SNAT, DNAT and FULL NAT with Port Redirection @ ASA 7.2(4)

Answered Question
Aug 7th, 2008

Greetings,

I need a little help on this one, guys. This is what happens: one of our customers uses Unix-based software as his FW solution, called Astaro Security Gateway v7.x. The thing is that, as most Unix-based solutions do, it allows the administrators to create SNAT, DNAT and FULL NAT using Port Redirection in a single rule using Object Orientation.

Attached to this post is their current topology.

One of the rules I have to transport to the Cisco IOS syntax is as follows:

Brasilia Network(inside): 10.61.0.0/16

Host (inside): 10.13.1.244

Host (inside2): 10.13.12.20

S: 10.61.0.0/16 TCP 80 | D: 10.13.1.244 TCP 80

DNAT

S: 10.61.0.0/16 TCP 80 | D: 10.13.12.20 TCP 80

The Default Gateway for the LAN (blue) stations and network gear is the inside intf (10.13.1.101). When TCP packets on port 80 coming from any host at the Brasilia Network (10.61.0.0/16) targeting the host 10.13.1.244 get to the 'inside' intf, there will be a DNAT, changing 10.13.1.244 to 10.13.12.20, still on port 80, but routed to the inside2 intf. The pre-NAT and post-NAT destination port is TCP 80 only.

This is the configuration I entered on the ASA:

access-list Ast_03 extended permit tcp 10.61.0.0 255.255.0.0 eq http host 10.13.1.244 eq http

static (inside,inside2) tcp 10.13.12.20 http access-list Ast_03

OUTPUT ERROR: global address overlaps with mask

Can you guys help me out on this one?

I know that Port Redirection isn't stated on this one, but there are a LOT of rules that will need that.

Thanks in advance.

Best Regards, Daniel

Correct Answer by Farrukh Haroon about 8 years 4 months ago

If I understand your requirement correctly, then both the ACL and Static are wrong.

The static should be:

access-list Ast_03 extended permit tcp host 10.13.12.20 eq http 10.61.0.0 255.255.0.0

static (inside2,inside) tcp 10.13.1.244 http access-list Ast_03

Regards

Farrukh


daniel-costa Thu, 08/14/2008 - 09:58

Hello Farrukh!

I'd like to thank you for your reply! It worked! But... I'm having a new problem, since there is another DNAT based on the Source Address I have to configure.

HTTP flows from the 10.11.0.0/16 network destined to the host 10.13.1.244 will be NATed to the host 10.13.12.21, still on port 80, and redirected to the inside2 intf.

It's basically the same as the one above, but since the Source Address is different it has to be redirected to another server on the 'inside2'.

Following your suggestion I made the following configs:

access-list Ast_04 extended permit tcp host 10.13.12.21 eq http 10.11.0.0 255.255.0.0

static (inside2,inside) tcp 10.13.1.244 http access-list Ast_04

ERROR: mapped-address conflict with existing static

Can you help me out again?

Regards, Dan

Farrukh Haroon Thu, 08/14/2008 - 11:13

Hello Dan, I'm glad it worked the first time round. However, what you are trying to achieve now is not possible. You cannot have the same mapped IP and mapped port in more than one static, because if you do so the ASA has no way to know to which host to send the traffic that lands on 10.13.1.244:80: 10.13.12.21 or 10.13.12.20. You will have to change the port for this new static to something besides 'http'.

Regards

Farrukh

daniel-costa Thu, 08/14/2008 - 12:06

Hello Farrukh!

Yes! That was exactly what I told our customer.

But after a second I thought it could be possible, because what differs between the two rules is the Source Address.

- In the first rule 'Ast#03' the source address is one from the 10.16.0.0/16 network, which makes an HTTP request to the host 10.13.1.244 (Destination Address), and the ASA should change it to 10.13.12.20 still using port 80.

- In the second rule 'Ast#04' the source address is one from the 10.11.0.0/16 network, which makes an HTTP request to the same host 10.13.1.244, but in this case the ASA should change it to 10.13.12.21 still using port 80.

As I see it this is a Source NAT, or a NAT based on the Source Address. As hard as I thought, I couldn't figure out a way of doing this in the ASA syntax, because in some Linux (web-based) solutions, as you can see in the attached picture, the fields are pretty clear... I select SNAT, DNAT or FULL NAT.

Thanks again!

Regards, Dan

Farrukh Haroon Thu, 08/14/2008 - 12:26

That is true Dan, but on the ASA things work differently. All this annoyance is caused by the ASA security-level architecture :)

The 10.16.0.0/16 source actually does not matter for UN-NAT traffic (from inside to inside2). If you don't control it with an ACL, all traffic from any source to 10.13.1.244:80 will be redirected to 10.13.12.20 (irrespective of the source IP of the packet, which actually should have been matched by the destination part of the ACL). Try it and let me know.

Regards

Farrukh
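An added worked configuration, not from the thread, showing how both rules can coexist on ASA 7.2 once the second static uses a different mapped port, as Farrukh suggests; 8080 is an assumed value, and the packet-tracer lines are only a way to confirm which real host each mapped port reaches:

```cisco
! Added example, not Farrukh's or Daniel's config. Real side is inside2, mapped
! side is inside. Each policy ACL is written from the real server's point of
! view: source = real server, destination = the client network the rule is for,
! so it is the ACL's destination field that restricts which clients are matched.

! Rule 1 (unchanged from the thread):
! 10.61.0.0/16 -> 10.13.1.244:80 reaches 10.13.12.20:80
access-list Ast_03 extended permit tcp host 10.13.12.20 eq http 10.61.0.0 255.255.0.0
static (inside2,inside) tcp 10.13.1.244 http access-list Ast_03

! Rule 2: same mapped IP but a different mapped port (8080 is an assumed value),
! so the ASA can tell the two translations apart:
! 10.11.0.0/16 -> 10.13.1.244:8080 reaches 10.13.12.21:80
access-list Ast_04 extended permit tcp host 10.13.12.21 eq http 10.11.0.0 255.255.0.0
static (inside2,inside) tcp 10.13.1.244 8080 access-list Ast_04

! Verify from the CLI which real host each mapped port resolves to
! (client addresses and source ports below are constructed):
packet-tracer input inside tcp 10.61.5.10 40000 10.13.1.244 80
packet-tracer input inside tcp 10.11.5.10 40001 10.13.1.244 8080
show xlate
```

Clients in 10.11.0.0/16 must then address the service as 10.13.1.244:8080; the real server 10.13.12.21 still listens on port 80.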
