Typical NAT/PAT Configuration Comparison for ASA 8.4

A little while back, I posted an article that took a very simple ASA configuration and migrated it to 8.4. This article takes it a step further and focuses on NAT and PAT, as well as the related access control list changes. It only addresses typical static and dynamic source address translation scenarios; policy-based NAT and DMZ configuration will be addressed in future articles. This is an area of significant change in ASA 8.4.

For this configuration challenge, we will meet the following configuration requirements:

  • 192.168.1.x/24 should use the outside interface IP for Dynamic PAT
  • 192.168.1.2 TCP Port 80 will have a static PAT translation to 1.1.1.3 Port 80
  • 192.168.1.3 will have a static NAT (one-to-one) translation to 1.1.1.3

Note: The last two requirements overlap. The intent is that only traffic to TCP port 80 on 1.1.1.3 be delivered to 192.168.1.2; all other traffic arriving at 1.1.1.3 goes to 192.168.1.3.

For those familiar with ASA version 8.2 and earlier, the relevant configuration excerpts are found below.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) tcp 1.1.1.3 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255

//ACL Entries–Note the translated addresses

access-list outside_access_in extended permit tcp any host 1.1.1.3 eq www
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq smtp
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq https
access-list outside_access_in extended permit icmp any host 1.1.1.3

access-group outside_access_in in interface outside

If you reproduce this configuration, the static translations must be entered in exactly this order. ASA 8.2 evaluates overlapping static entries in the order they appear in the configuration, so the port-specific static PAT has to precede the one-to-one static. The ASA warns about the overlap when the second entry is added but accepts it, and the result is a one-to-one static NAT for everything except the previously entered static PAT on TCP port 80.

ciscoasa(config)# static (inside,outside) tcp 1.1.1.3 80 192.168.1.2 80
ciscoasa(config)# static (inside,outside) 1.1.1.3 192.168.1.3
WARNING: mapped-address conflict with existing static
TCP inside:192.168.1.2/80 to outside:1.1.1.3/80 netmask 255.255.255.255

Comparing the NAT and access-list configuration to the 8.4 equivalent, major changes are apparent. The following excerpt shows the NAT and ACL configuration that results from upgrading the 8.2 configuration above to 8.4.

//object definitions

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.2
host 192.168.1.2
object network obj-192.168.1.3
host 192.168.1.3

//NAT Assignments

object network obj_any
nat (inside,outside) dynamic interface
object network obj-192.168.1.2
nat (inside,outside) static 1.1.1.3 service tcp www www
object network obj-192.168.1.3
nat (inside,outside) static 1.1.1.3

//ACL Interface Binding

access-group outside_access_in in interface outside

//ACL Entries–Note the real IP address

access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq https
access-list outside_access_in extended permit icmp any host 192.168.1.3

As you can quickly see, ASA 8.4 radically changes the NAT configuration: the translation is attached to the network object that holds the real address, and the interface ACL now matches on the real (untranslated) address rather than the mapped one. Two points are worth checking before trusting a migrated configuration. First, unlike 8.2 statics, object (Auto) NAT rules are not evaluated in the order you typed them; the ASA orders Section 2 by its own documented criteria (static before dynamic, fewer real addresses first, then lower real IP address, then object name), so "show nat" rather than "show run" is the authority on which rule a flow hits. Second, because untranslation happens before the ACL check, each ACL entry must name the host the NAT actually selects: traffic to 1.1.1.3 port 80 is untranslated to 192.168.1.2 and is evaluated against the 192.168.1.2 entry, while port 25 and 443 traffic lands on 192.168.1.3. Running "packet-tracer input outside tcp <source> 12345 1.1.1.3 80" and the same for port 25 confirms both the NAT selection and the ACL hit. A good way to get a grasp of the differences is to go through the upgrade process between 8.2 and 8.4 with known working configurations.
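To make the 8.2 to 8.4 correspondence above concrete, the following script models the migration: it parses the 8.2 nat/global/static lines and the mapped-address ACL, emits the equivalent 8.4 object NAT, rewrites the ACL to real addresses using the same "static PAT before one-to-one static" untranslation the page relies on, and reports the Section 2 evaluation order the ASA would use. This is an added example and not code from the article or from Cisco; the parser only understands the handful of 8.2 forms that appear on this page, the port-keyword table is a small subset of what the ASA knows, and the ordering rules are taken from the 8.3+ documentation and should be confirmed on a real box with "show nat".

```python
# Added example (not from the article): a model of the 8.2 -> 8.4 NAT and ACL
# migration shown above. It handles only the 8.2 forms that appear on this page.
import ipaddress
import re
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21}  # subset
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) 0\.0\.0\.0 0\.0\.0\.0$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) interface$")
PAT_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)(?: netmask \S+)?$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) ([\d.]+) ([\d.]+)(?: netmask \S+)?$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\w+) any host (\S+)(?: eq (\S+))?$")

# Sample input: the 8.2 excerpt from the article.
SAMPLE_82 = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) tcp 1.1.1.3 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq www
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq smtp
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq https
access-list outside_access_in extended permit icmp any host 1.1.1.3
"""


def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_82(text):
    """Return (dynamic, statics, acls); one-to-one statics carry proto/ports of None."""
    nat_ids, global_ids, statics, acls = {}, {}, [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := NAT_RE.match(line):
            nat_ids[m[2]] = m[1]
        elif m := GLOBAL_RE.match(line):
            global_ids[m[2]] = m[1]
        elif m := PAT_RE.match(line):
            keys = ("rifc", "mifc", "proto", "mip", "mport", "rip", "rport")
            statics.append(dict(zip(keys, m.groups())))
        elif m := STATIC_RE.match(line):
            statics.append(dict(zip(("rifc", "mifc", "mip", "rip"), m.groups()),
                                proto=None, mport=None, rport=None))
        elif m := ACL_RE.match(line):
            acls.append(dict(zip(("name", "proto", "dst", "port"), m.groups())))
    # 'nat (ifc) id' pairs with the 'global (ifc) id interface' carrying the same id.
    dynamic = [(nat_ids[i], global_ids[i]) for i in nat_ids if i in global_ids]
    return dynamic, statics, acls


def untranslate(statics, proto, mip, port):
    """Real host behind mip/proto/port: a static PAT beats a one-to-one static."""
    for s in statics:
        if (s["proto"] == proto and s["mip"] == mip and port
                and port_num(s["mport"]) == port_num(port)):
            return s["rip"]
    for s in statics:
        if s["proto"] is None and s["mip"] == mip:
            return s["rip"]
    return None


def to_84_nat(dynamic, statics):
    """8.4 network-object (Auto) NAT equivalent of the parsed 8.2 rules."""
    out = []
    for rifc, mifc in dynamic:
        out += ["object network obj_any", " subnet 0.0.0.0 0.0.0.0",
                f" nat ({rifc},{mifc}) dynamic interface"]
    for s in statics:
        line = f" nat ({s['rifc']},{s['mifc']}) static {s['mip']}"
        if s["proto"]:  # 8.4 keyword order: service <proto> <real_port> <mapped_port>
            line += f" service {s['proto']} {s['rport']} {s['mport']}"
        out += [f"object network obj-{s['rip']}", f" host {s['rip']}", line]
    return out


def to_84_acl(acls, statics):
    """Rewrite ACL destinations from mapped (8.2) to real (8.4) addresses."""
    out = []
    for a in acls:
        real = untranslate(statics, a["proto"], a["dst"], a["port"]) or a["dst"]
        eq = f" eq {a['port']}" if a["port"] else ""
        out.append(f"access-list {a['name']} extended permit {a['proto']} any host {real}{eq}")
    return out


def auto_nat_order(dynamic, statics):
    """Section 2 (object NAT) evaluation order per the documented ASA 8.3+ criteria:
    static before dynamic, fewer real addresses first, then lower real IP, then
    object name. Config entry order plays no part; confirm on the box with 'show nat'."""
    objs = [("obj_any", ipaddress.ip_network("0.0.0.0/0"), True) for _ in dynamic]
    objs += [(f"obj-{s['rip']}", ipaddress.ip_network(s["rip"]), False) for s in statics]
    objs.sort(key=lambda o: (o[2], o[1].num_addresses, int(o[1].network_address), o[0]))
    return [o[0] for o in objs]


def migrate(text=SAMPLE_82):
    dynamic, statics, acls = parse_82(text)
    return to_84_nat(dynamic, statics), to_84_acl(acls, statics), auto_nat_order(dynamic, statics)
```

Calling migrate() on the article's excerpt returns the same object NAT and real-address ACL shown above, and reports obj-192.168.1.2 ahead of obj-192.168.1.3 in Section 2, which is why the port 80 PAT is honoured regardless of the order the two objects were typed.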

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Security, Technology.

9 Responses to Typical NAT/PAT Configuration Comparison for ASA 8.4

  1. George says:

    Very helpful write up!
    Thanks Paul.

  2. ouki says:

    I tried this 8.4.x configuration and it did not work for me.

    object network obj-192.168.1.2
    nat (inside,outside) static 1.1.1.3 service tcp www www
    object network obj-192.168.1.3
    nat (inside,outside) static 1.1.1.3

    The static NAT "nat (inside,outside) static 1.1.1.3" takes over all the ports including www. The www traffic still gets NAT'd to 192.168.1.3 instead of .2. Please advise. I am running 8.4(4)9 on an ASA5510.

    • Paul Stewart says:

      My experience is that it works as long as they are entered in that order. I would make sure both are deleted and re-enter them in the order you show above. I always get a warning but it works. Now there could be some difference in the particular version you are running. If you have already done this, I'm not sure what I can recommend. Thanks for the feedback.

      • ouki says:

        Already tried deleting both and entering in different order. Regardless of the order I put them in, the 192.168.1.3 object always takes the first place like below. It's probably why it is always overwriting the other statement. Could be just my code version's bug.

        object network obj-192.168.1.3
        nat (inside,outside) static 1.1.1.3

        object network obj-192.168.1.2
        nat (inside,outside) static 1.1.1.3 service tcp www www

  3. Erehwon says:

    I keep seeing config examples with PAT configured to send two different ports to two different servers. But what if you needed 80, 443, 25, 21 open to a single server? Is there a way to group object services into one command? I know you can't add multiple NAT entries to an auto NAT object, so my question is thus:

    Instead of doing:

    object network server_80
    host 192.168.1.1
    nat (inside,outside) static interface service tcp 80 80

    object network server_443
    host 192.168.1.1
    nat (inside,outside) static interface service tcp 443 443

    object network server_25
    host 192.168.1.1
    nat (inside,outside) static interface service tcp 25 25

    object network server_21
    host 192.168.1.1
    nat (inside,outside) static interface service tcp 21 21

    Can you do something like:

    object-group service server_ports
    service-object tcp destination eq 21
    service-object tcp destination eq 25

    service-object tcp destination eq 80

    service-object tcp destination eq 443

    object network server_25
    host 192.168.1.1
    nat (inside,outside) static interface object-group server_ports server_ports

    • Paul Stewart says:

      I have not tried that in the new syntax. I’ll add that to my list of stuff to test.

      • martin says:

        Hi Paul,
        Although I implemented ACLs explicitly to avoid rpf check by incoming traffic, packets are still blocked by the NAT.

        ASA 8.4.2
        Please see configuration below; I used a simplified topology:

        20.0.0.2 R2—–outside(ASA)inside—-R1 10.10.10.1

        *******************************************
        R1
        username cisco password 0 cisco

        interface FastEthernet0/0
        ip address 10.10.10.1 255.255.255.252
        duplex auto
        speed auto

        !Default route to send traffic to R2
        ip route 0.0.0.0 0.0.0.0 10.10.10.2

        line vty 0 4
        login local
        transport input telnet
        !

        *******************************
        R2

        username cisco password 0 cisco

        interface FastEthernet0/0
        ip address 20.0.0.2 255.255.255.252
        duplex auto
        speed auto

        ! To reply to icmp traffic from R1
        ip route 0.0.0.0 0.0.0.0 20.0.0.1

        line vty 0 4
        login local
        transport input telnet

        *******************************
        ASA 8.4.2
        !
        interface GigabitEthernet0
        nameif inside
        security-level 100
        ip address 10.10.10.2 255.255.255.252
        !

        interface GigabitEthernet1
        nameif outside
        security-level 0
        ip address 20.0.0.1 255.255.255.252
        !

        !To allow traffic between interfaces of the same security level
        same-security-traffic permit inter-interface

        object network Outside
        host 40.0.0.221

        object network ServerGroup1
        host 10.10.10.1

        object network ServerGroup1
        nat (inside,outside) static Outside service tcp 8443 https

        timeout xlate 3:00:00

        route outside 0.0.0.0 0.0.0.0 20.0.0.2 1

        access-group outside_access_in in interface outside

        access-list outside_access_in extended permit tcp any host 10.10.10.1 eq 8443
        access-list outside_access_in extended permit tcp any host 10.10.10.1 eq https

        ******************************************************************************
        WITH ACL(!) at ASA

        outside to inside

        ciscoasa# packet-tracer input outside tcp 20.0.0.2 443 10.10.10.1 8443 detaile$

        Phase: 1
        Type: ROUTE-LOOKUP
        Subtype: input
        Result: ALLOW
        Config:
        Additional Information:
        in 10.10.10.0 255.255.255.252 inside

        Phase: 2
        Type: ACCESS-LIST
        Subtype: log
        Result: ALLOW
        Config:
        access-group FW in interface outside
        access-list FW extended permit tcp 20.0.0.0 255.255.255.252 any range https 8443
        Additional Information:
        Forward Flow based lookup yields rule:
        in id=0xbc3082e0, priority=13, domain=permit, deny=false
        hits=2, user_data=0xb9466bc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=20.0.0.0, mask=255.255.255.252, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

        Phase: 3
        Type: IP-OPTIONS
        Subtype:
        Result: ALLOW
        Config:
        Additional Information:
        Forward Flow based lookup yields rule:
        in id=0xbc125b98, priority=0, domain=inspect-ip-options, deny=true
        hits=14, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

        Phase: 4
        Type: NAT
        Subtype: rpf-check
        Result: DROP
        Config:
        object network ServerGroup1
        nat (inside,outside) static Outside service tcp 8443 https
        Additional Information:
        Forward Flow based lookup yields rule:
        out id=0xbc306378, priority=6, domain=nat-reverse, deny=false
        hits=8, user_data=0xbb8c08e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=8443, dscp=0x0
        input_ifc=outside, output_ifc=inside

        Result:
        input-interface: outside
        input-status: up
        input-line-status: up
        output-interface: inside
        output-status: up
        output-line-status: up
        Action: drop
        Drop-reason: (acl-drop) Flow is denied by configured rule

        *******************************************
        Inside to outside

        ciscoasa# packet-tracer input inside tcp 10.10.10.1 8443 20.0.0.2 www detailed

        Phase: 1
        Type: ROUTE-LOOKUP
        Subtype: input
        Result: ALLOW
        Config:
        Additional Information:
        in 20.0.0.0 255.255.255.252 outside

        Phase: 2
        Type: ACCESS-LIST
        Subtype:
        Result: ALLOW
        Config:
        Implicit Rule
        Additional Information:
        Forward Flow based lookup yields rule:
        in id=0xbc0feb50, priority=2, domain=permit, deny=false
        hits=7, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

        Phase: 3
        Type: IP-OPTIONS
        Subtype:
        Result: ALLOW
        Config:
        Additional Information:
        Forward Flow based lookup yields rule:
        in id=0xbc101db0, priority=0, domain=inspect-ip-options, deny=true
        hits=7, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

        Phase: 4
        Type: NAT
        Subtype:
        Result: ALLOW
        Config:
        object network ServerGroup1
        nat (inside,outside) static Outside service tcp 8443 https
        Additional Information:
        Static translate 10.10.10.1/8443 to 40.0.0.221/443
        Forward Flow based lookup yields rule:
        in id=0xbc306178, priority=6, domain=nat, deny=false
        hits=7, user_data=0xbb8c08e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=10.10.10.1, mask=255.255.255.255, port=8443
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

        Phase: 5
        Type: IP-OPTIONS
        Subtype:
        Result: ALLOW
        Config:
        Additional Information:
        Reverse Flow based lookup yields rule:
        in id=0xbc125b98, priority=0, domain=inspect-ip-options, deny=true
        hits=16, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

        Phase: 6
        Type: FLOW-CREATION
        Subtype:
        Result: ALLOW
        Config:
        Additional Information:
        New flow created with id 16, packet dispatched to next module
        Module information for forward flow …
        snp_fp_tracer_drop
        snp_fp_inspect_ip_options
        snp_fp_tcp_normalizer
        snp_fp_translate
        snp_fp_adjacency
        snp_fp_fragment
        snp_ifc_stat

        Module information for reverse flow …
        snp_fp_tracer_drop
        snp_fp_inspect_ip_options
        snp_fp_translate
        snp_fp_tcp_normalizer
        snp_fp_adjacency
        snp_fp_fragment
        snp_ifc_stat

        Result:
        input-interface: inside
        input-status: up
        input-line-status: up
        output-interface: outside
        output-status: up
        output-line-status: up
        Action: allow

        ciscoasa#

      • Based on a quick glance of the configuration, I think the packets would have to be destined to 40.0.0.221. The NAT should then translate them to the private address. You would need a policy NAT exemption or send packets to the global address.

  4. Pingback: Cisco ASA CX 9.1 Update | The Networking Nerd
