03-11-2012 05:02 PM - edited 03-11-2019 03:40 PM
Hello all,
This problem is killing me. Makes me feel like crying. Maybe giving this game up and clean toilets for a living. Sorry but WHY did Cisco have to go screw with something that JUST WORKED in 8.2 and earlier. It's simple really, but I can't get it to work. Trying to translate telnet for switches to the outside ip address at some random ports.
172.16.200.2:23 -> 10.199.199.2:2300
172.16.200.3:23 -> 10.199.199.2:2301
172.16.200.4:23 -> 10.199.199.2:2302
etc....
ASA 5510 running 8.4(3):
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.199.199.2 255.255.255.248
interface Ethernet0/1.200
vlan 200
nameif inside
security-level 100
ip address 172.16.200.254 255.255.255.0
access-list outsideACL extended permit ip any any (THIS IS TO RULE OUT ACL PROBLEM)
access-group outsideACL in interface outside
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network Switch_TN
host 172.16.200.3
nat (any,outside) source dynamic obj-any interface
object network Switch_TN
nat (inside,outside) static interface service tcp telnet 2301
I cannot access the switch at 10.199.199.2:2301. What am I doing wrong? Or should cleaning toilets be something I really should look at!
Now if I run this NAT statement:
object network Switch_TN
nat (inside,outside) static 10.199.199.3 service tcp telnet 2301
I am able to access the switch at 10.199.199.3:2301
Please tell me what I'm missing! Thanks for your time and help,
Nick
03-11-2012 05:19 PM
You need to input static NAT rules from outside interface to inside hosts along with the associated ports. ACLs can be used then to allow telnet traffic from outside (i.e. specific hosts) to global address with port numbers, and then when traffic arrives on the global interface, static NAT rules will map it to the internal hosts and pass the traffic through.
03-11-2012 05:50 PM
Thanks for the Quick reply. But I still don't understand.
"input static NAT rules from outside to inside"? What does that mean? I tried a rule like:
Object network OutsideIP
host 10.199.199.2
nat (outside,inside) static Switch_TN service tcp 2301 23
But the ASA does not take that command. Then you talk about ACLs? But I have an "IP any any" ACL on the outside interface. Did you read my config? Again, thanks for trying. But your post has me completely lost. I guess I'm fundamentally at odds as to why my config will not work, something close to that statement used to work in older ASA versions.
Thanks,
Nick
03-13-2012 11:04 AM
Ok, looks like I got my problem fixed. The "after-auto" in my PAT statement will allow me to use both my outside interface as a PAT interface and the NAT statement. The problem for me is knowing why that worked. Can someone forward info as to why that worked? So if I have the following commands:
nat (any,outside) after-auto source dynamic any interface
object network Switch_TN
nat (inside,outside) static interface service tcp telnet 2303
Now, telnet to my switches worked.
Nick
03-25-2012 02:52 PM
Hi Nick,
If you use dynamic NAT first and then specify static NAT rules, static NAT rules will not be considered if the word "after-auto" is missing in the dynamic NAT rule.
Manual NAT is always considered before dynamic NAT so if you use "after-auto" on dynamic rule, it will take precedence over static first.
Regards,
03-25-2012 06:03 PM
Interesting tidbit of information.
Now I'm using 8.43 and do NOT have any such after-auto statement in my Dynamic NAT rule.
How then do you explain that my static NAT rules that come after my Dynamic rule DO work, despite the above comment???
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
(dynamic pat for inside and dmz respectively)
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
(static NAT for port forwarding purposes)
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
03-26-2012 06:06 PM
Hi Alex,
What is the output of show nat for you?
If I didn't have after-auto, the NAT statement went into Section 1. Now it's in Section 3. Where my static NAT statements always remain in Section 2. I still have not educated myself on these lists. But will soon.
Sorry Kamil, your replies are hard to follow. "Manual NAT is always considered before dynamic NAT so if you use "after-auto" on dynamic rule, it will take precedence over static first."
If nat (any,outside) source dynamic any interface is a dynamic NAT policy. Which I believe it is. This policy would end up in Manual NAT Policies (Section 1). Then if I use the same command but with after-auto, nat (any,outside) after-auto source dynamic any interface. This policy will be in Manual NAT Policies (Section 3). After which my Auto NAT Policies (Section 2) statement will start to work.
So "dynamic nat" is placed into Manual NAT Section 1 or 3 based on after-auto. In my configuration I have to use after-auto, so that the static statements are placed before the dynamic PAT statement. So you can see how I'm confused by your sentence. I do appreciate the support.
If anyone has the right answer, please educate us. As Alex's configuration in my eyes should work, and in fact does for him. But I've done the same config, and it does not work for me.
Thanks,
Nick
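A toy Python model of the NAT-section ordering Nick describes above (Section 1 manual NAT, Section 2 object/auto NAT, Section 3 manual NAT with after-auto), added here as an example and not code from the thread or from Cisco. It assumes the table is walked first-match in section order and, as a modelling assumption, that a manual dynamic rule whose real interface is "any" also claims flows entering on outside; `telnet_to_switch` returns which section answers an outside client connecting to 10.199.199.2:2301.

```python
# Added example (not from the thread or Cisco): a toy model of how an ASA 8.3+
# orders its NAT table into the three "show nat" sections and walks it first-match.
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IP = "10.199.199.2"  # outside interface address from the thread's config

@dataclass
class NatRule:
    real_if: str                       # first interface in "nat (real,mapped)"
    mapped_if: str
    kind: str                          # "manual-dynamic" (twice NAT) or "object-static"
    after_auto: bool = False           # only meaningful for manual rules
    mapped_port: Optional[int] = None  # "service tcp telnet <mapped_port>"
    real_host: Optional[str] = None

    @property
    def section(self) -> int:
        # Object NAT always lands in Section 2; manual NAT goes to Section 1,
        # or to Section 3 when it is configured with "after-auto".
        if self.kind == "object-static":
            return 2
        return 3 if self.after_auto else 1

def lookup_inbound(rules: List[NatRule], ingress_if: str,
                   dst_ip: str, dst_port: int) -> Tuple[int, str]:
    """Walk Sections 1, 2, 3 in order for a packet entering on ingress_if."""
    for r in sorted(rules, key=lambda x: x.section):  # stable within a section
        if r.kind == "object-static":
            # Static object rules are bidirectional: a hit on the mapped
            # interface IP/port is untranslated to the real host on port 23.
            if (ingress_if, dst_ip, dst_port) == (r.mapped_if, OUTSIDE_IP, r.mapped_port):
                return r.section, f"{r.real_host}:23"
        elif r.real_if in ("any", ingress_if):
            # ASSUMPTION of this model: a manual dynamic rule whose real interface
            # is "any" also claims flows entering on outside, so when it sits in
            # an earlier section it shadows the port forward below it.
            return r.section, "dynamic PAT rule matched; no port forward"
    return 0, "no translation"

def thread_config(after_auto: bool) -> List[NatRule]:
    """Nick's two rules: manual dynamic PAT plus the object static port forward."""
    return [
        NatRule("any", "outside", "manual-dynamic", after_auto=after_auto),
        NatRule("inside", "outside", "object-static",
                mapped_port=2301, real_host="172.16.200.3"),
    ]

def telnet_to_switch(after_auto: bool) -> Tuple[int, str]:
    return lookup_inbound(thread_config(after_auto), "outside", OUTSIDE_IP, 2301)
```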
03-27-2012 09:04 PM
Well I only used object oriented NAT rules in ASDM. Not CLI. When one uses this method the rules are automagically ordered I guess. When you do it manually (believe this is called twice nat or manual nat) things get hairy LOL.
In my setup all my services are destination services.
Also, I think we are mixing apples and oranges. I am opening up a server or servers within the LAN to external users. So I am really only concerned with one direction outbound to inbound. By the very fact that a. I have a routing next hop outbound to the ISP gateway IP and I have allowed all hosts on the LAN dynamic pat (to get to the net) and by the fact that higher to lower security traffic is permitted by default ( a high falutin term for the much easier LAN to WAN permit lingo) I know return traffic to the external originator will get back to him easy peasy.
It appears that you're more concerned about internal users behind the asa to get out to external servers. In other words your intent is LAN to WAN deny except for access to external servers. Basically you will need a firewall rule that denies any to any type of idea but only AFTER firewall LAN to WAN rules for specified internal user via certain services to certain external IPs of the ALLOW variety. Order here is important as the rules are checked one by one.
How to do NAT for this is beyond me because then I would probably have to use source for services and manual nat (twice nat) which blows my mind.