Cisco ASA Auto and Manual NAT discussion
- May 22nd, 2013
- Posted in Networking
I’ve recently done more thinking about Cisco’s NAT changes (ASA 8.3 and later) and wanted to jot down a couple of examples of solving the same NAT problems in both Auto NAT (Network Object NAT) and Manual NAT (Twice NAT).
First, a branch office with a single public static IP address, assigned to the outside interface of your ASA. If you need static NAT with port address translation (static PAT) from that one address to several servers on your DMZ, you’ll find this one handy. Where a server needs more than one port forwarded from the internet, I prefer Manual NAT over Auto NAT for readability: a network object can carry only one nat statement, so with Auto NAT every extra port means another object for the same host. Note also that in Manual NAT the service object names the real server’s port as a source port, because the rule is written from the real (DMZ) host’s point of view.
Example using Auto NAT:

object network myWebServer
 host 10.1.1.1
 nat (dmz,outside) static interface service tcp http http
object network myDNSServer
 host 10.1.1.2
 nat (dmz,outside) static interface service udp domain domain
! I've got to declare it multiple times?! This feels WRONG!
object network myWebServer-01
 host 10.1.1.1
 nat (dmz,outside) static interface service tcp https https
object network myEmailServer
 host 10.1.1.3
 nat (dmz,outside) static interface service tcp smtp smtp

Example using Manual NAT:

object network myWebServer
 host 10.1.1.1
object service http
 service tcp source eq www
object service https
 service tcp source eq 443
nat (dmz,outside) source static myWebServer interface service http http
nat (dmz,outside) source static myWebServer interface service https https
If you ask me, in this scenario Manual NAT is a better solution than Auto NAT. I’m rather disappointed that Cisco doesn’t yet allow service object groups in Manual NAT, but at least I’m not having to create bogus network objects multiple times when I’m using Manual NAT.
Here’s another example of NAT at a small branch office, this time with two public static IPs: one on the ASA’s outside interface and the other shared among several servers in the DMZ.
Example using Auto NAT:

object network STATIC209_165_201_11
 host 209.165.201.11
object network myDNSServerUDPDNS
 host 10.1.1.1
 nat (dmz,outside) static STATIC209_165_201_11 service udp domain domain
object network myDNSServerTCPDNS
 host 10.1.1.1
 nat (dmz,outside) static STATIC209_165_201_11 service tcp domain domain
object network myWWWServer
 host 10.1.1.3
 nat (dmz,outside) static STATIC209_165_201_11 service tcp http http

NOTE: See how we’re using the second public IP address rather than the outside interface?

Example using Manual NAT:

object network STATIC209_165_201_11
 host 209.165.201.11
object network myDNSServer
 host 10.1.1.1
object network myWWWServer
 host 10.1.1.3
object service udpdns
 service udp source eq domain
object service tcpdns
 service tcp source eq domain
object service tcphttp
 service tcp source eq http
nat (dmz,outside) source static myDNSServer STATIC209_165_201_11 service udpdns udpdns
nat (dmz,outside) source static myDNSServer STATIC209_165_201_11 service tcpdns tcpdns
nat (dmz,outside) source static myWWWServer STATIC209_165_201_11 service tcphttp tcphttp
To me at least, Manual NAT is more readable when staring at configs and tracking down bugs.
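To make the object-count difference behind both scenarios concrete, here is an added example (my own script, not code from the post or from Cisco) that generates static PAT configuration in both styles from a list of required forwards and then checks the result. It encodes the two structural rules the examples above illustrate: an Auto NAT rule lives inside a network object and a network object holds only one nat statement, so every (host, protocol, port) forward needs its own object; a Manual NAT rule references a network object plus a service object written from the real host's perspective (hence "source eq"), so one object per host and one service object per port suffice. The object names (HOST_…, tcp_http and so on) and the Forward dataclass are my own constructions, and the sample forward lists are built from the two scenarios in the post; the script does not talk to an ASA and does not validate anything the ASA itself would reject.

```python
"""Generate Cisco ASA static PAT rules in Auto NAT and Manual NAT style.

Added example, not part of the original post. Object names, the Forward
dataclass and the sample forward lists are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    real_ip: str            # DMZ server address
    proto: str              # "tcp" or "udp"
    port: str               # ASA port name or number, e.g. "http", "domain", "443"
    mapped: str             # "interface" or a public IP such as "209.165.201.11"
    real_ifc: str = "dmz"
    mapped_ifc: str = "outside"


def _obj_name(ip: str) -> str:
    """Constructed naming scheme: HOST_10_1_1_1 for 10.1.1.1."""
    return "HOST_" + ip.replace(".", "_")


def _mapped_ref(f: Forward) -> str:
    return "interface" if f.mapped == "interface" else _obj_name(f.mapped)


def auto_nat(forwards):
    """Auto NAT: the nat statement sits inside a network object, and an object
    holds only one nat statement, so the real host is re-declared per forward."""
    lines, mapped_declared = [], set()
    for f in forwards:
        if f.mapped != "interface" and f.mapped not in mapped_declared:
            mapped_declared.add(f.mapped)
            lines += [f"object network {_obj_name(f.mapped)}", f" host {f.mapped}"]
        name = f"{_obj_name(f.real_ip)}_{f.proto}_{f.port}"   # must be unique per rule
        lines += [f"object network {name}", f" host {f.real_ip}",
                  f" nat ({f.real_ifc},{f.mapped_ifc}) static {_mapped_ref(f)}"
                  f" service {f.proto} {f.port} {f.port}"]
    return lines


def manual_nat(forwards):
    """Manual (Twice) NAT: one network object per host, one service object per
    port; the nat lines reference them. The service object describes the real
    server's port as a *source* port because the rule is written from the real
    host's point of view."""
    lines, nat_lines, hosts, svcs = [], [], set(), set()
    for f in forwards:
        needed = (f.real_ip,) if f.mapped == "interface" else (f.real_ip, f.mapped)
        for ip in needed:
            if ip not in hosts:
                hosts.add(ip)
                lines += [f"object network {_obj_name(ip)}", f" host {ip}"]
        svc = f"{f.proto}_{f.port}"
        if svc not in svcs:
            svcs.add(svc)
            lines += [f"object service {svc}", f" service {f.proto} source eq {f.port}"]
        nat_lines.append(f"nat ({f.real_ifc},{f.mapped_ifc}) source static "
                         f"{_obj_name(f.real_ip)} {_mapped_ref(f)} service {svc} {svc}")
    return lines + nat_lines


def network_object_count(lines):
    return sum(1 for l in lines if l.startswith("object network "))


def duplicate_hosts(lines):
    """Hosts declared in more than one network object: the Auto NAT repetition
    the post complains about."""
    hosts = Counter(l.split()[1] for l in lines if l.startswith(" host "))
    return sorted(h for h, n in hosts.items() if n > 1)


def mapped_conflicts(forwards):
    """Two forwards claiming the same mapped IP + protocol + port can never both
    be installed; catch that before pasting the config into the ASA."""
    claims = Counter((f.mapped, f.proto, f.port) for f in forwards)
    return sorted(k for k, n in claims.items() if n > 1)


# Constructed from the post's first scenario: one public IP, on the outside interface.
BRANCH_ONE_IP = [
    Forward("10.1.1.1", "tcp", "http", "interface"),
    Forward("10.1.1.1", "tcp", "https", "interface"),
    Forward("10.1.1.2", "udp", "domain", "interface"),
    Forward("10.1.1.3", "tcp", "smtp", "interface"),
]

# Constructed from the post's second scenario: a second public IP shared by DMZ hosts.
BRANCH_TWO_IPS = [
    Forward("10.1.1.1", "udp", "domain", "209.165.201.11"),
    Forward("10.1.1.1", "tcp", "domain", "209.165.201.11"),
    Forward("10.1.1.3", "tcp", "http", "209.165.201.11"),
]

if __name__ == "__main__":
    for label, fwds in (("Auto NAT", BRANCH_ONE_IP), ("Manual NAT", BRANCH_ONE_IP)):
        gen = auto_nat if label == "Auto NAT" else manual_nat
        print(f"! {label}: {network_object_count(gen(fwds))} network objects")
        print("\n".join(gen(fwds)), end="\n\n")
```

Running it prints both renderings of the first scenario; the Auto NAT output declares 10.1.1.1 twice (one object per forwarded port), while the Manual NAT output declares each host once and adds one service object per port. The mapped_conflicts check is the one worth keeping around: a second DMZ host accidentally assigned the same public IP, protocol and port is a configuration error in either style, and it is easier to catch in a generator than by reading the ASA's rejection.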
Here are a couple of useful links:
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_overview.html
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_rules.html
http://www.fir3net.com/Cisco-ASA/cisco-asa-83-no-nat-nat-exemption.html
http://www.fir3net.com/Cisco-ASA/cisco-asa-83-nat.html
http://tunnelsup.com/tup/2011/06/24/nat-for-cisco-asas-version-8-3/
http://packetpushers.net/understanding-when-a-cisco-asa-nat-rule-can-override-the-asa-routing-table/
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp51777 (static NAT/PAT migration examples.)
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html (Cisco ASA new Features by Release.)
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html (Some very good config examples from Cisco.)
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_overview.html#wp1118157 (Cisco’s NAT Rule Table.)
Hello and thanks for the post. I was curious why you used “source” instead of destination when defining your services:
service tcp source eq http