Problems importing pre 8.3 ASA dynamic NAT

2011-12-02
2013-03-05
  • lightofgood
    2011-12-02

    Hi,

    Does anybody have problems importing pre 8.3 ASA dynamic NAT configurations into FWBuilder?
    The static NAT configuration can be imported fine, but it seems the importer doesn't recognize dynamic NAT configurations and hence silently ignores them during the import process.

    FWbuilder doesn't import the following NAT configurations:

    1. Dynamic PAT
    nat (inside) 1 0 0
    global (outside) 1 interface

    2. Dynamic Policy NAT
    object-group network og-net-src
       network-object 192.168.1.0 255.255.255.0
       network-object 192.168.2.0 255.255.255.0
    object-group network og-net-dst
       network-object 192.168.200.0 255.255.255.0
    object-group service og-ser-src
       service-object tcp gt 2000
       service-object tcp eq 1500
    access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
    nat (inside) 10 access-list NET6
    global (outside) 10 192.168.100.100

    3. Outside NAT
    global (inside) 1 10.1.2.30-10.1.2.40
    nat (dmz) 1 10.1.1.0 255.255.255.0 outside
    static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

    4. NAT and interface PAT together
    nat (inside) 1 10.1.2.0 255.255.255.0
    global (outside) 1 interface
    global (outside) 1 192.168.100.100-192.168.100.200

    5. NAT exemption

    More examples and details can be found on https://supportforums.cisco.com/docs/DOC-9129

    Thanks

     
  • Vadim Kurland
    2011-12-02

    ASA 8.3 has a new format of the nat commands and (as far as I know) does not use global/nat/static commands anymore. Fwbuilder does not support import of the "new" nat commands yet, so if the configuration file you are trying to import says "ASA Version 8.3" at the top, fwbuilder won't import the nat configuration. It can however import global/nat/static commands if the version is < 8.3.

     
  • lightofgood
    2011-12-05

    Yes, you're correct in that the old 8.2 global/nat/static commands aren't used the same way in version 8.3. In fact the link I've given you shows a list of version 8.2 CLIs in the left column, and the equivalent CLI in version 8.3.

    However, the example CLIs I referenced in my post are all old version 8.2 CLIs. The static nat commands get imported correctly, but the different flavors of nat CLIs I've listed above do not get imported at all.

    For example this version 8.2 nat command doesn't get imported.
    nat (inside) 1 0 0
    global (outside) 1 interface

     
  • Vadim Kurland
    2011-12-05

    You are right, there is a problem with import of this specific "nat" command: it expects an ip address or access-list reference in the nat command where you have "0 0". It can import "global (outside) 1 interface" correctly.

     
  • lightofgood
    2011-12-05

    I've tried it with
    nat (inside) 1 10.0.0.0 255.255.255.0
    global (outside) 1 interface

    There are no parser errors while importing, but after the import, the Firewall Builder GUI doesn't show any entries under the NAT tab.

     
  • Vadim Kurland
    2011-12-06

    The last configuration should work. Could you send me the config file you are trying to import?

     
  • lightofgood
    2011-12-06

    ASA Version 8.2(1)
    !
    !

    !-- Configure the outside interface.

    !
    interface eth1
    nameif outside
    security-level 0
    ip address 192.168.1.171 255.255.255.0
    !-- Configure the inside interface.
    !
    interface eth2
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    !
    !
    ! NAT's
    !
    nat (inside) 1 10.1.1.0 255.255.255.0
    global (outside) 1 interface
    !
    !
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.0.0 255.255.254.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! Allow ssh
    access-list my-acl extended permit tcp any host 192.168.1.156 eq 22 log
    ! Disable tftp
    access-list my-acl extended permit udp any host 192.168.1.156 eq 69
    ! Default allow of rest
    access-list my-acl extended permit ip any any
    access-group my-acl in interface outside
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:6fffbd3dc9cb863fd71c71244a0ecc5f
    : end

     
  • Vadim Kurland
    2011-12-06

    Please change the order of the "global" and "nat" commands. The "nat" command refers to the global pool, so the parser expects to have the definition of the pool when it sees the reference to it.

     
  • lightofgood
    2011-12-06

    Thanks vkurland! Switching the global and nat order works.

    I've verified cases 1-4 with the new ordering and they all work.

    The only exception is case #3 where the outside keyword is present.
    Outside NAT
    global (inside) 1 10.1.2.30-10.1.2.40
    nat (dmz) 1 10.1.1.0 255.255.255.0 outside
    static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

    If you remove the outside keyword, then it'll import as expected. The use of outside NAT is documented in http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html. It's essentially like a regular NAT from inside->outside but in the reverse direction, where now you're hiding the outside address from the inside network.

    I've also seen that you can't import NAT exemptions:
    access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
    global (inside) 1 10.1.1.45
    nat (dmz) 1 10.1.2.0 255.255.255.0
    nat (dmz) 0 access-list EXEMPT

     
  • Vadim Kurland
    2011-12-06

    "nat outside" can be imported if it looks like this:

    nat (dmz) 2 10.2.2.0 255.255.255.0 outside 1000

    The parser expects another parameter that defines the maximum number of connections. This is probably a mistake, as this parameter is optional; I'll fix it.

    You are right, NAT exemption import does not work right now.
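Pulling the importer constraints from this thread together, here is an added example (my own script, not part of the thread and not fwbuilder code): a Python pre-flight check that reorders pre-8.3 `global`/`nat` statements so every pool is defined before the `nat` that references it, and flags the three constructs the replies above say are not imported: the `nat ... 0 0` shorthand, `outside` without a connection-limit value, and the `nat 0 access-list` exemption. The sample configuration at the bottom is constructed from the cases in the thread with pool ids renumbered so they do not collide; the rules themselves are assumptions taken from the replies above and may not apply to later fwbuilder releases.

```python
"""Pre-flight check of pre-8.3 ASA NAT statements before an fwbuilder import.

Added example, not fwbuilder code.  The importer behaviour it assumes (pool must
be defined before the nat that references it; "nat ... 0 0", "outside" without a
max-connections value, and "nat 0 access-list" are not imported) is taken from
the replies in this thread and may not hold for later fwbuilder releases.
"""
import re

# Pre-8.3 syntax as it appears in the thread:  global (ifc) id ...  /  nat (ifc) id ...
GLOBAL_RE = re.compile(r"^global\s+\((?P<iface>[^)]+)\)\s+(?P<id>\d+)\s+(?P<rest>.+)$")
NAT_RE = re.compile(r"^nat\s+\((?P<iface>[^)]+)\)\s+(?P<id>\d+)\s+(?P<rest>.+)$")
# "outside" as the last token: no tcp_max_conns value follows it.
OUTSIDE_NO_LIMIT_RE = re.compile(r"\boutside\s*$")
# "0 0" is ASA shorthand for 0.0.0.0 0.0.0.0 (match everything).
ZERO_ZERO_RE = re.compile(r"^0\s+0(\s|$)")


def check_nat_line(lineno, line):
    """Return warning strings for one 'nat' statement (empty list if not a nat line)."""
    m = NAT_RE.match(line)
    if not m:
        return []
    warnings = []
    nat_id, rest = m["id"], m["rest"]
    if nat_id == "0" and rest.startswith("access-list"):
        warnings.append(f"{lineno}: NAT exemption (nat 0 access-list) is not imported")
    if ZERO_ZERO_RE.match(rest):
        warnings.append(f"{lineno}: importer expects an address or access-list, not the '0 0' shorthand")
    if OUTSIDE_NO_LIMIT_RE.search(rest):
        warnings.append(f"{lineno}: 'outside' without a max-connections value is not imported (e.g. '... outside 1000')")
    return warnings


def reorder_for_import(lines):
    """Make every 'global' pool precede the first 'nat' that references its id.

    Returns (new_lines, warnings).  Lines that are not nat/global (statics,
    access-lists, object-groups, comments) keep their relative position; a
    'global' line is only moved when a 'nat' references it earlier in the file.
    """
    stripped = [l.strip() for l in lines]
    globals_by_id = {}                       # pool id -> indexes of its global lines
    for i, l in enumerate(stripped):
        g = GLOBAL_RE.match(l)
        if g:
            globals_by_id.setdefault(g["id"], []).append(i)

    emitted = set()
    out, warnings = [], []
    for i, l in enumerate(stripped):
        if i in emitted:
            continue
        n = NAT_RE.match(l)
        if n:
            warnings.extend(check_nat_line(i + 1, l))
            pool = n["id"]
            if pool != "0":                  # nat 0 (identity/exemption) uses no global pool
                if pool not in globals_by_id:
                    warnings.append(f"{i + 1}: nat references pool {pool} but no 'global ... {pool}' exists")
                for j in globals_by_id.get(pool, []):
                    if j not in emitted:     # pull the pool definition up in front of the nat
                        out.append(stripped[j])
                        emitted.add(j)
                        if j > i:
                            warnings.append(f"{j + 1}: moved 'global' pool {pool} before line {i + 1}")
        out.append(l)
        emitted.add(i)
    return out, warnings


# Constructed sample built from cases 1, 3, 4 and 5 in the thread, with pool ids
# renumbered (1, 2, 3) and the nat lines placed before their global pools, as in
# the original poster's config.
SAMPLE = """\
nat (inside) 1 0 0
global (outside) 1 interface
nat (dmz) 2 10.1.1.0 255.255.255.0 outside
global (inside) 2 10.1.2.30-10.1.2.40
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
nat (dmz) 0 access-list EXEMPT
nat (inside) 3 10.1.2.0 255.255.255.0
""".splitlines()

if __name__ == "__main__":
    fixed, warns = reorder_for_import(SAMPLE)
    print("\n".join(fixed))
    print("--- warnings ---")
    print("\n".join(warns))
```

Run it over the NAT block of an 8.2 config before handing the file to fwbuilder: the reordered lines can be pasted back in, and each warning points at a line the importer would silently drop, so the missing rules can be recreated by hand in the NAT tab rather than discovered after the policy is pushed.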