Cisco ASA 5505 NAT question

I am using a Cisco ASA 5505 with 8.4. When I used my previous version, 8.2, and had the static entry static (inside,outside) x.x.x.22 192.168.1.15 netmask 255.255.255.255, if I went to that server and ran a "What's my IP address" check on the internet, I would receive the x.x.x.22 address.
With 8.4 I have the:
object network server1
 host 192.168.1.15
object network server1
 nat (any,any) static x.x.x.77 service tcp x x

If I do the "What's my IP" check from that host, I get the IP address of the firewall, x.x.x.74.

Is there a way I can get it to show the static address?
gbohrman asked:

ffleisma (Senior Network Engineer) commented:
You can try the following:
configure terminal
! 
object network obj_any
 no nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic obj_any interface
!
object network server1
 host 192.168.1.15
!
object network server1
 nat (inside,outside) static x.x.x.77 service tcp x x
!
object network server1_external
 host x.x.x.77
!
nat (inside,outside) source static server1 server1_external unidirectional
!

Lines 3-4 remove the existing PAT (NAT overload) to the outside interface.
Line 6 is similar to what lines 3-4 were previously doing: NAT obj_any to the interface (which is outside). The "after-auto" keyword means to place this NAT statement at the bottom even if new NAT statements are created.
Lines 8-12 are the port forwarding NAT that translates x.x.x.77 to 192.168.1.15 when x.x.x.77 is accessed via port x from outside (internet).
Lines 14-17 are the NAT statement specifying to NAT source 192.168.1.15 to x.x.x.77 when trying to access outside (internet).
Hope this helps; give it a try and hopefully you will be able to resolve your issue.
ffleisma (Senior Network Engineer) commented:
The correct static NAT you should use is the following:
object network server1
 host 192.168.1.15
object network server1
 nat (inside,outside) static x.x.x.77

Take note of the nat (inside,outside): you might have named your internal and external interfaces differently from inside/outside. You can keep this as "nat (any,any)", but it would be better practice to always indicate the NAT interfaces to avoid future issues.
There is no need for "service tcp x x" unless you wish to do port forwarding; without it, it will be just fine for regular static NAT.
Depending on your existing NAT configuration, an existing NAT is on top of this static NAT; that is why your 192.168.1.15 server is being NATed to .74 instead of .77. You'll probably have to re-arrange the order of your NAT. If you do a "show run nat" you will notice a NAT statement on top of this static NAT that is causing 192.168.1.15 to be NATed to .74 (I'm guessing .74 is your outside interface, and you are doing a PAT/NAT overload for 192.168.1.x to your outside interface).
gbohrman (Author) commented:
I will switch to inside,outside for better practice. That is what they are called.

I actually am doing port forwarding to that IP address. Would I add that line?
ffleisma (Senior Network Engineer) commented:
Yes, you'll need that line if you are doing port forwarding.

Example: port 80 retaining the same port 80 on the internal host 192.168.1.15
object network server1
 host 192.168.1.15
!
object network server1
 nat (inside,outside) static x.x.x.77 service tcp www www

Example: external port 8080 to port 80 on the internal host 192.168.1.15
object network server1
 host 192.168.1.15
!
object network server1
 nat (inside,outside) static x.x.x.77 service tcp 8080 www

Open in new window


And don't forget about adding a permissive ACL on the outside interface. The order of operations is a bit different on pre-8.3 and on 8.3 and above.
access-list outside_access_in extended permit ip any host 192.168.1.15
!
access-group outside_access_in in interface outside
!

Open in new window

Notice the ACL references the internal IP and not the external one (x.x.x.77); this is the behaviour in 8.3 and above. The NAT operation comes first (meaning the packet destination gets translated first from x.x.x.77 to 192.168.1.15); after NAT, the ACL gets applied, hence the ACL references the internal IP.

Hope this helps!
gbohrman (Author) commented:
Below is my config. I don't have the access-lists; perhaps that is my issue. I'd like to add:
object network server1
 host 192.168.1.15
!
object network server1
 nat (inside,outside) static x.x.x.77 service tcp 8080 8080

and have it show that its return address is .77, not .74 (the outside interface).

SHOW RUN:
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 15.15.67.74 255.255.255.248
!
boot system disk0:/asa847-23-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain1
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network local_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network remote_192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network rachelnj
 host 192.168.1.138
object network susan
 host 192.168.1.122
object network darlene
 host 192.168.1.217
object network valerie
 host 192.168.1.77
object network gb
 host 192.168.1.44
object network richter
 host 192.168.1.17
object network remote_192.168.75.0
 subnet 192.168.75.0 255.255.255.0
object network remote_192.168.200.0
 subnet 192.168.200.0 255.255.255.0
access-list outside extended permit ip any any
access-list outside_cryptomap_3 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.75.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.3.0 remote_192.
168.3.0 no-proxy-arp route-lookup
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.200.0 remote_19
2.168.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.75.0 remote_192
.168.75.0 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network user1
 nat (any,any) static 15.15.67.78 service tcp 3389 3389
object network user2
 nat (any,any) static 15.15.67.78 service tcp 3391 3391
object network user3
 nat (any,any) static 15.15.67.78 service tcp 3392 3392
object network user4
 nat (any,any) static 15.15.67.78 service tcp 3393 3393
object network user5
 nat (any,any) static 15.15.67.78 service tcp 3390 3390
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.251.67.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 15.15.67.130
crypto map outside_map 3 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 10 match address outside_cryptomap_2
crypto map outside_map 10 set pfs group1
crypto map outside_map 10 set peer 14.14.119.62
crypto map outside_map 10 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 25 match address outside_cryptomap_1
crypto map outside_map 25 set pfs group1
crypto map outside_map 25 set peer 13.13.64.78
crypto map outside_map 25 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto ca server
 shutdown
 cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
 issuer-name CN=ciscoasa
 smtp from-address admin@ciscoasa.null
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
tunnel-group 15.15.67.130 type ipsec-l2l
tunnel-group 15.15.67.130 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 13.13.64.78 type ipsec-l2l
tunnel-group 13.13.64.78 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 14.14.119.62 type ipsec-l2l
tunnel-group 14.14.119.62 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:aff1f1f7c715099419200203a15d0f06
: end
ffleisma (Senior Network Engineer) commented:
This is your NAT config (Ctrl+F "nat" in Notepad, or "show run nat" in the CLI):
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.3.0 remote_192.
168.3.0 no-proxy-arp route-lookup
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.200.0 remote_19
2.168.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.75.0 remote_192
.168.75.0 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network user1
 nat (any,any) static 15.15.67.78 service tcp 3389 3389
object network user2
 nat (any,any) static 15.15.67.78 service tcp 3391 3391
object network user3
 nat (any,any) static 15.15.67.78 service tcp 3392 3392
object network user4
 nat (any,any) static 15.15.67.78 service tcp 3393 3393
object network user5
 nat (any,any) static 15.15.67.78 service tcp 3390 3390

This is an ordered list that is processed from top to bottom.
Whenever you add a new NAT statement it is inserted at the very bottom.
Lines 8-9 are the lines that come in front of your static NAT. Lines 8-9 mean that any source (including 192.168.1.x) is NATed to the outside interface. Hence your server is being NATed to x.x.x.74:
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.74 255.255.255.248

When you add a new static NAT statement, the new statement is added at the very bottom. What you can do is remove the existing NAT, then add the new static NAT, and re-add the NAT you have removed. Just like below:
configure terminal
! 
object network obj_any
 no nat (inside,outside) dynamic interface
!
object network server1
 nat (any,any) static x.x.x.77 service tcp x x
!
object network obj_any
 nat (inside,outside) dynamic interface

Lines 3-4 remove the PAT overload.
Lines 6-7 add the static NAT.
Lines 9-10 re-add the PAT overload.

Hope that makes sense.

With regards to the outside ACL, you already have an existing access-group:
access-list outside extended permit ip any any
!
access-group outside in interface outside

Since this is already "any any", you don't have to add an ACL anymore, as this is already allowing any-any traffic.
I do recommend limiting this to specific ports, as doing an "any any" is often bad practice.
Hope this helps; let me know if you have further questions, I'll be glad to help out!
ffleisma (Senior Network Engineer) commented:
I've overlooked one thing: the port forwarding mentioned above handles the traffic coming from the internet going to x.x.x.77, but the traffic from the internal server to the internet will need an additional NAT statement for it to be visible as x.x.x.77 to the internet. Here is the complete config you should do:
configure terminal
! 
object network obj_any
 no nat (inside,outside) dynamic interface
!
object network server1
 nat (any,any) static x.x.x.77 service tcp x x
!
object network server1_external
 host x.x.x.77
!
nat (inside,outside) source static server1 server1_external
!
object network obj_any
 nat (inside,outside) dynamic interface

Lines 3-4 remove the PAT to the outside interface; we will re-add it later at lines 14-15 to ensure it goes to the bottom of the NAT list and is processed last.
Lines 6-7 add the port forwarding configuration. External users accessing destination IP x.x.x.77 via port x get un-NATed to server 192.168.1.15 port x.
Lines 9-10 create an object to be used in the line 12 NAT statement.
Line 12 is the configuration that NATs source 192.168.1.15 (server1) to x.x.x.77 (server1_external) when it is accessing the internet.
Lines 14-15 re-add the PAT to the outside interface we previously removed at lines 3-4.
Your final config when you do a "show run nat" would look something like below:
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.3.0 remote_192.
168.3.0 no-proxy-arp route-lookup
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.200.0 remote_19
2.168.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.75.0 remote_192
.168.75.0 no-proxy-arp route-lookup
!
object network user1
 nat (any,any) static 15.15.67.78 service tcp 3389 3389
object network user2
 nat (any,any) static 15.15.67.78 service tcp 3391 3391
object network user3
 nat (any,any) static 15.15.67.78 service tcp 3392 3392
object network user4
 nat (any,any) static 15.15.67.78 service tcp 3393 3393
object network user5
 nat (any,any) static 15.15.67.78 service tcp 3390 3390
object network server1
 nat (any,any) static x.x.x.77 service tcp x x
!
nat (inside,outside) source static server1 server1_external
!
object network obj_any
 nat (inside,outside) dynamic interface

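The lookup order this answer relies on, as an added illustration that is not part of the thread: a small Python model of ASA 8.3+ NAT evaluation (Section 1 manual/twice NAT, then Section 2 object NAT with static rules ahead of dynamic ones, then Section 3 after-auto), applied to the asker's rules before and after the Section 1 twice NAT is added. The x.x.x.74 and x.x.x.77 addresses and port 8080 come from the thread; the Rule class and the helper functions are constructed for this example, and Section 2 tie-breaking by address count is deliberately left out.

```python
# Added illustration (not from the thread): a minimal model of how an
# ASA 8.3+ picks a NAT rule for an outbound packet. Section 1 = manual
# (twice) NAT in configured order; Section 2 = object NAT, evaluated static
# before dynamic (address-count tie-breaking omitted); Section 3 = after-auto.
from dataclasses import dataclass
from typing import List, Optional

OUTSIDE_IF = "x.x.x.74"  # outside interface address from the thread


@dataclass
class Rule:
    section: int                      # 1 manual, 2 object NAT, 3 after-auto
    real: str                         # real host, or "any" for obj_any
    mapped: str                       # mapped address, or "interface"
    static: bool = True
    real_port: Optional[int] = None   # "service tcp <real> <mapped>"

    def matches(self, src_ip: str, src_port: int) -> bool:
        if self.real != "any" and self.real != src_ip:
            return False
        # A port-restricted static rule only translates that one port, so a
        # browser request leaving from an ephemeral port never matches it.
        return self.real_port is None or self.real_port == src_port


def lookup_order(rules: List[Rule]) -> List[Rule]:
    """Section 1, then Section 2 (static first), then Section 3; stable."""
    return sorted(rules, key=lambda r: (r.section,
                                        0 if (r.static or r.section != 2) else 1))


def translate_source(rules: List[Rule], src_ip: str, src_port: int) -> str:
    """Mapped source address the internet sees: first matching rule wins."""
    for r in lookup_order(rules):
        if r.matches(src_ip, src_port):
            return OUTSIDE_IF if r.mapped == "interface" else r.mapped
    return src_ip  # no rule matched: sent untranslated


# The asker's object-NAT-only configuration (Section 2 rules only).
BEFORE = [
    Rule(2, "any", "interface", static=False),             # obj_any PAT
    Rule(2, "192.168.1.15", "x.x.x.77", real_port=8080),   # server1 port forward
]
# The complete config above adds a Section 1 twice NAT for server1.
AFTER = BEFORE + [Rule(1, "192.168.1.15", "x.x.x.77")]


def whats_my_ip(rules: List[Rule], src_ip: str = "192.168.1.15") -> str:
    """Outbound 'what's my IP' web request from an ephemeral source port."""
    return translate_source(rules, src_ip, 51234)


if __name__ == "__main__":
    print("before:", whats_my_ip(BEFORE))  # x.x.x.74 (interface PAT wins)
    print("after: ", whats_my_ip(AFTER))   # x.x.x.77 (Section 1 twice NAT)
```

In this model the port-forward rule translates only connections on port 8080, so the server's ordinary web traffic falls through to the interface PAT regardless of where that rule sits; the Section 1 twice NAT is what makes all of the server's outbound traffic appear as x.x.x.77.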
gbohrman (Author) commented:
This is helping tremendously, and I believe I have followed everything correctly, but that system cannot get to the internet now. The gateway looks good and DNS is resolving. All other hosts on the network are OK.
show run nat:
LakewoodASA(config-network-object)# show run nat
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.3.0 remote_192.
168.3.0 no-proxy-arp route-lookup
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.200.0 remote_19
2.168.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static local_192.168.1.0 local_192.168.1.0 destination static remote_192.168.75.0 remote_192
.168.75.0 no-proxy-arp route-lookup
nat (inside,outside) source static gentran gentran_external
!
object network obj_any
 nat (inside,outside) dynamic interface
object network rachelnj
 nat (any,any) static 66.251.67.78 service tcp 3389 3389
object network susan
 nat (any,any) static 15.15.15.78 service tcp 3391 3391
object network darlene
 nat (any,any) static 15.15.15.78 service tcp 3392 3392
object network valerie
 nat (any,any) static 15.15.15.78 service tcp 3393 3393
object network gb
 nat (any,any) static 15.15.15.78 service tcp 3390 3390
object network gentran
 nat (any,any) static 15.15.15.77 service tcp 5080 5080