Is it possible to do NAT Exemption by port on ASA 8.3?

Hello,
Here is the scenario that I'm trying to solve. I have an IPSEC VPN that just strips off port 80 and 443 traffic from an internal network when the destination is the internet.
This VPN works fine until NAT gets involved. After I configured a dynamic hide NAT for the internal network then the traffic to the VPN no longer matches crypto map. This I was expecting as I know that NAT processing takes place before IPSEC. What I was not expecting is how difficult it would be to exclude my IPSEC VPN traffic from getting NATed.
The difficulty is in that the destination IP has to be ANY since it is the internet, and also that it should only be port 80 and 443 that are excluded from NAT. I do want any other traffic to still be processed by the dynamic hide.
So the traffic that I want to exclude from NAT would look like this:
internal-net --> ANY on TCP Port 80 or 443 Exclude from NAT.
It seems so simple but I cannot find any examples of someone successfully doing this, and I also do not see that it is not possible. I’ve played around with many double NAT statements but any combination that I put in results in the firewall saying, “ERROR: NAT unable to reserve ports”.
Any help on this would be greatly appreciated!
Eric

Hi,
The general format to configure NAT0 would be
object network LAN
subnet
object network REMOTE-LAN
subnet
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
But if I understood you correctly, you want to configure NAT0 for traffic from your LAN that has destination address "any" and destination port/service of TCP/80 or TCP/443?
This would mean that you are trying to tunnel all of this Web traffic to a remote site where it will eventually get passed to the Internet through NAT?
Have you tried the following NAT configuration yet
object network LAN
subnet
object network REMOTE-LAN
subnet
object service WWW
service tcp destination eq www
object service HTTPS
service tcp destination eq https
nat (inside,outside) source static LAN LAN service WWW WWW
nat (inside,outside) source static LAN LAN service HTTPS HTTPS
This should match any traffic with a destination port TCP/80 and TCP/443 to "any" destination network. It would also at the same time keep the source address original (NAT0 / Identity NAT)
What you have to notice with this setup is that this applies to ALL this kind of traffic. If you have DMZs on the local ASA you will have to configure additional NAT configuration before these configurations so that the LAN -> DMZ WWW/HTTPS traffic is not involved or forwarded to the L2L VPN. So there are some things to take into consideration.
There is also another variation of the above configuration and depending on your actual software level (the different software levels after 8.3) the ASA might match the above NAT configuration differently.
Hope this helps
- Jouni
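To make the ordering point in the answer above concrete, here is an added Python model (not from the original thread or from Cisco) of how top-down, first-match manual NAT evaluation decides both the source translation and the egress interface. It assumes a simplified ASA: every rule is manual NAT evaluated in configured order, the matched rule's interface pair sets the egress interface, and an unmatched flow is routed normally. All addresses, interface names and rule names are constructed for the example; the two identity rules mirror the WWW/HTTPS NAT0 rules in the answer, HIDE-LAN stands in for the dynamic hide NAT, and NAT0-LAN-DMZ is the extra rule the answer says must come first when a DMZ exists.

```python
"""Toy model of ASA 8.3+ manual-NAT ordering (constructed example).

Assumptions: rules are evaluated top-down, first match wins, and the matched
rule's interface pair decides the egress interface. Real ASA behaviour has more
parts (NAT sections, object NAT, route-lookup); only the ordering point from the
thread is modelled here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    src_if: str
    dst_if: str
    real_src: str                     # CIDR or "any"
    dst: str                          # CIDR or "any"
    proto: Optional[str] = None       # "tcp"/"udp", or None for any protocol
    dst_port: Optional[int] = None    # None = any destination port
    mapped_src: Optional[str] = None  # None = identity NAT (NAT0); an IP = dynamic PAT


@dataclass(frozen=True)
class Flow:
    src_if: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def _in_net(ip: str, net: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net)


def rule_matches(rule: NatRule, flow: Flow) -> bool:
    return (rule.src_if == flow.src_if
            and _in_net(flow.src_ip, rule.real_src)
            and _in_net(flow.dst_ip, rule.dst)
            and (rule.proto is None or rule.proto == flow.proto)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port))


# Constructed routing table, consulted only when no NAT rule matches
ROUTES = {"192.168.50.0/24": "dmz"}


def routed_egress(dst_ip: str) -> str:
    for net, iface in ROUTES.items():
        if ip_address(dst_ip) in ip_network(net):
            return iface
    return "outside"  # default route


def translate(rules, flow: Flow):
    """Return (matched rule name, translated source address, egress interface)."""
    for rule in rules:
        if rule_matches(rule, flow):
            src = flow.src_ip if rule.mapped_src is None else rule.mapped_src
            return rule.name, src, rule.dst_if
    return "no-match", flow.src_ip, routed_egress(flow.dst_ip)


LAN = "10.10.0.0/16"        # constructed internal network
DMZ = "192.168.50.0/24"     # constructed DMZ network
PAT_IP = "203.0.113.1"      # constructed outside address used by the dynamic hide NAT

# The two identity rules from the answer, followed by the dynamic hide NAT
WEB_RULES = [
    NatRule("NAT0-WWW", "inside", "outside", LAN, "any", "tcp", 80),
    NatRule("NAT0-HTTPS", "inside", "outside", LAN, "any", "tcp", 443),
    NatRule("HIDE-LAN", "inside", "outside", LAN, "any", mapped_src=PAT_IP),
]
# The LAN -> DMZ identity rule placed BEFORE them, as the answer recommends
DMZ_FIRST = [NatRule("NAT0-LAN-DMZ", "inside", "dmz", LAN, DMZ)] + WEB_RULES


def demo():
    web = Flow("inside", "10.10.1.5", "198.51.100.20", "tcp", 80)
    ssh = Flow("inside", "10.10.1.5", "198.51.100.20", "tcp", 22)
    dmz_web = Flow("inside", "10.10.1.5", "192.168.50.10", "tcp", 80)
    return {
        "web": translate(WEB_RULES, web),                         # NAT0, out to the VPN
        "ssh": translate(WEB_RULES, ssh),                         # dynamic hide applies
        "dmz_web_without_dmz_rule": translate(WEB_RULES, dmz_web),  # steered to outside
        "dmz_web_with_dmz_rule": translate(DMZ_FIRST, dmz_web),     # stays on the DMZ
    }


if __name__ == "__main__":
    for label, (rule, src, egress) in demo().items():
        print(f"{label:26s} rule={rule:13s} src={src:13s} egress={egress}")
```

The "dmz_web_without_dmz_rule" case is the trap the answer warns about: with destination "any", the port-80 identity rule also catches LAN-to-DMZ web traffic and sends it out the outside interface; putting a LAN-to-DMZ identity rule ahead of it restores the expected path.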

Similar Messages

  • Quick question re: migration of nat exemption from asa pre-8.2 to post-8.2

    I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about nat exemption.  According to the guide above, the migration of nat exemption will look like this:
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    object network obj-vLan201
    subnet vLan201 255.255.255.0
    object network obj-172.19.252.0
    subnet 172.19.252.0 255.255.255.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
    My question is this: if acl inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    object network obj-vLan201
    subnet vLan201 255.255.255.0
    object network obj-172.19.252.0
    subnet 172.19.252.0 255.255.255.0
    object network obj-172.19.253.0
    subnet 172.19.253.0 255.255.255.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0
    Our current acl has about twenty entries, which would make for twenty nat statements, if this is right.
    Thanks,
    -Mathew

    Hi,
    Default behaviour for NAT past 8.2 software level is to let traffic flow through the ASA without NAT. Before that "nat-control" setting on the ASA defined if the traffic needed a NAT configuration or not.
    If your NAT0 / NAT Exempt configurations contain statements meant for VPN connections then you have to make new ones for those.
    Are the entries in your old NAT0 configurations meant for traffic between different networks in your own LAN or are they meant for different VPN connections? Or perhaps both.
    But as you said, moving to the new software does mean that even some simple NAT configuration will now contain more configurations than in the old software.
    - Jouni

  • Does adding tcp udp ports on the nat exempt accesslist which is binded to nat 0 statement remove the entire nat 0 statement itself?

    Hi Experts,
    Is the above statement true? I learnt later that adding tcp and udp ports on the nat 0 statements is supported. But does it take away the entire nat statement? Please answer my question at the earliest.
    Regards
    Krishna

    Krishna,
    "NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does enable you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list. NAT exemption also does not support connection settings, such as maximum TCP connections."
    Reference
    So, since the documentation clearly says that this rule does not consider any ports in the ACL, then one should not be testing unsupported configurations.
    If one adds an ACL with specific ports, then unexpected results may be expected.
    My suggestion, don't add any ACL entry with specific ports to your NAT exempt statement.
    Thanks.
    Portu.
    Please rate any helpful posts

  • Static NAT or NAT exemption?

    So my situation is kind of unique. I'm currently configuring an ASA5510 (ver. 8.4) to replace an OpenBSD router box. My company was originally given a /24 of public IPs.....yes it's weird. We are currently working on eliminating the public vlan in our office. Currently half the company is using these public IPs for their computers and half are on a private vlan. We also have several servers on the public vlan. Everything is connected to a layer 3 switch that routes between these computers. When we first implement the ASA we want to leave the servers on the public vlan and have them still accessible from the outside by the same IP address. Currently the OpenBSD box just doesn't NAT the public vlan.
    We were looking at 2 solutions.
    1. NAT the server IPs to itself. ie. if the server has an IP of 80.80.80.2 then the nat statement would look something like:
    nat (inside,outside) 80.80.80.2 80.80.80.2
    This is what we think would work best.
    2. We create a nat exemption rule for that entire public vlan.
    Is our theory correct that option 1 works best? Any other suggestions? We do not want to implement a DMZ because we have such sensitive data and only our web server could exist in our DMZ. My company is small....the simpler the solution, the better.

    The only difference between these options is that static identity NAT would create an xlate entry on the firewall, whereas if you use NAT exempt that would not create the xlate on the firewall.

  • Example of Manual NAT to implement NAT exemption

    Hi Everyone,
    Below is from the Cisco Learning Network site
    Referring to the Cisco ASA NAT configuration  below
    object network one
      subnet 10.1.1.0 255.255.255.0
    object network two
      subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static one one destination static two two
    Need to understand how below answer is correct?
    This is an example of Cisco ASA 8.3 manual NAT to implement NAT exemption.
    Regards
    Mahesh

    Hi Mahesh,
    Yes, the above configuration achieves a NAT0 type configuration in the new 8.3+ ASA software.
    In the 8.2 and older softwares we used an ACL to tell the ASA between which networks there should be no translation to the source address.
    The above configuration could correspond to the following on the 8.2 software
    access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NAT0
    And as you have already mentioned the 8.3+ format is
    object network one
      subnet 10.1.1.0 255.255.255.0
    object network two
      subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static one one destination static two two
    In the new format you see the same things as you saw in the older format using ACL. It tells between which interfaces this NAT applies. It also tells between which source and destination networks this applies.
    Now let's look at the above "nat" statement in all of its parts
    nat = Is the actual command which starts the NAT configuration whatever NAT you were configuring
    inside = Is the source interface for the NAT as it's mentioned first
    outside = Is the destination interface for the NAT as it's mentioned second
    source = Simply specifies that the source parameters for this NAT configuration will follow
    static = Defines that we're doing a Static type of NAT
    one = Defines the real source network
    one = Defines the mapped source network
    destination = Simply specifies that the destination parameters for this NAT configuration will follow
    static = Defines that the destination is static. It can only be static
    two = Defines the mapped destination network
    two = Defines the real destination network
    And the key things to notice from the configuration.
    Both source and destination real and mapped networks are the same. This means that the source network and destination network should stay unchanged. So in essence we are doing NAT0.
    When we add the "destination static " this automatically means that the NAT will only be applied when the destination of the traffic is this network. This naturally applies in the reverse direction since the rule is bidirectional.
    I am not really sure if I explained the above in the best way I could. Hope it makes any sense
    - Jouni

  • Static NAT Question - Public to Inside ASA 9.1x

    Hi All.. I'm having a hard time wrapping my head around the post 8.2 nat statements, please help.
    I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server). It also needs to be able to push the stream to a specific IP address as well. I can do identity nat, and it'll go out and I see it's using the IP, but obviously traffic doesn't get in... I can use sample web server NATs I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
    Remote Public IP's: 77.88.99.11
    Local Public IP: 12.12.12.1
    Ports required:
    object-group service srvgp-stream-remote
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object tcp destination eq 8088
     service-object tcp destination eq 1935
     service-object udp destination range 6970 9999
     service-object udp destination range 30000 65000
     service-object udp destination eq 554
    I can get this to work:
    object network server-external-ip
     host 12.12.12.1
    object network webserver
     host 192.168.1.100
     nat (dmz,outside) static server-external-ip service tcp 8088 8088
    access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
    But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax. Additionally, would this provide an 'identity nat' in case the server had to send info out to the public ip via these same ports or do you require a separate identity nat to do this to the same public ip addresses?
    Any help is greatly appreciated.

    With that many ports, you should use the public IP exclusively for the Webserver:
    object network webserver
    host 192.168.1.100
    nat (dmz,outside) static server-external-ip
    If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
    nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote

  • Is it possible to create a virtual TCP port and send data to it?

    Is it possible to create a virtual TCP port and send data to it?
    My application is this:   I am reading a constant stream of waveform data from a device via a LabVIEW VI set and I need to get that streaming data to a .NET application.  I can poll a TCP port in .NET easily so is there a way I can create a virtual TCP port in LabVIEW and send the data there?

    Have a look at the example called simple data server and simple data client and see what you can get from that. I'm not really familiar with TCP myself.
    Joe.
    "NOTHING IS EVER EASY"

  • Is it possible to install 3.0 USB port on HP 2000 412NR Notebook?

    Is it possible to install 3.0 USB port on HP 2000 412NR Notebook? Is there a usb board upgrade available?

    Hi,
    The following one has 2 USB 3.0 ports:
       http://www.pcmag.com/article2/0,2817,2422860,00.asp
    Regards.
    BH
    **Click the KUDOS thumb up on the left to say 'Thanks'**
    Make it easier for other people to find solutions by marking a Reply 'Accept as Solution' if it solves your problem.

  • Is it possible to use Cisco 1721 AUX port to dial into MS-RAS?

    Is it possible to use Cisco 1721 AUX port with external modem to dial into Microsoft W2k-RAS server?

    Hello, thanks for the link. The place where I'm stuck is when the async is going through the LCP negotiation. The LCP CONFREQ sends but I don't get back anything. Cisco documentation states "make sure autoselect PPP or Async mode dedicated are set" but I'm actually dialing into a Microsoft RAS server. Do you know where these settings are?
    *Mar 1 05:38:04.782: As65 PPP: Phase is ESTABLISHING, Active Open
    *Mar 1 05:38:04.782: As65 PPP: No remote authentication for call-out
    *Mar 1 05:38:04.782: As65 LCP: O CONFREQ [Closed] id 43 len 20
    *Mar 1 05:38:04.782: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
    *Mar 1 05:38:04.782: As65 LCP: MagicNumber 0x314EFEBB (0x0506314EFEBB)
    *Mar 1 05:38:04.786: As65 LCP: PFC (0x0702)
    *Mar 1 05:38:04.786: As65 LCP: ACFC (0x0802)
    *Mar 1 05:38:06.782: As65 LCP: TIMEout: State REQsent
    *Mar 1 05:38:06.782: As65 LCP: O CONFREQ [REQsent] id 44 len 20
    *Mar 1 05:38:06.782: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
    *Mar 1 05:38:06.782: As65 LCP: MagicNumber 0x314EFEBB (0x0506314EFEBB)
    *Mar 1 05:38:06.782: As65 LCP: PFC (0x0702)
    *Mar 1 05:38:06.782: As65 LCP: ACFC (0x0802)
    *Mar 1 05:38:08.782: As65 LCP: TIMEout: State REQsent
    *Mar 1 05:38:08.782: As65 LCP: O CONFREQ [REQsent] id 45 len 20
    *Mar 1 05:38:08.782: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
    *Mar 1 05:38:08.782: As65 LCP: MagicNumber 0x314EFEBB (0x0506314EFEBB)
    *Mar 1 05:38:08.782: As65 LCP: PFC (0x0702)
    *Mar 1 05:38:08.782: As65 LCP: ACFC (0x0802)

  • HT4145 is it possible to use a single air port express both for streaming music to an audio system AND as a wireless base station

    is it possible to use a single air port express both for streaming music to an audio system AND as a wireless base station

    Yes you can - if it is your only router or it is after another Apple router - if you have a non-Apple router then it would have to be hard wired to create its own wireless network.

  • Trusted RFC and Remote logon not possible due to Nat'd IP addresses

    Hi,
    We are trying to connect our SolMan 4 to our customers' ECC 6 and BI7 systems, the systems are off site and the IP addresses for the customers' systems are NAT'd when they come in and go out from our Network.
    The problem we get is that we cannot set up Trusted systems or Remote Logon to these systems due to issues with the NATing of the IP addresses. We can set up all standard RFCs after adding the appropriate addresses into the hosts file and they work fine. But the trusted RFC does not set up properly and the BACK RFC from the satellite system does not get set up properly. What appears to happen is that when you try to start a remote session SAP goes to the satellite system and finds the Instance Name and the local IP address rather than the NAT'd IP address and tries to open a session from there. I found this by going into the trusted RFC in SM59 and then going to Extras, System Information, Target System, this then tells me the Target System information, where it shows the System ID and IP address (which is the incorrect IP address).
    Anyone know how we can get the system to have the correct IP address in the target system information so that we can get Remote Logons to work??
    Cheers

    Hi Carl,
    Based on your explanation about NATing, how will the RFC determine to connect to SolMan's internal IP after it has been directed to the IP for the Router connection.
    I feel it is like configuring a jump of RFCs from one IP to another in a single chain.
    Can this be done ?? I mean we have to specify an IP in the RFC connection right.. so how will the automatic jumping of IPs be done.
    Sorry not answering the question but its very interesting and wanted to know.
    Also went through note # 148832, might help.
    Regards,
    Kaustubh.
    Edited by: Kaustubh Krishna on Aug 13, 2009 12:17 PM

  • Is it possible to source NAT health checks?

    I am source natting the data traffic to the back end servers using a source group but I notice the health checks are not affected and they use the interface physical address. The way I found out is the service is down and the firewall was dropping the health checks. Does anyone know a way to source nat health checks? Either that or have them source from the redundant VIP address that is configured on the interface and not the "real" address. CCO and google produced nothing... thanks!

    you can't nat probes.
    The CSS will use its outgoing interface ip address as the source ip.
    Just make sure your firewall allows this traffic.
    Gilles.

  • Help with Slow access or NAT to Inside Interface on ASA 9.1

    I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
    In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through, The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
    Now to further give you some history, the gateway of last resort is an ASA running 9.1 (Now), prior to that it was a PIX with v8.0(4), traffic to the aforementioned web server came in through the gateway of last resort), which at the time was the PIX.
    However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
    So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
    Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
    Attached a diagram of what I am currently doing?
    Any help is appreciated.
    Thanks.
    P.S. Addresses in attached picture config are not real, but I know what they translate to.

    Hi,
    To me it would seem that you are looking for a NAT configuration something like this
    object network SERVER-PUBLIC
    host 197.162.127.6
    object network SERVER-LOCAL
    host 10.0.1.25
    nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
    It will do a NAT for both the source and destination address in a single NAT configuration. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will be untranslated to the SERVER-LOCAL in the process as this configuration handles 2 translations.
    I don't know if this changes the situation at all but it should be the configuration format to handle the translation of external host to the internal interface IP address and only apply when this single public IP address is concerned.
    Hope this helps
    Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.
    Ask more if needed
    - Jouni

  • Is it possible to connect two DVI / Display Port displays to a MacBookAir4,2 ?

    At Work I'm running Parallels: Windows 8.1 Pro
    Is it possible to run it the following way:
    onboard display: OS X
    Display 1: Windows 8.1 Pro - display 1
    Display 2: Windows 8.1 Pro - display 2
    At the moment I'm running onboard display: OS X
    and thunderbolt--> Display Port: Windows 8.1 Pro
    which Works fine.
    But I really need the extra display, but have been searching for a week, and I'm getting nowhere.
    Hope you Guys can help.
    Specs:
    MacBook Air - mid 2011
    CPU: 1.7GHz
    Mem: 4Gb
    GPU: Intel HD 3000 384Mb

    Hello tonnyfromholsted,
    Great question. Your MacBook Air includes one thunderbolt port. Each thunderbolt port can support up to one Mini Display Port display. Thus, your MacBook Air can only connect to one external display. Even when taking Thunderbolt Displays into consideration, this Mac still only supports one connected display. For more information, please refer to the following resource:
    Thunderbolt ports and displays: Frequently asked questions (FAQ) - Apple Support
    http://support.apple.com/en-us/HT204154
    2. How do I connect my Mini DisplayPort monitor or monitor using a Mini DisplayPort adapter to my Thunderbolt-equipped Mac when I have other Thunderbolt devices connected?
    When connecting a Mini DisplayPort display or a display using a Mini DisplayPort adapter to a Thunderbolt peripheral (except as described in question 24), make sure the display is connected at the end of the Thunderbolt chain. You can use only one Mini DisplayPort device in the Thunderbolt chain.
    Note: Systems with more than one Thunderbolt port, like an iMac, can have more than one Mini DisplayPort monitor or monitor connected with a Mini DisplayPort adapter connected as each Thunderbolt port can support one Mini DisplayPort display.
    Thanks,
    Matt M.

  • Static nat and service port groups

    I need some help with opening ports on my ASA using firmware 9.1.2.
    I read earlier today that I can create service groups and tie ports to those. But how do I use those instead of using 'object network obj-ExchangeSever-smtp'?
    I have the ACL -
    access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside
    Can this statement
    object network obj-ExchangeSever-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    reference the service port groups instead? 
    Thanks,
    Andrew

    Hi,
    Are you looking a way to group all the ports/services you need to allow from the external network to a specific server/servers?
    Well you can for example configure this kind of "object-group"
    object-group service SERVER-PORTS
    service-object tcp destination eq www
    service-object tcp destination eq ftp
    service-object tcp destination eq https
    service-object icmp echo
    access-list OUTSIDE-IN permit object-group SERVER-PORTS any object
    The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers. (Depending if you use an "object" or "object-group" to tell the destination address/addresses)
    I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above or perhaps Static NAT configurations?
    You can use the "object network " created for the NAT configuration in the above ACL rule destination field to specify the host to which traffic will be allowed to. Using the "object" in the ACL doesn't tell the ASA the ports however. That needs to be configured in the above way or in your typical way.
    Hope this helps
    - Jouni
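Returning to the migration question earlier on this page (the inside_nat0_outbound thread): the worry there was that every pre-8.3 NAT-exempt ACE turns into its own "nat (inside,any) source static ..." line. The following added Python script (not Cisco's migration tool and not from any post on this page) shows that expansion mechanically: it parses "permit ip" ACEs of the old nat 0 ACL, emits one network object per distinct address (deduplicated, named obj-<address> in the style of the migration guide) and one manual NAT statement per ACE. ACEs with a protocol other than ip are reported rather than converted, since, as the later thread on this page quotes from the documentation, NAT exemption never considered ports. The ACL name and all addresses in the sample input are constructed.

```python
"""Expand a pre-8.3 NAT-exempt ACL into 8.3-style object + manual NAT lines.

Constructed example, not Cisco's migration tool. Handles ACEs of the forms
    access-list NAME [extended] permit ip <src> <dst>
where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'.
"""
from ipaddress import IPv4Network


def _parse_endpoint(tokens, i):
    """Parse one address spec starting at tokens[i].

    Returns (object name, object body line or None for 'any', next index)."""
    if tokens[i] == "any":
        return "any", None, i + 1
    if tokens[i] == "host":
        ip = tokens[i + 1]
        return f"obj-{ip}", f" host {ip}", i + 2
    net = IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)  # validates ip/mask
    return (f"obj-{net.network_address}",
            f" subnet {net.network_address} {net.netmask}",
            i + 2)


def migrate_nat0(acl_lines, acl_name, src_if="inside"):
    """Return (config lines, skipped ACEs) for the named nat 0 ACL."""
    objects = {}      # object name -> body line; dict keeps first-seen order, deduplicates
    nat_lines = []
    skipped = []
    for line in acl_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != acl_name or "permit" not in t:
            continue
        p = t.index("permit")
        if t[p + 1] != "ip":
            skipped.append(line)   # ports were never honoured by nat 0; flag for review
            continue
        sname, sdef, i = _parse_endpoint(t, p + 2)
        dname, ddef, _ = _parse_endpoint(t, i)
        for name, body in ((sname, sdef), (dname, ddef)):
            if body is not None:
                objects.setdefault(name, body)
        stmt = f"nat ({src_if},any) source static {sname} {sname}"
        if dname != "any":
            stmt += f" destination static {dname} {dname}"
        nat_lines.append(stmt)
    cfg = []
    for name, body in objects.items():
        cfg += [f"object network {name}", body]
    return cfg + nat_lines, skipped


# Constructed sample ACL: two subnets, one host entry, and one ACE with a port
ACL = "inside_nat0_outbound"
SAMPLE_ACL = [
    f"access-list {ACL} extended permit ip 10.201.0.0 255.255.255.0 172.19.252.0 255.255.255.0",
    f"access-list {ACL} extended permit ip 10.201.0.0 255.255.255.0 172.19.253.0 255.255.255.0",
    f"access-list {ACL} extended permit ip host 10.201.0.5 172.19.254.0 255.255.255.0",
    f"access-list {ACL} extended permit tcp 10.201.0.0 255.255.255.0 172.19.255.0 255.255.255.0 eq 80",
]


def nat_statement_count(acl_lines, acl_name):
    """Number of manual NAT lines the conversion produces (one per converted ACE)."""
    cfg, _ = migrate_nat0(acl_lines, acl_name)
    return sum(1 for l in cfg if l.startswith("nat "))


if __name__ == "__main__":
    config, skipped = migrate_nat0(SAMPLE_ACL, ACL)
    print("\n".join(config))
    for ace in skipped:
        print(f"! not converted (port-specific ACE): {ace}")
```

For the sample input the three "permit ip" ACEs become three manual NAT statements backed by five shared network objects, and the tcp/80 ACE is reported instead of converted, which is the one-NAT-line-per-ACE growth the original poster expected.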
