topic Re: NAT problem in Network Security

NAT problem

denilson.mota — Fri, 21 Feb 2020 15:13:15 GMT

Hi experts,

My remote users inside mpls need to access a webserver, them I create a NAT from the mpls ip to real webserver ip on the interface were my remote users is connected to then I create a record in dns server point to mpls IP. Till now all working fine my remote users able to connect the server trough the dns and also mpls ip.

The problem is all internal users (LAN) can't connect but if I create a local record in the local host file point to real ip webserver its work or if I use the real Ip directly on browser its work. Please help figure out why can't connect directly to webserver trough the record i have created point to mpls ip (same for remote users). The NAT it suppose affect the users in the mpls only i think.

Thank you,

Re: NAT problem

Ajay Saini — Tue, 30 Jan 2018 08:18:53 GMT

Hello,

The reason why it does not work for internal users is that they are trying to hit the mapped ip. This will be dropped on ASA and is expected. You can configure a u-turning scenario wherein the request will come to ASA internal interface and ASA will proxy and send it back inside rather than sending it outside.

If you can attach the running config, I can suggest some changes.

If you dont want to modify this setup, you can then make hostfile changes which you have already figured out. Can you also confirm where is your dns server, internal or external? If it is external, we can use dns doctoring to make it work.

HTH

Re: NAT problem

denilson.mota — Tue, 30 Jan 2018 08:46:04 GMT

Hi Ajay,

Thank you for your reply.

Attached find the scenario draft and the capture traffic, my remote users able to access service y.y.y.1 because they go to core router and from them they have a route to our ASA FW 99.6, and the NAT is on the same interface, same happen for the service x.x.x.1 g to core router and have route to 99.4.

My LAN users able to access service y.y.y.1 because the default gateway have a static route to 99.6 and from them have a NAT, but can't access the service x.x.x.1 because our FW 99.4 don't now the x.x.x.1 and send to the cloud. I have create a route to send from the LAN to core router and he knows x.x.x.1 because have a static route to 99.4. Is like send from FW to core and come back to FW on the right interface were the NAT is applied but also not working. Please see attach and help.

Thank you

Re: NAT problem

Ajay Saini — Wed, 31 Jan 2018 04:59:46 GMT

Hello,

This is an interesting problem and a more tricky workaround. The idea is to u-turn the traffic, because for lan users traffic can not go to core router and come back through same route. Its a firewall design to drop such traffic.

I requested a running config, but the things we need to achieve this is like this:

create a NAT on 10.0.0.1 interface something like:

NAT (inside,inside) static <public ip 99.4> <private ip>

Also, create a source NAT such that when lan user hits the public ip address 99.4, it goes to inside interface of the firewall. FW will proxy arp for the destination ip due to NAT I mentioned above and send it back as a u-turned traffic. The souce of LAN will be PATted to inside interface so that reply traffic comes back through same path.

Also, add the command below to allow u-turn.

same-security-traffic per intra-interface

Try this in a downtime and test it out.

HTH
AJ

Re: NAT problem

denilson.mota — Wed, 31 Jan 2018 06:44:07 GMT

Hi Ajay,

Thank you once again for your reply.

Yes this is an interesting scenario and am stack to make this work.

My lan user subnet is 10.0.1.0/24 connected to my ASA 10.0.1.1, the mpls IP is located on mpls core router that send to my ASA on mpls interface 10.0.99.4. As i told you the remote users have no problem as they come via our mpls interface on ASA then NAT happen to real server. As per your explanation I have to NAT my inside interface to inside interface like this:

NAT (inside,inside) static 41.76.7.25 10.0.10.50 ---->(mean nat my mpls ip to real server on inside interface is this correct) then

NAT (inside,inside) source static 41.76.7.25 10.0.1.0 destination static (this is correct)

Can I try this scenario in PRODUCTION without any downtime? Please suggest according.

the command --> same-security-traffic permite intra-interface and

same-security-traffic permite inter-interface is already there.

Thank you,

Re: NAT problem

Ajay Saini — Wed, 31 Jan 2018 08:42:22 GMT

You would also need to PAT the inside lan user to inside interface so that reply traffic comes back to the ASA interface and there is no asyemtric routing. For the same:

object network obj-test

subnet <inside subnet>

nat(inside,inside) source dynamic any interface

try it out and see if it works. I would have taken the risk in a live environment.

Good luck.

HTH

Re: NAT problem

denilson.mota — Wed, 31 Jan 2018 09:07:44 GMT

I'm a bit confuse now, can you please send me the commands I have to run into ASA with the correct IP assuming my lan subnet (10.0.1.0/24) and my mpls IP 41.76.7.25, can I use only one host for test purpose lets say 10.0.1.24. There is need any acl for permit the traffic?

Please see if this command are correct before insert:

NAT (inside,inside) static 41.76.7.25 10.0.10.50

NAT (inside,inside) source static 41.76.7.25 10.0.1.0 destination static

object network NTADMIN
subnet 10.0.1.24 255.255.255.255

nat(inside,inside) source dynamic any interface

Thank you!

Re: NAT problem

Ajay Saini — Wed, 31 Jan 2018 09:28:54 GMT

NAT (inside,inside) source static 10.0.10.50 41.76.7.25

object network NTADMIN
host 10.0.1.24
nat (inside,inside) dynamic interface

Please try this. We dont need an ACL since the traffic is never going to cross the interface, it will always get u-turned from inside interface.

HTH

Re: NAT problem

denilson.mota — Wed, 31 Jan 2018 09:35:06 GMT

for this last line "nat (inside,inside) dynamic interface" you mean
nat (inside,inside) source dynamic any interface correct?

Re: NAT problem

denilson.mota — Wed, 31 Jan 2018 09:49:54 GMT

I did but still not open the service, see the capture attached.