ASA PAT not working

BobSutan

Does anyone have the CLI commands to perform port translation on ASA 9.1.3? I've got an ISE that needs to send CoA requests to an Aruba WLC, but they're not using the same ports since Cisco isn't RFC compliant. The ISE is sending to UDP 1700 and the WLC is listening on UDP 3799.

Let's say the ISE is 1.1.1.1 and the interface it connects to is named ISE_DMZ, and the WLC is 2.2.2.2 and the interface it connects to is WLC_DMZ. Can you create the CLI commands necessary to accomplish this task? I've tried for a week now and it's just happening.
 

bman212121

So you're going from DMZ to DMZ? In order for you to be able to use PAT you would need to have NAT between the two DMZs. You would end up needing to have NAT from your outside to inside, and then another NAT between the DMZ interfaces.

You would need something like this:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *external IP*
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif ISE_DMZ
 security-level 50
 ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/3
 nameif WLC_DMZ_Interface
 security-level 50
 ip address 2.2.2.1 255.255.255.252
!
same-security-traffic permit inter-interface
access-list WLC_DMZ extended permit udp host 1.1.1.1 host 1.1.1.2 eq 1700
global (ISE_DMZ) 1 interface
nat (WLC_DMZ_Interface) 0 access-list WLC_DMZ
!
! Static PAT: 1.1.1.2:1700 on ISE_DMZ forwards to 2.2.2.2:3799
static (WLC_DMZ_Interface,ISE_DMZ) udp 1.1.1.2 1700 2.2.2.2 3799 netmask 255.255.255.255
access-group WLC_DMZ in interface ISE_DMZ



Then instead of sending the traffic from the ISE to 2.2.2.2, you would send it to 1.1.1.2 and the port forward would take it from the source of 1.1.1.2:1700 and send it to 2.2.2.2:3799.


I'm honestly not sure if what I typed up would actually work or not but basically you're just taking the same setup that is used on the ASA by default from outside to inside for NAT and applying it for ISE_DMZ (outside) to WLC_DMZ (Inside). You could probably change the security levels so that ISE_DMZ is less trusted (say 49) then you wouldn't need same-security-level command.

Ideally it would be a much simpler process if you could either change the listener port or the port which is being used to send traffic. (Guessing you've looked into that already)
 

MysticRyuujin

Your config is for pre-8.2 (I think)

I don't have an ASA in front of me and I'm too lazy to look, might have to reverse the port numbers haha but I think this will work:

! The question describes the CoA traffic as UDP, so the service keyword is udp
object network WLC
 host 2.2.2.2
 nat (WLC_DMZ,ISE_DMZ) static 2.2.2.2 service udp 3799 1700
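
The object NAT suggested in this post, written out for the UDP CoA flow from the question together with the access rule and the checks that go with it. This is an added example, not part of the original post; the object name WLC_COA, the ACL name ISE_DMZ_IN and the packet-tracer source port are assumptions, while the addresses and interface names are the ones given in the question.

```cisco
! Added example. Assumed names: WLC_COA (object), ISE_DMZ_IN (ACL).
! Addresses and interface names are the ones given in the question.
!
! Real side:   WLC 2.2.2.2 listening on UDP 3799 behind WLC_DMZ.
! Mapped side: same address, UDP 1700, as seen from ISE_DMZ.
! The ISE keeps 2.2.2.2 as the device address and still sends to UDP 1700.
object network WLC_COA
 host 2.2.2.2
 nat (WLC_DMZ,ISE_DMZ) static 2.2.2.2 service udp 3799 1700
!
! From 8.3 on, interface ACLs match the real (untranslated) address and
! port, so the rule permits 3799, not 1700. If an ACL is already applied
! inbound on ISE_DMZ, add the ACE to that ACL instead of binding a new
! one with access-group, which would replace the existing binding.
access-list ISE_DMZ_IN extended permit udp host 1.1.1.1 host 2.2.2.2 eq 3799
access-group ISE_DMZ_IN in interface ISE_DMZ
!
! Verification from privileged EXEC. Source port 1025 is a constructed value.
! Check which NAT rule and which access rule the simulated CoA packet hits.
packet-tracer input ISE_DMZ udp 1.1.1.1 1025 2.2.2.2 1700 detailed
show nat detail
show xlate
```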
 

bman212121

You would be correct. I wasn't sure if you can still use that on newer devices or not but I'm not familiar with the new syntax. Just seeing if I can come up with a starting point or another method that the OP hasn't tried yet for my own fun. I know that the people who would know for sure are more than $100 an hour lol.
 

BobSutan

ASDM isn't off the table if you've got instructions or screen-shots for that. I asked for CLI because I happen to prefer it over ASDM.
 

Jay_2

The thing about ASDM is it shows you the CLI commands it uses.
 

tangoseal

ASA is very powerful and yet one of the most retarded fuckin firewalls ever created. I would use ASDM. I abandoned ASA for something that makes sense.... IOS Zone Firewall.
 