NAT'ing with service groups

HSSEngineering
Level 1

I'm trying to optimize my NAT rules for port forwarding on my ASA 5505, but it's not coming along.


I have a server which runs IMAP and a website - ports 25 and 80.

I would like to create a service for each port, join them in a service group, and let outside traffic flow in.


So what I have is as follows:


!My server

object network testServer
  host 192.168.1.110

!My ports

object service myImap
  service tcp source eq 25 destination eq 25

object service http
  service tcp source eq 80 destination eq 80

!A service group

object-group service testServerPorts
  service-object object myImap
  service-object object http

!NAT'ing

nat (inside,outside) source static testServer interface service myImap myImap

nat (inside,outside) source static testServer interface service http http

!Access-list

access-list outside_access_in permit object-group testServerPorts object testServer any
access-group outside_access_in in interface outside


However, there's no love from the unit.


Anyone care to take a shot at it?

1 Reply

Jouni Forss
VIP Alumni

Hi,


You cannot use the same "object" in both the ACL and the NAT configuration, as in the NAT configuration you would only need the "source" parameter, while in the ACL you would need the "destination" parameter.


To clarify, in the NAT configuration you are using we need to configure only the "source" section's port, which might naturally sound a bit weird depending on how you think of the NAT configuration.


Essentially the NAT command's format is

nat (sourceint,destint) source <static/dynamic> <real source> <mapped source> destination static <mapped destination> <real destination> service <real service> <mapped service>


So if you again look at your "object service" configurations, you will notice that you have mentioned both "source" and "destination" parameters. This would essentially mean that only traffic sourced from and destined for those ports will match this NAT rule. To my understanding these connections don't use identical ports as their source and destination.

In the above configuration format you will notice that the first 2 sections, where you configure either an "object" or "object-group", relate to the real source address and the mapped source address. When you think about it from that perspective, you will notice that you would only want to modify/match the real port on the server and the mapped port on the firewall. Hope I made some sense :)


For the NAT configuration you have the following format options:


object service HTTP
 service tcp source eq 80

object service SMTP
 service tcp source eq 25

object network SERVER
 host 192.168.1.110

nat (inside,outside) source static SERVER interface service HTTP HTTP
nat (inside,outside) source static SERVER interface service SMTP SMTP

 

Or you could do

object network SERVER-HTTP
 host 192.168.1.110
 nat (inside,outside) static interface service tcp 80 80

object network SERVER-SMTP
 host 192.168.1.110
 nat (inside,outside) static interface service tcp 25 25


In the above configuration we use Auto NAT / Network Object NAT, where you configure the local IP address and the "nat" command under an "object network". I will leave it to you to decide which format you use. Your original NAT configuration is in the Manual NAT / Twice NAT format, which uses different objects but is not configured UNDER any object.


For the ACL you could do, for example:

object-group service SERVER-PORTS
 service-object tcp destination eq www
 service-object tcp destination eq smtp

object network SERVER
 host 192.168.1.110

access-list outside_access_in permit object-group SERVER-PORTS any object SERVER

Hope this helps :)

Let me know how it goes

 

- Jouni
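The two points of the answer above (a NAT service object carries only a "source" port, an inbound ACL needs a "destination" port with the server as the destination address) are easy to check mechanically before a config is pushed. The following linter is an added example, written for this page; it is not code from either poster or from Cisco. It parses only the handful of ASA 8.3+ statements the two posts use, in the "source static ... service X Y" Manual NAT form (the Auto NAT variant is simply skipped), and the two embedded configs are constructed copies of the question's snippet and of the answer's corrected Manual NAT snippet plus ACL.

```python
"""Lint ASA 8.3+ NAT/ACL snippets for the port-forwarding mistakes in this thread.
Added example: not the posters' or Cisco's code; covers only the statements used here."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the question's config and of the answer's Manual NAT + ACL.
BROKEN_CONFIG = """
object network testServer
  host 192.168.1.110
object service myImap
  service tcp source eq 25 destination eq 25
object service http
  service tcp source eq 80 destination eq 80
object-group service testServerPorts
  service-object object myImap
  service-object object http
nat (inside,outside) source static testServer interface service myImap myImap
nat (inside,outside) source static testServer interface service http http
access-list outside_access_in permit object-group testServerPorts object testServer any
"""

FIXED_CONFIG = """
object service HTTP
 service tcp source eq 80
object service SMTP
 service tcp source eq 25
object network SERVER
 host 192.168.1.110
nat (inside,outside) source static SERVER interface service HTTP HTTP
nat (inside,outside) source static SERVER interface service SMTP SMTP
object-group service SERVER-PORTS
 service-object tcp destination eq www
 service-object tcp destination eq smtp
access-list outside_access_in permit object-group SERVER-PORTS any object SERVER
"""


@dataclass
class ServiceObject:
    name: str
    src_port: Optional[str] = None   # from 'source eq <port>'
    dst_port: Optional[str] = None   # from 'destination eq <port>'


def parse_config(text):
    """Return (service objects by name, service groups by name, NAT lines, ACL lines)."""
    services, groups, nats, acls = {}, {}, [], []
    current = None                      # object or group whose sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"object service (\S+)$", line):
            current = services[m.group(1)] = ServiceObject(m.group(1))
        elif m := re.match(r"object-group service (\S+)$", line):
            current = groups[m.group(1)] = []
        elif line.startswith("object network "):
            current = None              # host lines are not needed for these checks
        elif line.startswith("nat "):
            nats.append(line)
        elif line.startswith("access-list "):
            acls.append(line)
        elif isinstance(current, ServiceObject) and line.startswith("service "):
            p = line.split()
            if "source" in p:
                current.src_port = p[p.index("source") + 2]
            if "destination" in p:
                current.dst_port = p[p.index("destination") + 2]
        elif isinstance(current, list) and line.startswith("service-object "):
            current.append(line.split()[1:])
    return services, groups, nats, acls


def _address(tokens):
    """Consume one ACL address spec: 'any' or '<object|object-group|host> NAME'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def lint(text):
    """Return human-readable findings; an empty list means the snippet is clean."""
    services, groups, nats, acls = parse_config(text)
    findings = []
    # Check 1: in 'nat ... source static REAL MAPPED service X Y' both service objects
    # describe the server's *source* port; a 'destination' clause only narrows the
    # match to flows whose client-side port happens to be the same number.
    for rule in nats:
        if m := re.search(r"\bsource static .* service (\S+) (\S+)$", rule):
            for name in dict.fromkeys(m.groups()):      # de-duplicate 'HTTP HTTP'
                svc = services.get(name)
                if svc and svc.dst_port is not None:
                    findings.append(f"NAT: service object {name} also sets destination "
                                    f"port {svc.dst_port}; NAT needs only 'source eq <port>'")
    # Check 2: an inbound ACL matches the client's destination port and must name
    # the server as the destination address, not the source.
    for acl in acls:
        p = acl.split()
        if "permit" not in p:
            continue
        rest = p[p.index("permit") + 1:]
        members = groups.get(rest[1], []) if rest[0] == "object-group" else []
        for member in members:
            if member[0] == "object":
                svc = services.get(member[1])
                bad = svc is None or svc.dst_port is None or svc.src_port is not None
            else:
                bad = "destination" not in member
            if bad:
                findings.append(f"ACL: {rest[1]} member '{' '.join(member)}' must match "
                                f"only a destination port")
        rest = rest[2:] if rest[0] in ("object-group", "object") else rest[1:]
        src, rest = _address(rest)
        dst, _ = _address(rest)
        if dst == "any" and src != "any":
            findings.append(f"ACL: {src} is the source and the destination is 'any'; "
                            f"inbound traffic has the server as its destination")
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", BROKEN_CONFIG), ("answer", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
```

Run against the question's snippet it reports five findings (one per NAT rule, one per service-group member, one for the reversed ACL direction); the answer's snippet produces none. The parser is deliberately narrow: anything outside the statements shown in this thread is ignored rather than guessed at, so a clean result only means these particular mistakes are absent.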
