Fix: ASA checks real IP of host with dynamic NAT

hknutzen · Jun 18, 2024 · 16ab14f · 16ab14f
1 parent 9de68bc
commit 16ab14f
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 12 deletions.
diff --git a/go/pkg/pass1/check-dyn-nat-rules.go b/go/pkg/pass1/check-dyn-nat-rules.go
@@ -2,6 +2,7 @@ package pass1
 
 import (
 	"net/netip"
+	"slices"
 	"sort"
 )
 
@@ -218,6 +219,11 @@ func (c *spoc) checkDynamicNatRules() {
 						if _, found := objNat[natTag]; found {
 							return
 						}
+						if r.model.aclUseRealIP {
+							if slices.Contains(natIntf.bindNat, natTag) {
+								return
+							}
+						}
 						ruleTxt := "rule"
 						if reversed2 {
 							ruleTxt = "reversed rule for"

diff --git a/go/testdata/ipv6/nat_ipv6.t b/go/testdata/ipv6/nat_ipv6.t
@@ -966,8 +966,8 @@ network:Test =  {
 }
 router:C = {
  {{.}}
- model = ASA;
- interface:Test = { ip = ::a09:101; hardware = inside;}
+ model = IOS;
+ interface:Test = { ip = ::a09:101; hardware = inside; nat:C = { ip = ::109:20b; }}
  interface:Trans = { ip = ::a00:1; hardware = outside; bind_nat = C;}
 }
 network:Trans = { ip = ::a00:0/120; }
@@ -2068,9 +2068,9 @@ router:asa1 = {
  policy_distribution_point = host:h3;
  interface:n2 = { ip = ::a01:201; hardware = n2; }
 }
-router:asa2 = {
+router:r2 = {
  managed;
- model = ASA;
+ model = Linux;
  interface:n2 = { ip = ::a01:202; hardware = n2; }
  interface:n3 = { ip = ::a01:302; hardware = n3; bind_nat = dyn; }
 }
@@ -2079,7 +2079,7 @@ service:s = {
  permit src = host:h3; dst = user; prt = tcp 22;
 }
 =ERROR=
-Error: interface:asa1.n2 needs static translation for nat:dyn at router:asa2 to be valid in rule
+Error: interface:asa1.n2 needs static translation for nat:dyn at router:r2 to be valid in rule
  permit src=host:h3; dst=interface:asa1.n2; prt=tcp 22; of service:s
 =END=
 
@@ -2234,7 +2234,7 @@ router:r1 = {
 network:t = { ip = ::a04:400/126; }
 router:r2 = {
  managed;
- model = ASA;
+ model = Linux;
  routing = manual;
  interface:t = {ip = ::a04:402; hardware = t; bind_nat = b;}
  interface:b = {ip = ::a02:201; hardware = b;}
@@ -3685,6 +3685,44 @@ access-list outside_in extended deny ip any6 any6
 access-group outside_in in interface outside
 =END=
 
+############################################################
+=TITLE=ASA checks real IP of host with dynamic NAT
+=PARAMS=--ipv6
+=INPUT=
+network:Test =  {
+ ip = ::a09:100/120;
+ nat:C = { ip = ::109:200/120; dynamic;}
+ host:h3 = { ip = ::a09:103; }
+}
+router:C = {
+ managed;
+ model = ASA;
+ interface:Test = { ip = ::a09:101; hardware = inside; }
+ interface:Trans = { ip = ::a00:1; hardware = outside; bind_nat = C;}
+}
+network:Trans = { ip = ::a00:0/120; }
+router:filter = {
+ managed;
+ model = ASA;
+ interface:Trans = {
+  ip = ::a00:2;
+  hardware = inside;
+ }
+ interface:X = { ip = ::a08:301; hardware = outside; }
+}
+network:X = { ip = ::a08:300/120; }
+service:s1 = {
+ user = network:X;
+ permit src = user; dst = host:h3; prt = tcp 80;
+}
+=OUTPUT=
+-- ipv6/C
+! outside_in
+access-list outside_in extended permit tcp ::a08:300/120 host ::a09:103 eq 80
+access-list outside_in extended deny ip any6 any6
+access-group outside_in in interface outside
+=END=
+
 ############################################################
 =TITLE=ASA uses real IP, more than 2 effective NAT
 =PARAMS=--ipv6

diff --git a/go/testdata/nat.t b/go/testdata/nat.t
@@ -929,8 +929,8 @@ network:Test =  {
 }
 router:C = {
  {{.}}
- model = ASA;
- interface:Test = { ip = 10.9.1.1; hardware = inside;}
+ model = IOS;
+ interface:Test = { ip = 10.9.1.1; hardware = inside; nat:C = { ip = 1.9.2.11; }}
  interface:Trans = { ip = 10.0.0.1; hardware = outside; bind_nat = C;}
 }
 network:Trans = { ip = 10.0.0.0/24; }
@@ -2002,9 +2002,9 @@ router:asa1 = {
  policy_distribution_point = host:h3;
  interface:n2 = { ip = 10.1.2.1; hardware = n2; }
 }
-router:asa2 = {
+router:r2 = {
  managed;
- model = ASA;
+ model = Linux;
  interface:n2 = { ip = 10.1.2.2; hardware = n2; }
  interface:n3 = { ip = 10.1.3.2; hardware = n3; bind_nat = dyn; }
 }
@@ -2013,7 +2013,7 @@ service:s = {
  permit src = host:h3; dst = user; prt = tcp 22;
 }
 =ERROR=
-Error: interface:asa1.n2 needs static translation for nat:dyn at router:asa2 to be valid in rule
+Error: interface:asa1.n2 needs static translation for nat:dyn at router:r2 to be valid in rule
  permit src=host:h3; dst=interface:asa1.n2; prt=tcp 22; of service:s
 =END=
 
@@ -2164,7 +2164,7 @@ router:r1 = {
 network:t = { ip = 10.4.4.0/30; }
 router:r2 = {
  managed;
- model = ASA;
+ model = Linux;
  routing = manual;
  interface:t = {ip = 10.4.4.2; hardware = t; bind_nat = b;}
  interface:b = {ip = 10.2.2.1; hardware = b;}
@@ -3574,6 +3574,43 @@ access-list outside_in extended deny ip any4 any4
 access-group outside_in in interface outside
 =END=
 
+############################################################
+=TITLE=ASA checks real IP of host with dynamic NAT
+=INPUT=
+network:Test =  {
+ ip = 10.9.1.0/24;
+ nat:C = { ip = 1.9.2.0/24; dynamic;}
+ host:h3 = { ip = 10.9.1.3; }
+}
+router:C = {
+ managed;
+ model = ASA;
+ interface:Test = { ip = 10.9.1.1; hardware = inside; }
+ interface:Trans = { ip = 10.0.0.1; hardware = outside; bind_nat = C;}
+}
+network:Trans = { ip = 10.0.0.0/24; }
+router:filter = {
+ managed;
+ model = ASA;
+ interface:Trans = {
+  ip = 10.0.0.2;
+  hardware = inside;
+ }
+ interface:X = { ip = 10.8.3.1; hardware = outside; }
+}
+network:X = { ip = 10.8.3.0/24; }
+service:s1 = {
+ user = network:X;
+ permit src = user; dst = host:h3; prt = tcp 80;
+}
+=OUTPUT=
+-- C
+! outside_in
+access-list outside_in extended permit tcp 10.8.3.0 255.255.255.0 host 10.9.1.3 eq 80
+access-list outside_in extended deny ip any4 any4
+access-group outside_in in interface outside
+=END=
+
 ############################################################
 =TITLE=ASA uses real IP, more than 2 effective NAT
 =INPUT=