topic Re: Server got lost from LAN while allowing Internet connectivity in Network Security

Server got lost from LAN while allowing Internet connectivity

Unit4_cognizant — Fri, 19 Feb 2021 08:11:21 GMT

Hello Team,

Seeking your help with an issue I've been facing deploying a new ASA5555 FW. We have a server behind the LAN interface which is well reachable over Cisco AnnyConnect profile, that server needs also internet connectivity and here is when the issue comes up; after configuring the NAT to allow internet traffic it is no longer reachable over AnyConnect and what I can see in the logs is a kind of asymmetric NAT.

FW details:

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)151

Hardware: ASA5555, 16384 MB RAM, CPU Lynnfield 2793 MHz, 1 CPU (8 cores)
ASA: 8546 MB RAM, 1 CPU (2 cores)
Internal ATA Compact Flash, 8192MB

The server is directly connected on LAN interface

OSLO-ASA01# show arp | in 10.47.20.245
LAN 10.47.20.245 0015.5db3.a9f7 12

ACL to allow traffic from this server over the Internet (WAN Interface)

access-list LAN_access_in extended permit ip host 10.47.20.245 any log

NAT to translate source IP to WAN interface IP for Internet traficc

nat (LAN,WAN) source dynamic 10.47.20.245 interface

As soon as that NAT gets applied the internet is allowed to go over the internet but is lost from the LAN (cisco anyconnect) and I can see below error in the logs

Feb 19 2021

09:01:44

305013

10.47.200.1

LOCAL

10.47.20.245

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src WAN:10.47.200.1(LOCAL\Jaime.Viera@unit4.com) dst LAN:10.47.20.245 (type 8, code 0) denied due to NAT reverse path failure

Does someone know what would be the issue? I need to have this server (and many others to come up) reachable over the Cisco AnyConnect but also able to have Internet traffic

I would be able to provide further config details and logs/debug if needed

Thanks in advance for your help

Jaime,

Re: Server got lost from LAN while allowing Internet connectivity

Unit4_cognizant — Fri, 19 Feb 2021 08:14:23 GMT

re is a packet-tracer result

OSLO-ASA01# packet-tracer input LAN icmp 10.47.200.2 8 0 10.47.20.245 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7822fa4da0, priority=13, domain=capture, deny=false
hits=4348289, user_data=0x7f781925d3e0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=LAN, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78169efd80, priority=1, domain=permit, deny=false
hits=982379, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=LAN, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.47.20.245 using egress ifc LAN

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip any object Corplan
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78177d0860, priority=13, domain=permit, deny=false
hits=813, user_data=0x7f780a483580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7815c912c0, priority=0, domain=nat-per-session, deny=true
hits=19503, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78171eb830, priority=0, domain=inspect-ip-options, deny=true
hits=15286, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78178264a0, priority=70, domain=inspect-icmp, deny=false
hits=212, user_data=0x7f781945ba90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78171eb040, priority=66, domain=inspect-icmp-error, deny=false
hits=726, user_data=0x7f78171ea5b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7817d00520, priority=13, domain=debug-icmp-trace, deny=false
hits=1385, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 10
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f7817d00520, priority=13, domain=debug-icmp-trace, deny=false
hits=1386, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f7815c912c0, priority=0, domain=nat-per-session, deny=true
hits=19505, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f78171eb830, priority=0, domain=inspect-ip-options, deny=true
hits=15288, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 25809, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

Re: Server got lost from LAN while allowing Internet connectivity

Rob Ingram — Fri, 19 Feb 2021 09:01:11 GMT

@Unit4_cognizant

You probably need a NAT exemption rule betweeen the LAN and RAVPN networks, as the traffic is probably being unintentionally being natted.

Re: Server got lost from LAN while allowing Internet connectivity

Unit4_cognizant — Fri, 19 Feb 2021 09:38:34 GMT

Hello Rob,

Thanks for taking a look, that mak sense but I have a pplieda couple of NATs trying to achive this and still same issue, probably I’m doing it wrong.

Would you guide me how to achive this? Any suggestion?

Best regards,

Re: Server got lost from LAN while allowing Internet connectivity

Rob Ingram — Fri, 19 Feb 2021 09:44:51 GMT

@Unit4_cognizant

You need a rule something like this:-

nat (INSIDE,OUTSIDE) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp

You may need to amend the interfaces, you will obviously have to amend the groups used. If that fails, provide your configuration and the output of "show nat detail".

Re: Server got lost from LAN while allowing Internet connectivity

Unit4_cognizant — Fri, 19 Feb 2021 09:49:34 GMT

Got to solve the issue now with below NAT

nat (LAN,WAN) source static Corplan Corplan destination static Corplan Corplan no-proxy-arp route-lookup

Corplan is our whole internal network.

Still unclear how it works to be honest, but glad it is working fine, now that server is having internet Access and still rechable through the cisco annyconnect VPN

Thanks so much for your help