ASA PAT not working

Discussion in 'Networking & Security' started by BobSutan, Oct 1, 2014.

  1. BobSutan

    BobSutan [H]ardForum Junkie

    Messages:
    9,410
    Joined:
    Apr 5, 2000
    Does anyone have the CLI commands to perform port translation on ASA 9.1.3? I've got an ISE that needs to send CoA requests to an Aruba WLC, but they're not using the same ports since Cisco isn't RFC compliant. The ISE is sending to UDP 1700 and the WLC is listening on UDP 3799.

    Let's say the ISE is 1.1.1.1 and the interface it connects to is named ISE_DMZ and the WLC is 2.2.2.2 the interface it connects to is WLC_DMZ. Can you create the CLI commands necessary to accomplish this task? I've tried for a week now and it's just happening.
     
  2. Jay_2

    Jay_2 2[H]4U

    Messages:
    3,583
    Joined:
    Mar 20, 2006
    Why not use ASDM?
     
  3. /usr/home

    /usr/home [H]ardness Supreme

    Messages:
    6,164
    Joined:
    Mar 18, 2008
    This.
     
  4. bman212121

    bman212121 [H]ard|Gawd

    Messages:
    1,530
    Joined:
    Aug 18, 2011
    So you're going from DMZ to DMZ? In order for you to be able to use PAT you would need to have NAT between the two DMZs. You would end up needing to have NAT from your outside to inside, and then another NAT between the DMZ interfaces.

    You would need something like this:

    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address *external IP*
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif ISE_DMZ
    security-level 50
    ip address 1.1.1.2 255.255.255.0
    !
    interface Ethernet0/3
    nameif WLC_DMZ
    security-level 50
    ip address 2.2.2.1 255.255.255.252

    same-security-traffic permit inter-interface
    access-list WLC_DMZ extended permit udp host 1.1.1.1 host 1.1.1.2 eq 1700
    global (ISE_DMZ) 1 interface
    nat (WLC_DMZ) 0 access-list WLC_DMZ

    static (WLC_DMZ,ISE_DMZ) udp 1.1.1.2 1700 2.2.2.2 3799 netmask 255.255.255.255
    access-group WLC_DMZ in interface ISE_DMZ

    Then instead of sending the traffic from the ISE to 2.2.2.2, you would send it to 1.1.1.2 and the port forward would take it from the source of 1.1.1.2:1700 and send it to 2.2.2.2:3799.


    I'm honestly not sure if what I typed up would actually work or not but basically you're just taking the same setup that is used on the ASA by default from outside to inside for NAT and applying it for ISE_DMZ (outside) to WLC_DMZ (Inside). You could probably change the security levels so that ISE_DMZ is less trusted (say 49) then you wouldn't need same-security-level command.

    Ideally it would be a much simpler process if you could either change the listener port or the port which is being used to send traffic. (Guessing you've looked into that already)
     
  5. MysticRyuujin

    MysticRyuujin Limp Gawd

    Messages:
    507
    Joined:
    Oct 1, 2013
    Your config is for pre-8.2 (I think)

    I don't have an ASA in front of me and I'm too lazy to look, might have to reverse the port numbers haha but I think this will work:

    object network WLC
     host 2.2.2.2
     nat (WLC_DMZ,ISE_DMZ) static 2.2.2.2 service udp 3799 1700
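A fuller version of the 8.3+/9.1 object-NAT approach suggested in the two posts above, written as an added example (not configuration posted by anyone in this thread). It assumes the thread's addresses and interface names (ISE 1.1.1.1 on ISE_DMZ, WLC 2.2.2.2 on WLC_DMZ, both DMZs at security-level 50); the object name WLC_COA and the ACL name ISE_DMZ_IN are assumed, and the `packet-tracer` source port is a constructed ephemeral port:

```cisco
! Added example, not from the thread. ASA 8.3+ object NAT with static
! port translation: ISE (1.1.1.1, ISE_DMZ) sends CoA to 2.2.2.2 udp/1700,
! the ASA rewrites the destination port to udp/3799 where the Aruba WLC
! (2.2.2.2, WLC_DMZ) actually listens. Object/ACL names are assumptions.
!
! Real (untranslated) side: WLC_DMZ, 2.2.2.2 udp/3799
! Mapped side seen by ISE:  ISE_DMZ, 2.2.2.2 udp/1700 (identity NAT, port only)
object network WLC_COA
 host 2.2.2.2
 nat (WLC_DMZ,ISE_DMZ) static 2.2.2.2 service udp 3799 1700
!
! Since 8.3 interface ACLs are evaluated against REAL addresses and ports,
! so the permit names the real listener port 3799, not the mapped 1700.
! Restrict it to the ISE host; do not open udp/3799 from the whole DMZ.
access-list ISE_DMZ_IN extended permit udp host 1.1.1.1 host 2.2.2.2 eq 3799
access-group ISE_DMZ_IN in interface ISE_DMZ
!
! Only needed while ISE_DMZ and WLC_DMZ share the same security-level;
! drop it if ISE_DMZ is lowered to 49 as suggested earlier in the thread.
same-security-traffic permit inter-interface
!
! Verification from exec mode (constructed source port 49152):
! the NAT phase should show dst port 1700 -> 3799 and a final ALLOW.
!   packet-tracer input ISE_DMZ udp 1.1.1.1 49152 2.2.2.2 1700
!   show nat detail
!   show xlate
```

The CoA-ACK/NAK the WLC sends back from udp/3799 matches the existing xlate and connection entry, so it is un-translated to udp/1700 on the way back to the ISE without any extra rule.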
     
  6. bman212121

    bman212121 [H]ard|Gawd

    Messages:
    1,530
    Joined:
    Aug 18, 2011
    You would be correct. I wasn't sure if you can still use that on newer devices or not but I'm not familiar with the new syntax. Just seeing if I can come up with a starting point or another method that the OP hasn't tried yet for my own fun. I know that the people who would know for sure are more than $100 an hour lol.
     
  7. SpaceHonkey

    SpaceHonkey Gawd

    Messages:
    983
    Joined:
    Jan 25, 2007
    Agreed. I'm tired of seeing people eschew ASDM for no good reason. In fact, there are some functions that you must use ASDM for like DAP.
     
  8. BobSutan

    BobSutan [H]ardForum Junkie

    Messages:
    9,410
    Joined:
    Apr 5, 2000
    ASDM isn't off the table if you've got instructions or screenshots for that. I asked for CLI because I happen to prefer it over ASDM.
     
  9. Jay_2

    Jay_2 2[H]4U

    Messages:
    3,583
    Joined:
    Mar 20, 2006
    The thing about ASDM is it shows you the CLI commands it uses.
     
  10. tangoseal

    tangoseal [H]ardness Supreme

    Messages:
    7,482
    Joined:
    Dec 18, 2010
    ASA is very powerful and yet one of the most retarded fuckin firewalls ever created. I would use ASDM. I abandoned ASA for something that makes sense.... IOS Zone Firewall.