topic Re: ASA NATing doesn't seem to work in Network Security

ASA NATing doesn't seem to work

mazin D — Wed, 27 May 2020 13:41:34 GMT

i have ASA 5510 firewall and Fortigate is connected to vlan interface in ASA. I have public IP address NATed (object NAT) to the outside interface of the Fortigate. the NAT doesn't seems to work, I see the traffic hitting the public IP address but not the outside interface of the Fortigate. any suggestions ?

Re: ASA NATing doesn't seem to work

Aileron88 — Wed, 27 May 2020 21:45:41 GMT

Hi,

could you post your NAT and routing configuration.

Thanks

Re: ASA NATing doesn't seem to work

mazin D — Thu, 28 May 2020 09:23:20 GMT

thanks for the reply, please find attached the config, I have changed the original IP addresses.

Thanks,

Re: ASA NATing doesn't seem to work

Marius Gunnerud — Thu, 28 May 2020 20:03:19 GMT

If the following is correct: * the rules on the outside interface to allow traffic from any to Fortigate-IP on ICMP,http, https

Then this is the issue. You need to change this access rule to be towards CD-BFS-NORTH.

Re: ASA NATing doesn't seem to work

mazin D — Fri, 29 May 2020 08:28:32 GMT

Hi,

Thanks for the reply.

that's why I called my enquiry "ASA NATing doesn't seem to work".

when I change the destination in the rule to CD-BFS-NORTH , the traffic denied by ACL.

I have attached packet tracer for the rules when the destination CD-BFS-NORTH and Fortigate-IP.

my understanding that the ASA should first check the NAT before the interface ACL , but that doesn't seem to happen.

Can someone advise ?

Re: ASA NATing doesn't seem to work

Aileron88 — Fri, 29 May 2020 09:26:29 GMT

Hi,

What version of ASA code are you running?

Re: ASA NATing doesn't seem to work

mazin D — Fri, 29 May 2020 10:15:59 GMT

its 9.1(7)13

Re: ASA NATing doesn't seem to work

Marius Gunnerud — Fri, 29 May 2020 11:10:21 GMT

Is there a reason you are using twice NAT for this? Also, it is always a good practice to specify which interfaces you are NATing between and do not use the any keyword for interface selection. I would suggest changing the NAT to something like the following (change the interface names if needed):

nat (INSIDE,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

Re: ASA NATing doesn't seem to work

mazin D — Fri, 29 May 2020 11:20:22 GMT

Hi Marius,

thanks so much for the reply

there is no particular reason to do the twice NAT , I was just trying everything to make it work.

the command line you have suggested is already there:

(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

Regards,

Re: ASA NATing doesn't seem to work

Marius Gunnerud — Fri, 29 May 2020 12:37:44 GMT

Could you post a full running configuration for your ASA (remember to remove any public IPs, usernames and passwords).

Re: ASA NATing doesn't seem to work

mazin D — Fri, 29 May 2020 12:55:42 GMT

Hi Marius,

thanks for you help so far

this firewall is old one and the configuration file is very big, hiding all the secure info will take long time, I am more than happy to share the config partially, like show run interface , show run nat ..etc.

Regards

Re: ASA NATing doesn't seem to work

Aileron88 — Fri, 29 May 2020 13:53:14 GMT

Without seeing more config it's hard to 100% diagnose but it just looks like you have your NAT commands around the wrong way, because you're stating outside>any and not the other way around. I would suggest removing the twice NAT and just adding a rule for this server such as the one you've already mentioned, assuming that the Fortigate is behind the EVL_VPN interface.

(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

Run packet-tracer again and see if this NAT rule is hit. If you want to try it another way try changing your other rule around:

42 (OUTSIDE) to (<ZONE THAT CONTAINS FORTIGATE>) source static any any destination static CD-BFS-NORTH Fortigate-IP no-proxy-arp

Re: ASA NATing doesn't seem to work

Marius Gunnerud — Fri, 29 May 2020 14:30:42 GMT

Could you please provide the output of the following commands:

show run nat | include CD-BFS-NORTH

show run access-list | include CD-BFS-NORTH !(If you are using IPs instead of objects replace with IP)

Also, provide a brief description / diagram of your network and where the IPs are located that you are trying to NAT.

Re: ASA NATing doesn't seem to work

mazin D — Fri, 29 May 2020 14:58:05 GMT

Hi Both,

I have deleted the double Nating , and added CD-BFS-NORTH instead of Fortigate-IP in the rules, the firewall is denying the traffic.

please find attached the commands output and a little diagram

Thanks for your efforts to help

Re: ASA NATing doesn't seem to work

Marius Gunnerud — Fri, 29 May 2020 16:31:00 GMT

You still have twice NAT configured...unless this is the one you have removed.

nat (OUTSIDE,any) source static any any destination static Fortigate-IP CD-BFS-NORTH object network CD-BFS-NORTHW

I suggest removing this and replacing it with the command I provided earlier.

nat (EPL_VPN,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

It is a better practice to NAT from the inside to the outside unless there is a very specific reason for you to NAT from the outside.

Re: ASA NATing doesn't seem to work

mazin D — Sun, 31 May 2020 11:44:01 GMT

thanks for your help.

still getting the same issue. please find below the out put of packet tracer after removing the twice NAT:

-FW01/pri/act# show run nat | include CD-BFS-NORTH
object network CD-BFS-NORTH

FW01/pri/act# show nat | include CD-BFS-NORTH
1 (EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

FW01/pri/act# show access-list | i CD-BFS-NORTH
access-list OUTSIDE_INGRESS line 27 extended permit object-group DM_INLINE_SERVICE_11 any object CD-BFS-NORTH log informational interval 300 (hitcnt=0) 0x070a3eba

CD-24LH-FW01/pri/act# packet-tracer input ouTSIDE icmp 92.239.10.100 8 0 80.10.10.51

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 80.10.10.48 255.255.255.248 OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group OUTSIDE_INGRESS in interface OUTSIDE
access-list OUTSIDE_INGRESS extended deny ip any any
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

its looks like that translation happening in one direction, not sure why

Re: ASA NATing doesn't seem to work

Marius Gunnerud — Sun, 31 May 2020 14:05:38 GMT

What protocols are you allowing in your ACL?

sh run object-group id DM_INLINE_SERVICE_11

Re: ASA NATing doesn't seem to work

mazin D — Sun, 31 May 2020 14:15:21 GMT

ICMP, HTTP, HTTPS

FW01/pri/act# sh run object-group id DM_INLINE_SERVICE_11
object-group service DM_INLINE_SERVICE_11
service-object icmp
service-object tcp-udp destination eq www
service-object tcp destination eq https

Re: ASA NATing doesn't seem to work

mazin D — Mon, 01 Jun 2020 11:25:14 GMT

sorted,

just re-added the NAT statement at the top of the all NAT rules and its worked.

1 (OUTSIDE) to (any) source static any any destination static Fortigate-IP CD-BFS-NORTHW

thanks all for your help