Posts Tagged ‘ASA5505’

Cisco ASA Auto and Manual NAT discussion

I’ve recently done more thinking about Cisco’s NAT changes and wanted to jot down a couple of examples of solving NAT problems in both Auto NAT (Network Object NAT) and Manual NAT (Twice NAT.)

Branch Office example with one public static IP Address which is assigned to the outside interface of your ASA FW. If you need to do static NAT w/ port-address-translation to several internal servers on your DMZ (static PAT) you’ll find this one handy. If any of your servers need to have more than one port forwarded to the internet, I prefer to go w/ Manual NAT versus Auto NAT due to readability.

Example using Auto NAT:

object network myWebServer
  host 10.1.1.1
  nat (dmz,outside) static interface service tcp http http

object network myDNSServer
  host 10.1.1.2
  nat (dmz,outside) static interface service udp domain domain

object network myWebServer-01 // I've got to declare it multiple times??!! This feels WRONG!!
  host 10.1.1.1
  nat (dmz,outside) static interface service tcp https https

object network myEmailServer
  host 10.1.1.3
  nat (dmz,outside) static interface service tcp smtp smtp

Example using Manual NAT:

object network myWebServer
  host 10.1.1.1
object service http
  service tcp source eq www
object service https
  service tcp source eq 443

nat (dmz,outside) source static myWebServer interface service http http
nat (dmz,outside) source static myWebServer interface service https https

If you ask me, in this scenario, Manual NAT is a better solution vs Auto NAT. I’m rather disappointed that Cisco doesn’t allow group service objects to be used in Manual NAT yet but at least I’m not having to create bogus network objects multiple times when I’m using Manual NAT.

Here’s another example of using NAT at a small branch office when you’ve got 2 Public static IPs with one being used on the ASA’s outside interface and the other IP being used amongst multiple servers in a DMZ.

Example using Auto NAT:

object network STATIC209_165_201_11
  host 209.165.201.11

object network myDNSServerUDPDNS
  host 10.1.1.1
  nat (dmz,outside) static STATIC209_165_201_11 service udp domain domain

object network myDNSServerTCPDNS
  host 10.1.1.1
  nat (dmz,outside) static STATIC209_165_201_11 service tcp domain domain

object network myWWWServer
  host 10.1.1.3
  nat (dmz,outside) static STATIC209_165_201_11 service tcp http http

NOTE: See how we're using the 2nd public IP address vs. the outside's interface?

Example using Manual NAT:

object network STATIC209_165_201_11
  host 209.165.201.11

object network myDNSServer
  host 10.1.1.1

object network myWWWServer
  host 10.1.1.3

object service udpdns
 service udp source eq domain 

 object service tcpdns
 service tcp source eq domain 

object service tcphttp
 service tcp source eq http

nat (dmz,outside) source static myDNSServer STATIC209_165_201_11 service udpdns udpdns
nat (dmz,outside) source static myDNSServer STATIC209_165_201_11 service tcpdns tcpdns
nat (dmz,outside) source static myWWWServer STATIC209_165_201_11 service tcphttp tcphttp

To me at least, Manual NAT is more readable when starring at configs and tracking down bugs.

Here’s a couple useful links:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_overview.html

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_rules.html

http://osimatrix.wordpress.com/2011/03/29/cisco-asa-8-3-basic-nat-guide-simple-yet-practical-overview/

http://www.fir3net.com/Cisco-ASA/cisco-asa-83-no-nat-nat-exemption.html

http://www.fir3net.com/Cisco-ASA/cisco-asa-83-nat.html

http://tunnelsup.com/tup/2011/06/24/nat-for-cisco-asas-version-8-3/

http://packetpushers.net/understanding-when-a-cisco-asa-nat-rule-can-override-the-asa-routing-table/

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp51777 (static NAT/PAT migration examples.)

http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html (Cisco ASA new Features by Release.)

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html (Some very good config examples from Cisco.)

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_overview.html#wp1118157 (Cisco’s NAT Rule Table.)

 

 

Cisco ASA 5505 recovery

I recently upgraded my ASA5505 to 9.1(1) and had heard while I was configuring my ASA5515-x that an interim release, 9.1(1)4 was available. When I started using the newer release a lot of my problems went away thankfully so I decided to upgrade to 9.1(1)4 on the ASA5505. Well sure enough, I encountered an error and instead of trying to debug it I fell back into my “Windows” experience and did a reload on the device instead.

It would POST no problems but got hung on “Bootloading” and stayed there. So I finally decided after an hour of powering it off & on to try and do a full recovery by using rommon. I already had the tftp server ready so how hard can it be to upload an IOS image to the device?? I mean seriously? WHAT COULD POSSIBLY GO WRONG…

I logged in to rommon and set the initial variables:

ADDRESS=192.168.1.1

SERVER=192.168.1.2

GATEWAY=192.168.1.2

IMAGE=asa911-4-k8.bin

PORT=Ethernet0/0

I then attempted to ping the tftp server which is on 192.168.1.2. No love. The tftp server couldn’t ping the ASA either. Well this isn’t going well at all! After about an hour of messing around w/ settings and verifying good link connectivity I finally just issues “tftp” on the ASA5505 and the image loaded! W00T! Now came the fun part! That image I loaded was only in memory and not installed on the compact flash card! In fact, it couldn’t see the compact flash card at all (which was the problem. Appears that my FAT file system went tits up!) So w/o thinking I issued “reload” again. And I was right back at “Bootloading…” screen. This go around, I issued the “erase flash:” command while inside the rommon. Downloaded the image again from the tftp server. Once again, the IOS image is loaded in memory. This time I issued “format flash:” and I now could configure my ASA5505 to once again download the image from my tftp server and write it to my compact flash. I also did some initial configuration and wrote to memory.

 

Next reboot, I was up and running minus a couple of important things:

1) I was missing my activation key. I thankfully had it over on Cisco’s website since I upgraded the device to Security Plus years ago so I fetched it from here: http://www.cisco.com/web/go/license and looked for my devices available licenses. Once found, I applied it in global config mode and issued another reload.

2) I uploaded my saved config which I had saved previously. Things weren’t working as I had expected. I had to log into interface config mode and issue my “no shut” commands to rectify that situation! 😛

3) I also needed to generate an RSA key pair for ssh with “crypto key generate rsa” in global config mode.

4) There was something else but of course I have forgotten that!

 

See the links below for other good reference material.

https://supportforums.cisco.com/thread/153353 ( no config-register in case you’re continously booting in rommon)

http://www.tech21century.com/using-the-rommon-to-load-a-new-image-on-cisco-asa-firewall/ (URL says it all.)

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_trouble.html#wp1076206 (using rommon)

http://www.gomjabbar.com/2011/07/17/recovering-a-license-activation-key-for-the-cisco-asa/ (again, URL speaks volumes)

http://evilrouters.net/2011/12/16/how-to-upgrade-license-cisco-asa-firewall/ (ditto)

http://www.gomjabbar.com/2011/07/31/cisco-asa-device-management-%E2%80%93-ssh-keys-and-fingerprints/ (ssh keys)

 

 

 

Return top
 
Icons made by Freepik from www.flaticon.com is licensed by CC BY 3.0