Manual Nat (twice Nat) Answers
There seem to be a large number of queries on this subject in one form or another. Having acquired an ASA 5505, running 8.4(3) firmware and using the ASDM GUI for configuration, it has not been an easy transition from other products. I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice NAT or manual NAT, never really having dealt with it before, or in this manner.
What I would like to suggest to the experts, and to those with the ability to give advice to document editors, is to include far more ASDM web GUI examples and discussion for manual NAT. The tools are all there: in the NAT rules editing page, the pictorial display of the rules and the packet flow at the bottom of the page (and finally through packet tracing). What is needed is more on the actual entries on the NAT editing pages and the logic and explanation of those entries. In this forum what I would like to see is responses that include both the recommended CLI entries AND the associated ASDM web GUI pics. With good documents for reading and examples in the forum, I think there should be much less confusion, allowing more attention to some very complex scenarios. I personally feel a bit embarrassed to be asking basic questions and appreciate the responses, but with improvements in docs and forum answers the number of such questions should drop. At the very least I and others like me will get better educated. To be clear, I am not looking for the easy cookie-cutter right answers; I am looking to understand Cisco packet routing through explanations of the web GUI entries. In fact, I am learning far more by trying to understand the web GUI than by simply copying and entering CLI commands. In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" on the first NAT editing page and "Destination Interface" on the second, Advanced page.
Thanks.
Examples below of what I am talking about (note: the examples are simple embedded NAT object port-forwarding rules). I can finally handle external users requiring access to internal servers. :-) But that is just the surface.
I have added the packet tracing JPEGs for further context. There is an UN-NAT lookup entry (first trace block, out of view in the pic), a concept which is missing in the documentation I've read and needs to be added, but it is illuminating in how the router handles traffic. What is also interesting is the fourth JPEG, which also shows the flow designation of a packet and its handling internally (a new packet or one that is associated with an existing packet, previously identified and put in an appropriate table, xlate etc.).
Hi,
I've personally always preferred using CLI over GUI. Probably comes due to the fact I started with old Cisco switches and routers.
When I first used a Cisco PIX the switch from switches/routers was a bit hard. The configuration format in 6.x was totally different from IOS. After I upgraded the first PIX to software 7.0 it was a bit more familiar already. Interfaces were now configured like in the switches and routers. Also, permitting traffic through the device used access-lists.
I was just beginning to handle all the different NAT setups (at least the ones we run into) and then came 8.3 (and 8.4), which totally changed the NAT configuration format.
I still find myself configuring NAT through the CLI. I use the CLI because I like being able to see the whole device configuration without jumping from tab to tab and clicking drop-down menus. I mostly use ASDM to edit existing configurations or something that I might not be as familiar with. Though my goal usually is to learn to configure the same from the CLI after I've done it a couple of times from the GUI.
If you're only using the ASDM GUI to configure the ASA, I suggest you go to "Tools -> Preferences" and from there enable the option "Preview commands before sending them to the device". This will basically show you all the configuration you are going to apply in CLI format. I think this preview setting is off by default.
EDIT2: One really helpful thing is also the fact that you can get help for almost every configuration page in the ASDM GUI. I think there's almost always a direct "Help" button that opens information about the configuration page in question and clarifies all the options you have on the page. Again, as I haven't used ASDM much, I don't know if they clarify the things you are asking for.
The first 2 pictures, to my understanding, illustrate the configuration of a port forwarding using the "outside" interface's address.
The first picture's Translated Address just means that you are going to use the "outside" interface's IP address (whatever it might be) to configure a NAT. ASDM has a habit of giving names to IP addresses, which can confuse you. The same line might as well contain an IP address in numeric format if you, for example, had a small public subnet at your disposal for NAT translations.
The second picture's source/destination interface just basically tells you the interfaces between which the NAT is being performed. Either of these can also be specified as "any".
I'll give you a couple of examples
EXAMPLE 1
The below configuration basically tells the ASA that it will PAT all outbound (outside) traffic from the source networks defined in the object-group to the outside interface address. It also says that the source interface can be any interface on the ASA.
So basically if you keep adding interfaces to an ASA (or networks behind them) that need default PAT translations when they use the Internet, you can just keep adding "network-object x.x.x.x y.y.y.y" statements with the new networks under the object-group and the ASA will do PAT for them. You won't have to configure any additional NAT statements.
object-group network DEFAULT-PAT-SOURCE-NETWORKS
description Source Networks for PAT
network-object 10.10.10.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE-NETWORKS interface
EXAMPLE 2
The below configuration basically tells the ASA that the DMZ server will be visible to hosts behind the other ASA interfaces with the same NAT IP of "1.2.3.4". This could apply to situations where you want to access the DMZ server with the same public IP address from both the Internet and the LAN.
This could help with situations where your LAN uses public DNS and that DNS points to the server's public IP address. With this NAT configuration, even though your LAN hosts are connecting to a public IP address, the device will still be accessible from the LAN since you're NATing the DMZ server towards all interfaces.
object-network DMZ-PUBLIC-STATIC
description Static Public IP for DMZ server
host 192.168.10.10
nat (dmz,any) static 1.2.3.4 dns
The UN-NAT section, to my understanding, just tells you that a connection coming from outside to a NAT IP is basically forwarded to the actual LAN host IP address and not the public IP the user was originally connecting to.
To be honest I don't really know how to configure well with the ASDM as I usually just use the CLI. Because of that I'm sometimes at a loss on how to configure the most simple things because I've only done them on the CLI.
Hope some of this was helpful to you
EDIT: Didn't realize I wrote so much
- Jouni
Similar Messages
-
Some how I have ended up with multiple network objects for the same network example
obj-192.168.1.0
obj-192.168.1.0-1
obj-192.168.1.0-2
All are for the same network but have different NAT statements. When I look at my NAT statements I have a bunch of manual NAT and network object NAT rules. I'm pretty confused on the two. Should I just have one auto NAT statement for each object? Then if I need another NAT statement for the same network make it a manual NAT?
Would I be correct to presume you have updated/upgraded the ASA software from pre 8.3 to post 8.3 by letting the ASA convert the configuration by itself and not actually writing the configurations yourself?
If that is true then it would seem to me that these configurations might be the 8.3 (and later) software's way of doing Identity NAT between your local ASA interfaces. (Which can also be done with Twice NAT / Manual NAT)
I would for example guess that the following configuration
object network obj-172.16.0.0-05
subnet 172.16.0.0 255.254.0.0
nat (inside,TM) static 172.16.0.0
Before was this
static (inside,TM) 172.16.0.0 172.16.0.0 netmask 255.254.0.0
In the new software 8.3+ if you have local LAN and DMZ interfaces on the ASA which don't require NAT between them, you can simply leave out the NAT configurations. So if your purpose is to enable communication between local interfaces without modifying the source or destination address then I would leave out all those NAT configurations.
In the very basic setups you only really need to perform NAT between the local and public interfaces. The new ASA software doesn't have "nat-control" anymore. If there is no NAT rule for the traffic incoming to the ASA then the ASA will simply pass it along without NAT.
- Jouni -
Identifying Manual NAT in ASDM
Hi Everyone,
Below is the screenshot from the Cisco Learning website for the ASA practice test.
Correct answer is Manual NAT polices .
Need to know what should i look for in ASDM that will tell me it is Manual NAT?
Regards
MAhesh
Message was edited by: mahesh parmar
It is manual because the screenshot shows that there are no Network Object NAT rules. So the displayed NAT rule is of type #3 in the list below.
In ASA 8.3 or later there are 3 types of NAT rules you can add:
1. Manual NAT before Network-object NAT
2. Network-Object NAT (network-object NAT is also known as AutoNAT)
3. Manual NAT after Network-object NAT.
If you looked at the cli, it would have the keyword "after-auto" in the NAT rule. -
Example of Manual NAT to implement NAT exemption
Hi Everyone,
Below is from the Cisco Learning Network site
Referring to the Cisco ASA NAT configuration below
object network one
subnet 10.1.1.0 255.255.255.0
object network two
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static one one destination static two two
Need to understand how below answer is correct?
This is an example of Cisco ASA 8.3 manual NAT to implement NAT exemption.
Regards
Mahesh
Hi Mahesh,
Yes, the above configuration achieves a NAT0 type configuration in the new 8.3+ ASA softwares.
In the 8.2 and older softwares we used an ACL to tell the ASA between which networks there should be no translation to the source address.
The above configuration could correspond to the following on the 8.2 software
access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
And as you have already mentioned the 8.3+ format is
object network one
subnet 10.1.1.0 255.255.255.0
object network two
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static one one destination static two two
In the new format you see the same things as you saw in the older format using ACL. It tells between which interfaces this NAT applies. It also tells between which source and destination networks this applies.
Now lets look at the above "nat" statement in all of its parts
nat = Is the actual command which starts the NAT configuration whatever NAT you were configuring
inside = Is the source interface for the NAT as its mentioned first
outside = Is the destination interface for the NAT its mentioned second
source = Simply specifies that the source parameters for this NAT configuration will follow
static = Defines that we're doing a Static type of NAT
one = Defines the real source network
one = Defines the mapped source network
destination = Simply specifies that the destination parameters for this NAT configuration will follow
static = Defines that the destination is static. It can only be static
two = Defines the mapped destination network
two = Defines the real destination network
And the key things to notice from the configuration.
Both source and destination real and mapped networks are the same. This means that the source network and destination network should stay unchanged. So in essence we are doing NAT0.
When we add the "destination static " this automatically means that the NAT will only be applied when the destination of the traffic is this network. This naturally applies in the reverse direction since the rule is bidirectional.
I am not really sure if I explained the above in the best way I could. Hope it makes any sense
- Jouni -
Moving Manual NAT to section 3 (after auto nat)
Hi All,
We have 3 sections of NAT
1>Manual NAT
2>Auto NAT
3>Manual NAT after Auto.
Lets say on ASA we config Manual and Auto Nat.
Now Order of NAT is
1>Manual
2>Auto
If i move the Manual NAT to section 3 of NAT which is Manual NAT after auto NAT.
Now Order of NAT is
2>Auto
3>Manual NAT after Auto.
Now when I try to process the Manual NAT in after-auto section number 3 it does not work, as it hits the Auto NAT and does not go down.
Need to know the reason behind this?
Regards
Mahesh
Also, as a little side note,
There is also difference in the ordering of the NAT configurations depending on the Section
Section 1 and Section 3 Manual NAT rules are always gone through in the order you see them in the actual CLI configuration. So you might have 2 completely working rules BUT if they are in the wrong order it might be that one of them is never used.
Section 2 Auto NAT rules are processed in an order that you don't usually decide yourself. The ASA puts them in order according to how they were configured.
So in a nutshell. You can manually set the order of the Manual NAT rules but Auto NAT rules are ordered automatically by the ASA itself.
You can see the current order of the Auto NAT rules with the command
show nat
- Jouni -
Ipsec-manual, NAT-Traversal?
Is there a way in IOS to enabled NAT-Traversal (ESP-UDP) for manually keyed IPsec tunnels?
Thus far, it looks to me like IKE is required for the NAT detection.
In Linux, I can manually create ESP-UDP SAs; I was hoping to be able to do the same in IOS.
It allows IPsec to work through NAT?
How did your last post turn out? -
Manual NAT to override Auto NAT
Hi, i've an ASA with this relevant config:
ASA Version 9.1(1)
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
object network obj-192.168.2.20
host 192.168.2.20
object network obj-1.1.1.2
host 1.1.1.2
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
object network obj-192.168.2.20
nat (inside,outside) static obj-1.1.1.2
Now i have to allow access to a web server from a specific Internet Address 2.2.2.2.
Both web server and all other inbound access are made via a different IP Address 1.1.1.2
I'm having some problems configuring this second item, and I need help.
Which is the best way to overcame this problem.
TIA
FR
Hello Fran,
Not sure what you mean:
I mean you already have the policies in place for this:
object network obj-192.168.2.20
nat (inside,outside) static obj-1.1.1.2
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
Now i have to allow access to a web server from a specific Internet Address 2.2.2.2.
Both web server and all other inbound access are made via a different IP Address 1.1.1.2
So now a user on the outside 2.2.2.2 will be accessing your webserver,
Is your server 192.168.2.20 and also what do you mean by
Both web server and all other inbound access are made via a different IP Address 1.1.1.2
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at [email protected]
Cheers,
Julio Carvajal Segura -
Importing Computer Manually Appears Twice? Since SP1
Hi,
I am trying to setup some new machines on the system. I have manually imported the computer and mac address. These machine are in AD. I then PXE boot them and image no problems.
Since going to SP1, if I do the above, 2 of the same machines appear in SCCM. I think one is from the manual import and the other from the discovery.
Why is it doing this please?
Thanks
Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem? If so, what was the solution?
Garth Jones | My blogs: Enhansoft and
Old Blog site | Twitter:
@GarthMJ -
Dynamic PAT and Static NAT issue ASA 5515
Hi All,
Recently we migrated our network to an ASA 5515. Since we had configured NAT pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation was not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide) all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the static NAT was not able to translate. Can anyone explain if there's any conflict with PAT and Static NAT? I appreciate your response. Thanks!
- Bhal
Hi,
I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configured for Static NAT and Default PAT I would do in the following way
object network STATIC
host <real-ip>
nat (inside,outside) static <mapped-ip> dns
object-group network DEFAULT-PAT-SOURCE
network-object <network> <mask>
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni -
Policy NAT 8.6(1)2 Windows Server Cluster
We have 2 email servers in a cluster on the network. I have the cluster IP address configured for Object static NAT. This works great for email coming into our organization. However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address. Thus, the NAT'd address is different than for incoming. It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP. This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers. I've attached a diagram. If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
Thanks,
Andrew
Hi,
The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly is it Auto NAT or Manual NAT.
Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the Mail servers and the Static NAT for incoming mail.
MAIL SERVER STATIC NAT
object network MAIL-SERVER
host 10.0.0.1
nat (inside,outside) static 10.10.10.140
The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also but I prefer Auto NAT / Network Object NAT
MAIL SERVER DYNAMIC PAT
object-group network MAIL-PAT-SOURCE
network-object host 10.0.0.1
network-object host 10.0.0.2
network-object host 10.0.0.3
object network MAIL-SERVER-PUBLIC
host 10.10.10.140
nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
The above is a normal Dynamic PAT configuration (no Policy elements involved).
The key thing to notice here is that we are entering this into the ASA before the next Dynamic PAT that catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority) so that it won't override any other NAT rules like the above Static NAT.
If you had your existing Dynamic PAT for all users already with a configuration similar to the last configuration example, then you would have to add a line number to the NAT configuration like this
nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
DEFAULT DYNAMIC PAT FOR USERS
nat (inside,outside) after-auto source dynamic any interface
The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted into the configuration after the above command it will be at a lower priority and won't apply to the 3 source hosts we specified above.
I wonder if I made this out to be more complicated than it needs to be
I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
I am trying to do the following on an ASA 5505 with Security Plus licensing.
public IP ASA private IP ASA
199.185.3.25 <-------192.168.1.254
^
|--------192.168.2.254
^
|-------- 192.168.3.254
I want the 192.168.1.0/24 and 192.168.2.0/24 to NAT to the internet.
I can get the first subnet to work. I can get hosts on each of the two subnets to ping each other. However, if I try to ping an external site, 4.2.2.2, the first subnet works, the second one does not.
I am enclosing the running-configuration from IOS 8.4. Any insights as to what I'm missing to get the second network to be able to send and receive packets to an internet connection?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.01.05 21:03:36 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
ASA Version 8.4(6)
hostname INFOASA01
names
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 4
interface Ethernet0/2
switchport access vlan 5
interface Ethernet0/3
switchport access vlan 2
interface Ethernet0/4
switchport access vlan 2
interface Ethernet0/5
switchport access vlan 2
interface Ethernet0/6
switchport access vlan 2
interface Ethernet0/7
switchport access vlan 2
interface Vlan1
nameif outside
security-level 25
pppoe client vpdn group PPP
ip address pppoe setroute
interface Vlan2
nameif inside
security-level 75
ip address 192.168.1.254 255.255.255.0
interface Vlan3
description Wireless
shutdown
no nameif
no security-level
no ip address
interface Vlan4
description home-network
nameif inside-46
security-level 50
ip address 192.168.3.224 255.255.255.0
interface Vlan5
nameif inside5
security-level 75
ip address 192.168.2.254 255.255.255.0
interface Vlan98
description VPN client
no nameif
security-level 90
ip address 192.168.98.254 255.255.255.0
interface Vlan99
no nameif
no security-level
no ip address
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_25
host 192.168.1.249
object network obj_143
host 192.168.1.249
object network obj_1677
host 192.168.1.249
object network obj_444
host 192.168.1.249
object network obj_443
host 192.168.1.246
object network obj_22
host 192.168.1.249
object network obj_21
host 192.168.1.247
object network obj_8009
host 192.168.1.249
object network obj_39833
host 192.168.1.88
access-list smtp extended permit tcp any host 66.18.210.142 eq smtp
access-list smtp extended permit tcp any host 192.168.1.249 eq smtp
access-list smtp extended permit tcp any host 192.168.1.249 eq imap4
access-list smtp extended permit tcp any host 192.168.1.249 eq 1677
access-list smtp extended permit tcp any host 192.168.1.249 eq https
access-list smtp extended permit tcp any host 192.168.1.246 eq https
access-list smtp extended permit tcp any host 192.168.1.247 eq ftp
access-list smtp extended permit tcp any host 192.168.1.249 eq ssh
access-list smtp extended permit tcp any host 192.168.1.249 eq 8009
access-list smtp extended permit tcp any host 192.168.1.88 eq 3389
no pager
logging asdm informational
mtu outside 1460
mtu inside 1500
mtu inside-46 1500
mtu inside5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network obj_25
nat (inside,outside) static interface service tcp smtp smtp
object network obj_143
nat (inside,outside) static interface service tcp imap4 imap4
object network obj_1677
nat (inside,outside) static interface service tcp 1677 1677
object network obj_444
nat (inside,outside) static interface service tcp https 444
object network obj_443
nat (inside,outside) static interface service tcp https https
object network obj_22
nat (inside,outside) static interface service tcp ssh 40022
object network obj_21
nat (inside,outside) static interface service tcp ftp ftp
object network obj_8009
nat (inside,outside) static interface service tcp 8009 8009
object network obj_39833
nat (inside,outside) static interface service tcp 3389 39833
access-group smtp in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
snmp-server location Home1
snmp-server contact network admin
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 3
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PPP request dialout pppoe
vpdn group PPP localname **********************
vpdn group PPP ppp authentication chap
vpdn username *********.com password ***** store-local
dhcpd auto_config inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ***** password ******* encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d2e31f51f0af551900f9fb8b5dd3ea72
: end
INFOASA01(config)# packet-tracer input inside5 tcp 192.168.2.200 12345 4.2.2.2 12345
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5605, packet dispatched to next module
Result:
input-interface: inside5
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
INFOASA01(config)#packet-tracer input inside5 tcp 192.168.1.200 12345 4.2.2.2 12345
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.200/12345 to 199.185.3.25/12345
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5633, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
INFOASA01(config)# icmp debug icmp tra
debug icmp trace enabled at level 1
INFOASA01(config)# ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=0 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=1 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=2 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=3 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=4 len=56
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=140 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=140 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=141 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=141 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=142 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=142 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=143 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=143 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
no debug icmp tra
debug icmp trace disabled.
INFOASA01(config)#
Hello Paul,
Yes, there is a order within the NAT on 8.3 and higher
1) Manual Nat or Twice Nat
2) Object Nat (the one being used here)
3) After-Auto Nat
Inside the Object NAT the order will be determined automatically by the firewall, placing the static entries and the more specific ones first.
So if you enter that command you will be translating only the subnet within the obj_any 5 from the inside5 to the outside.
Hope I was clear hehe
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
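To make the rule-order discussion in this thread concrete (Jouni's three NAT sections, Mahesh's question about why a manual NAT moved after-auto stops matching, the 5515 dynamic PAT versus static NAT conflict, and the 5505 inside5 configuration and packet-tracer output above), here is a small Python model of the ASA NAT lookup. It is an added example written for this page, not Cisco code and not part of any post. The Section 2 sort it uses (static before dynamic, fewer real addresses first, then lower real address, then object name) follows Cisco's published ASA NAT ordering as I understand it; the object names, the 198.51.100.x mapped addresses, and the reduction of matching to source address, destination address and interface pair are my own simplifying assumptions.

```python
"""Toy model of the ASA 8.3+ NAT rule table (added example, not Cisco code).

Models only what the thread discusses: Section 1 (manual NAT), Section 2
(network-object NAT) and Section 3 (manual NAT after-auto); first match wins;
Sections 1 and 3 keep configuration order; Section 2 is sorted by the ASA
itself (static before dynamic, fewer real addresses first, then lower real
address, then object name). Assumption: lookups are real-to-mapped only;
ports, service objects and the reverse (un-NAT) direction are left out.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    section: int                        # 1, 2 or 3 as described above
    real_if: str                        # first interface in nat (real,mapped)
    mapped_if: str                      # second interface, or "any"
    real: IPv4Network                   # real (untranslated) source addresses
    kind: str                           # "static" or "dynamic"
    mapped: str                         # mapped address, "interface" for PAT
    name: str = ""                      # object name (Section 2) or a label
    dest: Optional[IPv4Network] = None  # destination condition (manual NAT)
    seq: int = 0                        # position in configuration order


def _section2_key(rule: NatRule):
    """Sort key for Section 2, whose order the ASA decides itself."""
    return (0 if rule.kind == "static" else 1, rule.real.num_addresses,
            int(rule.real.network_address), rule.name)


class NatTable:
    def __init__(self) -> None:
        self._rules: List[NatRule] = []

    def add(self, rule: NatRule) -> None:
        rule.seq = len(self._rules)     # remember configuration order
        self._rules.append(rule)

    def ordered(self) -> List[NatRule]:
        """Rules in the order the ASA evaluates them: Section 1, then 2, then 3."""
        sec = lambda n: [r for r in self._rules if r.section == n]
        return (sorted(sec(1), key=lambda r: r.seq) + sorted(sec(2), key=_section2_key)
                + sorted(sec(3), key=lambda r: r.seq))

    def lookup(self, in_if: str, src: str, dst: str, out_if: str) -> Optional[NatRule]:
        """First matching rule for a real-to-mapped packet; None means no NAT."""
        s, d = ip_address(src), ip_address(dst)
        for r in self.ordered():
            if r.real_if not in ("any", in_if) or r.mapped_if not in ("any", out_if):
                continue
            if s not in r.real or (r.dest is not None and d not in r.dest):
                continue
            return r                    # first hit wins; later rules are never checked
        return None


def identity_nat_demo(after_auto: bool) -> str:
    """NAT0 rule for 10.1.1.0/24 -> 192.168.1.0/24 beside a static object NAT for
    host 10.1.1.10; returns the rule that handles 10.1.1.10 -> 192.168.1.20."""
    t = NatTable()
    t.add(NatRule(3 if after_auto else 1, "inside", "outside", ip_network("10.1.1.0/24"),
                  "static", "10.1.1.0/24", "NAT0-one-to-two", ip_network("192.168.1.0/24")))
    t.add(NatRule(2, "inside", "outside", ip_network("10.1.1.10/32"), "static",
                  "198.51.100.10", "obj-10.1.1.10"))
    return t.lookup("inside", "10.1.1.10", "192.168.1.20", "outside").name


def pat_vs_static_demo(pat_section: int) -> str:
    """Default PAT as a Section 1 or 3 manual rule beside a Section 2 static NAT."""
    t = NatTable()
    t.add(NatRule(pat_section, "inside", "outside", ip_network("0.0.0.0/0"), "dynamic",
                  "interface", "DEFAULT-PAT"))
    t.add(NatRule(2, "inside", "outside", ip_network("10.0.0.1/32"), "static",
                  "10.10.10.140", "MAIL-SERVER"))
    return t.lookup("inside", "10.0.0.1", "4.2.2.2", "outside").name


def inside5_demo(fixed: bool) -> Optional[str]:
    """The 5505 config above: obj_any is bound to (inside,outside), so inside5 traffic
    matches nothing; 'fixed' adds nat (any,outside) after-auto source dynamic any interface."""
    t = NatTable()
    t.add(NatRule(2, "inside", "outside", ip_network("0.0.0.0/0"), "dynamic", "interface", "obj_any"))
    t.add(NatRule(2, "inside", "outside", ip_network("192.168.1.249/32"), "static", "interface", "obj_25"))
    if fixed:
        t.add(NatRule(3, "any", "outside", ip_network("0.0.0.0/0"), "dynamic", "interface", "ANY-PAT"))
    hit = t.lookup("inside5", "192.168.2.200", "4.2.2.2", "outside")
    return hit.name if hit else None


def section2_order_demo() -> List[str]:
    """obj_any is configured first but the static rules are evaluated before it."""
    t = NatTable()
    t.add(NatRule(2, "inside", "outside", ip_network("0.0.0.0/0"), "dynamic", "interface", "obj_any"))
    t.add(NatRule(2, "inside", "outside", ip_network("192.168.1.0/24"), "static", "198.51.100.0/24", "obj_lan"))
    t.add(NatRule(2, "inside", "outside", ip_network("192.168.1.249/32"), "static", "interface", "obj_25"))
    return [r.name for r in t.ordered()]
```

Calling the demo functions shows the three effects the thread keeps running into: moving the NAT0 rule from Section 1 to Section 3 hands the 10.1.1.10 flow to the host's object NAT, a default PAT placed in Section 1 shadows a Section 2 static for the server's outbound traffic, and a packet from inside5 matches no rule at all while the only PAT rule is bound to (inside,outside), which is consistent with the packet-tracer output above having no NAT phase for the inside5 trace. The last function shows why the order in which object NAT rules are typed does not matter: the ASA sorts Section 2 itself.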
Nat (inside,outside) static 200.x.x.x
Hi Everyone,
Say we have webserver which has internal IP of 172.16.10.10
If we need outside users from internet who need to access the webserver on IP say 200.x.x.x
We can config the NAT as below also
nat (inside,outside) static 200.x.x.x
Regards
Mahesh
Hi Mahesh,
I would usually configure a normal Static NAT as Network Object NAT
You first configure an "object network" under which you configure the source IP for the NAT configuration with the "host" command. Finally you enter the "nat" command inside/under the "object network".
object network STATIC
host 172.16.10.10
nat (inside,outside) static 200.x.x.x
Depending on how the rest of the NAT configuration is built, some other NAT rule might override this, but personally I have not had problems with configuring Static NAT this way.
You also have an option to configure the NAT in the following way
object network SERVER-REAL
host 172.16.10.10
object network SERVER-MAPPED
host 200.x.x.x
nat (inside,outside) source static SERVER-REAL SERVER-MAPPED
As you can see, the difference from the first way I mentioned is the fact that we use Manual NAT / Twice NAT to configure this Static NAT. We create two "object network" entries which define the real and the mapped IP address. We then use those objects in the actual "nat" configuration.
The difference between the above two NAT configurations is that Network Object NAT is at lower priority in the ASA NAT rule order compared to the above Manual NAT.
- Jouni -
Hello,
I have a setup where i need users accessing 10.6.17.10:80 or 10.6.17.80:443 to be directed to 10.6.17.10:4443.
10.6.17.10 is a server behind an interface called "application"
Requests will be coming from the "outside" interface, or I want this to work regardless of the source interface (any).
this outside interface is local, i mean source ip addresses will all be private, we're talking within the network.
my configuration is as below:
object network A10-Lync
host 10.6.17.10
nat (Application,any) static A10-Lync service tcp https 4443
Hi Murali,
Your answer is very close, but not complete. I'm very familiar with the NAT Rule Order. I didn't think that was the problem. The actual problem is how Object NATs and Twice NATs are implemented. I didn't realize once a Twice NAT (manual nat) is matched no other rules are checked. Here is the information at this Link under How source and destination NAT is implemented. I was under the impression that Twice NAT were processed the same way Object NATs were.
So that was the problem, but what is the solution? That is for Cisco to allow parameters in nat statements. Otherwise we have to create 6 objects and two different nat statements in order to get this working. If they would allow parameters for port numbers, we would only use 3 objects (like I have) and two nat statements. The other reason why Cisco needs to allow this is how ugly a "working" statement looks.
How to Port Forward to Hosts without a return route:
nat (outside,inside) source dynamic any NATTED_IP_OBJECT destination static interface SERVER1_OBJ service TCP_801_OBJ TCP_80_OBJ
Real. Translated.
Confused?!? You should be... I know what I'm trying to do is a very rare objective. That is, get packets to a few hosts that do not have a return route (or default gateway). But I personally wrote this statement just 2 days ago and it still doesn't look right, but it works. :) And it works without translating all source IPs on traffic to hosts that do have a return route (aka NORMAL setup.. haha).
I hope someone finds this helpful. About 40 mins to find a working statement.
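Julio's and Jouni's answers above describe the three NAT sections the ASA walks (manual/twice NAT, then object NAT, then after-auto NAT), and the Lync thread above ran into the consequence: once a manual NAT rule matches, the lookup stops and the object NAT for the same host is never consulted. The following Python model is an added example for this thread, written by the editor; it is not Cisco code and not anything the posters configured, and it does not parse an ASA configuration. It models the section order for a packet in the forward (real to mapped) direction, with one destination port as the only service condition. Rule names, addresses and ports are constructed; the object-name tie-break inside section 2 is an assumption of the model rather than something the thread states.

```python
"""Model of the ASA 8.3+ NAT rule lookup order (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    section: int                 # 1 = manual NAT, 2 = object NAT, 3 = after-auto manual NAT
    real_src: str                # real source network (CIDR); "0.0.0.0/0" stands for "any"
    static: bool                 # static translation (True) or dynamic/PAT (False)
    mapped_src: str              # mapped network, or "interface" for PAT to the interface
    real_dst: str = "0.0.0.0/0"  # only manual NAT (sections 1 and 3) can match on destination
    dport: Optional[int] = None  # destination port condition; None = any port
    seq: int = 0                 # configuration order inside sections 1 and 3

    def matches(self, src: str, dst: str, dport: Optional[int]) -> bool:
        if ip_address(src) not in ip_network(self.real_src):
            return False
        if ip_address(dst) not in ip_network(self.real_dst):
            return False
        return self.dport is None or self.dport == dport


def order_object_nat(rules: List[NatRule]) -> List[NatRule]:
    """Section 2 is ordered by the ASA, not by configuration order: static rules
    before dynamic ones, then fewer real addresses first (most specific wins),
    then lower real address. The final tie-break on object name is an
    assumption of this model."""
    def key(r: NatRule):
        net = ip_network(r.real_src)
        return (0 if r.static else 1, net.num_addresses, int(net.network_address), r.name)
    return sorted(rules, key=key)


def lookup(rules: List[NatRule], src: str, dst: str,
           dport: Optional[int] = None) -> Optional[NatRule]:
    """Return the rule the ASA would apply: sections are walked 1, 2, 3 and the
    first match wins. A matching manual NAT rule ends the lookup; section 2 is
    never consulted for that packet, which is what the Lync post above hit."""
    section1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.seq)
    section2 = order_object_nat([r for r in rules if r.section == 2])
    section3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.seq)
    for rule in section1 + section2 + section3:
        if rule.matches(src, dst, dport):
            return rule
    return None


# Constructed rule set. Section 2 is listed in a deliberately poor configuration
# order to show that the ASA reorders it; sections 1 and 3 keep their seq order.
RULES = [
    NatRule("identity-to-datacentre", 1, "192.168.1.0/24", True, "192.168.1.0/24",
            real_dst="10.10.0.0/16", seq=1),
    NatRule("lync-443-to-4443", 1, "0.0.0.0/0", True, "0.0.0.0/0",
            real_dst="10.6.17.10/32", dport=443, seq=2),
    NatRule("obj_any", 2, "0.0.0.0/0", False, "interface"),
    NatRule("obj_any5", 2, "192.168.5.0/24", False, "interface"),
    NatRule("webserver", 2, "192.168.1.100/32", True, "203.0.113.10/32"),
    NatRule("STATIC", 2, "172.16.10.10/32", True, "203.0.113.5/32"),
    NatRule("after-auto-catchall", 3, "0.0.0.0/0", False, "interface", seq=1),
]


def explain(rules: List[NatRule], src: str, dst: str, dport: Optional[int] = None) -> str:
    """One-line description of which rule (and section) a packet hits."""
    rule = lookup(rules, src, dst, dport)
    hit = f"{rule.name} (section {rule.section})" if rule else "no NAT rule"
    return f"{src} -> {dst}:{dport if dport is not None else 'any'}: {hit}"


if __name__ == "__main__":
    section2 = [r for r in RULES if r.section == 2]
    print("section 2 as the ASA orders it:", [r.name for r in order_object_nat(section2)])
    for pkt in [("172.16.10.10", "8.8.8.8", 80),     # static host beats obj_any
                ("192.168.5.7", "8.8.8.8", 80),      # /24 beats 0.0.0.0/0
                ("192.168.1.100", "10.10.4.4", 80),  # manual NAT wins over object NAT
                ("192.168.1.100", "8.8.8.8", 80),    # no manual match: object NAT static
                ("10.0.0.9", "10.6.17.10", 443)]:    # manual NAT matched by destination port
        print(explain(RULES, *pkt))
```

Running the block prints the reordered section 2 (`STATIC`, `webserver`, `obj_any5`, `obj_any`) and then the hit for each sample packet. The useful check is the third packet: `192.168.1.100` has a static object NAT, but towards `10.10.0.0/16` it hits the section 1 identity rule and the object NAT is never reached, so any port-forward or mapped address configured in section 2 does not apply to that flow.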
Static NAT Question - Public to Inside ASA 9.1x
Hi All.. I'm having a hard time wrapping my head around the post-8.2 nat statements, please help.
I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server). It also needs to be able to push the stream to a specific IP address as well. I can do identity nat, and it'll go out and I see it's using the IP, but obviously traffic doesn't get in... I can use sample web server NATs I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
Remote Public IP's: 77.88.99.11
Local Public IP: 12.12.12.1
Ports required:
object-group service srvgp-stream-remote
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8088
service-object tcp destination eq 1935
service-object udp destination range 6970 9999
service-object udp destination range 30000 65000
service-object udp destination eq 554
I can get this to work:
object network server-external-ip
host 12.12.12.1
object network webserver
host 192.168.1.100
nat (dmz,outside) static server-external-ip service tcp 8088 8088
access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
But again, I have no idea how I would do such a thing with a list of required ports? I don't see that it's an option in the syntax. Additionally, would this provide an 'identity nat' in case the server had to send info out to the public IP via these same ports, or do you require a separate identity nat to do this to the same public IP addresses?
Any help is greatly appreciated.
With that many ports, you should use the public IP exclusively for the Webserver:
object network webserver
host 192.168.1.100
nat (dmz,outside) static server-external-ip
If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote
Problems getting static NAT to work between two internal lans
Hi, I'm trying the old problem of routing between two internal LANs. This is on CLI 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static NATs are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the nat policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
Manual NAT Policies (Section 1)
1 (office) to (inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 3
2 (inside) to (office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
interface GigabitEthernet0/0
nameif inside-ld5
security-level 100
ip address 10.20.15.2 255.255.255.0
interface GigabitEthernet0/6
nameif office
security-level 100
ip address 10.20.11.9 255.255.255.0
object network inside-ld5
subnet 10.20.15.0 255.255.255.0
object network inside-office
subnet 10.20.11.0 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
Hi Kevin,
Because your interfaces inside and office are at the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected, so routing should work (instead of NAT).
Best Regards,
Jan