Nat with Port translation with 8.4(3)

nickhesson
Level 1

Hello all,

This problem is killing me. Makes me feel like crying. Maybe giving this game up and cleaning toilets for a living. Sorry, but WHY did Cisco have to go screw with something that JUST WORKED in 8.2 and earlier. It's simple really, but I can't get it to work. Trying to translate telnet for switches to the outside IP address at some random ports.

172.16.200.2:23 ->  10.199.199.2:2300

172.16.200.3:23 ->  10.199.199.2:2301

172.16.200.4:23 ->  10.199.199.2:2302

etc....  

ASA 5510 running 8.4(3):

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.199.199.2 255.255.255.248
interface Ethernet0/1.200
 vlan 200
 nameif inside
 security-level 100
 ip address 172.16.200.254 255.255.255.0

access-list outsideACL extended permit ip any any  (THIS IS TO RULE OUT ACL PROBLEM)
access-group outsideACL in interface outside
object network obj-any
 subnet 0.0.0.0 0.0.0.0
object network Switch_TN
 host 172.16.200.3
nat (any,outside) source dynamic obj-any interface
object network Switch_TN
 nat (inside,outside) static interface service tcp telnet 2301

I cannot access the switch at 10.199.199.2:2301. What am I doing wrong? Or should cleaning toilets be something I really should look at!

Now if I run this NAT statement:

object network Switch_TN
 nat (inside,outside) static 10.199.199.3 service tcp telnet 2301

I am able to access the switch at 10.199.199.3:2301

Please tell me what I'm missing!  Thanks for your time and help,

Nick

7 Replies

amigomnemonik
Level 1

You need to input static NAT rules from the outside interface to inside hosts along with the associated ports. ACLs can then be used to allow telnet traffic from outside (i.e. specific hosts) to the global address with port numbers, and then when traffic arrives on the global interface, static NAT rules will map it to the internal hosts and pass the traffic through.

Thanks for the Quick reply.  But I still don't understand.

"input static NAT rules from outside to inside"?  What does that mean?  I tried a rule like:

object network OutsideIP
 host 10.199.199.2
nat (outside,inside) static Switch_TN service tcp 2301 23

But the ASA does not take that command. Then you talk about ACLs? But I have an "ip any any" ACL on the outside interface. Did you read my config? Again, thanks for trying. But your post has me completely lost. I guess I'm fundamentally at odds as to why my config will not work; something close to that statement used to work in older ASA versions.

Thanks,

Nick

nickhesson
Level 1

Ok, looks like I got my problem fixed. The "after-auto" in my PAT statement will allow me to use both my outside interface as a PAT interface and the NAT statement. The problem for me is knowing why that worked. Can someone forward info as to why that worked? So if I have the following commands:

nat (any,outside) after-auto source dynamic any interface
object network Switch_TN
 nat (inside,outside) static interface service tcp telnet 2303

Now, telnet to my switches worked. 

Nick

Hi Nick,

If you use dynamic NAT first and then specify static NAT rules, static NAT rules will not be considered if the word "after-auto" is missing in the dynamic NAT rule.

Manual NAT is always considered before dynamic NAT so if you use "after-auto" on dynamic rule, it will take precedence over static first.

Regards,

Interesting tidbit of information.

Now I'm using 8.43 and do NOT have any such after-auto statement in my dynamic NAT rule.

How then do you explain that my static NAT rules that come after my dynamic rule DO work, despite the above comment???

object network obj_any_main-lan
 nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
 nat (admin-dmz,outside) dynamic interface
(dynamic PAT for inside and DMZ respectively)

object network NAT4OM3
 nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
 nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
 nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
 nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
 nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
 nat (main-lan,outside) static interface service tcp 5080 www
(static NAT for port forwarding purposes)

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1

Hi Alex,

What is the output of show nat for you?

If I didn't have after-auto, the NAT statement went into Section 1. Now it's in Section 3, where my static NAT statements always remain in Section 2. I still have not educated myself on these lists. But will soon.

Sorry Kamil, your replies are hard to follow. "Manual NAT is always considered before dynamic NAT so if you use "after-auto" on dynamic rule, it will take precedence over static first."

If nat (any,outside) source dynamic any interface is a dynamic NAT policy, which I believe it is, this policy would end up in Manual NAT Policies (Section 1). Then if I use the same command but with after-auto, nat (any,outside) after-auto source dynamic any interface, this policy will be in Manual NAT Policies (Section 3). After which my Auto NAT Policies (Section 2) statement will start to work.

So "dynamic NAT" is placed into Manual NAT Section 1 or 3 based on after-auto. In my configuration I have to use after-auto, so that the static statements are placed before the dynamic PAT statement. So you can see how I'm confused by your sentence. I do appreciate the support.

If anyone has the right answer, please educate us. As Alex's configuration in my eyes should work, and in fact does for him. But I've done the same config, and it does not work for me.

Thanks,

Nick
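As an added illustration of the section ordering Nick and Kamil are discussing (example code written for this page, not from the thread or from Cisco), here is a small Python model of how a new connection is matched against Sections 1, 2 and 3 of the NAT table. It uses the outside address and the Switch_TN mapping from Nick's config; the client addresses, rule names and the simplified matching logic are constructed assumptions, not ASA internals.

```python
"""A small model of how an ASA 8.3+ NAT table is walked for a new connection.

Illustrative code written for this thread, not Cisco's implementation.
Simplifying assumptions:
  * Rules are checked in Section 1 (manual NAT), then Section 2 (object/auto
    NAT), then Section 3 (manual NAT with after-auto); the first match wins.
  * A static object NAT port map is bidirectional: an inbound connection to
    mapped_ip:mapped_port on the egress interface becomes real_ip:real_port.
  * A manual dynamic source rule whose ingress is "any" also matches a packet
    arriving on the outside interface, and leaves the destination untouched.
    That is the modelled reason it shadows the Section 2 static rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IP = "10.199.199.2"   # outside interface address from the thread


@dataclass
class Packet:
    ingress: str              # interface the first packet arrives on
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    section: int              # 1 = manual, 2 = auto (object NAT), 3 = after-auto
    kind: str                 # "dynamic_src" or "static_port"
    ingress: str              # real interface name, or "any"
    egress: str
    real_ip: str = ""
    real_port: int = 0
    mapped_ip: str = ""
    mapped_port: int = 0

    def destination_after(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Return the (dst_ip, dst_port) this rule yields, or None if no match."""
        if self.kind == "dynamic_src":
            # Source PAT behind the egress interface: destination is not rewritten.
            if self.ingress in ("any", pkt.ingress):
                return (pkt.dst_ip, pkt.dst_port)
            return None
        if self.kind == "static_port":
            # Reverse direction of the static port map: untranslate the destination.
            if (pkt.ingress == self.egress and pkt.dst_ip == self.mapped_ip
                    and pkt.dst_port == self.mapped_port):
                return (self.real_ip, self.real_port)
            return None
        raise ValueError(f"unknown rule kind: {self.kind}")


def lookup(table: List[NatRule], pkt: Packet) -> Tuple[Optional[str], Tuple[str, int]]:
    """Walk the table in section order (stable within a section); first match wins."""
    for rule in sorted(table, key=lambda r: r.section):
        dst = rule.destination_after(pkt)
        if dst is not None:
            return rule.name, dst
    return None, (pkt.dst_ip, pkt.dst_port)      # no NAT: deliver as addressed


def thread_tables() -> Tuple[List[NatRule], List[NatRule]]:
    """The two tables the thread contrasts: dynamic PAT in Section 1 vs. after-auto."""
    static_2301 = NatRule("Switch_TN static 2301->23", 2, "static_port", "inside", "outside",
                          real_ip="172.16.200.3", real_port=23,
                          mapped_ip=OUTSIDE_IP, mapped_port=2301)

    def dynamic_pat(section: int) -> NatRule:
        return NatRule(f"dynamic PAT (Section {section})", section, "dynamic_src",
                       "any", "outside", mapped_ip=OUTSIDE_IP)

    broken = [dynamic_pat(1), static_2301]   # nat (any,outside) source dynamic obj-any interface
    fixed = [dynamic_pat(3), static_2301]    # nat (any,outside) after-auto source dynamic any interface
    return broken, fixed


# Constructed sample connections; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
INBOUND_TELNET = Packet("outside", "198.51.100.7", OUTSIDE_IP, 2301)
OUTBOUND_HTTPS = Packet("inside", "172.16.200.50", "203.0.113.10", 443)


if __name__ == "__main__":
    broken, fixed = thread_tables()
    for label, table in (("Section 1 dynamic PAT", broken), ("after-auto dynamic PAT", fixed)):
        print(f"{label}: inbound :2301 -> {lookup(table, INBOUND_TELNET)}")
        print(f"{label}: outbound https -> {lookup(table, OUTBOUND_HTTPS)}")
```

With the dynamic rule in Section 1 the inbound connection to :2301 is claimed by that rule and the destination is never untranslated, so nothing reaches the switch; with after-auto the Section 2 static rule is tried first and wins, while outbound traffic still falls through to the Section 3 PAT. The `show nat` output Kamil asked for is the real way to confirm which section each rule landed in.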

Well, I only used object-oriented NAT rules in ASDM, not CLI. When one uses this method the rules are automagically ordered, I guess. When you do it manually (believe this is called twice NAT or manual NAT) things get hairy LOL.

In my setup all my services are destination services.

Also, I think we are mixing apples and oranges. I am opening up a server or servers within the LAN to external users. So I am really only concerned with one direction, outbound to inbound. By the very fact that a. I have a routing next hop outbound to the ISP gateway IP and I have allowed all hosts on the LAN dynamic PAT (to get to the net) and by the fact that higher to lower security traffic is permitted by default (a high-falutin term for the much easier LAN to WAN permit lingo), I know return traffic to the external originator will get back to him easy peasy.

It appears that you're more concerned about internal users behind the ASA getting out to external servers. In other words your intent is LAN to WAN deny except for access to external servers. Basically you will need a firewall rule that denies any to any type of idea, but only AFTER firewall LAN to WAN rules for specified internal users via certain services to certain external IPs of the ALLOW variety. Order here is important as the rules are checked one by one.

How to do NAT for this is beyond me, because then I would probably have to use source for services and manual NAT (twice NAT), which blows my mind..
