Static NAT ASA

Hello Experts,

I just finished one project where I moved the Exchange server to the new remote site thanks to you (port forwarding). Now there is another Exchange server that I need to move (static NAT 1 to 1); I just learned about it. Our network engineer left and I have to finish several projects that he was working on and then look to hire someone. I am not a network guy, so please include as much detail as possible.

The former network engineer did leave a text file for this change... I just would like to make sure what needs to be configured in which order... or whether the order in this text file is good... and also in which configuration mode the commands should be typed... For example, in config t, under the object group, etc. (in order)...

Firewall: ASA
Version 8.6

Trying to move the 2nd Exchange server to our other site. New IPs. Static NAT 1 to 1. Several IPs from the outside that need access. Several ports to be opened and ACLs to be assigned. Please see below the configuration that needs to be implemented.


object network objInternal-192.168.1.9
host 192.168.1.9

object network objExternal-62.x.x.1
host 62.x.x.1

nat (inside,outside) source static objInternal-192.168.1.9 objExternal-62.x.x.1

object-group service IN_TRAFFIC tcp
port-object eq https
port-object eq smtp

object-group network Cloud_IPS
network-object host 22.x.x.x
network-object host 23.x.x.x

object-group network Cloud_IPS_2
network-object host 24.x.x.x
network-object host 25.x.x.x

object-group network Nodes_Ex (same IP as above for objExternal)
network-object host 62.x.x.1

object-group network Nodes_In (same IP as above for objInternal)
network-object host 192.168.1.9

access-list access_interface_out extended permit tcp object-group Cloud_IPS object-group Nodes_In eq smtp
access-list access_interface_out extended permit tcp object-group Cloud_IPS_2 object-group Nodes_In object-group IN_TRAFFIC
access-list access_interface_out extended permit tcp any4 object-group Nodes_In eq https

Also, do I need any additional command to apply these ACLs to the outside interface?

Thank you.

Zeke
Asked by Zeke2016

ffleisma (Senior Network Engineer) commented:
I've done a working simulation on GNS3; your configuration will look something like this.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
!
object network OBJ_EXTERNAL_IP_1.1.1.3
  host 1.1.1.3
!
object network OBJ_INTERNAL_IP_192.168.1.100
  host 192.168.1.100
!  
object network OBJ_INTERNAL_192.168.1.0-24
  subnet 192.168.1.0 255.255.255.0
!
!
nat (inside,outside) 1 source static OBJ_INTERNAL_IP_192.168.1.100 OBJ_EXTERNAL_IP_1.1.1.3
nat (inside,outside) 2 source dynamic OBJ_INTERNAL_192.168.1.0-24 interface
!
!
access-list inside_access_in line 1 extended permit icmp object OBJ_INTERNAL_192.168.1.0-24 any echo 
access-list inside_access_in line 2 extended permit ip object OBJ_INTERNAL_192.168.1.0-24 any 
!
access-list outside_access_in line 1 extended permit icmp any object OBJ_INTERNAL_192.168.1.0-24 echo-reply 
access-list outside_access_in line 2 extended permit tcp any object OBJ_INTERNAL_IP_192.168.1.100 eq https 
access-list outside_access_in line 3 extended permit tcp any object OBJ_INTERNAL_IP_192.168.1.100 eq smtp 
!
!
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

Line 22, 192.168.1.100 is statically NATed to 1.1.1.3
Line 23, all other hosts in 192.168.1.0/24 are dynamically PATed to 1.1.1.1 (outside interface)
Line 26, permits all hosts in 192.168.1.0/24 icmp/echo (ping) going out to any (internet)
Line 27, permits all hosts in 192.168.1.0/24 any ip/tcp/udp traffic going out to any (internet). You may want to limit this to specific ports only (http, https, dns, etc.), which would require multiple lines
Line 29, allows icmp/echo-reply from any (internet) to all hosts in 192.168.1.0/24. Second piece of the puzzle to allow ping
Line 30, allows https traffic from any (internet) to 192.168.1.100 (1.1.1.3 is UN-NATed to 192.168.1.100 before the ASA looks into ACL rules)
Line 31, allows smtp traffic from any (internet) to 192.168.1.100 (1.1.1.3 is UN-NATed to 192.168.1.100 before the ASA looks into ACL rules)
If all this looks fairly similar to what you are doing, here are a few things you can look into when static NAT is applied.
Check DNS resolution: if you are using an external DNS, you'll need to allow the traffic from the server to the external DNS. Also note that the public IP of the server has now changed at this point.
Test "telnet 46.228.47.114 80" to verify internet connectivity without relying on DNS or ping. Ping is clunky in that it needs to be allowed both ways outgoing (icmp/echo) + incoming (icmp/echo-reply).
Packet-tracer output should look something similar to below:
ciscoasa# packet-tracer input inside tcp 192.168.1.100 80 8.8.8.8 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object OBJ_INTERNAL_192.168.1.0-24 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static OBJ_INTERNAL_IP_192.168.1.100 OBJ_EXTERNAL_IP_1.1.1.3
Additional Information:
Static translate 192.168.1.100/80 to 1.1.1.3/80

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 172, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa#

Lines 11-18: Phase 2 (ACL) should allow the traffic; if it fails here, the issue is in the ACL
Lines 27-34: Phase 4 (NAT) should reflect that your server is now being NATed to the new public IP
The final action should be allow
Sorry for the long post; hope this gives you more troubleshooting insight and that you are successful next time around. Let me know how it goes and I'll be glad to help you out!

ffleisma (Senior Network Engineer) commented:
Looks fine, Zeke, except maybe for
access-list access_interface_out extended permit tcp any4 object-group Nodes_In eq https
"access-list access_interface_out": I'm guessing this is the ACL permitting incoming https traffic to the server. Is your server accessible externally via https? If so, you might need to change this ACL name to the name of the ACL pertaining to incoming traffic on your outside interface.

ffleisma (Senior Network Engineer) commented:
I have cleaned it up for you; there were a few duplicate ACLs that were unnecessary.
object network OBJ_INTERNAL_192.168.1.9
host 192.168.1.9
!
object network OBJ_EXTERNAL_62.x.x.1
host 62.x.x.1
!
object-group network OBJG_Cloud_IPS_1
network-object host 22.x.x.x
network-object host 23.x.x.x
!
object-group network OBJG_Cloud_IPS_2
network-object host 24.x.x.x
network-object host 25.x.x.x
!
object-group service OBJG-SG_IN_TRAFFIC tcp
port-object eq https
port-object eq smtp
!
!
nat (inside,outside) 1 source static OBJ_INTERNAL_192.168.1.9 OBJ_EXTERNAL_62.x.x.1
!
!
access-list outside_access_in line 1 extended permit tcp object-group OBJG_Cloud_IPS_1 object OBJ_INTERNAL_192.168.1.9 object-group OBJG-SG_IN_TRAFFIC
access-list outside_access_in line 2 extended permit tcp object-group OBJG_Cloud_IPS_2 object OBJ_INTERNAL_192.168.1.9 object-group OBJG-SG_IN_TRAFFIC
!
access-group outside_access_in in interface outside

Verify the ACL name (outside_access_in) with "show run access-group". For "access-group outside_access_in in interface outside", use the existing ACL name pertaining to your internet-facing interface.
"nat (inside,outside) 1" was done to ensure that the NAT configuration comes in at the top of any existing NAT configuration.
Also, ensure that the external IP (62.x.x.x) you are using for the static NAT is not being used elsewhere (outside interface or other NAT configuration).
"access-list outside_access_in line 1 extended" is done to ensure that the ACL configured is placed in front of any existing ACL that might deny packets. If you are not blocking anything, you can do it without the line number: "access-list outside_access_in extended permit ...".
You can even combine the Cloud_IPS object-groups and make do with just one ACL:
object-group network OBJG_Cloud_IPS
 network-object host 22.x.x.x
 network-object host 23.x.x.x
 network-object host 24.x.x.x
 network-object host 25.x.x.x
!
access-list outside_access_in line 1 extended permit tcp object-group OBJG_Cloud_IPS object OBJ_INTERNAL_192.168.1.9 object-group OBJG-SG_IN_TRAFFIC


Zeke2016 (Author) commented:
Thank you very much.

And if I wanted all ports under the "IN_TRAFFIC" group to be allowed for ObjInternal-192.168.1.9, can I do the following ACL?

access-list access_interface_out extended permit tcp object ObjInternal-192.168.1.9 object-group IN_TRAFFIC

Yes, the server will need to be accessible from the outside via https.

ffleisma (Senior Network Engineer) commented:
object-group network OBJG_ALLOWED_FROM_OUTSIDE
 network-object host x.x.x.x
 network-object y.y.y.y m.m.m.m
!
object network ObjInternal-192.168.1.9
 host 192.168.1.9
!
object-group service IN_TRAFFIC tcp
port-object eq https
port-object eq smtp
!
access-list access_interface_out extended permit tcp object-group OBJG_ALLOWED_FROM_OUTSIDE object ObjInternal-192.168.1.9 object-group IN_TRAFFIC

The objects and object-groups can be described as follows:
An object pertains to a single value. Network object ObjInternal-192.168.1.9 = 192.168.1.9.
A network object-group pertains to a group of IPs. Network object-group OBJG_ALLOWED_FROM_OUTSIDE = host x.x.x.x, y.y.y.y m.m.m.m.
A service object-group pertains to a group of ports. Service object-group IN_TRAFFIC = tcp/443, tcp/25.
The ACL is divided into 7 parts:
access-list access_interface_out extended permit tcp object-group OBJG_ALLOWED_FROM_OUTSIDE object ObjInternal-192.168.1.9 object-group IN_TRAFFIC

ACL name = access_interface_out
Action = permit or deny
Protocol = IP/TCP/UDP/etc
Source IP = object-group OBJG_ALLOWED_FROM_OUTSIDE
Source port: usually blank, since the ACL is more concerned with the destination port. If not specified, it means any.
Destination IP = object ObjInternal-192.168.1.9
Destination port = object-group IN_TRAFFIC
Keeping those in mind, source IP/port and destination IP/port can be specific values, an object or an object-group. So in the end, the ACL can be a single line using objects and object-groups, or individual lines using specific IP/port values. If planned and named properly, objects and object-groups can tidy up the configuration for ease of troubleshooting, or it can be a nightmare, as when reading each ACL line you'll have to reference the object/object-group configuration. Either way, it's up to the admin.

Hope this gives you a helpful insight, let me know if you have further questions and I'll be glad to help out.

Zeke2016 (Author) commented:
Thanks. And for the source IP, I could use "any" instead of creating an object group and adding IPs, correct?

ffleisma (Senior Network Engineer) commented:
Yes, that is correct.

Zeke2016 (Author) commented:
So, I had issues with this change. It seems that as soon as I entered the static NAT command, internet access on the server would get shut down and I wasn't able to get to the outside. I added all the ACLs afterwards as well but still had no luck. Any ideas?

ffleisma (Senior Network Engineer) commented:
A few things I can think of:
The order of your current NAT configuration. Existing NAT configuration might be causing the issue when the static is placed in. Did you do the static NAT specifying the number, "nat (inside,outside) 1"?
Is the public IP you are binding with static NAT not being used in any other NAT configuration? Also, is this public IP part of your outside interface subnet, or is it the outside interface itself?
If you can provide a sanitized configuration I might be able to look into it:
show run nat
show run object (only those being used in NAT statements)
show run object-group
You can also provide a packet-tracer output when the static NAT is in place. It would give us an idea where it is failing (ACL,NAT,route)
packet-tracer input inside tcp INTERNAL_SERVER_IP 80 8.8.8.8 80

Zeke2016 (Author) commented:
I'm not there now... will provide it ASAP. For the time being, just to give you more details...

Yes, I did put "1".
The IP is not being used anywhere else.
It's part of the outside interface subnet.

I ran packet-tracer and everything was "allow", no drops. It even said allow translation from private to public.

Please note: without the static NAT rule, I can get out using the outside interface (dynamic NAT).

ffleisma (Senior Network Engineer) commented:
Hmmm, if packet-tracer was fine, I'm assuming that there was no issue with the ACL or NAT.

How did you test the internet connectivity?
ping 8.8.8.8: if this is not working, icmp/echo on the inside interface and icmp/echo-reply on the outside might not be in place.
ping www.yahoo.com: this might show whether the issue could be due to DNS, and the same with icmp/echo and icmp/echo-reply being blocked.
telnet 46.228.47.114 80: that is a telnet to yahoo.com via http. If this fails, then the issue is with the ASA (ACL or NAT).

Zeke2016 (Author) commented:
Hi Ffleisma,

Here is some more configuration from the firewall that might help resolve the issue:

- Please note that I did not include ACLs for the two translations that are in place, since those have been there and are working. I am concerned with "objInternal-192.168.1.9 objExternal-62.x.x.3", as this is the one I am trying to add and still had no luck with. I included the configuration that I put in for the project as well as a little bit of additional configuration that is currently in the firewall that I believe could show the potential issue.

Thank you so much.

xlate per-session deny tcp any4 any4
xlate per-session deny udp any4 any4

interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 62.x.x.1 255.255.255.192
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0

object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.252.0

object network objInternal-192.168.1.9
host 192.168.1.9

object network objExternal-62.x.x.3
host 62.x.x.3

object network objOP-192.168.1.20
host 192.168.1.20

object network objOPS-192.168.1.21
host 192.168.1.21

object network objOP-62.x.x.20
host 62.x.x.20

object network objOPS-62.x.x.21
host 62.x.x.21

object network obj_ALL
 subnet 0.0.0.0 0.0.0.0

object-group network OBJG_Cloud_IPS_1
network-object host 22.x.x.x
network-object host 23.x.x.x

object-group network OBJG_Cloud_IPS_2
network-object host 24.x.x.x
network-object host 25.x.x.x

object-group service OBJG-SG_IN_TRAFFIC tcp
port-object eq https
port-object eq smtp

access-list NoNat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list access_interface_in extended permit icmp any4 any4
access-list access_interface_out extended permit icmp any4 any4
access-list inside_access_in line 1 extended permit any object objInternal-192.168.1.9 any
access-list outside_access_in line 1 extended permit tcp object-group OBJG_Cloud_IPS_1 object objInternal-192.168.1.9 object-group OBJG-SG_IN_TRAFFIC
access-list outside_access_in line 2 extended permit tcp object-group OBJG_Cloud_IPS_2 object objInternal-192.168.1.9 object-group OBJG-SG_IN_TRAFFIC

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

nat (inside,outside) 1 source static objInternal-192.168.1.9 objExternal-62.x.x.3
nat (inside,outside) source static objOP-192.168.1.20 objOP-62.x.x.20
nat (inside,outside) source static objOPS-192.168.1.21 objOPS-62.x.x.21
!
object network obj_ALL
 nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 62.x.x.1 1
timeout xlate 2:00:00
timeout pat-xlate 0:00:20

ffleisma (Senior Network Engineer) commented:
Looking at the configuration you provided, the NAT should be fine, but I do see an error in the ACL; this might be a typo on your end.
access-list inside_access_in line 1 extended permit any object objInternal-192.168.1.9 any

The correct statement should be "access-list inside_access_in line 1 extended permit ip object objInternal-192.168.1.9 any"
To allow PING specifically, you'll need to add the following:
access-list inside_access_in line 1 extended permit icmp object objInternal-192.168.1.9 any echo
!
access-list outside_access_in line 1 extended permit icmp any object objInternal-192.168.1.9 echo-reply

Also you have other static NAT configurations for 192.168.1.20 & 192.168.1.21, you can reference the ACL for those and add similar ACL for 192.168.1.9.

Lastly, when the static NAT configuration is added:
Can the server "telnet 46.228.47.114 80"?
Is the server using an external DNS?
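The checks the replies above walk through (every object named in a nat statement must exist, the mapped public IP must not be the outside interface address or be reused by another static NAT, and the token after permit/deny in an extended ACL must be a protocol), together with the ACL anatomy from the earlier reply, as an added Python lint; this is example code, not part of the thread or any Cisco tool. It runs over a constructed config modelled on the sanitized one posted above, and SAMPLE_CONFIG, parse_config and lint are names chosen here.

```python
# Constructed sample modelled on the sanitized config posted in this thread ("x"
# placeholder octets kept). It deliberately contains two slips: a "permit any object ..."
# ACL line with no protocol, and a NAT statement naming an object that is never defined.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif outside
 ip address 62.x.x.1 255.255.255.192
object network objInternal-192.168.1.9
 host 192.168.1.9
object network objExternal-62.x.x.3
 host 62.x.x.3
object network objOPS-62.x.x.21
 host 62.x.x.21
access-list inside_access_in line 1 extended permit any object objInternal-192.168.1.9 any
access-list outside_access_in line 1 extended permit tcp any object objInternal-192.168.1.9 eq https
nat (inside,outside) 1 source static objInternal-192.168.1.9 objExternal-62.x.x.3
nat (inside,outside) source static objOP-192.168.1.21 objOPS-62.x.x.21
"""

def parse_config(text):
    objects, acls, nats, outside_ip = {}, {}, [], None
    obj = iface = None
    for raw in text.splitlines():
        w = raw.split() or [""]  # blank lines become a harmless no-match
        if w[:2] == ["object", "network"]:
            obj = w[2]
            objects[obj] = None
        elif w[0] in ("host", "subnet") and obj:
            objects[obj] = w[1]  # value of the most recent "object network"
        elif w[0] == "nameif":
            iface = w[1]
        elif w[:2] == ["ip", "address"] and iface == "outside":
            outside_ip = w[2]
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(w)
        elif w[0] == "nat":
            nats.append(w)
    return objects, acls, nats, outside_ip

def lint(text):
    objects, acls, nats, outside_ip = parse_config(text)
    out = []
    for name, lines in acls.items():
        for w in lines:
            act = w.index("extended") + 1  # permit/deny; a protocol must follow it
            if w[act + 1] in ("any", "any4", "any6", "host"):
                out.append(f"ACL {name}: missing protocol after {w[act]}")
            out += [f"ACL {name}: undefined object {n}"
                    for t, n in zip(w, w[1:]) if t == "object" and n not in objects]
    seen = {}  # mapped IP -> object already using it
    for w in nats:
        if "static" in w:  # dynamic PAT ("nat ... dynamic interface") is not checked
            real, mapped = w[w.index("static") + 1:w.index("static") + 3]
            out += [f"NAT references undefined object {o}" for o in (real, mapped) if o not in objects]
            ip = objects.get(mapped)
            if ip and ip == outside_ip:
                out.append(f"NAT maps to the outside interface address {ip}")
            elif ip and ip in seen:
                out.append(f"mapped IP {ip} is used by both {seen[ip]} and {mapped}")
            seen.setdefault(ip, mapped)
    return out
```

Feed it the output of "show run object", "show run access-list" and "show run nat" joined together; an empty list means none of the thread's checklist items apply.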

Zeke2016 (Author) commented:
Hello,

Thank you for your help and time ffleisma.

- I will be going over at the end of next week to give it another try, and I will try to do the telnet.
- It is using an external DNS.

Do I need to do any clearing with xlate or conn?

Thank you so much.

Zeke

Zeke2016 (Author) commented:
Additionally, in one of the above replies you mentioned the following:

"check DNS resolution, if you are using an external DNS, you'll need to allow the traffic from the server to external DNS. Also note that the public IP of the server is now changed at this point."

Having the following ACL in place would take care of that, too, correct?

access-list inside_access_in line 1 extended permit ip object objInternal-192.168.1.9 any

Thanks

ffleisma (Senior Network Engineer) commented:
Yup, the "allow ip" rule should be able to catch the DNS as well.

Since you mentioned that the packet tracer output was doing fine, I tend to suspect DNS. The packet-tracer output should be able to provide a clue to where it might be failing. Also you are right, clearing the xlate can help to ensure that NAT bindings are renewed.

If the packet-tracer went fine and you can do a telnet via port 80, then I think it would be less likely an issue with the firewall configuration. Hopefully you would be able to accomplish your project next time around.

Zeke2016 (Author) commented:
Great solution that provided all details.
Question has a verified solution.
