Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA 5510, 8.4(4)1 totally confused NAT

I'll try to keep this simple. I've spent about 18 hours researching, searching and experimenting, and that's an honest figure, I kept track of my time so far.
I need to run an inside server on our inside network but have the outside be able to reach it via 3 specific ports and protocols.
I had HOPED to use objects and groups to accomplish this and not have to redefine this server or host 3 times and run 3 or more NAT statements as that totally defeats the concept and purpose of objects, doesn't it? But the NAT statement seems to refuse to deal with GROUPS. I can put a single SERVICE, or a single port in the NAT, but I can't get a single NAT line under a single object - this server, to take multiple ports that are not a range.

Here's the need - I'll define each thing first to keep it simple and straight (at least in my head):
Interface that faces or sits on the dirty Internet is named "WAN" (why I do not know but it is and it's too complex to change it now)
WAN, the outside interface, has an IP address of 1.1.1.66
Our provider has given us 16 public hosts or addresses we can use.
(1.1.1.67 is on the failover ASA for this same interface.)
My server on the inside LAN is 10.10.10.70
I need to use a DIFFERENT address as I need to keep it apart from the 1.1.1.66 and 1.1.1.67 used on the 5510 pair WAN interface.

I want to use a specific Internet address of 1.1.1.68 for outside to access the server sitting on 10.10.10.70 on the inside.
BUT, I want access for UDP 500, UDP 4500 and ESP only, nothing else.

The idea is this - something on the outside, meaning on the Internet, needs my server on the inside so hits the WAN interface at this IP address of 1.1.1.68 UDP port 500 or 4500 or ESP to get to my server on the LAN inside.
The ASA has to notice traffic on UDP 500, 4500 and ESP aimed at 1.1.1.68  and translate it to the SAME ports on 10.10.10.70.
So I need a NAT that will say traffic hitting 1.1.1.68 UDP 500 or UDP 4500 or ESP should be forwarded to 10.10.10.70 UDP 500, or UDP 4500 or ESP.

The server needs to respond back of course!
So very simple it's done all the time. "port forwarding" and a static NAT - that server always would be found at 1.1.1.68 if you were outside looking in and it would also always go out as that address. but inside we know it as 10.10.10.70

I can seem to get NAT to take if I use a single service or define a single service, but when I create a service group that has UDP 500, UDP 4500 and ESP in it, it won't recognize any group - it pukes if I say any word except SERVICE in the NAT statement.

This is one way I've tried, but then 8.3 and later don't seem to like this and the word "source" is killing me and I can't find reference to it anywhere.

object service VPN-4500
 service udp destination eq 4500
object service VPN-500
 service udp destination eq isakmp

object-group service mygroup
 service-object object VPN-4500
 service-object object VPN-500

(I also now have ESP in there but that's of no consequence as it won't even work with just these two)

object network servernetworkobject
 host 10.10.10.70
 description my server
object network vpn-out
 host 1.1.1.68
 description second IP address to use when aiming at my server

 

nat (inside,WAN) source static servernetworkobject WANsecondIP service mygroup mygroup

where servernetworkobject is the name I've defined for the network object in the ASA and WANsecondIP is the address I want to use defined as a network object and mygroup is the group I created that contains the 3 services or ports.
Those aren't real names or addresses so it's not really that corny in the configuration, I just cleaned it up for public use

 

ALL examples I find on the web, including Cisco sites, look a lot like this, but then I also see it must be defined with the network object itself and that's different than the samples on the Cisco sites! I'm SO confused.... Object should simplify this in spades, instead it's making it a lot harder and making the configuration a whole lot bigger and more clumsy.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

The easiest way to do it is:1

The easiest way to do it is:

1. define the static nat rule

2. Add an access-list (or entry in the existing WAN_in (or whatever you call it) access list) to allow the service group.

So you would have:

object network servernetworkobject
 host 10.10.10.70
 description my server
object network vpn-out
 host 1.1.1.68
 description second IP address to use when aiming at my server

nat (inside,WAN) source static servernetworkobject vpn-out

...and

access-list WAN_in extended permit object-group mygroup any object servernetworkobject

2 REPLIES
Hall of Fame Super Silver

The easiest way to do it is:1

The easiest way to do it is:

1. define the static nat rule

2. Add an access-list (or entry in the existing WAN_in (or whatever you call it) access list) to allow the service group.

So you would have:

object network servernetworkobject
 host 10.10.10.70
 description my server
object network vpn-out
 host 1.1.1.68
 description second IP address to use when aiming at my server

nat (inside,WAN) source static servernetworkobject vpn-out

...and

access-list WAN_in extended permit object-group mygroup any object servernetworkobject

New Member

Well, you nailed it again. I

Well, you nailed it again. I did find a little feature in the ASDM that is called "public server". It appeared to be similar to what I wanted to do.

I followed what you advised there, but experimented in the ASDM as well and found that it matched what I was doing manually, including being able to use the port group I'd created.

Odd that it's done there and not in NAT as I'd prefer to not translate ALL ports and protocols but ONLY those directly related to my project as in my mind if the others aren't even translated at all, then if the access list is bad or off or somehow removed or modified, no big deal as the NAT or PAT would not translate those other ports so nothing could get to the server anyway, it wouldn't know where to find it!

So to me, doing this ALL through NAT is far more secure, safer. If it can't find the server, it can't touch the server.  This method of doing it is more like putting the server on display but locking the windows. You can see it, you can get translated to and from it, but we'll not let you touch it. Look, but don't touch. I'd rather say "ha ha ha - you can't even see it! You don't even know it exists!
And this is even MORE odd because if it was a SINGLE protocol or port, say it was a WEB server, I could NAT the address and tell it port 80 to port 80 and pretty much be done. But since it's more than 1 port, because it's 2 ports, I can't do it in NAT. Well, I could by defining TWO objects, I could call it "server1 ip x.x.x.x port 80 port 80" and then define a second object "server2 ip x.x.x.x port 443 port 443" for example.

And I can define both objects just like that, sort of, and I can NAT each address/port to the SAME object, but I can't do it with a single object and single NAT. I could if it was a PORT RANGE, making this even more odd that Cisco won't allow 2 ports.
So I can create 2 objects, point BOTH objects to the exact same IP address or server, then NAT the same addresses, but a different port using 2 NAT, or I can NAT using a range like 80-443 for example and be done with it in a single object, single NAT. But since the two ports aren't contiguous, I can't do it at one NAT even with an object group.

And that's what threw me - there is absolutely no logic in that! There's no logic in allowing me to define multiple ports using a range, allowing me to create and define two objects, both of which point to the same IP/server and do it that way, and I can create an object group with multiple ports, but the NAT won't use the group. That's rather bizarre to me.

So I have the second outside IP address defined as an object, and I have the server NIC address defined as an object,
I have the ports each defined, and then a group defined using the port objects,
Later there is an access list like this that will use the ports group:
access-list WAN_access extended permit object-group vpn-ports any object vpn_gateway

 

Then below that, there is:
object network vpn_gateway
 nat (inside,WAN) static vpn-out
access-group WAN_access in interface WAN

This is how the ASDM put it, not in the same order as you had it, and not how I was putting things manually but the way things are ordered in the configuration is still a mystery to me with all the this before that and so on.

I think what helped to confuse me was all of the other posts and articles on the web speaking to this same sort of topic - and the fact that a lot of them had the versions mixed up. I'd read a question where someone had 8.3 or later, but a response would come back which I later discovered wasn't for that version but was for 8.2 for example. Then I'd read posts about doing this exact same thing in 8.2 and someone would pop in and toss a totally different code into the mix which I later discovered was part for 8.2 and part for 8.3 and wouldn't work at all because  of the mixing. So bottom line, too much of what's out there on this exact topic is not correct, or not TOTALLY correct, because people are failing to READ what the original question posted had as the VERSION Amazing how folks coming in to help fail to catch the VERSION the person with the question is running and they continue on as if the world is using the same version they are. (I see that on our car forum daily - no one bothered to read that it was a 6 cylinder and not a V8 so they go on as if they have it covered....wrong engine folks ;-)    )

Thanks - it isn't kicking errors, I've not had a chance to TEST yet, but it does seem to make sense now and your response makes sense compared to what I know now.

(Now to figure out how to add a second subnet to the existing server for internal use without confusing things!)

145
Views
0
Helpful
2
Replies
CreatePlease to create content