topic Re: nat and route issue in Network Security

nat and route issue

elite2010 — Fri, 21 Feb 2020 14:57:53 GMT

Hi,

I have the below topology

asa fw running in active standby mode

R1 and R2 are routers which is conneced to isp's
In R1 and R2 hsrp is running

R1

interface gi0/1
ip address 4.4.4.2 255.255.255.252 -connected to isp router 1

interface GigabitEthernet0/2
ip address 1.1.1.2 255.255.255.0 (connected to sw1 from switch to asa1 outside interface )

ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!

router bgp 60000

network 1.1.1.0 mask 255.255.255.0
network 2.2.2.0 mask 255.255.255.0
neighbor 4.4.4.4 remote-as 52578
neighbor 4.4.4.4 ttl-security hops 1
neighbor 4.4.4.4 timers 5 20 20

R2

interface gi0/1
ip address 4.4.4.5 255.255.255.252 -connected to isp router 2

interface GigabitEthernet0/2
ip address 1.1.1.3 255.255.255.0 (connected to sw2 from switch to asa2 outside interface )

ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!

router bgp 60000

network 1.1.1.0 mask 255.255.255.0
network 2.2.2.0 mask 255.255.255.0
neighbor 4.4.4.4 remote-as 52578
neighbor 4.4.4.4 ttl-security hops 1
neighbor 4.4.4.4 timers 5 20 20

Asa outside interface ip

1.1.1.3 255.255.255.0

I did a static nat 2.2.2.100 to 192.168.2.10 ( Verified route from asa inside interface )

It did not work .

From R1 did a traceroute to 2.2.2.100 . Which shows a loop

Tracing the route to 2.2.2.100
VRF info: (vrf in name/id, vrf out name/id)
1 (1.1.1.3) 0 msec 0 msec 0 msec (R2 -gi0/1 whcih is connected to ASA 2 through sw2 )
2 4.4.4.6[AS XXXX] 4 msec 0 msec 4 msec (connection to ISP from R2 )
3 4.4.4.1 [AS XXXX] 0 msec 0 msec 0 msec (connection to ISP from R1 )
4 4.4.4.2 [AS XXXX] 0 msec 0 msec 4 msec (R1 -gi0/1 whcih is connected to ASA 1 through sw1 )
5 (1.1.1.3) 0 msec 0 msec 0 msec
6 4.4.4.6[AS XXXX] 4 msec 4 msec 0 msec
7 4.4.4.1 [AS XXXX] 4 msec 4 msec 0 msec
8 4.4.4.2 [AS XXXX] 4 msec 0 msec 4 msec

On the ROUTER R1 ,arp shows the 2.2.2.100's mac address can reach through R2'S gi0/1 . (2.2.2.100 mac address in the arp table is the iinterface GI0/1's mac address )

Itried to clear the arp table but no use

Thansks

Re: nat and route issue

Francesco Molino — Sat, 16 Dec 2017 00:42:09 GMT

Hi

If i understood correctly, 2.2.2.0/24 is a subnet you're using on asa for natting, am i right?

If yes, the static route on R1 and R2 is correct but advertising this network from R1 and R2 through bgp isn't correct. Why are you advertising this subnet on bgp?

Can you share your asa config please?

Re: nat and route issue

elite2010 — Sun, 17 Dec 2017 06:25:11 GMT

Hi,

If yes, the static route on R1 and R2 is correct but advertising this network from R1 and R2 through bgp isn't correct.
can you explain please ?

I have removed most of the configuration part .I hope the below configuration part is enough .

ASA route

route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 Hsrp standby ip which is configured on the router )
route Inside 10.0.0.0 255.255.0.0 172.16.3.1 1
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet )
route Inside 192.168.0.0 255.255.0.0 172.16.3.1 1

interface Gi0/9
nameif Inside
security-level 100
ip address 172.16.3.5 255.255.255.0 standby 172.16.3.6

interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 1.1.1.4 255.255.255.0

object network obj-192.168.2.10
nat (Inside,Outside) static 2.2.2.100

access-list Outside_in extended permit object-group O-HTTPS-HTTP any object obj-192.168.2.10

Thanks

Re: nat and route issue

Francesco Molino — Sun, 17 Dec 2017 16:32:06 GMT

When i said it is not correct, I mean why you would advertise a subnet from R1 when it belongs to ASA and R1 has a static route to it.
If you want to do it through bgp, then you would advertise it from asa and remove static route on R1 and R2.

Can you share your configs (r1, r2 and asa)?

Re: nat and route issue

elite2010 — Sun, 17 Dec 2017 19:54:35 GMT

Hi,

This is in production network .

So I have sanitized the configuration .

It would be great

If you tell me which part of configuration required from asa and routers .

And you said "When i said it is not correct, I mean why you would advertise a subnet from R1 when it belongs to ASA and R1 has a static route to it.
If you want to do it through bgp, then you would advertise it from asa and remove static route on R1 and R2."

What about the 1.1.1.0 network asa outside and router interface which is connected to asa outside .

Thanks

I just summarized routing part of all asa and both routers below

ASA route

route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 Hsrp standby ip which is configured on the router )
route Inside 10.0.0.0 255.255.0.0 172.16.3.1 1
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet )
route Inside 192.168.0.0 255.255.0.0 172.16.3.1 1

R1

interface gi0/1
ip address 4.4.4.2 255.255.255.252 -connected to isp router 1

interface GigabitEthernet0/2
ip address 1.1.1.2 255.255.255.0 (connected to sw1 from switch to asa1 outside interface )

ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!

router bgp 60000

network 1.1.1.0 mask 255.255.255.0 (ROUEER INTERFACE AND ASA OUTSIDE INTERFACE ARE IN THIS SUBNET)
network 2.2.2.0 mask 255.255.255.0 (This is additional subnet )
neighbor 4.4.4.4 remote-as 52578
neighbor 4.4.4.4 ttl-security hops 1
neighbor 4.4.4.4 timers 5 20 20

R2

interface gi0/1
ip address 4.4.4.5 255.255.255.252 -connected to isp router 2

interface GigabitEthernet0/2
ip address 1.1.1.3 255.255.255.0 (connected to sw2 from switch to asa2 outside interface )

ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!

router bgp 60000

network 1.1.1.0 mask 255.255.255.0 (ROUEER INTERFACE AND ASA OUTSIDE INTERFACE ARE IN THIS SUBNET)
network 2.2.2.0 mask 255.255.255.0 (This is additional subnet )
neighbor 4.4.4.4 remote-as 52578
neighbor 4.4.4.4 ttl-security hops 1
neighbor 4.4.4.4 timers 5 20 20

Thanks a lot

Re: nat and route issue

Francesco Molino — Sun, 17 Dec 2017 21:32:04 GMT

What I'm actually saying is that you need to advertise under bgp only subnets that belongs to the device.

For example, if 1.1.1.0/24 is used on R1, R2 and ASA, you can advertise this subnet in bgp from all 3 services using network command.
On ASA you'll need to advertise 2.2.2.0/24 as it belongs to ASA NAT statements.

But again, as you're using static routes on R1 and R2 to reach this subnet, you don't need to advertise it in bgp unless you have a specific reason to do so.

Re: nat and route issue

elite2010 — Mon, 18 Dec 2017 03:29:45 GMT

Hi,

"For example, if 1.1.1.0/24 is used on R1, R2 and ASA, you can advertise this subnet in bgp from all 3 services using network command.
On ASA you'll need to advertise 2.2.2.0/24 as it belongs to ASA NAT statements. "

1.1.1.0 is used in R1,R2,and ASA and also for ASA NAT ,

2.2.2.0 is only for NAT .

"But again, as you're using static routes on R1 and R2 to reach this subnet, you don't need to advertise it in bgp unless you have a specific reason to do so. "

If I am not advertising , how can a host which resides in internet can reach the 2.2.2.0/24 network .

If I just remove "route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet ) "

and keep "route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 Hsrp standby ip which is configured on the router ) " this alone , does it help ?

route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 Hsrp standby ip which is configured on the router )
route Inside 10.0.0.0 255.255.0.0 172.16.3.1 1
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet )

Thanks

Re: nat and route issue

Francesco Molino — Mon, 18 Dec 2017 04:10:55 GMT

Sorry we were talking about static and bgp and i totally forget that you were doing bgp with your ISP.
I'm sorry my bad.

Let do it from the beginning.
You're doing bgp between R1 and ISP, and asa has static route.
2.2.2.0 is the subnet used for nat on ASA.
I reviewed your first post with a laptop instead of my phone and you're redistributing this static route into bgp. By reading it quickly, i missed something. You can do a redistribute static instead of network advertisement but both are ok.
Now why in asa, you have a route:
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1
Can you explain why did you put this route add 2.2.2.0/24 is a local subnet.

Re: nat and route issue

elite2010 — Mon, 18 Dec 2017 06:18:35 GMT

My understanding is below

an internet host 8.8.8.1 is requesting 2.2.2.10

ASA translating 192.168.2.10 to 2.2.2.10
Then asa checking the route table for 8.8.8.0

route Outside 0.0.0.0 0.0.0.0 1.1.1.1 (1.1.1.1 Hsrp standby ip which is configured on the router )
route Inside 10.0.0.0 255.255.0.0 172.16.3.1 1
route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet )
route Inside 192.168.0.0 255.255.0.0 172.16.3.1 1

It finds the default route .

Yea why do I need route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1 (second subnet ) ?

But Even if it is there , it does not make any difference ?
I mean it does not harm whole setup ?

Thanks

Re: nat and route issue

Francesco Molino — Mon, 18 Dec 2017 13:42:18 GMT

Let's remove that route outside 2.2.2.0 that is useless for now.

Can you do a show ip bgp 2.2.2.0 and show ip route 2.2.2.0 on R1 and R2?

Can you try to ping 2.2.2.0 from R1 and R2 sourcing with interface facing ASA? Do the same test but sourcing with WAN interface.

Re: nat and route issue

elite2010 — Tue, 19 Dec 2017 18:31:19 GMT

Hi,

here is the sh ip bgp

---------------------------------------------------------
R1#
R1#sh ip bgp 2.2.2.0
BGP routing table entry for 2.2.2.0/24, version 11261
Paths: (1 available, best #1, table default)
Advertised to update-groups:
5
Refresh Epoch 1
Local
0.0.0.0 from 0.0.0.0 (4.4.4.2) 4.4.4.2 is the interface ip which is connected to isp
Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
rx pathid: 0, tx pathid: 0x0
R1#
R1#
R1#
----------------------------------------
R2
neighbor 4.4.4.9 remote-as X2X7X

R2 #sh ip bgp 2.2.2.0
BGP routing table entry for 0.0.0.0/0, version 2
Paths: (1 available, best #1, table default)
Not advertised to any peer
Refresh Epoch 1
X2X7X Y4Y1
4.4.4.9 from 4.4.4.9 (9.9.9.9) 4.4.4.9 is the interface ip which is connected to isp
Origin IGP, localpref 100, valid, external, best
rx pathid: 0, tx pathid: 0x0

I could not do the ping since Icmp were not permitted on the asa

Sorry for that

Thanks

Re: nat and route issue

Francesco Molino — Tue, 19 Dec 2017 22:49:52 GMT

You missed the output of sh ip route 2.2.2.0
Can you validate that the forwarding path is your ASA and not ISP?
Do you want to have ISP on R1 primary and ISP on R2 secondary ?

Also to avoid any issues, in your design, you have a static route on each routers going to ASA to reach subnet 2.2.2.0/24, and you don't want to learn this subnet from any BGP peer. To achieve that, you can use the following sample config:

ip prefix-list DENY seq 5 permit 2.2.2.0/24
!
route-map DENY deny 10
match ip add prefi DENY
route-map DENY permit 20

router bgp xxx
neigh xx.xx.xx.xx route-map DENY in

Re: nat and route issue

elite2010 — Wed, 20 Dec 2017 06:17:47 GMT

Hi,

Also to avoid any issues, in your design, you have a static route on each routers going to ASA to reach subnet 2.2.2.0/24, and you don't want to learn this subnet from any BGP peer. To achieve that, you can use the following sample config:

Sorry I did not get your point .
Can you validate that the forwarding path is your ASA and not ISP?

Yes its to asa

sh ip route 2,2.2.2
Routing entry for 2.2.2.2
Known via "static", distance 1, metric 0 (connected)
Advertised by bgp 60000
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet0/2
Route metric is 0, traffic share count is 1

Can you describe the bgp (Sh ip bgp 2.2.2.0 )output provided

What If I Want to load balance between these two routers .(ASa is active standby )

Thanks

Re: nat and route issue

Francesco Molino — Wed, 20 Dec 2017 14:10:05 GMT

What I meant is R1 and R2 has a static route to 2.2.2.0/24. You're advertising this subnet on the Internet and that's fine. However, You don't want to learn this subnet back through BGP on R1 and R2 because the static route will always take precedence. That's why I'm saying you can filtrer inbound on R1 and R2 to not learn that subnet. Is that clear?

Regarding your BGP output:

ON R1:

- it shows that the subnet 2.2.2.0/24 on BGP is a local route. You can see this by checking the weight for example. If you don't modify anything, a learned route will have a weight of 0 and locally originated route will have a weight of 32768. This BGP attribute is local to the router to make its routing decision. The higher the weight is, the higher is route preferred.

- You can also see in the output 0.0.0.0 which means that is a local originated route

ON R2:

- The subnet 2.2.2.0/24 learned over BGP has been advertised by the BGP peer with IP address 4.4.4.9, which has also the RID 9.9.9.9

However you can see the difference with R1 where it officially didn't learn the subnet 2.2.2.0/24 and goes through the default route:

R2 #sh ip bgp 2.2.2.0
BGP routing table entry for 0.0.0.0/0, version 2

If you do a sh ip bgp 2.2.2.0/24 on R2 it should says % Network not in table

This is normal as you have the same AS BGP on R1 and R2. Peering is done between R1 and ISP, and between R2 and ISP. When ISP sends the update to R2, R2 sees its own AS in the AS-PATH attribute and the loop prevention mechanism in eBGP is dropping that subnet.

However, as you have a static route for this subnet and advertising it, it should show the same output as R1. But before, apply the route-map to deny inbound this subnet to be learned in BGP from their neighbor.

If you share all your config in a text file for your devices, I would be able to reproduce your issue in LAB and come with a config update.

Re: nat and route issue

elite2010 — Sat, 23 Dec 2017 19:10:04 GMT

Hi ,

I have attached the configuration and topology

Re: nat and route issue

Francesco Molino — Sun, 24 Dec 2017 00:05:47 GMT

I copy paste your exact config and I'm not able to do a traceroute on 2.2.2.100 because your acl outside is allowing only http and https:

R1#traceroute 2.2.2.100

Type escape sequence to abort.
Tracing the route to 2.2.2.100

1 * * *
2 * * *
3 * * *
4 *

ASA logs:

3|Dec 23 2017 23:52:01|106014: Deny inbound icmp src Outside:1.1.1.2 dst inside:192.168.2.10 (type 8, code 0)
3|Dec 23 2017 23:52:02|106014: Deny inbound icmp src Outside:1.1.1.2 dst inside:192.168.2.10 (type 8, code 0)

However, if for testing i modify the acl into a permit ip any any, everything is working:

R1#traceroute 2.2.2.100

Type escape sequence to abort.
Tracing the route to 2.2.2.100

1 2.2.2.100 8 msec 4 msec *

The following route on ASA isn't needed: route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1