Re: Static Policy NAT Rule in ASA

carlosluqueportero · ‎08-26-2010

Hi,

we have a 5520 ASA and we need use NAT to a DMZ server. Users from outside should access to http port and DMZ server listen in 8080. For Corporative users (LAN, Remote branch office and VPN Remote-USers) server listen in port 80 (they attack to public address port 80 too).

We think use Static Policy NAT Rule in order to translate <internal_server_Addres>:8080 port to <public_server_Addres>:80 for destination "any" and other rule for <internal_server_Addres>:80 port to <public_server_Addres>:80 to the IP list of corporative users (LAN, Remote users...)

It doesn´t work configuring DMZ51_nat_static_1 with deny rules for corporative users ("ERROR: access-list has deny statements" from CLI) nor create a static nat rule for specific destionation and other different rule for "any" destination (overlapping rule warning).

It is the actual configuracion (all traffic <internal_server_Addres>:8080 port to <public_server_Addres>:80 without exceptions)

access-list DMZ51_nat_static_1 extended permit tcp host <PRIVATE IP ADDRESS> eq 8080 any
static (DMZ51,outside) tcp <PUBLIC IP ADDRESS> www access-list DMZ51_nat_static_1

Any idea how can I that we need?

Thank you,

Regards

Carlos

Kureli Sankar · ‎08-26-2010

Carlos,

What you saw is expected.

1. You cannot add deny lines in policy ACL.

2. You cannot add ports and protocols in a nat exemption ACL.

Now, I can understand the outside users accessing the DMZ server using the public address. Do the LAN, VPN users and Remote branch also address the DMZ server with the public address? If so, this traffic will be seen on the outside of the ASA? How come?

Would you draw a little toplogy for us? Where are the Remote Branches?

inside LAN------(in)ASA(out)----Internet

|

DMZ

The LAN users should access the DMZ servers using their inside address. So just this static

static (D,O) tcp p.p.p.p 80 d.d.d.d 8080

where p.p.p.p - is the public address

d.d.d.d - is the dmz real address

-KS

carlosluqueportero · ‎08-26-2010

Hi, thanks for your answer.

Kusankar, everybody access to the server with the Public IP Address, the differenc is that Users from Internet access to port 80 and it is redirect to private-IP port 8080 and the rest users (remote users, remote branch and LAN) access to public IP address port 80 and we only need IP translatation to real IP in the DMZ server withouth port translation. When we don´t use port translation everything work fine. Remote users access to the DMZ accross outside (Internet).

The topology is as you say:

inside LAN------(in)ASA(out)----Internet (remote users, branch office, internet users)

(inside users) |

DMZ

(Web Server)

I am trying use policy nat rule in order to say that port redirection with NAT is use when the destination of the packet is for "any" IP in outside interface and only NAT(withouth port redirection) is used for known ip (vpn remote users and branch offices) but I don´t know how do it. When I configure it from ASDM, it say that there is an overlapping rule (one policy nat rule is with destination "any" and the other one if for known ip using the same external interface)

Regards,

Carlos

Nagaraja Thanthry · ‎08-26-2010

Hello,

If you want specific user groups to access specific ports, you could use policy NAT.

access-list Corp permit tcp eq 80

access-list Gen permit tcp eq 8080 any

static (DMZ,outside) tcp 80 access-list Corp

static (DMZ,outside) tcp 80 access-list Gen

Hope this helps.

Regards,

NT

Message was edited by: Nagaraja Thanthry

carlosluqueportero · ‎08-27-2010

Hi, thank you but I cannot configure it from CLI. I receive the following error:"ERROR: mapped-address conflict with existing static"

I am using version 8.0(4). Any idea?

Carlos

praprama · ‎08-27-2010

Hi,

The error you are saying is expected because we are using the same public IP and port configuration in both the statics (P.P.P.P:80).

I am still a bit confused with the requirement. The web server that you have assuming the public IP is going to be P.P.P.P, you want remote users, corporate network, etc to access it using regular url "http://P.P.P.P" but for internet users, they should be accessing it using the url "http://P.P.P.P:8080"

Please let me know if the above is your requirement or if i am wrong in my understanding.

Regards,

Prapanch.

carlosluqueportero · ‎08-27-2010

Hi

all users access to (<80>). For general users (unknow IPs) the NAT should do a PAT and translate:

<80> to <8080>

for known ip ranges (inside, remote branch..) the ASA only shoul translate the IP keeping the same port

<80> to <80>

I don´t understand why using policy nat rule i cannot do it. I understood policy nat rules were employed when you need different NAT behaviour based on the destination of the packet and It is that we are doing in this case... For some known IP only Static NAT and for the rest of IP (Any) NAT+PAT with the same public address in both cases and the same interfaces (DMZ-outside)

Thank you for your help and time.

Regards,

Kureli Sankar · ‎08-27-2010

Unfortunately this will not work.

You need unique port numbers.

You cannot do

80 to 80

80 to 8080

You probably need to ask one batch of users to use http://x.x.x.x:8080 when they try to access.

-KS

praprama · ‎08-27-2010

Hi,

The mains purpose of policy NAT is to translate a set of inside users to different public IPs and/or ports when accessing different locations. Now in our case, the translated IP:port combination is going to be the same while the inside IP:port combination is going to be different. I am afraid the ASA will not accept 2 statics with the same translated IP:port combination.

Regards,

Prapanch

carlosluqueportero · ‎08-27-2010

Ok, I understand it is not possible using policy nat rule with the same public-ip:port. Have somebody any other idea to do that we need: Using one public IP and port, it will be translate to different internal port depending the IP address who do the request?

Thank you.

Regards,