Saturday, April 20, 2013

Port Address Translation and NAT in Cisco ASA 9.1

I spent way too much time on this issue not to make an entry about it... hopefully this will save someone else the 12 hours of my life that Cisco snatched away from me with this little gem.

I recently had the (dis)pleasure of upgrading an older Cisco ASA 5510 from ASA 8.3 to the latest release... ASA 9.1. The system was stuck several revisions behind due to the memory limitations they imposed after 8.3, which required adding 1GB of memory to the system. The upgrade went well enough, no errors and internet access worked fine on first boot... however... it was quickly noted that outgoing email wasn't working. A bit of poking around revealed that the customer's spam filtering smart host, which was situated in the DMZ, was not sending email over the IP it was NAT'ed to... it was sending it out over the interface IP instead, causing SPF failures and mail rejection.

I spent hours building and rebuilding the NAT (which is completely different from the syntax in 8.3 mind you, so there was some learning curve here)... the lack of documentation online for our particular situation only exacerbated the problem. The key here was that the customer had a single external IP address that was previously responsible for both SMTP and HTTPS traffic... however... they had two internal hosts, a spam filter for SMTP in the DMZ, and an Exchange server for HTTPS in the LAN. In 8.3, it was a simple matter of doing a dynamic PAT for each host, assigning the IP that we wanted to NAT to and specifying the port it should use, with a matching ACL. Not so in 9.1!

Anyway, I'll spare you the endless futile attempts to figure out what eventually worked... and jump right into the code. First, I had to create TWO objects for each host that I wanted to have a PAT to (you'll see why in a minute):

object network Barracuda
  host 192.168.12.3
object network Exchange
  host 192.168.11.11
object network Exchange-SPAT
  host 192.168.11.11
object network Barracuda-SPAT
  host 192.168.12.3

Next, I set up my access control lists:

access-list outside_in extended permit tcp any4 object Exchange eq https
access-list outside_in extended permit tcp any4 object Barracuda eq smtp
access-list DMZ_access_in extended permit tcp object Barracuda object Exchange eq smtp

Finally, I created my NATs:
!
object network Barracuda
nat (DMZ,OUTSIDE) dynamic ExchangeExtIP
object network Exchange
nat (INSIDE,OUTSIDE) dynamic ExchangeExtIP
object network Exchange-SPAT
nat (INSIDE,OUTSIDE) static ExchangeExtIP service tcp https https
object network Barracuda-SPAT
nat (DMZ,OUTSIDE) static ExchangeExtIP service tcp smtp smtp
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
nat (DMZ,OUTSIDE) after-auto source dynamic any interface


So... see what I did there? In the NAT statements, I ended up having to NAT the IP of each server TWICE: once as a dynamic NAT to the external IP address I wanted it to be NAT'ed to (the first two nat statements), and then again as a static NAT to that same external IP, this time specifying the incoming port for each server. Clear as mud? Yeah, same for me.

Apparently, incoming traffic matches the second pair of NAT statements (the static ones with the service clause, effectively the PAT statements from 8.3), but the first two dynamic NAT statements are still required so that outgoing connections from those hosts use the same external IP instead of the interface IP.

The final two NAT statements above are just my regular after-auto dynamic NAT (interface PAT) entries, telling all other LAN and DMZ devices to use the interface IP for outgoing traffic.
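As an added illustration (not part of the original post), here is a small Python model of how the ASA walks the rules above for an outbound and an inbound connection; the external and interface addresses are constructed placeholders, and the rule ordering follows the ASA's documented section order (manual, object static, object dynamic, after-auto).

```python
from dataclasses import dataclass
from typing import List, Optional

OUTSIDE_IF_IP = "203.0.113.1"     # constructed placeholder: outside interface IP
EXCHANGE_EXT_IP = "203.0.113.10"  # constructed placeholder: ExchangeExtIP

@dataclass
class SrcNat:
    real_ip: str                      # host the rule applies to; "any" matches all
    mapped_ip: str                    # address the source is translated to
    static: bool                      # static object NAT vs. dynamic PAT
    real_port: Optional[int] = None   # set only for 'service tcp <real> <mapped>'
    section: int = 2                  # 2 = object NAT, 3 = after-auto

# The post's rules. The ASA evaluates section 2 static rules before section 2
# dynamic rules, and section 3 (after-auto) last.
POST_RULES: List[SrcNat] = [
    SrcNat("192.168.11.11", EXCHANGE_EXT_IP, True, 443),   # Exchange-SPAT
    SrcNat("192.168.12.3", EXCHANGE_EXT_IP, True, 25),     # Barracuda-SPAT
    SrcNat("192.168.11.11", EXCHANGE_EXT_IP, False),       # Exchange (dynamic)
    SrcNat("192.168.12.3", EXCHANGE_EXT_IP, False),        # Barracuda (dynamic)
    SrcNat("any", OUTSIDE_IF_IP, False, section=3),        # after-auto interface PAT
]

def ordered(rules: List[SrcNat]) -> List[SrcNat]:
    return sorted(rules, key=lambda r: (r.section, 0 if r.static else 1))

def outbound_source(rules: List[SrcNat], src_ip: str, src_port: int) -> str:
    """Mapped source IP for a connection leaving from src_ip:src_port."""
    for r in ordered(rules):
        if r.real_ip not in ("any", src_ip):
            continue
        # A static rule with a service clause matches only that real port, so
        # an outbound connection from an ephemeral source port skips it.
        if r.real_port is not None and r.real_port != src_port:
            continue
        return r.mapped_ip
    return src_ip  # no rule matched: the packet would leave untranslated

def inbound_real(rules: List[SrcNat], dst_ip: str, dst_port: int):
    """Real host:port for an inbound connection to dst_ip:dst_port. Only static
    rules are bidirectional; assumes real port == mapped port as in the post."""
    for r in ordered(rules):
        if r.static and r.mapped_ip == dst_ip and r.real_port == dst_port:
            return r.real_ip, r.real_port
    return None
```

Dropping the dynamic Barracuda rule from POST_RULES reproduces the symptom from the post: outbound SMTP from 192.168.12.3 falls through to the after-auto rule and leaves with the interface IP.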

Hopefully this helps someone else out there!

7 comments:

  1. THANKS, You just made my Friday!!!
    I spent 1 day to figure out this port forwarding, read and tried many solutions unsuccessfully. Would like to bill Cisco for that one day :)

  2. I'm having a bigger problem with static NAT, I want to NAT some addresses from one interface to another interface for specific destination addresses and only these addresses to have access to them, initiated from destination to source. It might seem simple at first look but believe me I've lost 2 days till now trying to figure out a possible solution... still don't have one. On the old version 8.2.1, everything worked like a charm... On this new version (9.1.4) it's almost impossible to make a simple... NAT... I also would like to charge Cisco for these lost days...

  3. Thanks so much,
    Spent 2 days turning around, thanks Cisco too !

  4. You saved my life... I have just bought a new Cisco ASA to replace an old one. With the old NAT configuration the firewall was impossible to work right. I have searched every Cisco source which includes examples and I could not make the firewall NAT work right. Probably Cisco did not change the commands like in version 8.3 but changed the way we use them... I should not bill Cisco... I should sue them... Excellent work... 10/10 PLUS!

  5. Thanks a ton, this is exactly what I needed!

  6. Excellent. Appreciate the time spent scratching your head for the solution. You really helped.
