24 Replies. Latest reply: Jan 29, 2019 5:02 PM by Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

    ASA obj_any in NAT rules

    KashifRana

      Hello Experts

       

      I was doing a cleanup on a Cisco ASA running version 9.8 and found the odd-looking NAT statements and objects below. I would really appreciate it if someone could explain them and let me know whether I can delete them safely.

       

      object network obj_any

         subnet 0.0.0.0 0.0.0.0

         nat (inside,outside) dynamic obj-0.0.0.0

       

      object network obj_any-01

         subnet 0.0.0.0 0.0.0.0

         nat (inside,mgmt) dynamic obj-0.0.0.0

       

      Regards,

       

      KR

        • 1. Re: ASA obj_any in NAT rules
          Juergen Ilse CCNA R&S

          KashifRana wrote:

           

          Hello Experts

           

          I was doing a cleanup on a Cisco ASA running version 9.8 and found the odd-looking NAT statements and objects below. I would really appreciate it if someone could explain them and let me know whether I can delete them safely.

           

          object network obj_any

             subnet 0.0.0.0 0.0.0.0

             nat (inside,outside) dynamic obj-0.0.0.0

           

          object network obj_any-01

             subnet 0.0.0.0 0.0.0.0

             nat (inside,mgmt) dynamic obj-0.0.0.0

          I never had the need to clean up such a configuration, but I think that with object NAT (auto NAT) you can replace those two rules with a single one using "any" as the destination interface:

           

          object network obj_any

             subnet 0.0.0.0 0.0.0.0

             nat (inside,any) dynamic obj-0.0.0.0

           

          (unless you do some "dirty tricks" for traffic entering and leaving the ASA via the inside interface, which would only be possible with "same-security-traffic permit intra-interface" configured). With twice NAT (manual NAT) rules, I wouldn't try to use "any" as the destination interface in a NAT rule, since it may lead to surprising and unwanted results ...

          • 2. Re: ASA obj_any in NAT rules
            KashifRana

            So essentially, what is the statement below doing? Is it equivalent to 'NO-NAT'?

             

            object network obj_any

               subnet 0.0.0.0 0.0.0.0

               nat (inside,any) dynamic obj-0.0.0.0

            • 3. Re: ASA obj_any in NAT rules
              Juergen Ilse CCNA R&S

              I'm not sure what that NAT rule will do, but I'm pretty sure that I would not have created such a NAT rule ...

               

              After thinking again about that NAT rule, I think it will maybe do identity NAT for traffic from inside to outside and deny traffic from outside to inside (if not matched by a previous NAT rule for traffic from outside to inside).

              • 4. Re: ASA obj_any in NAT rules
                T.J.

                Same boat as Juergen. Unsure what that statement is actually doing, but maybe run a 'show nat' on the ASA and see if there are any hits on it? If it doesn't end up being a no-NAT, it's almost like someone is trying to NAT traffic on an interface but has done it incorrectly. Or there's some odd way to configure it that isn't normal.

                 

                If this is an attempted or successful dynamic NAT config for outbound traffic, I would expect to see something like 'nat (inside,outside) dynamic interface'.

                 

                Again, just making an assumption it's supposed to be a dynamic NAT.  Haven't seen it.

                 

                Out of curiosity, is the object obj-0.0.0.0 actually covering the subnet 0.0.0.0/0? I've seen cases where someone configures an object with a name like that, but the name ends up being irrelevant and confusing.

                • 5. Re: ASA obj_any in NAT rules
                  Ankit

                  [attached image: RDP.PNG]

                  We are configuring a new ASA 5506 and this is our topology.
                  We are having a serious issue accessing Remote Desktop from outside.

                   

                  nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside


                  We use the rule above to allow Internet access from inside to outside, and it works. It is at number 1 in the NAT rules.

                  Now we have a few servers that we would like to access from outside, so we were trying to open ports.
                  We created network object NAT rules and access lists for that; for some reason it didn't work, so we created manual NAT before the network object NAT rules. It only works when it is at number 1. That's fine, but then our Internet stops working.


                  So we don't have any idea what we are doing wrong.

                  If someone can help me ASAP, because we are planning to deploy ASAP.

                   

                  Thanks Ankit

                  • 6. Re: ASA obj_any in NAT rules
                    Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                    Sharing your configuration would be a great help in finding out what the issue is. Regarding the traffic from inside to the Internet, you don't have to place it in section 1; rather, it should be in section 3. You can do that by adding the keyword after-auto right before source dynamic etc., for example:

                     

                    nat (any,outside) after-auto source dynamic any-inside-networks interface description Allow Inside to Ouside

                    • 7. Re: ASA obj_any in NAT rules
                      Juergen Ilse CCNA R&S

                      Ankit wrote:

                       

                      [attached image: RDP.PNG]

                      We are configuring a new ASA 5506 and this is our topology.
                      We are having a serious issue accessing Remote Desktop from outside.

                       

                      nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside


                      We use the rule above to allow Internet access from inside to outside, and it works. It is at number 1 in the NAT rules.

                      Now we have a few servers that we would like to access from outside, so we were trying to open ports.
                      We created network object NAT rules and access lists for that; for some reason it didn't work, so we created manual NAT before the network object NAT rules. It only works when it is at number 1. That's fine, but then our Internet stops working.


                      So we don't have any idea what we are doing wrong.

                      If someone can help me ASAP, because we are planning to deploy ASAP.

                      I think if you look at the log of your Cisco, you may see some messages about "asymmetric NAT rules" for every attempted connection from outside to inside ... As this rule is the first rule, it will be applied first, and that leads to a denial of any traffic from outside to inside, because there is no translation rule from outside to inside that could be applied before that dynamic NAT rule ...

                      So you either need static NAT rules for accessing your inside servers from outside that are placed *before* that NAT rule, or you may move that existing NAT rule to the third section ("after-auto") of NAT rules (which will also lead to a situation where all NAT rules from the first section, especially the static NAT rules for accessing your inside servers from outside, would be applied *before* that existing NAT rule), or you may replace your existing NAT rule with an object NAT rule that does the same. If you have only the "inside" and "outside" interfaces on your ASA, that object NAT rule (the one that looked a little bit strange) may do the job as a replacement for your existing NAT rule:

                       

                      object network obj_any

                         subnet 0.0.0.0 0.0.0.0

                         nat (inside,outside) dynamic interface

                       

                      That will NAT all your inside IP networks (which are part of 0.0.0.0/0) behind the outside interface IP address for traffic from inside to outside.

                       

                      If you want to place your new static NAT rules for accessing inside servers from outside at line 1 of your ruleset, you may do that by explicitly specifying the line number for your NAT rule:

                       

                      object service RDP

                           service tcp destination eq 3389

                      object network INSIDE-RDP-SERVER

                           host x.x.x.x

                      nat (outside,inside) 1 source static any any destination static interface INSIDE-RDP-SERVER service RDP RDP

                       

                      The "1" would place this new NAT rule as rule number 1 (i.e. the first rule) in your NAT ruleset (and all existing rules will get new, incremented line numbers). Maybe this (explicitly specifying the line number for the NAT rule) is what you were looking for, because without specifying the line number, NAT rules are always placed at the end of their section of your ruleset.
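To make the ordering argument of the two replies above concrete (the `after-auto` suggestion and the "place the static rule before the dynamic rule" suggestion), here is an added example that is not part of the thread and not Cisco code: a small Python model of how the ASA walks its NAT table and performs the reverse-path check that produces the "asymmetric NAT rules" drop. It models section 1 (manual NAT, configuration order, or an explicit line number), section 2 (object NAT, which the ASA itself sorts: static before dynamic, fewer real addresses first, then object name) and section 3 (manual NAT after-auto). The outside address 203.0.113.10, the server addresses 192.168.0.10/11 and the use of 192.168.0.0/24 in place of the `any-inside-networks` group are assumptions, and the twice-NAT rule from the reply is represented by its equivalent inside-to-outside static translation; the model has no routing table and ignores destination-based matching.

```python
"""Model of ASA NAT table ordering and the reverse-path ("asymmetric NAT") check.

Added example, not Cisco code. Sections: 1 = manual NAT (config order, or an
explicit line number), 2 = object NAT sorted by the ASA (static before dynamic,
fewer real addresses first, then object name), 3 = manual NAT "after-auto".
All addresses below are assumptions, not the poster's.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OUTSIDE_IP = ip_address("203.0.113.10")  # assumed outside address (the real box uses DHCP)


@dataclass
class NatRule:
    name: str                          # label; object name breaks ties in section 2
    section: int                       # 1, 2 or 3 as described above
    kind: str                          # "static" (bidirectional) or "dynamic" (outbound only)
    real_if: str                       # interface of the untranslated host, "any" allowed
    mapped_if: str                     # interface on which the mapped address is used
    real_src: str                      # real host/network, e.g. "192.168.0.10/32"
    mapped_src: str                    # "interface" or a host/network
    real_port: Optional[int] = None    # service translation: real (inside) port
    mapped_port: Optional[int] = None  # service translation: mapped (outside) port
    line: Optional[int] = None         # explicit line number given on the nat command


def mapped_net(rule):
    return ip_network(f"{OUTSIDE_IP}/32" if rule.mapped_src == "interface" else rule.mapped_src)


def order_table(rules):
    """Return the rules in the order the ASA walks them."""
    def key(r):
        if r.section == 2:
            return (2, r.kind != "static", ip_network(r.real_src).num_addresses, r.name)
        return (r.section, r.line is None, r.line or 0)  # explicit lines first, then config order
    return sorted(rules, key=key)  # sorted() is stable, so configuration order survives ties


def untranslate(table, ingress, dst_ip, dst_port):
    """Packet arriving on the mapped side: first static rule covering the destination."""
    for r in table:
        if (r.kind == "static" and r.mapped_if == ingress and dst_ip in mapped_net(r)
                and r.mapped_port in (None, dst_port)):
            return r
    return None


def first_match(table, ingress, egress, src_ip, src_port):
    """Packet leaving the real side: first rule of any kind covering the source."""
    for r in table:
        if (r.real_if in (ingress, "any") and r.mapped_if in (egress, "any")
                and src_ip in ip_network(r.real_src) and r.real_port in (None, src_port)):
            return r
    return None


def inbound(rules, dst_port, server_if):
    """Outside client -> OUTSIDE_IP:dst_port. A static rule untranslates the forward
    flow; the reply flow (server -> client) must then be matched by the *same* rule,
    otherwise the ASA drops the connection ("Asymmetric NAT rules matched for
    forward and reverse flows"). server_if: where the untranslated packet is routed."""
    table = order_table(rules)
    fwd = untranslate(table, "outside", OUTSIDE_IP, dst_port)
    if fwd is None:
        return f"DROP: no static translation for {OUTSIDE_IP}:{dst_port}"
    real_port = dst_port if fwd.real_port is None else fwd.real_port
    server_ip = ip_network(fwd.real_src)[0]
    rev = first_match(table, server_if, "outside", server_ip, real_port)
    if rev is not fwd:
        return f"DROP: asymmetric NAT (forward={fwd.name}, reverse={rev and rev.name})"
    return f"OK: {OUTSIDE_IP}:{dst_port} -> {server_ip}:{real_port} via {fwd.name}"


def outbound(rules, client_if, client_ip):
    """Inside client -> Internet: name of the rule that translates it, or None."""
    r = first_match(order_table(rules), client_if, "outside", ip_address(client_ip), 40000)
    return r.name if r else None


# Constructed scenario mirroring the thread (addresses are assumptions).
INSIDE_NET = "192.168.0.0/24"              # BVI1 network; stands in for any-inside-networks
TS3, FS1 = "192.168.0.10", "192.168.0.11"  # assumed HNW-TS3 and HWGR-FS1 addresses
PAT = dict(name="any-inside PAT", kind="dynamic", real_if="any", mapped_if="outside",
           real_src=INSIDE_NET, mapped_src="interface")


def port_forward(name, mapped_port, host):
    # object NAT: nat (inside_1,outside) static interface service tcp <mapped_port> 3389
    return NatRule(name, 2, "static", "inside_1", "outside", f"{host}/32", "interface", 3389, mapped_port)


AS_POSTED = [NatRule(section=1, **PAT), port_forward("HNW-TS3-tcp-rdp", 3389, TS3),
             port_forward("HWGR-FS1-tcp-rdp", 3395, FS1)]
AFTER_AUTO = [NatRule(section=3, **PAT), port_forward("HNW-TS3-tcp-rdp", 3389, TS3),
              port_forward("HWGR-FS1-tcp-rdp", 3395, FS1)]
LINE_ONE = [NatRule(section=1, **PAT),  # the manual static rule from the reply, placed at line 1
            NatRule("RDP manual line 1", 1, "static", "inside_1", "outside", f"{TS3}/32",
                    "interface", 3389, 3389, line=1),
            port_forward("HWGR-FS1-tcp-rdp", 3395, FS1)]

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("after-auto", AFTER_AUTO), ("line 1", LINE_ONE)):
        print(f"[{label}] 3389: {inbound(cfg, 3389, 'inside_1')}")
        print(f"[{label}] 3395: {inbound(cfg, 3395, 'inside_1')}")
        print(f"[{label}] outbound: {outbound(cfg, 'inside_1', '192.168.0.50')}")
```

Running it shows the three situations from the thread: with the dynamic PAT rule in section 1 every port-forward is dropped as asymmetric, because the server's reply hits the PAT rule before its own static rule; with `after-auto` the static object NAT rules in section 2 win the reverse lookup and outbound Internet still falls through to the PAT rule in section 3; and a single static rule forced to line 1 fixes only the server it names, leaving the other object NAT port-forwards broken, which is exactly the "works at number 1 but then the Internet stops" symptom when the rules are shuffled by hand.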

                      • 8. Re: ASA obj_any in NAT rules
                        Ankit

                        nat (outside,inside_1) source static vpn-network vpn-network description Allow VPN to Inside

                        nat (outside,outside) source dynamic vpn-network interface description Allow VPN to Outside

                        nat (dmz_6,outside) source static any any destination static vpn-network vpn-network no-proxy-arp route-lookup description Allow VPN to DMZ6

                        nat (vlan2_1,outside) source static Obj_10.2.0.201 interface service RemotePhone201 RemotePhone201 description Allow 5080-5081 from Outside to Vlan2_1

                        nat (vlan2_1,outside) source static Obj_10.2.0.202 interface service RemotePhone202 RemotePhone202 description Allow 10020-10051 from Outside to Vlan2_1

                        nat (any,outside) source dynamic any-inside-networks interface

                        !

                        object network HNW-TS3-tcp-rdp

                        nat (inside_1,outside) static interface service tcp 3389 3389

                        object network HWGR-FS1-tcp-rdp

                        nat (inside_1,outside) static interface service tcp 3395 3389

                        object network HWGR-AP1-tcp-rdp

                        nat (inside_1,outside) static interface service tcp 3397 3389

                        object network HWN-PT1-tcp-https

                        nat (dmz_6,outside) static interface service tcp https https

                        object network HWN-PT1-tcp-http

                        nat (dmz_6,outside) static interface service tcp www www

                        object network HNW-PT1-tcp-rdp

                        nat (inside_1,outside) static interface service tcp 3393 3389

                        object network HWN-PT1-udp-https

                        nat (dmz_6,outside) static interface service udp 443 443

                         

                         

                         

                         

                         

                         

                         

                         

                        access-list outside_access_in extended permit object RDP-HNW-TS3 any object HNW-TS3-tcp-rdp

                        access-list outside_access_in remark Allow http from Outside to HNW-PT1

                        access-list outside_access_in extended permit object http-service any object HWN-PT1-tcp-http

                        access-list outside_access_in remark Allow https from Outside to HNW-PT1

                        access-list outside_access_in extended permit object https-service any object HWN-PT1-tcp-https

                        access-list outside_access_in remark Allow UDP/HTTPS from Outside to HNW-PT1

                        access-list outside_access_in extended permit object udp-https-destination any object HWN-PT1-udp-https

                        access-list outside_access_in remark Allow Outside to HNW-FS2 for RDP

                        access-list outside_access_in extended permit object RDP-HNW-FS2 any object HNW-FS2-tcp-Rdp

                        access-list outside_access_in remark Allow Outside to HNGR-FS1 for RDP

                        access-list outside_access_in extended permit object RDP-HWGR-FS1 any object HWGR-FS1-tcp-rdp

                        access-list outside_access_in remark Allow Outside to HWGR-TS1 for RDP

                        access-list outside_access_in extended permit object RDP-HWGR-TS1 any object hwgr-ts1

                        access-list outside_access_in remark Allow Outside to HWGR-AP1 for RDP

                        access-list outside_access_in extended permit object RDP-HWGR-AP1 any object HWGR-AP1-tcp-rdp

                        access-list outside_access_in remark Allow Outside to HNW-PT1 for RDP

                        access-list outside_access_in extended permit object RDP-HNW-PT1 any object HNW-PT1-tcp-rdp

                        access-list outside_access_in remark Allow Unifi Controller for HNW-FS2

                        access-list outside_access_in extended permit object unifi-inform-service any object HNW-FS2-inside

                        access-list outside_access_in remark Allow Ports 5080-5081 from Outside to Vlan2_1

                        access-list outside_access_in extended permit object RemotePhone201 any object Obj_10.2.0.201

                        access-list outside_access_in remark Allow Ports 10020-10051 from Outside to Vlan2_1

                        access-list outside_access_in extended permit object RemotePhone202 any object Obj_10.2.0.202

                        access-list outside_access_in remark Allow ssh from VPN to Inside

                        access-list outside_access_in extended permit tcp object vpn-network any eq ssh

                        access-list outside_access_in remark Allow ICMP from VPN to Inside

                        access-list outside_access_in extended permit icmp object vpn-network any

                        access-list outside_access_in remark Allow IP from VPN to Inside

                        access-list outside_access_in extended permit ip object vpn-network any

                        access-list outside_access_in remark Allow UDP from VPN to Inside

                        access-list outside_access_in extended permit udp object vpn-network any

                        access-list dmz_6_access_in remark Allow RDP from Inside to dmz

                        access-list dmz_6_access_in extended permit object RemoteDesktop object-group any-inside-networks object-group any-dmz-networks

                        access-list dmz_6_access_in remark Allow port 137-139 from Inside to dmz

                        access-list dmz_6_access_in extended permit tcp object-group any-inside-networks object-group any-dmz-networks object-group NetBios

                        access-list dmz_6_access_in remark Allow port 3050 from Inside to dmz

                        access-list dmz_6_access_in extended permit object Port-3050 object-group any-inside-networks object-group any-dmz-networks

                        access-list dmz_6_access_in remark Allow port 80 from Inside to dmz

                        access-list dmz_6_access_in extended permit object http-service object-group any-inside-networks object-group any-dmz-networks

                        access-list dmz_6_access_in remark Allow port 443 from Inside to dmz

                        access-list dmz_6_access_in extended permit object https-service object-group any-inside-networks object-group any-dmz-networks

                        access-list dmz_6_access_in remark Allow File share access from DMZ to FS1 and FS2

                        access-list dmz_6_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group SMB inactive

                        access-list dmz_6_access_in remark Allow Domain from HNW-PT1 to telus-dns

                        access-list dmz_6_access_in extended permit udp object HNW-PT1-dmz object-group telus-dns eq domain

                        access-list dmz_6_access_in remark Block all traffic from dmz to inside

                        access-list dmz_6_access_in extended deny tcp object-group any-dmz-networks object-group any-inside-networks object-group AnyService inactive

                        access-list dmz_6_access_in remark Allow all outgoing traffic

                        access-list dmz_6_access_in extended permit tcp object-group any-dmz-networks any object-group AnyService

                        access-list dmz_6_access_in extended permit ip any any

                        access-list dmz_access_in remark Allow File share access from DMZ to FS1 and FS2

                        access-list dmz_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group SMB inactive

                        access-list dmz_access_in extended permit ip any any

                        access-list inside_1_access_in extended permit ip any any

                        access-list inside_access_in extended permit ip any any

                        access-list vlan2_access_in extended permit ip any any

                        access-list vlan2_1_access_in extended deny ip object-group any-vlan2-network object-group any-inside-networks

                        access-list vlan2_1_access_in extended permit tcp object-group any-vlan2-network any object-group AnyService

                        access-list Local_Lan_Access standard permit host 0.0.0.0

                        access-list AnyConnect_Client_Local_Print extended deny ip any4 any4

                        access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd

                        access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

                        access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631

                        access-list AnyConnect_Client_Local_Print remark Windows' printing port

                        access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100

                        access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

                        access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353

                        access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

                        access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355

                        access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

                        access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137

                        access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns

                         

                         

                        interface GigabitEthernet1/1

                        nameif outside

                        security-level 0

                        ip address dhcp setroute

                        !

                        interface GigabitEthernet1/2

                        bridge-group 1

                        nameif inside_1

                        security-level 100

                        !

                        interface GigabitEthernet1/3

                        bridge-group 1

                        nameif inside_2

                        security-level 100

                        !

                        interface GigabitEthernet1/4

                        bridge-group 1

                        nameif inside_3

                        security-level 100

                        !

                        interface GigabitEthernet1/5

                        bridge-group 1

                        nameif inside_4

                        security-level 100

                        !

                        interface GigabitEthernet1/6

                        bridge-group 3

                        nameif vlan2_1

                        security-level 100

                        !

                        interface GigabitEthernet1/7

                        bridge-group 2

                        nameif dmz_6

                        security-level 50

                        !

                        interface GigabitEthernet1/8

                        bridge-group 2

                        nameif dmz_7

                        security-level 50

                        !

                        interface Management1/1

                        management-only

                        no nameif

                        no security-level

                        no ip address

                        !

                        interface BVI1

                        nameif inside

                        security-level 100

                        ip address 192.168.0.1 255.255.255.0

                        !

                        interface BVI2

                        nameif dmz

                        security-level 50

                        ip address 192.168.1.1 255.255.255.0

                        !

                        interface BVI3

                        nameif vlan2

                        security-level 100

                        ip address 10.2.0.1 255.255.255.0

                         

                         

                        Thanks for the replies, guys.

                         

                        Here is our configuration, and sorry for the late reply.

                        • 9. Re: ASA obj_any in NAT rules
                          Ankit

                          I have shared my configuration.

                          Could you take a look and see whether there is anything I am doing wrong?

                           

                          Thanks

                          Ankit

                          • 10. Re: ASA obj_any in NAT rules
                            Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                            You have three bridge interfaces: BVI1 (inside), BVI2 (dmz) and BVI3 (vlan2). In this case, when you reference the interfaces in the NAT rules you should use the BVI nameif, not the physical interfaces themselves. Please try to change that and see if it works.

                            • 11. Re: ASA obj_any in NAT rules
                              Ankit

                              Hello Aref,

                               

                              Thanks for your reply again.

                               

                              I already did, but it won't take those BVI interface names for some reason. When I tried to configure NAT and access lists with those names, it just wouldn't accept them. It gives me an error every time.

                              • 12. Re: ASA obj_any in NAT rules
                                Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                                You are welcome.

                                 

                                What ASA code is running on that box? I have seen similar issues on a 5506-X and I could fix them by upgrading the code. I don't remember the code I used to fix that issue, but I believe it was 9.8.x.

                                • 14. Re: ASA obj_any in NAT rules
                                  Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                                  Would it be an option to upgrade to 9.9.x? Like I said, I cannot really remember what code I used when I fixed similar issues, but now I think it was 9.9.x.
