4 Replies Latest reply: Feb 27, 2019 5:01 AM by Juergen Ilse CCNA R&S

    ASA NAT

    Tyson

      REQUIREMENT:

      1. When the file server with the inside local address of 10.100.0.3 goes to the outside, it uses the auto NAT rule that translates the address to the ASA's outside interface (10.0.0.50) via PAT.

      2. When a device on the outside goes to 10.0.0.51, that traffic is sent to the server (new traffic flow that is unrelated to the flow initiated by the file server)

       

      PROCEDURE: Attempted to do this using object NAT and then an after-auto manual NAT statement:

       

      object network NETWORK_10.100.0.0_24

      subnet 10.100.0.0 255.255.255.0

      nat (any, OUTSIDE) dynamic interface

      object network HOST_10.100.0.3

      host 10.100.0.3

      object network HOST_10.0.0.51

      host 10.0.0.51

      !

      nat (OUTSIDE,INSIDE) after-auto source static any any destination static HOST_10.0.0.51 HOST_10.100.0.3

      !

      access-list OUTSIDE_access_in extended permit ip any object HOST_10.100.0.3

      access-group OUTSIDE_access_in in interface OUTSIDE

       

      PROBLEM: the file server is still using the 10.0.0.51 address instead of the 10.0.0.50 address. I would assume that since the static NAT entry specifically calls to be after the auto NAT that this would make it so traffic sourced from the file server to the outside would translate to 10.0.0.50 and traffic sourced from outside towards the file server would have to reach 10.0.0.51, but this isn't what is actually happening. When I do a packet-tracer in the CLI, I notice the static NAT entry is invoked, which has me confused as to why.

       

      Any ideas where I'm going wrong here? Just trying to get a better grasp on this. Thanks.

        • 1. Re: ASA NAT
          Sergey

          Tyson,

           

          You are correct, because the auto NAT statement is higher up in the list, the return traffic from the server will always hit it first and will use auto NAT. I think the best you can do is create a specific NAT entry for a port on the server and place it higher up. So that if traffic is originating from a certain port, which typically will be only in response to a client request, then use address .51. And the default will be caught by your auto NAT entry.

          • 2. Re: ASA NAT
            waninae39

            Why use static? The auto nat rule will send the traffic to the correct source when it replies

            • 3. Re: ASA NAT
              Juergen Ilse CCNA R&S

              waninae39 wrote:

               

              Why use static? The auto nat rule will send the traffic to the correct source when it replies

              The auto nat rule is not static but dynamic, and dynamic nat is unidirectional, so without an additional static nat rule, the server wouldn't be accessible from outside ...

              I wouldn't do that with an "after-auto" manual nat rule. My solution would have been a "unidirectional" manual nat rule:

               

              nat (outside,inside) source static any any destination static HOST_10.0.0.51 HOST_10.100.0.3 unidirectional

               

              Manual static nat rules are bidirectional by default, but you can add the keyword "unidirectional", so that the rule will only be applied for connections initiated from outside to inside in this case. That also seems to be a solution ... But I would restrict the nat rule to a specific service, if only 1 service should be reachable from outside, for example:

               

              object service HTTP

                   service tcp destination eq 80

              nat (outside,inside) source static any any destination static HOST_10.0.0.51 HOST_10.100.0.3 service HTTP HTTP unidirectional

               

              [edit]

              Even if I had done it with an "after-auto" nat rule, I would have used a "unidirectional" nat rule, just because I usually restrict nat rules to the absolutely necessary ...

               

              Btw: there may also be a solution without manual nat rules:

               

              object network NETWORK_10.100.0.0_24

                 subnet 10.100.0.0 255.255.255.0

                 nat (any, OUTSIDE) dynamic interface

              object service HTTP-SOURCE

                   service tcp source eq 80

              object network HOST_10.100.0.3

                 host 10.100.0.3

                 nat (inside,outside) static interface service HTTP-SOURCE HTTP-SOURCE

               

              I haven't tested this one, but I think it should work. There are several "tricks" used here. First, the order of object nat rules:

              1. static before dynamic (that is something that is currently missing in my document about nat on ASA; I have to find time to rewrite some parts of it)

              2. if the rules are the same type of nat rules: most specific objects first

              3. if the rules are the same type of nat rules, objects with the lowest start address go first

              4. if the nat rules have the same type and the objects have the same content, use alphabetical order of object names

               

              The first nat rule would be enough to let the second object nat rule have preference over the first object nat rule, but the second criterion would give the second object nat rule preference ... The second trick is to use not the desired service but the "answer traffic from that service". Since static nat rules are bidirectional by default, not only connections initiated from 10.100.0.3 to outside with source port 80 will be natted, but also connections from outside to the address of the outside interface with destination port 80 ...

              But as I wrote above: I haven't tested this variant (even if I'm sure it will work as described here).
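As an added example (not code from this thread or from Cisco), a small Python model of the four object nat ordering criteria and the static/bidirectional versus dynamic/unidirectional distinction discussed in this reply, applied to the two-object solution above. The 10.0.0.50 outside interface address is taken from the original question; the port-based match and the function names are assumptions of the model, and interface pairs and the manual nat sections are deliberately not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class ObjectNat:
    name: str                   # object network name
    real: str                   # host or subnet behind the rule, in CIDR form
    mapped: str                 # translated address ("interface" = outside IP)
    static: bool                # static rules are bidirectional, dynamic are not
    port: Optional[int] = None  # "service tcp source eq N" restriction, if any

def object_nat_key(rule: ObjectNat):
    net = ip_network(rule.real)
    # 1. static before dynamic
    # 2. same type: most specific object (longest prefix) first
    # 3. same type and length: lowest start address first
    # 4. otherwise: alphabetical order of object names
    return (0 if rule.static else 1, -net.prefixlen,
            int(net.network_address), rule.name)

def order_object_nat(rules):
    """Rules in the order the ASA would evaluate them (per the criteria above)."""
    return sorted(rules, key=object_nat_key)

def outbound(rules, src_ip, src_port):
    """First match for an inside->outside flow: (rule name, mapped source IP)."""
    for rule in order_object_nat(rules):
        if ip_address(src_ip) not in ip_network(rule.real):
            continue
        if rule.port is not None and rule.port != src_port:
            continue
        return rule.name, rule.mapped
    return None, src_ip  # no rule matched: packet leaves untranslated

def inbound(rules, dst_ip, dst_port):
    """Reverse match for a new outside->inside flow: only static rules qualify."""
    for rule in order_object_nat(rules):
        if not rule.static or rule.mapped != dst_ip:
            continue
        if rule.port is not None and rule.port != dst_port:
            continue
        return rule.name, str(ip_network(rule.real).network_address)
    return None, dst_ip  # dynamic PAT never accepts a new inbound connection

OUTSIDE_IF = "10.0.0.50"  # ASA outside interface address from the question
RULES = [  # the two-object solution from the reply above (constructed model)
    ObjectNat("NETWORK_10.100.0.0_24", "10.100.0.0/24", OUTSIDE_IF, static=False),
    ObjectNat("HOST_10.100.0.3", "10.100.0.3/32", OUTSIDE_IF, static=True, port=80),
]
```

The model shows the host rule ordered first, replies from source port 80 hitting the static rule while other outbound traffic falls through to the dynamic PAT rule, and new inbound connections to 10.0.0.50:80 being accepted only through the static rule.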

              • 4. Re: ASA NAT
                Juergen Ilse CCNA R&S

                Now we have found 3 different solutions: one with an "after-auto" manual nat rule in addition to the original dynamic object nat rule, one with a unidirectional manual nat rule in the first section of nat rules and, last but not least, a solution with 2 different object nat rules. Are there any other ideas as an answer to the original requirement? I have no further ideas. Has anyone labbed those 3 solutions? It would be interesting if all 3 really work as expected or if we made some mistakes in those 3 solutions ...