Tuesday 31 January 2012

Static NAT and Cisco ASA 8.4

I like the Cisco ASA appliances and I like the Cisco CLI, but I don't always get the syntax I need right the first time, and then I spend a while scratching my head over how to do something. One of those things was the change to NAT in ASA 8.3 and above.

All I wanted to do was allow inbound access to an SMTP and HTTP server for a customer. On IOS this would take me a few minutes for the NAT statement and a few more for the Zone Based Firewall and class maps. But this is ASA and things are different, and in 8.3 they are even more different!

So my configuration is:

Internal Server - 172.22.0.5
Outside Interface - 78.xx.xx.xx
Services Required - SMTP & HTTPS

The first change is that 8.3 uses objects (network objects for IP addresses, service objects for ports) rather than raw values in the rules. That way you change the object and not the rules, which helps a lot in a big configuration.

First I define my internal server:

object network obj-server
host 172.22.0.5
exit

Next I define service objects for SMTP and HTTPS:

object service obj-smtp
service tcp source eq smtp
exit
object service obj-https
service tcp source eq https
exit

This is important: it creates objects for traffic with a source port of 25 or 443. The NAT statement is written from the point of view of the real (inside) host, and the server is the source of that traffic, so its ports are source ports. Once this is done a static NAT is required to translate traffic from anywhere on the Internet to our internal server. The service keyword takes the real service object and then the mapped one; here they are the same, as the show nat output later confirms.

nat (Inside,Internet) 1 source static obj-server interface service obj-smtp obj-smtp
nat (Inside,Internet) 2 source static obj-server interface service obj-https obj-https

We now have a translation from the inside host to the Internet interface on ports 25 and 443, but there are no rules allowing this traffic, and as it is going from a lower security interface to a higher one it will be dropped.

So we need an access control list to allow the traffic. Note that in 8.3 and above the ACL refers to the real (untranslated) address of the server, 172.22.0.5, not the mapped address on the Internet interface.

access-list acl-Internet-To-Inside extended permit tcp any host 172.22.0.5 eq smtp
access-list acl-Internet-To-Inside extended permit tcp any host 172.22.0.5 eq https

The final step is to apply this ACL to the Internet interface in the inbound direction.

access-group acl-Internet-To-Inside in interface Internet

From a remote server I telnet to my Internet interface IP address on port 25 and I connect. A show nat command displays the translations that have been created:

Manual NAT Policies (Section 1)
1 (Inside) to (Internet) source static obj-smtp interface   service smtp smtp
    translate_hits = 0, untranslate_hits = 8
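Because 8.3 and above match the ACL against the real address, the easiest mistake is to keep writing the permit against the mapped (outside) address and then wonder why nothing connects. The following Python script is an added example, not part of the post: it parses object, nat, access-list and access-group lines like the ones above (with a constructed placeholder for the outside address) and reports any static NAT whose real IP and port the inbound ACL does not actually permit.

```python
import re

# Constructed sample config (not the post's own). The https ACL entry deliberately
# names the mapped/outside address, the pre-8.3 habit that 8.3+ no longer matches.
OUTSIDE_IP = "203.0.113.10"  # placeholder standing in for the post's 78.xx.xx.xx
SAMPLE_CONFIG = f"""
object network obj-server
 host 172.22.0.5
object service obj-smtp
 service tcp source eq smtp
object service obj-https
 service tcp source eq https
nat (Inside,Internet) 1 source static obj-server interface service obj-smtp obj-smtp
nat (Inside,Internet) 2 source static obj-server interface service obj-https obj-https
access-list acl-Internet-To-Inside extended permit tcp any host 172.22.0.5 eq smtp
access-list acl-Internet-To-Inside extended permit tcp any host {OUTSIDE_IP} eq https
access-group acl-Internet-To-Inside in interface Internet
"""

PORTS = {"smtp": 25, "http": 80, "https": 443}  # ASA port names used on this page

def port_number(token):
    return int(token) if token.isdigit() else PORTS[token]

def parse(config):
    """Collect host objects, service ports, static NATs, ACL permits and ACL bindings."""
    hosts, svcs, nats, permits, groups, current = {}, {}, [], set(), {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"object (network|service) (\S+)$", line):
            current = m[2]
        elif m := re.match(r"host (\S+)$", line):
            hosts[current] = m[1]
        elif m := re.match(r"service tcp source eq (\S+)$", line):
            svcs[current] = port_number(m[1])
        elif m := re.match(r"nat \((\S+),(\S+)\) (\d+) source static (\S+) \S+ service (\S+) \S+$", line):
            nats.append((int(m[3]), m[2], m[4], m[5]))  # (line, mapped ifc, real obj, real svc)
        elif m := re.match(r"access-list (\S+) extended permit tcp any host (\S+) eq (\S+)$", line):
            permits.add((m[1], m[2], port_number(m[3])))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            groups[m[2]] = m[1]  # interface -> ACL applied inbound
    return hosts, svcs, nats, permits, groups

def check_inbound_nat(config):
    """Return one finding per static NAT whose real IP/port the inbound ACL does not permit."""
    hosts, svcs, nats, permits, groups = parse(config)
    findings = []
    for line, mapped_ifc, obj, svc in nats:
        real_ip, port, acl = hosts[obj], svcs[svc], groups.get(mapped_ifc)
        if acl is None or (acl, real_ip, port) not in permits:
            findings.append(f"nat {line}: tcp/{port} to real host {real_ip} is not permitted "
                            f"by the ACL applied inbound on {mapped_ifc}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_inbound_nat(SAMPLE_CONFIG) or ["all static NATs have matching ACL entries"]))
```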

It's a very simple system once you get used to it, but it is different from IOS and from ASA 8.2 and lower.

1 comment:

  1. Hey, great article. You may also find this article useful as well if you are trying to learn 8.3 onwards...

    http://www.fir3net.com/Cisco-ASA/cisco-asa-83-nat.html