ASA 8.3 - loss of NAT flexibility?

mnantel
Level 1

Hello all,

I have a case open with the TAC already on this, but I thought I would throw this on the community forums (this is my first post) since there might be others experiencing a similar issue.

I've come to expect being able to translate the source of packets coming from the outside interface towards an inbound host. I've usually had to do that when migrating firewalls, for instance, when the internal host's default gateway was pointed somewhere other than the ASA the traffic was coming from. This would effectively hide the external/VPN/etc. address and replace it with, e.g., the ASA's inside interface IP. The following is sample code which would achieve this previously:

Remote IPSEC tunnel subnet: 192.168.90.0/23

Local server: 20.20.20.5

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.1 255.255.255.0
!
access-list outside_nat_outbound extended permit ip 192.168.90.0 255.255.254.0 host 20.20.20.5
access-list inside_nat0_outbound extended permit ip any 192.168.90.0 255.255.254.0
!
global (outside) 1 interface
global (inside) 2 interface
nat (outside) 2 access-list outside_nat_outbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp-data 20.20.20.5 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 20.20.20.5 ftp netmask 255.255.255.255

This would effectively change the source of traffic from 192.168.90.0/23 to 20.20.20.5 to the inside interface IP: 20.20.20.1. This config works wonderfully in 8.2, yet upgrading that config to 8.3 yields a broken configuration that doesn't end up changing the source address, and instead leaves it intact.

So far I've had no workaround from the TAC. Either the new NAT engine results in some loss of flexibility, or I can't wrap my head around the solution.

I've already heard "why are you doing this" and "you should instead fix the routing problem". Fact is: this works in 8.2, and so far it doesn't in 8.3. I'm looking for a straight answer whether or not 8.3 simply won't support this configuration any longer.

4 Replies

Hi,

In 8.3, NAT commands have changed. Check whether all the 8.2 nat configs have been migrated in the 8.3 config.

Here are some limitations of migration to 8.3:

- Dynamic identity NAT (the nat 0 command) will not be migrated.

- The dns option in static PAT and policy NAT commands will be ignored.

- Connection Settings in old NAT commands—Options such as conn-max, emb-limit, norandomseq, or nailed will be moved to service policies.

For detailed information on the changed NAT commands, check this link:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60047

Hi,

I'm well aware that there have been changes, and I can't find a replacement configuration that works in my scenario. Hence this post.

holzerb
Level 1

I've had to do the exact same thing... when someone installs a remote machine and makes a typo in the default gateway. Without hands-on, this is a way to gain remote access to the machine to correct the typo (then take out the nat commands, in my case).

Here's my take on getting the inbound traffic translated:

object network obj-192.168.90.0
 subnet 192.168.90.0 255.255.255.0
object network obj-20.20.20.5
 host 20.20.20.5
nat (any,inside) source dynamic obj-192.168.90.0 interface dest static obj-20.20.20.5 obj-20.20.20.5

But I will say I hate the new 8.3 code and have little experience with it. Let us know what you get to work...

August Ritchie
Level 1

I was looking over this page, and think that it may have the solution.

https://supportforums.cisco.com/docs/DOC-9129

object service ftpPorts
 service tcp destination range ftp-data ftp
object network obj-20.20.20.5
 host 20.20.20.5
 nat (inside,outside) static interface service tcp ftpPorts ftpPorts
object network obj-192.168.90.0
 subnet 192.168.90.0 255.255.254.0
nat (outside,inside) source dynamic obj-192.168.90.0 interface destination static obj-20.20.20.5 obj-20.20.20.5

I added this to my ASA and it took, but I am not able to test at this point, thus you may want to wait for a window if you are working with a production box.
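As an added illustration for readers of this thread (it is not configuration posted by any of the participants above and has not been applied to a real ASA), here is the 8.3 twice NAT statement for the source translation the original post asks about, using the addresses from that post, followed by the CLI checks that show whether the rule is actually hit. The object names are assumptions; the client address 192.168.90.10 and source port 1025 in the packet-tracer command are constructed values.

```text
! Added example, not from the thread: 8.3 twice NAT for the scenario in the original post.
! Network objects for the remote IPsec subnet (/23, as stated in the original post)
! and for the local server.
object network obj-192.168.90.0
 subnet 192.168.90.0 255.255.254.0
object network obj-20.20.20.5
 host 20.20.20.5
!
! Twice NAT rule (section 1 of the 8.3 NAT table): a packet entering on outside from
! 192.168.90.0/23 and destined to 20.20.20.5 has its source PAT'ed to the inside
! interface address (20.20.20.1). The destination uses the same object as real and
! mapped address, so it is left unchanged.
nat (outside,inside) source dynamic obj-192.168.90.0 interface destination static obj-20.20.20.5 obj-20.20.20.5
!
! Verification from the ASA CLI after applying the rule:
!   show nat detail
!     - lists the rule under section 1 with its translate_hits/untranslate_hits counters;
!       a counter that stays at 0 while test traffic flows means the packet is not
!       matching this rule (wrong interface pair, mask or destination object).
!   packet-tracer input outside tcp 192.168.90.10 1025 20.20.20.5 21 detailed
!     - walks a simulated packet through the box; the NAT phase of the output should
!       show the source 192.168.90.10 being translated to 20.20.20.1 and the final
!       result should be ALLOW.
!   show xlate
!     - after a real connection from the VPN subnet, a PAT entry mapping
!       192.168.90.x to 20.20.20.1 should be present.
```

Running packet-tracer before opening the maintenance window is the cheapest way to confirm whether the migrated configuration translates the source at all, which is the exact symptom described in the original post; the hit counters in show nat detail then tell you whether live traffic is reaching the rule or being caught by an earlier entry in the table.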
