Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1771
Views
0
Helpful
5
Replies

Problem created Policy NAT

rubens.palhoni
Level 1
Level 1

‎04-15-2010 06:36 PM - edited ‎03-11-2019 10:33 AM

I need help on project my client with respect to some NAT rules that need to be created in a context of the FWSM that the client is
creating.
According to customer demand, there are two types of connections that need to be released. We conducted some tests using policy NAT but unfortunately we could not create the rules and therefore need your help.
I'll try to explain what client need according to the e-mail client below:
- Due to conflicts of IPs, we have customers that address on outside interface, the IP 192.168.8.3 and other IP 192.168.8.4 on port 3017/TCP
- The firewall should do static NAT and redirect those connections to the IP address 10.2.64.4 port 3017. configure the following NAT and static NAT policy for this situation without problems:
!
static (inside,outside) tcp 192.168.8.3 3017 10.2.64.4 3017 netmask 255.255.255.255
!
access-list NAT_3017_3017 line 1 remark ### Policy-NAT/Redirect porta 3017 para MF-SYSA:10.2.64.4 porta 3017
access-list NAT_3017_3017 line 2 extended permit tcp host 10.2.64.4 eq 3017 any
static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3017
!
- However, we have a situation when the source is the block 125.24.0.0/20 (client Claro GPRS) and IP address 192.168.8.4 on port 3017.
- In this case the firewall should do a static NAT / NAT Policy and redirect the connection to the IP 10.2.64.4 on port 3023/TCP.
To do this try the following, who presented the error below:
!
access-list NAT_3017_3023 line 1 remark ### Policy-NAT/Redirect porta 3017 para MF-SYSA:10.2.64.4 porta 3023
access-list NAT_3017_3023 line 2 extended permit tcp host 10.2.64.4 eq 3023 172.24.0.0 255.255.240.0
static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3023
!
Error:
FWSM-SYSTEM/CONTEXT(config)# static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3023
WARNING: real-address conflict with existing static
  TCP inside:10.2.64.4/3023 to outside:192.168.8.3/3023 netmask 255.255.255.255
ERROR: mapped-address conflict with existing static
  TCP inside:10.2.64.4/3017 to outside:192.168.8.4/3017 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        show running-config [all] static [<mapped_ip>]
        clear configure static
!
- We also try the following configuration. Include in NAT_3017_3017 ACL (applied there in the beginning) to line 2 with the network 172.24.0.0 255.255.240.0 (source) without success:
access-list NAT_3017_3017 line 1 remark ### Policy-NAT/Redirect porta 3017 para MF-SYSA:10.2.64.4 porta 3017
access-list NAT_3017_3017 line 2 extended permit tcp host 10.2.64.4 eq 3023 172.24.0.0 255.255.240.0
access-list NAT_3017_3017 line 3 extended permit tcp host 10.2.64.4 eq 3017 any
static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3017
!
Error:
FWSM-SYSTEM/AUTOMACAO-COMERCIAL(config)# access-list NAT_3017_3017 line 2 exte$
ERROR: access-list used in static pat has different
                    local ports
ERROR: ACL is not valid for static
FWSM-SYSTEM/CONTEXT(config)#
!
!
This NAT is being migrated from a FreeBSD Firewall which works perfectly. rsssrrs.
It could take a look and give suggestions?
Thanks!!!

Labels:
0 Helpful
5 Replies 5

Kureli Sankar
Cisco Employee
Cisco Employee

‎04-16-2010 04:24 AM

Interesting. What FWSM code are you running? This should work.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/cfgnat_f.html#wp1042553

You can identify overlapping addresses in other nat commands. For example, you can identify 10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command in order, until the first match, or for regular NAT, using the best match.

See the following description about options for this command:

access-list acl_name—Identify the real addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section on page 12-6). This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT and static NAT consider the inactive or time-range keywords and stop working when an ACE is inactive.

-KS

0 Helpful

rubens.palhoni
Level 1
Level 1
In response to Kureli Sankar

‎04-16-2010 05:48 AM

Hi Kusankar,

I'm using IOS 4.0.7 in FWSM.

The strange thing is that even creating a NAT policy to match the source IP can not create the rule.

Att,

Rubens

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to rubens.palhoni

‎04-16-2010 06:38 AM

Could you pls. copy and paste the following:

sh run static

sh run access-list

that are tied to the static.

-KS

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to Kureli Sankar

‎04-16-2010 07:19 AM

Alright I have tried this out and this is not supported.


static (inside,out) tcp 44.44.44.44 3701 access-list net1
static (inside,out) tcp 44.44.44.44 3702 access-list net2

access-list net1 extended permit tcp host 1.1.1.1 eq 3701 host 100.100.100.1 eq 3701

access-list net2 extended permit tcp host 1.1.1.2 eq 3702 host 100.100.100.100 eq 3702

worked perfectly.

-KS

0 Helpful

rubens.palhoni
Level 1
Level 1
In response to Kureli Sankar

‎04-16-2010 07:48 AM

Hi Kusankar,

Take a look at setting that could be applied and tests we performed:

#### With this setup worked perfectly applied traffic: #####

access-list NAT_3017_3023 extended permit tcp host 10.2.64.4 eq 3023 172.24.0.0 255.255.240.0

static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_3023

#### With this set up NAT also worked perfectly: ####

static (inside,outside) tcp 192.168.8.3 3017 10.2.64.4 3017 netmask 255.255.255.255

#### Now, this rule could set up without problems, but the NAT is not being mounted. What I realized when creating the static NAT with nat policy without informing the protocol (TCP or UDP) and port access, the firewall does not mount the NAT. If the static is created with the protocol and port configuration have a conflict with the first rule created:

access-list NAT_3017_3017 extended permit tcp host 10.2.64.4 eq 3017 any range eq 1 65535

static (inside,outside) 192.168.8.4  access-list NAT_3017_3017

Any suggestions? Actually you can play this setup?


The setting range of port created in the ACL, it is necessary because when the connection is established by any outside source, the source IP uses random port. Therefore it was necessary to set up this way.

Att,

Rubens

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card