ASA 5510 DMZ and NAT question

Tue, 03/31/2015 - 05:41
Jan 3rd, 2014
Introduction

This document describes an issue faced by a user who wants an FTP server in the DMZ of an ASA 5510 to be reachable through the outside interface, and a second question about equivalent object NAT and manual NAT statements on an ASA 5515.

Prerequisites

ASA 5510

ASA Version 8.2(1)

FTP Server

Problem

The goal is to have an FTP server on the DMZ and be able to access it through the outside interface (which is currently just configured as 10.2.2.2). The user tried adding the NAT rule using ASDM and the CLI, but it won't take:

static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0

Configuration

ASA Version 8.2(1)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif inside1
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 3
 nameif inside3
 security-level 100
 ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
 network-object 10.20.10.0 255.255.255.0
 network-object 10.40.10.0 255.255.255.0
object-group network FTPServer
 network-object 172.20.10.5 255.255.255.255
object-group network FTPServer-External
 network-object 10.2.2.2 255.255.255.255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
mtu inside1 1500
mtu inside3 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.2.2.2
nat (dmz) 1 172.20.10.0 255.255.255.0
nat (inside1) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

Solution

The static PAT (port forward) configuration seems valid.

However, there is no IP address in the visible configuration for the "outside" interface:

interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address

The user should add:

interface Ethernet0/0
 ip address <ip address> <mask>

The "static" command itself refers to the "outside" interface through the "interface" parameter, and if the interface has no IP address configured I would imagine it won't accept the NAT configuration, as there is no IP address to use for the translation you are trying to insert.

static (dmz,outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0

The other problem you had before was that you were using the native VLAN interface incorrectly.

First of all, remove this:

no access-group inside_access_in

Add the following:

policy-map global_policy
 class class-default
  inspect ftp

Just in case you do not have it:

static (dmz,inside) 172.20.10.5 172.20.10.5
static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

This is the correct configuration:

Lower the security level of the interface where the FTP server resides:

enable
config t
interface Ethernet0/2
 security-level 90

The user needs to do this because the setup is playing with the same-security-traffic feature, which, if you really don't know what it is used for, you should simply not use, as it is not necessary in this setup.

enable
config t
static (dmz,inside) tcp 10.2.2.1 21 172.20.10.5 211 netmask 255.255.255.255

Then add the next line:

enable
config t
global (dmz) 1 interface

The user has the following configuration line, which forces PAT when going to the DMZ:

nat (inside) 1 10.20.10.0 255.255.255.0
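Putting the pieces of the solution together, here is an added example of a complete ASA 8.2 configuration for the stated goal; it is not configuration posted in the original discussion. It adds the two items the replies above do not spell out: an inbound access-list on the outside interface (traffic from security level 0 to the DMZ at level 50 is dropped until an ACL permits it, and in 8.2 the ACL matches the mapped address, not the DMZ address), and FTP inspection, which is what opens the data channel for active and passive transfers. The /24 mask on 10.2.2.2, the default gateway 10.2.2.1 and the access-list name outside_access_in are assumptions.

```cisco
! Added example, not from the original thread. Assumptions: outside is
! 10.2.2.2/24 with gateway 10.2.2.1; the ACL name outside_access_in is chosen here.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.2.2.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.2.2.1 1
!
! Dynamic PAT for outbound traffic. "interface" is used because the PAT
! address is the outside interface's own address.
global (outside) 1 interface
nat (dmz) 1 172.20.10.0 255.255.255.0
nat (inside1) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
!
! Static PAT: outside 10.2.2.2:21 -> 172.20.10.5:21.
! The "interface" keyword only works once outside has an IP address.
static (dmz,outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255
!
! Without an inbound ACL nothing from security-level 0 reaches the DMZ.
! In 8.2 the ACL is written against the mapped (outside) address.
access-list outside_access_in extended permit tcp any host 10.2.2.2 eq ftp
access-group outside_access_in in interface outside
!
! FTP inspection rewrites the server address in PASV/PORT replies and opens
! the data connection; without it only the port 21 control channel works.
! It is on by default in the default global policy; shown explicitly here.
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
!
! Verification after applying:
!   show xlate | include 172.20.10.5
!   packet-tracer input outside tcp 198.51.100.10 1025 10.2.2.2 21
```

Note that "ftp mode passive" in the running configuration only affects the ASA's own FTP client (for example when copying images); it has nothing to do with inspection of traffic passing through the firewall.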

Scenario 2:

Problem: The user has an ASA 5515 with the following configuration:

outside interface
X.X.X.1/24
dmz interface
192.168.1.1/24
object network SMTP_SERVER
 host 192.168.1.3
object network obj-X.X.X.2
 host X.X.X.2

Q1: The user would like to know whether this NAT configuration is valid:

object network SMTP_SERVER
 nat (dmz,outside) static interface service tcp smtp smtp

Is the command below similar to the command above?

nat (dmz,outside) source static SMTP_SERVER obj-X.X.X.2 service 25 25

Q2: By the user's understanding, the first one is for "publishing a service to the internet": a host outside would be able to access the SMTP service on the host smtp_server in the DMZ, and the second configuration is for allowing smtp_server to go outside with the IP obj-X.X.X.2. Is his understanding correct, or in the end do both configurations allow the same thing? The user is asking this because he has deployed several servers on the DMZ segment that need to be accessed from the internet (outside); he assumes he must create several objects and configurations like the first one.
 
A1:

Well, the main reason for using auto NAT is that it is considered one of the best practices. When you need to take the destination address into account, manual NAT comes into play. With manual NAT you can specify the destination address, and the destination address can also be translated as required. It's up to you which NAT you want to use. There is nothing wrong with using both NATs together, but troubleshooting becomes easier when they are separate. Keep the complicated stuff in manual NAT and the rest in auto.

A2:

Basically the configuration will produce the same outcome, but there are a few differences. The first and most obvious is that your second statement will translate the server IP to x.x.x.2 instead of x.x.x.1, which is your outside interface (as per your explanation above). Second, and the most important to remember, is that the second NAT statement is what is referred to as manual NAT and will be executed before the object NAT and the after-auto NAT.

object nat:

object network SMTP_SERVER
 nat (dmz,outside) static interface service tcp smtp smtp

manual nat:
nat (dmz,outside) source static SMTP_SERVER obj-X.X.X.2 service 25 25

So, even if you have a NAT statement in object NAT (aka auto NAT) or in after-auto NAT that matches the SMTP_SERVER object and the SMTP port, it will never be matched, as the traffic will only ever be matched by the manual NAT.
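As an added example (not configuration from the original question or answers), here are the two NAT forms discussed in A2 written out in full ASA 8.3+ syntax, together with the parts the question leaves out. One caveat a practitioner will hit: the manual NAT form takes service objects, so bare port numbers as in "service 25 25" are not accepted by that command. The service object name tcp-smtp and the access-list name outside_access_in are assumptions, and X.X.X.2 is kept as the placeholder the question uses.

```cisco
! Added example, not from the original thread. Interface names dmz/outside
! and the objects SMTP_SERVER / obj-X.X.X.2 are taken from the question;
! tcp-smtp and outside_access_in are names chosen here.
!
! Option A: object (auto) NAT. Publishes 192.168.1.3:25 on the outside
! interface address (X.X.X.1). Port numbers are accepted directly here.
object network SMTP_SERVER
 host 192.168.1.3
 nat (dmz,outside) static interface service tcp smtp smtp
!
! Option B: manual NAT to the separate address X.X.X.2. Source-port
! translation needs a service object with the "source" keyword.
object network obj-X.X.X.2
 host X.X.X.2
object service tcp-smtp
 service tcp source eq 25
nat (dmz,outside) source static SMTP_SERVER obj-X.X.X.2 service tcp-smtp tcp-smtp
!
! If both exist, Option B sits in NAT section 1 (manual) and is evaluated
! before section 2 (object) and section 3 (after-auto), as A2 explains.
!
! Since 8.3 the interface ACL is written against the real (untranslated)
! address, so the same line serves either option.
access-list outside_access_in extended permit tcp any object SMTP_SERVER eq 25
access-group outside_access_in in interface outside
!
! Verification: "show nat detail" lists the three sections in evaluation
! order and the hit counts per rule.
```

For several published servers, the pattern in Option A repeats per server: one network object with its host address and its own nat line, plus a matching entry in the outside access-list. Option B is only needed when the translation must depend on the destination or use an address that is not the interface's.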

 

Source Discussion

ASA 5510 DMZ Nat question

Related info

Basic ASA NAT Config
