobile tcp-udp
port-object range 3102 3102
port-object range 8120 8120
group-object Internet
object-group service Internet tcp-udp
description HTTP
port-object eq www
port-object range 443 443
--ISR Router config--
ip nat inside source static 192.168.200.79 1.1.1.1
ip access-list extended OUTtoIN_ACL
permit object-group GWMobile_Service any host 192.168.200.79
object-group service GWMobile_Service
tcp-udp eq 3102
tcp-udp eq 8120
tcp-udp eq 80
tcp-udp eq 443
10-01-2019 04:02 PM - edited 10-01-2019 04:10 PM
Hello
Try the below interpretations:
access-list 100 permit tcp host 192.168.200.79 any eq 3102
access-list 100 permit tcp host 192.168.200.79 any eq 8120
access-list 100 permit tcp host 192.168.200.79 any eq www
access-list 100 permit tcp host 192.168.200.79 any eq 443
access-list 100 permit udp host 192.168.200.79 any eq 3102
access-list 100 permit udp host 192.168.200.79 any eq 8120
route-map TST permit 10
match ip address 100
ip nat inside source static 192.168.200.79 1.1.1.1 route-map TST
or
ip nat inside source static tcp 192.168.200.79 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.200.79 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.200.79 3102 1.1.1.1 3102 extendable
ip nat inside source static udp 192.168.200.79 3102 1.1.1.1 3102 extendable
ip nat inside source static tcp 192.168.200.79 8120 1.1.1.1 8120 extendable
ip nat inside source static udp 192.168.200.79 8120 1.1.1.1 8120 extendable
10-01-2019 04:29 PM
Hello again Paul,
I have not been able to test my configuration on a live router yet, so not sure if my nat and access-list will work or not on the ISR Router. Is there something wrong with my proposed ISR config? I noticed you are using route maps and not using service groups. Your way is probably better, I am just trying to understand why. I need to choose a way and stick with it as I translate all the NAT rules and access rules from the ASA to the ISR.
10-01-2019 04:40 PM - edited 10-01-2019 04:47 PM
Hello @williamk
@williamk wrote:
Is there something wrong with my proposed ISR config? I noticed you are using route maps and not using service groups.
I don't see any relation between your object-group, ACL and your NAT statement!
However, it's late in the day here and I'm a bit punchy, so maybe another review would be required, but at this time, as far as I can see, that is the interpretation I got from the ASA config you posted. I have provided two possible options, but could there be others?
10-02-2019 08:30 AM
Hi Paul,
You are correct, in my ISR config there is no direct relation between the ACL and the NAT statement. It is the same way on the ASA. My understanding on the ASA is that the two are separate, but of course one won't work without the other. So on the ISR, is it better to use a route map tied to an ACL, or can I just do it like it was done on the ASA, with separate NAT statements and an ACL on the WAN interface that allows the incoming traffic that will be translated to the inside IPs? Just trying to discern best practice here, if there is one.
10-02-2019 11:24 AM - edited 10-02-2019 11:54 AM
Hello
If you look closely at the ASA config there is indeed a relation between the access-list and the object-groups; the two suggested configs I posted for the ISR would both work.
Personally, the route-map is the more elegant option.
10-02-2019 04:25 PM
OK, got it. So if I use your second NAT solution:
ip nat inside source static tcp 192.168.200.79 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.200.79 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.200.79 3102 1.1.1.1 3102 extendable
ip nat inside source static udp 192.168.200.79 3102 1.1.1.1 3102 extendable
ip nat inside source static tcp 192.168.200.79 8120 1.1.1.1 8120 extendable
ip nat inside source static udp 192.168.200.79 8120 1.1.1.1 8120 extendable
Will the following access-list work with that? I have a zone based firewall with an ACL that allows incoming traffic on the WAN interface:
ip access-list extended OUTtoIN_ACL
permit object-group GWMobile_Service any host 192.168.200.79
object-group service GWMobile_Service
tcp-udp eq 3102
tcp-udp eq 8120
tcp-udp eq 80
tcp-udp eq 443
If I am correct this ACL is saying allow any ip to hit 192.168.200.79 on the destination ports in the GWMobile_Service group.
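The translation this thread works through, as an added example that is not part of the original posts: a small Python script that expands the posted ASA service object-groups (following the nested group-object, expanding port ranges, and splitting tcp-udp into both protocols) and emits the equivalent IOS per-port static NAT lines, a flat ACL, and an IOS service object-group. The script and its function names are mine; the ASA lines are the ones posted above, embedded as constructed sample input. Running it surfaces one detail worth deciding on deliberately: because the Internet group is tcp-udp, the ASA rule permits udp/80 and udp/443 as well as the TCP ports, so a translation should either carry those over (as the OP's service group does) or drop them on purpose. Which address the ACL names depends on where it is applied: the thread's ZBF class-map ACL uses the inside host, while an ACL applied inbound on the NAT-outside interface is evaluated before the outside-to-inside translation and would have to match the global address, which is why the generator takes the destination as a parameter.

```python
"""Expand ASA service object-groups and emit the equivalent IOS NAT/ACL lines.

Added example for this thread (not from the original posts). The ASA lines
below are the ones the OP posted, embedded as constructed sample input; the
IOS output follows the per-port 'extendable' static NAT and object-group ACL
shapes discussed in the thread.
"""
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample input: the ASA object-groups posted in the thread.
ASA_CONFIG = """\
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service GWMobile tcp-udp
 port-object range 3102 3102
 port-object range 8120 8120
 group-object Internet
object-group service Internet tcp-udp
 description HTTP
 port-object eq www
 port-object range 443 443
"""

# Only the keywords this sample needs; ASA and IOS know many more.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53}

Pair = Tuple[str, int]  # (protocol, port)


def port_number(tok: str) -> int:
    """Translate a port keyword such as 'www' to its number; plain numbers pass through."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_service_groups(cfg: str) -> Dict[str, dict]:
    """Return {name: {'proto': 'tcp'|'udp'|'tcp-udp', 'ports': [(lo, hi)], 'groups': [name]}}."""
    groups: Dict[str, dict] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)$", line)
        if m:
            current = {"proto": m.group(2), "ports": [], "groups": []}
            groups[m.group(1)] = current
            continue
        if not line.startswith(" "):
            current = None  # some other top-level statement (protocol group, ACL, ...)
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "port-object" and parts[1] == "eq":
            current["ports"].append((port_number(parts[2]), port_number(parts[2])))
        elif parts[0] == "port-object" and parts[1] == "range":
            current["ports"].append((port_number(parts[2]), port_number(parts[3])))
        elif parts[0] == "group-object":
            current["groups"].append(parts[1])
        # 'description' and anything else inside the group is ignored
    return groups


def expand(groups: Dict[str, dict], name: str, path: FrozenSet[str] = frozenset()) -> Set[Pair]:
    """Flatten a group, following nested group-object references, into (proto, port) pairs.

    A 'tcp-udp' group contributes both protocols; 'path' detects reference loops.
    """
    if name in path:
        raise ValueError(f"group-object loop at {name}")
    g = groups[name]
    protos = ("tcp", "udp") if g["proto"] == "tcp-udp" else (g["proto"],)
    pairs: Set[Pair] = set()
    for lo, hi in g["ports"]:
        for port in range(lo, hi + 1):  # a wide range yields one NAT line per port
            pairs.update((proto, port) for proto in protos)
    for child in g["groups"]:
        pairs |= expand(groups, child, path | {name})
    return pairs


def ios_static_nat(pairs: Set[Pair], inside_ip: str, global_ip: str) -> List[str]:
    """Per-port static NAT, one line per (proto, port), in the form Paul posted."""
    return [f"ip nat inside source static {proto} {inside_ip} {port} {global_ip} {port} extendable"
            for proto, port in sorted(pairs)]


def ios_flat_aces(pairs: Set[Pair], dst_ip: str) -> List[str]:
    """Flat extended-ACL entries permitting any source to dst_ip on each port."""
    return [f" permit {proto} any host {dst_ip} eq {port}" for proto, port in sorted(pairs)]


def ios_service_group(pairs: Set[Pair], name: str) -> List[str]:
    """IOS object-group service; a port present for both protocols collapses to tcp-udp."""
    by_port: Dict[int, Set[str]] = {}
    for proto, port in pairs:
        by_port.setdefault(port, set()).add(proto)
    lines = [f"object-group service {name}"]
    for port in sorted(by_port):
        proto = "tcp-udp" if by_port[port] == {"tcp", "udp"} else next(iter(by_port[port]))
        lines.append(f" {proto} eq {port}")
    return lines


if __name__ == "__main__":
    groups = parse_service_groups(ASA_CONFIG)
    pairs = expand(groups, "GWMobile")
    print("\n".join(ios_static_nat(pairs, "192.168.200.79", "1.1.1.1")))
    print("ip access-list extended OUTtoIN_ACL")
    print("\n".join(ios_flat_aces(pairs, "192.168.200.79")))
    print("\n".join(ios_service_group(pairs, "GWMobile_Service")))
```

Point the script at the object-group section of a real ASA config (the parser ignores everything that is not an `object-group service` block) and diff its output against the hand-written ISR lines; any port that appears in one list and not the other is a translation gap to explain before cutover.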
10-03-2019 12:06 AM
Hello
NAT will work providing your IOS FW allows outside initiation of traffic towards its public/internet host.