Hi Laz,
thanks a lot for your reply.
What part in the syntax tells the router that this is only applicable for outside to inside communication?
The (DMZ,OUTSIDE) part, or what?
Regards
Florian
Hello Florian
According to Cisco, concerning the implementation of Network Object NAT:
When a packet enters the adaptive security appliance, both the source and destination IP addresses and ports are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.
Let’s take a look at your example:
ASA1(config)# object network SSH_SERVER
ASA1(config-network-object)# host 192.168.3.3
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 22 10022
For traffic originating outside and coming in, the following must be matched in order for this translation to take place:
* destination address of outside interface
* destination port of TCP 10022
For this same NAT rule to allow a translation to occur for traffic originating inside and going out, the following must be matched:
* source address of 192.168.3.3
* source port of 22
Translation will occur in this case, however, (as is the case with most services) port 22 is a listening port. It is designed to listen for incoming requests. The client server model is set up such that clients choose a random TCP port (somewhere between 49152–65535) and connect with the specific port of the service, 22 in this case being SSH. Although you can configure port 22 to initiate sessions, it is rarely done.
I hope this has been helpful!
Laz
Hi Laz,
thanks a lot for your help!
So here just the port number makes the difference?
And what is the “(DMZ,OUTSIDE)” for? Does this statement have anything to do with the direction the NAT rule works? Can’t find anything about this.
Thanks
Florian
Hello Florian
As mentioned in the Cisco quote, the command will function in both directions, however, the appropriate IP addresses and ports must be used in order for the transmission to match the NAT object and to successfully be translated.
As for the (DMZ,OUTSIDE) portion of the command, it must have the following syntax:
**nat** [(real_ifc,mapped_ifc)] …
The real_ifc is the real interface, that is the interface pointing towards the server/device for which you are configuring static NAT. The mapped_ifc is the mapped interface, that is, the interface to which you are implementing the NAT translation.
You can find more information about NAT on an ASA at this Cisco Documentation.
I hope this has been helpful!
Laz
Is there ever a scenario where you would need to configure NAT from outside to inside ie “nat (outside,inside)”? It seems like you could do pretty much everything you need with the “(inside,outside)” direction.
thank you.
Hello Bruce
Although it is true that the vast majority of NAT configurations are indeed nat (inside,outside), there are situations where the nat (outside,inside) scenario is useful. One such example is if you have a web server that is on the Internet that you want users on the inside of a network to access using an internal private address.
This example can be seen in the following Cisco documentation on pages 2 to 4 in a section titled “NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)”
I hope this has been helpful!
Laz
Hello,
In this topology I have a few questions.
Can I telnet from router R2 to R1 like
telnet 192.168.1.10 80 ? (with port number)
If yes, then I don’t know why I can’t.
I can telnet 192.168.1.10 (just with the IP but not with the port number).
I enabled IP HTTP SERVER on R1 already.
When I tried with the port number it says it’s open but the connection is never established.
I can telnet from R1 to R2 with and without the port number and I can get access to R2 easily.
Thanks
Ankit
Hello Aniket
Yes, this is a valid command, you can add the port number you wish to use at the end of the command. However, in order for it to function, you require the Telnet server to be functioning and listening at the same port number that you are typing.
The command telnet 192.168.1.10 will use the default port number of 23. Because R1 is listening for Telnet sessions on this port, when you issue this command, it will work. By using the command telnet 192.168.1.10 80, you are instructing Telnet to attempt to create a Telnet session with R1 on port 80. But R1 is not running a Telnet server on port 80, but on port 23, so the attempt will fail.
The reason it said that the port is open is that port 80 is indeed open because you enabled the http server. Port 80 is used by the web or http server. So if you were to open a web browser and enter the IP address of R1, you would see the management web page of the device.
So when you connect to open ports, you must also use the appropriate application to access the desired feature. A web browser using HTTP should be used to connect to port 80 and a Telnet client to connect to Telnet.
It is possible to change the default ports used by particular applications if you choose to.
I hope this has been helpful!
Laz
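Laz’s point above, that “Open” only means the TCP handshake completed and that the application listening on the port decides what happens next, can be reproduced on one machine. The Python below is an added example, not code from this thread or from Cisco: it starts a tiny HTTP server on 127.0.0.1 as a constructed stand-in for R1’s `ip http server`, then connects to it twice as a raw TCP client, once sending an HTTP request and once sending the option-negotiation bytes a Telnet client opens with. Both connections are accepted, but only the HTTP one gets a usable page back; the Telnet-style bytes are answered with the web server’s error page and the session is closed.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class ManagementPage(BaseHTTPRequestHandler):
    """Constructed stand-in for a router's web management server."""

    def do_GET(self):
        body = b"router management page\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo silent
        pass


def start_web_server() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), ManagementPage)   # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port: int, payload: bytes) -> bytes:
    """Complete the TCP handshake (the IOS client's 'Open'), send one application
    payload, and return whatever the listener answers before closing."""
    s = socket.create_connection(("127.0.0.1", port), timeout=3)
    try:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)          # nothing more to send; wait for the reply
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    finally:
        s.close()
    return reply


HTTP_GET = b"GET / HTTP/1.0\r\n\r\n"
# What a Telnet client sends first: IAC WILL TERMINAL-TYPE, IAC DO ECHO.
TELNET_HELLO = b"\xff\xfb\x18\xff\xfd\x01"


def run_demo() -> dict:
    """Same open port, two clients: a web client gets a 200, the Telnet-style
    negotiation is rejected with the server's 400 error page."""
    srv = start_web_server()
    port = srv.server_address[1]
    try:
        http_reply = probe(port, HTTP_GET)
        telnet_reply = probe(port, TELNET_HELLO)
    finally:
        srv.shutdown()
        srv.server_close()
    return {
        "http_ok": http_reply.startswith(b"HTTP/1.0 200"),
        "telnet_rejected": b"Error code: 400" in telnet_reply,
    }


if __name__ == "__main__":
    print(run_demo())
```

The same reasoning applies in reverse: a Telnet or SSH listener will happily accept the handshake from a browser and then fail to parse the HTTP request, so “port open” in a scan or a `telnet host port` test is only evidence that something is listening, not that it is the service you expect.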
Thanks for your reply.
Everything works internally now, but when I tried to telnet from R3 to R1 using port 80 it says the port is open but the connection is never established.
When I tried to SSH into R2 from router R3 it won’t work.
ASA configuration:
interface GigabitEthernet0/0
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
object network web-server
host 192.168.1.10
object network ssh-server
host 192.168.1.20
access-list dmz-server extended permit tcp any host 192.168.1.10 eq www
access-list dmz-server extended permit tcp any host 192.168.1.20 eq ssh
object network web-server
nat (dmz,outside) static interface service tcp www www
object network ssh-server
nat (dmz,outside) static interface service tcp ssh ssh
access-group dmz-server in interface outside
Hi,
I have 1 public IP that I need to PAT for 40 ports to the inside. Some are 1-to-1 port (pub to priv), some are multiple to 1. Some need redirected ports. Do I have to create a network object for each translation of multiple pub to 1 inside IP?
Example
Outside interface to inside IP of 10.10.10.50 needs ports 554, 2000, 3000, 2222 translated.
Do I do
object network obj-10.10.10.50-554
host 10.10.10.50
nat (inside,outside) static interface service tcp rtsp rtsp
object network obj-10.10.10.50-2000
host 10.10.10.50
nat (inside,outside) static interface service tcp 2000 2000
Or is there a way to do it under 1 network object or no network object?
Thanks for your insight
Hello Ankit
Once again, Telnet uses port 21 and all Telnet servers will listen in on port 21. You attempted to Telnet to port 80, but the server is not listening on port 80 for Telnet sessions. The port is indeed open, but the server is expecting web requests there. This is why the connection will never be established.
At first glance it doesn’t seem like your ASA is blocking the SSH connection. I suggest you try to connect from R1 to R2 using SSH to see if the SSH configuration is correct on R2. If that works correctly, you can begin troubleshooting other issues on the ASA that may not be in the config that you shared.
I hope this has been helpful!
Laz
Hello
I am having another issue now. I am trying to access mail.csm-compressor.com from my internal network but for some reason I can’t access it. Everything else works fine. I can access it from outside of our network.
It’s managed by Google or Gmail.
Please explain a bit about the BVI interface, like the major difference between BVI and VLAN,
because we are using BVI interfaces for the inside and dmz networks.
If you have any idea about that please let me know.
Hello Ankit
In order for us to help you out with the accessibility of the external sites, you’ll have to give us a little more information about your topology and your setup.
As for the BVI interface, take a look at this post:
I hope this has been helpful!
Laz
We are configuring a new ASA 5506 and this is our topology.
We are having some serious issues accessing remote desktop from outside.
nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside
We use the above rule to allow internet from inside to outside and it works, and it is at number 1 in the NAT rules.
Now we have a few servers that we would like to access from outside, so we were trying to open ports.
We created network object NAT rules and access-lists for that; for some reason it didn’t work, so we created manual NAT before the network object NAT rules. It only works when it is at number 1. That’s fine, but then our internet stops working.
So we don’t have any idea what we are doing wrong.
If someone can help me ASAP, because we are planning to deploy ASAP.
Thanks, Ankit
Hi Ankit,
Do you still have issues with this? You don’t need more than this config:
ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface
ASA1(config)# access-list OUTBOUND_INBOUND extended permit tcp any object SSH_SERVER eq 22
ASA1(config)# object network SSH_SERVER
ASA1(config-network-object)# host 192.168.1.100
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static interface service tcp 22 10022
Which translates all traffic on the INSIDE to the public IP address on your OUTSIDE interface. It also forwards TCP 10022 to a SSH server listening on TCP 22 on the INSIDE.
Rene
Hello Rene,
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 3
nameif vlan2_1
security-level 100
!
interface GigabitEthernet1/7
bridge-group 2
nameif dmz_6
security-level 50
!
interface GigabitEthernet1/8
bridge-group 2
nameif dmz_7
security-level 50
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface BVI2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface BVI3
nameif vlan2
security-level 100
ip address 10.2.0.1 255.255.255.0
For some reason we can’t use our inside interface.
We have to use inside_1. If we try with inside it deletes our rule or access list. Don’t know why.
We were using ASA 9.8 before. I heard there was a bug for BVI so I upgraded to 9.9.2 but still the same problem.
I tried with the above configuration too. It didn’t help either.
Thanks
Hi Ankit,
The bridge group implementation on the ASA 5506 is a bit of a pain. Do you only use one INSIDE interface? If so, I would suggest getting rid of the bridge-group and cleaning it up. This is what I do on a new ASA 5506:
Remove all bridge group info from the interfaces:
interface GigabitEthernet1/2
no nameif
no bridge-group 1
interface GigabitEthernet1/3
no nameif
no bridge-group 1
interface GigabitEthernet1/4
no nameif
no bridge-group 1
interface GigabitEthernet1/5
no nameif
no bridge-group 1
interface GigabitEthernet1/6
no nameif
no bridge-group 1
interface GigabitEthernet1/7
no nameif
no bridge-group 1
interface GigabitEthernet1/8
no nameif
no bridge-group 1
Delete the BVI:
clear configure interface BVI1
Delete all junk network objects:
no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7
You can then configure one of the interfaces as the INSIDE interface, no need to use the BVI.
Rene
Hello Rene,
I’ve been reading the ASA NAT port forwarding lesson and the corresponding comments, which have indeed helped me better understand how, e.g., DMZ NAT port forwarding should be done. However, none of the provided examples have been working on my 5512-X box, until I came across this post from Cisco - https://community.cisco.com/t5/firewalls/asa-8-4-port-forward-problem/td-p/1780460 which basically adds additional parameters to the nat statement. Would you be able to explain the difference between the two approaches?
Bear in mind the version of the 5512 is 9.1(2). Simple setup with:
interface GigabitEthernet0/0.101
description Outside VLAN101
no shutdown
vlan 101
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
description LAN
no shutdown
nameif inside
security-level 100
ip address 192.168.23.1 255.255.255.0
interface GigabitEthernet0/5
description DMZ Network
nameif DMZ
security-level 10
ip address 10.0.0.1 255.255.255.0
Inside (security level 100)
nat (inside,outside) after-auto source dynamic any interface description Inside -> Outside PAT
nat (DMZ,outside) after-auto source dynamic any interface description DMZ -> Outside PAT
Approach #1 (does work):
!Minecraft server Object - real IP
object network Minecraft01
host 10.0.0.15
! Patting the host on port 25565 ports
object service tcp_25565
service tcp destination eq 25565
object service udp_25565
service udp destination eq 25565
nat (outside,DMZ) source static any any destination static interface Minecraft01 service tcp_25565 tcp_25565
nat (outside,DMZ) source static any any destination static interface Minecraft01 service udp_25565 udp_25565
!Allowing the Real ip in my outside interface via ACL
access-list outside_access_in extended permit tcp any host 10.0.0.15
access-list outside_access_in extended permit udp any host 10.0.0.15
access-group outside_access_in in interface outside
Approach #2 (Does not work):
object network Minecraf01
host 10.0.0.15
!
access-list outside_access_in extended permit tcp any host 10.0.0.15 eq 25565
access-list outside_access_in extended permit udp any host 10.0.0.15 eq 25565
!
nat (DMZ,OUTSIDE) static interface service tcp 25565 25565
nat (DMZ,OUTSIDE) static interface service udp 25565 25565
access-group outside_access_in in interface outside
Thank you in advance.
Filip
Hi Filip,
Late reply from my end, just in case I checked this. On ASA 9.X:
ASA1# show version
Cisco Adaptive Security Appliance Software Version 9.8(2)
I have a simple setup with an INSIDE and OUTSIDE interface:
ASA INSIDE: 192.168.1.254
ASA OUTSIDE: 192.168.2.254
There is a host on 192.168.1.1 on the INSIDE, another host with 192.168.2.2 on the OUTSIDE.
This still works for me:
object network WEB_SERVER
host 192.168.1.1
nat (INSIDE,OUTSIDE) static interface service tcp 80 80
access-list WEB_SERVER extended permit tcp any host 192.168.1.1 eq 80
access-group WEB_SERVER in interface OUTSIDE
Quick test:
R2#telnet 192.168.2.254 80
Trying 192.168.2.254, 80 ... Open
What does packet-tracer tell you?
ASA1# packet-tracer input OUTSIDE tcp 192.168.2.2 12345 192.168.2.254 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WEB_SERVER
nat (INSIDE,OUTSIDE) static interface service tcp www www
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 192.168.2.254/80 to 192.168.1.1/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WEB_SERVER in interface OUTSIDE
access-list WEB_SERVER extended permit tcp any host 192.168.1.1 eq www
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WEB_SERVER
nat (INSIDE,OUTSIDE) static interface service tcp www www
Additional Information:
Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16, packet dispatched to next module
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
In your case, you could try:
ASA1(config)# packet-tracer input OUTSIDE tcp 1.2.3.4 12345 10.0.0.15 25565
About your other question:
This is a good question, let me explain. The ASA supports Auto NAT and Manual NAT.
* Auto NAT
* Manual NAT
My example is Auto NAT. Your example is Manual NAT.
With a simple port forward, Auto NAT is quick and simple. For more complex translations, you need to use Manual NAT.
With Auto NAT, NAT statements order themselves. With Manual NAT, you have to do this yourself.
If you use both Auto NAT and Manual NAT, you also have to consider the ASA’s preference:
1: Manual NAT
2: Auto NAT
It is possible to change the order so that Manual NAT statements are processed after Auto NAT.
In your case where you probably have one server behind your ASA, it really doesn’t matter much whether you use Auto or Manual NAT.
Hope this helps!
Rene
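Two points in this thread can be checked in a small model: Laz’s explanation that the SSH_SERVER rule matches in both directions (inbound, the destination must be the mapped address and mapped port 10022; outbound, the source must be 192.168.3.3 sending from port 22), and Rene’s note that Manual NAT is evaluated before Auto NAT unless it is placed after-auto, which is exactly the keyword Filip’s PAT rules use. The Python below is an added illustration, not code from Cisco or from the lesson, and it simplifies: each rule carries one real host or subnet and one mapped address, the OUTSIDE interface address is a constructed 203.0.113.1 standing in for the `interface` keyword, dynamic PAT keeps the original source port rather than picking a free one, and the section-2 ordering (static before dynamic, fewer real addresses first, lower address first, then object name) is my reading of Cisco’s documented Auto NAT ordering, so treat it as an assumption. The rule objects are the statements quoted in this thread; the `after_auto` flag on the DMZ PAT rule shows why its placement matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OUTSIDE_IP = "203.0.113.1"   # constructed stand-in for the "interface" keyword


@dataclass(frozen=True)
class Packet:
    in_ifc: str      # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str                        # object name (auto NAT) or a label (manual NAT)
    real_ifc: str                    # the (real_ifc,mapped_ifc) pair of the nat statement
    mapped_ifc: str
    real: str                        # real host or subnet, CIDR form
    mapped: str                      # mapped address
    kind: str                        # "static" or "dynamic"
    manual: bool = False             # "nat (a,b) source ..." style rule
    after_auto: bool = False         # manual rule placed in section 3
    real_port: Optional[int] = None  # "service tcp REAL MAPPED"
    mapped_port: Optional[int] = None

    def section(self) -> int:
        return (3 if self.after_auto else 1) if self.manual else 2


Match = Tuple[str, str, Packet]      # (rule name, "NAT" or "UN-NAT", translated packet)


def order_table(rules: List[NatRule]) -> List[NatRule]:
    """Manual NAT (section 1), then auto NAT (section 2), then after-auto (section 3).
    Sections 1 and 3 keep configuration order; section 2 orders itself (assumed
    ordering: static before dynamic, fewer real addresses, lower address, name)."""
    def auto_key(r: NatRule):
        net = ip_network(r.real)
        return (r.kind != "static", net.num_addresses, int(net.network_address), r.name)
    by_sec = {1: [], 2: [], 3: []}
    for r in rules:
        by_sec[r.section()].append(r)
    return by_sec[1] + sorted(by_sec[2], key=auto_key) + by_sec[3]


def match_forward(r: NatRule, p: Packet) -> Optional[Match]:
    """Real -> mapped: arrives on real_ifc with a source in the real set (and real port)."""
    if p.in_ifc != r.real_ifc or ip_address(p.src) not in ip_network(r.real):
        return None
    if r.real_port is not None and p.sport != r.real_port:
        return None
    sport = r.mapped_port if r.mapped_port is not None else p.sport  # dynamic PAT simplified
    return (r.name, "NAT", Packet(p.in_ifc, r.mapped, sport, p.dst, p.dport))


def match_unnat(r: NatRule, p: Packet) -> Optional[Match]:
    """Mapped -> real: only static rules accept a connection started from the mapped side."""
    if r.kind != "static" or p.in_ifc != r.mapped_ifc or p.dst != r.mapped:
        return None
    if r.mapped_port is not None and p.dport != r.mapped_port:
        return None
    dport = r.real_port if r.real_port is not None else p.dport
    real_host = str(ip_network(r.real).network_address)  # one host per static rule here
    return (r.name, "UN-NAT", Packet(p.in_ifc, p.src, p.sport, real_host, dport))


def translate(rules: List[NatRule], p: Packet) -> Optional[Match]:
    """First rule in table order that matches in either direction wins."""
    for r in order_table(rules):
        hit = match_forward(r, p) or match_unnat(r, p)
        if hit:
            return hit
    return None


def thread_rules(dmz_pat_after_auto: bool) -> List[NatRule]:
    """The nat statements discussed in this thread, as rule objects."""
    return [
        # object network SSH_SERVER / host 192.168.3.3 /
        #   nat (DMZ,OUTSIDE) static interface service tcp 22 10022
        NatRule("SSH_SERVER", "DMZ", "OUTSIDE", "192.168.3.3/32", OUTSIDE_IP,
                "static", real_port=22, mapped_port=10022),
        # object network INSIDE / subnet 192.168.1.0 255.255.255.0 / nat (INSIDE,OUTSIDE) dynamic interface
        NatRule("INSIDE", "INSIDE", "OUTSIDE", "192.168.1.0/24", OUTSIDE_IP, "dynamic"),
        # nat (DMZ,OUTSIDE) [after-auto] source dynamic any interface
        NatRule("DMZ_PAT", "DMZ", "OUTSIDE", "0.0.0.0/0", OUTSIDE_IP, "dynamic",
                manual=True, after_auto=dmz_pat_after_auto),
    ]


def inbound(dport: int) -> Optional[Match]:
    """Constructed client 198.51.100.7 on OUTSIDE connecting to the ASA's outside address."""
    return translate(thread_rules(True), Packet("OUTSIDE", "198.51.100.7", 51000, OUTSIDE_IP, dport))


def outbound(sport: int, dmz_pat_after_auto: bool = True) -> Optional[Match]:
    """The SSH server on DMZ sending from the given source port."""
    return translate(thread_rules(dmz_pat_after_auto),
                     Packet("DMZ", "192.168.3.3", sport, "198.51.100.7", 51000))


if __name__ == "__main__":
    print(inbound(10022))        # UN-NAT to 192.168.3.3:22
    print(inbound(22))           # None: the mapped port must be 10022
    print(outbound(22))          # NAT to 203.0.113.1:10022 via SSH_SERVER
    print(outbound(22, False))   # section-1 manual PAT is hit first instead
    print(outbound(45000))       # falls through to DMZ_PAT
```

Running it shows the two things the thread circles around: `inbound(22)` matches nothing, because only the mapped port 10022 un-translates to the server (the port, not the interface pair, is what distinguishes the inbound match), and `outbound(22, False)` shows what happens when a catch-all manual PAT sits in section 1: the server’s replies leave with source port 22 under the PAT rule instead of 10022 under the static rule, which is the sort of breakage Filip’s `after-auto` keyword avoids.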
I am confused about this sentence:
nat (DMZ,OUTSIDE) static interface service tcp 22 10022
Should it not be nat (OUTSIDE,DMZ) static interface service tcp 22 10022,
since we are translating traffic from OUTSIDE to the DMZ and not the other way?
Normally when a firewall makes a PAT translation you specify that traffic that goes from the inside to the outside is translated to the outside interface, hence
object network host
host 192.168.1.1
nat(inside,outside) dynamic interface
Could you clarify this for me? Thanks