Configuring static NAT in new ASA code 8.3.1

Answered Question
Jun 11th, 2010


I was attempting to configure a static NAT statement on a client's firewall which is running code version 8.3.1. I got a message indicating that the old static command had been deprecated, and that the "nat" command needed to be used instead.

What I am trying to do is the following ( in the old format)

access-list PJMNAT extended permit ip host 192.168.103.59 host 206.223.104.11

static (inside,WAN) 172.28.6.133 access-list PJMNAT

In other words, I need traffic from 192.168.103.59 to be translated to 172.28.6.133 when communicating with 206.223.104.11 on the WAN interface.

Would anyone know how to write this on the ASA running code 8.3.1?

Thanks

Kevin

Federico Coto F... Fri, 06/11/2010 - 08:23

Hi,

In 8.3 the NAT syntax changed completely.

From the migration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Old Configuration

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224


static (inside,outside) 209.165.202.129 access-list NET1


Migrated Configuration

object network obj-10.1.2.27
host 10.1.2.27
object network obj-209.165.202.129
host 209.165.202.129
object network obj-10.76.5.0
subnet 10.76.5.0 255.255.255.224

nat (inside,outside) source static obj-10.1.2.27 obj-209.165.202.129 destination static obj-10.76.5.0 obj-10.76.5.0

Federico.

Kevin Melton Fri, 06/11/2010 - 09:06

Federico

I am having difficulty trying to follow the example you have used.

Can you take my real time data and show how the rule should be written based on that?

Thanks

Kevin

Federico Coto F... Fri, 06/11/2010 - 09:11

object network obj-192.168.103.59
host 192.168.103.59

object network obj-172.28.6.133
host 172.28.6.133

object network obj-206.223.104.11
host 206.223.104.11

nat (inside,WAN) source static obj-192.168.103.59 obj-172.28.6.133 destination static obj-206.223.104.11 obj-206.223.104.11

Federico.
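
As an added example, not from this thread, the migration guide or Cisco, the following Python script does mechanically what Federico's two posts above do by hand: it reads a pre-8.3 access-list and its `static ... access-list` line and emits the 8.3 object definitions plus the twice-NAT rule. It also accepts an `object-group NAME` destination term and passes the group name straight through, which is the form Kevin later reports working. The object naming (obj-<address>) follows the migration guide; the function names and the sample configuration constant are mine, and the script only handles `permit ip` entries whose source is a single host.

```python
"""Rewrite pre-8.3 policy static NAT (static ... access-list) into 8.3 objects plus twice NAT.
Added example, not from the thread, the migration guide or Cisco."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddrSpec:
    """One address term of an access-list entry: host A, NET MASK, or object-group NAME."""
    kind: str        # "host", "subnet" or "group"
    addr: str = ""   # host address, network address, or the group name
    mask: str = ""   # dotted netmask, subnets only

    @property
    def object_name(self) -> str:
        # obj-<address> is the migration guide's naming; an existing object-group keeps its own name.
        return self.addr if self.kind == "group" else f"obj-{self.addr}"

    def object_lines(self) -> list[str]:
        if self.kind == "group":          # already defined on the box, nothing to emit
            return []
        body = f" host {self.addr}" if self.kind == "host" else f" subnet {self.addr} {self.mask}"
        return [f"object network {self.object_name}", body]


def _take_spec(tok: list[str], i: int) -> tuple[AddrSpec, int]:
    """Consume one address term starting at tok[i]; return it and the next index."""
    if i + 1 >= len(tok):
        raise ValueError(f"truncated address term in {' '.join(tok)!r}")
    key = tok[i].lower()
    if key == "host":
        return AddrSpec("host", str(ipaddress.ip_address(tok[i + 1]))), i + 2
    if key == "object-group":
        return AddrSpec("group", tok[i + 1]), i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)
    return AddrSpec("subnet", str(net.network_address), str(net.netmask)), i + 2


def parse_ace(line: str) -> tuple[str, AddrSpec, AddrSpec]:
    """'access-list NAME [extended] permit ip SRC DST' -> (NAME, SRC, DST)."""
    tok = line.split()
    if len(tok) < 6 or tok[0].lower() != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    i = 3 if tok[2].lower() == "extended" else 2
    if [t.lower() for t in tok[i:i + 2]] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries drive policy static NAT: {line!r}")
    src, i = _take_spec(tok, i + 2)
    dst, i = _take_spec(tok, i)
    if i != len(tok):
        raise ValueError(f"unexpected trailing tokens in {line!r}")
    return tok[1], src, dst


def parse_static(line: str) -> tuple[str, str, str, str]:
    """'static (REAL_IF,MAPPED_IF) MAPPED_IP access-list ACL' -> those four fields."""
    tok = line.split()
    if len(tok) != 5 or tok[0].lower() != "static" or tok[3].lower() != "access-list":
        raise ValueError(f"not a policy static NAT: {line!r}")
    real_if, mapped_if = tok[1].strip("()").split(",")
    return real_if, mapped_if, str(ipaddress.ip_address(tok[2])), tok[4]


def migrate(old_config: str) -> str:
    """Return object definitions followed by one twice-NAT rule per access-list entry."""
    aces: dict[str, list[tuple[AddrSpec, AddrSpec]]] = {}
    statics: list[tuple[str, str, str, str]] = []
    for raw in old_config.splitlines():
        head = raw.split()[0].lower() if raw.split() else ""
        if head == "access-list":
            name, src, dst = parse_ace(raw)
            aces.setdefault(name, []).append((src, dst))
        elif head == "static":
            statics.append(parse_static(raw))
    objects: list[str] = []
    rules: list[str] = []
    defined: set[str] = set()
    for real_if, mapped_if, mapped_ip, acl in statics:
        if acl not in aces:
            raise ValueError(f"static refers to access-list {acl!r}, which is not in the config")
        mapped = AddrSpec("host", mapped_ip)
        for src, dst in aces[acl]:
            if src.kind != "host":   # one mapped host can only stand in for one real host
                raise ValueError(f"access-list {acl}: source {src.addr} is not a single host")
            for spec in (src, mapped, dst):
                if spec.object_name not in defined:
                    defined.add(spec.object_name)
                    objects.extend(spec.object_lines())
            # Identity-map the destination so the rule applies only toward that peer.
            rules.append(f"nat ({real_if},{mapped_if}) source static {src.object_name} {mapped.object_name} "
                         f"destination static {dst.object_name} {dst.object_name}")
    return "\n".join(objects + rules)


# Kevin's pre-8.3 configuration from this thread, in corrected syntax (sample input).
KEVIN_OLD = """\
access-list PJMNAT extended permit ip host 192.168.103.59 host 206.223.104.11
static (inside,WAN) 172.28.6.133 access-list PJMNAT
"""
```

Running `print(migrate(KEVIN_OLD))` yields the three `object network` definitions and the `nat (inside,WAN) ... destination static obj-206.223.104.11 obj-206.223.104.11` line exactly as Federico wrote them; feeding the migration guide's NET1 example produces its `subnet 10.76.5.0 255.255.255.224` object and rule.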

Kevin Melton Fri, 06/11/2010 - 09:35

Federico

Thanks for the response.

One thing I am trying to do is to use an existing object-group called PJMServers.  This object group has several addresses in it (in the 206.223.104.X range).

here is how I am trying to configure the nat statement and the associated error message:

nat (inside,WAN) source static obj-192.168.103.59 obj-172.28.6.133 destination static obj-group PJMServers

ERROR: obj-group doesn't match an existing object or object-group

How do I write in the existing object group instead of the one object?

thx

kevin

Correct Answer
Federico Coto F... Fri, 06/11/2010 - 09:39

Let's do two things:

Specify the actual address instead of the object-group just to make sure the NAT rule works.

Post a "sh run object-group PJMServers" to make sure the configuration exists (so we can configure it using the object-group)

Federico.

Kevin Melton Fri, 06/11/2010 - 10:05

I actually did exactly that, but I am still not getting any ICMP replies from the source 206.223.104.13 (not .11 like I thought) as it tries to ping 172.28.6.133 (which is actually our 192.168.103.59 on the inside).

Here is the requested output:

lo-asa# sh run object-group PJMServers
                             ^
ERROR: % Invalid input detected at '^' marker.
lo-asa# sho run object-group PJMServers
                              ^
ERROR: % Invalid input detected at '^' marker.

sh run object-group network

object-group network PJMServers
network-object object PriEMSUCSPair
network-object object PriEMSUCSPair2
network-object object SecEMSUCSPair
network-object object SecEMSUCSPair2
network-object host 206.223.104.20
network-object host 206.223.104.21
network-object host 206.223.104.22
network-object host 206.223.104.23
network-object host 206.223.104.80
network-object host 206.223.105.2
network-object host 206.223.105.3
network-object host 206.223.104.11
network-object host 206.223.104.13
network-object host 206.223.104.15
network-object host 206.223.104.17

Kevin Melton Fri, 06/11/2010 - 11:10

Federico

I inadvertently put "answered" as the status of this post. If you can, I would still need your help. I still show the object-group PJMServers as being on the box.

Thanks

Kevin

Correct Answer
Federico Coto F... Fri, 06/11/2010 - 13:11


Please confirm that you're trying to PING 206.223.104.11 from 192.168.103.59
And you want it to NAT to 172.28.6.133

Please do a Packet Tracer test to check which process is failing on the ASA.

Federico.

Kevin Melton Mon, 06/14/2010 - 03:36

In all actuality it should be 206.223.104.13 that is pinging 172.28.6.133. 206.223.104.13 is our business partner. He is trying to ping our 192.168.103.59 box. But he doesn't know the box as 192.168.103.59. He knows the box as 172.28.6.133.

Thanks Federico

Kevin

Kevin Melton Mon, 06/14/2010 - 12:53

Federico,

I actually worked through and figured out the NAT statement, but now I have run into another issue that may need your assistance. I wrote the NAT statement as: [nat (inside,WAN) source static obj-192.168.103.59 obj-172.28.6.133 destination static PJMServers PJMServers] with PJMServers as an object group I have created. With that in place I can now see traffic originating from 192.168.103.59 being translated on the WAN interface (from INSIDE to WAN) to 172.28.6.133 en route to the 206.223.104.13 address. The issue I am having now is that the ICMP request I am sending out is getting this response via a capture on the WAN interface of the ASA:

   1: 15:46:31.797352 172.28.6.133 > 206.223.104.13: icmp: echo request
   2: 15:46:31.813587 206.223.104.13 > 172.28.6.133: icmp: echo reply
   3: 15:46:31.814945 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
   4: 15:46:37.297668 172.28.6.133 > 206.223.104.13: icmp: echo request
   5: 15:46:37.314116 206.223.104.13 > 172.28.6.133: icmp: echo reply
   6: 15:46:37.315077 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
   7: 15:46:42.797611 172.28.6.133 > 206.223.104.13: icmp: echo request
   8: 15:46:42.813724 206.223.104.13 > 172.28.6.133: icmp: echo reply
   9: 15:46:42.814761 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
  10: 15:46:48.297851 172.28.6.133 > 206.223.104.13: icmp: echo request
  11: 15:46:48.314238 206.223.104.13 > 172.28.6.133: icmp: echo reply
  12: 15:46:53.798176 172.28.6.133 > 206.223.104.13: icmp: echo request
  13: 15:46:53.814472 206.223.104.13 > 172.28.6.133: icmp: echo reply
  14: 15:46:59.298110 172.28.6.133 > 206.223.104.13: icmp: echo request
  15: 15:46:59.314497 206.223.104.13 > 172.28.6.133: icmp: echo reply
  16: 15:46:59.315672 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
  17: 15:47:04.798191 172.28.6.133 > 206.223.104.13: icmp: echo request
  18: 15:47:04.814594 206.223.104.13 > 172.28.6.133: icmp: echo reply
  19: 15:47:04.815509 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
  20: 15:47:10.298354 172.28.6.133 > 206.223.104.13: icmp: echo request
  21: 15:47:10.314742 206.223.104.13 > 172.28.6.133: icmp: echo reply
  22: 15:47:10.315642 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
  23: 15:47:15.799366 172.28.6.133 > 206.223.104.13: icmp: echo request
  24: 15:47:15.815707 206.223.104.13 > 172.28.6.133: icmp: echo reply

The message "host 172.28.6.133 unreachable - admin prohibited filter" makes me think I am being denied via an ACL on the ASA on either the INSIDE or WAN interface, but I have created multiple permit statements to allow IP, and not just ICMP, between the addresses. Do you have anything to try that could help? Thanks

Federico Coto F... Mon, 06/14/2010 - 13:09

Capture on the WAN interface:


Shows successful ICMP echo-request from 172.28.6.133 to 206.223.104.13
Then, the ICMP echo-reply back
Then, you get this message:
   3: 15:46:31.814945 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter

Again, the NAT IP is trying to send ICMP to 206.28.6.133?

Aside from the error, the PING seems to be working, what problem are you having?

Federico.

Kevin Melton Mon, 06/14/2010 - 14:24

The ICMP is going to 206.223.104.13.

The issue is that the server (192.168.103.59) being translated to 172.28.6.133 is not actually receiving the echo-reply; it is getting non-replies (timeouts) during the ping.
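
As an added example, not part of the thread: the script below walks a `show capture` text dump like the one Kevin posted and pairs every echo request with its reply and with any ICMP unreachable that follows that reply, which is the pattern Federico pointed out by eye. In that dump, "admin prohibited filter" is the capture's rendering of ICMP type 3 code 13 (communication administratively prohibited), the message a packet filter sends when it rejects a packet rather than dropping it silently. The script does not determine which device sent it; the verdict strings and the function names are mine, and the sample rows are an excerpt of the capture above.

```python
"""Pair echo request, echo reply and ICMP unreachable rows from an ASA capture dump.
Added example, not from the thread; the sample rows are an excerpt of the capture posted above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One row of `show capture <name>` output in the form shown on the page.
_ROW_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+icmp:\s+(?P<msg>.+?)\s*$"
)

# Rows 1-6, 10-13 and 14-16 of the WAN-side capture posted in the thread (post-NAT addresses).
SAMPLE_CAPTURE = """\
   1: 15:46:31.797352 172.28.6.133 > 206.223.104.13: icmp: echo request
   2: 15:46:31.813587 206.223.104.13 > 172.28.6.133: icmp: echo reply
   3: 15:46:31.814945 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
   4: 15:46:37.297668 172.28.6.133 > 206.223.104.13: icmp: echo request
   5: 15:46:37.314116 206.223.104.13 > 172.28.6.133: icmp: echo reply
   6: 15:46:37.315077 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
  10: 15:46:48.297851 172.28.6.133 > 206.223.104.13: icmp: echo request
  11: 15:46:48.314238 206.223.104.13 > 172.28.6.133: icmp: echo reply
  12: 15:46:53.798176 172.28.6.133 > 206.223.104.13: icmp: echo request
  13: 15:46:53.814472 206.223.104.13 > 172.28.6.133: icmp: echo reply
  14: 15:46:59.298110 172.28.6.133 > 206.223.104.13: icmp: echo request
  15: 15:46:59.314497 206.223.104.13 > 172.28.6.133: icmp: echo reply
  16: 15:46:59.315672 172.28.6.133 > 206.223.104.13: icmp: host 172.28.6.133 unreachable - admin prohibited filter
"""


@dataclass
class Exchange:
    request_ts: str
    reply_ts: str | None = None
    rejection: str | None = None   # unreachable sent from the mapped address after the reply


def parse_capture(text: str) -> list[tuple[str, str, str, str]]:
    """(timestamp, src, dst, icmp message) for every ICMP row; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows.append((m["ts"], m["src"], m["dst"], m["msg"]))
    return rows


def pair_exchanges(text: str, mapped_ip: str, peer_ip: str) -> list[Exchange]:
    """Attach each reply, and any unreachable that follows it, to the latest request
    from mapped_ip to peer_ip. Rows are taken in capture order."""
    exchanges: list[Exchange] = []
    for ts, src, dst, msg in parse_capture(text):
        outbound = src == mapped_ip and dst == peer_ip
        if outbound and msg == "echo request":
            exchanges.append(Exchange(request_ts=ts))
        elif not exchanges:
            continue
        elif src == peer_ip and dst == mapped_ip and msg == "echo reply":
            exchanges[-1].reply_ts = ts
        elif outbound and "unreachable" in msg and exchanges[-1].reply_ts:
            exchanges[-1].rejection = msg
    return exchanges


def summarize(exchanges: list[Exchange]) -> dict[str, int]:
    return {
        "requests": len(exchanges),
        "replied": sum(1 for e in exchanges if e.reply_ts),
        "reply_rejected": sum(1 for e in exchanges if e.rejection),
        # "admin prohibited filter" is how the capture renders ICMP type 3 code 13
        "admin_prohibited": sum(1 for e in exchanges if e.rejection and "admin prohibited" in e.rejection),
    }


def verdict(s: dict[str, int]) -> str:
    """Plain-language reading of the counts, pointing at the next place to look."""
    if s["requests"] == 0:
        return "no echo requests from the mapped address: the NAT rule or the outbound path is not matching"
    if s["replied"] == 0:
        return "requests leave but nothing comes back: check the peer and the return route"
    if s["admin_prohibited"]:
        return ("replies arrive on WAN and are then answered with code 13 (administratively prohibited) "
                "sourced from the mapped address, so something behind that address (the real host, or the "
                "ASA answering for it) rejects them: capture on the inside interface to see which")
    return "requests and replies both seen with no rejections"
```

Calling `verdict(summarize(pair_exchanges(SAMPLE_CAPTURE, "172.28.6.133", "206.223.104.13")))` on the excerpt gives five requests, five replies and three rejected replies, and points to a capture on the inside interface as the next step, since that is the only way to tell whether 192.168.103.59 itself is sourcing the unreachable before the ASA translates it.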
