topic Re: ASA 9.3 Nat U-Turn / NAT Reflection in Network Security

ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Sat, 05 Feb 2022 17:52:00 GMT

Hello,

I have an internal server on inside interface of ASA with IP 192.168.1.5 (Public IP 1.2.3.4)

Access from the internet is facilitated via NAT, being translated from the Dynamic interface of the ASA PPPoE outside interface.

My issue relates to accessing the server via its public IP address from the inside interface.

Due to constraints with a mobile application, the server must be accessed using the same public FQDN from both internal and via the internet. To further complicate matters, ideally the external port must be mapped to a different tcp port for inbound connections (the server only listens on port 8000)

WAN-IP (1.2.3.4:443)-------ASA--------Server (192.168.1.5:8000)

In the first instance, I got the basic NAT rules running which gave access from the net to the server via the port translation

object network IntServer-8000
nat (Inside,Outside) static interface service tcp https 8000

However, I could not connect internally to the server using the public FQDN. Fixed this by adding a u-turn nat, and allowing intra-interface traffic

nat (Inside,Inside) source dynamic any interface destination static WAN-IP IntServer

I could now connect to the server externally using https://FQDN but only internally using https://FQDN:8000 - the port translation would not work.

My problem is I cannot seem to get u-turn NAT AND Port translation working the same together, internally and externally - I can do one or the other, despite adding service objects for TCP 443 and TCP 8000 and trying to add them to the nat (inside,inside) statement. So as a workaround we are currently accessing the server using https://FQDN:8000, but ideally we would just use https://FQDN and let the ASA translate 443 to 8000

So essentially I want the u-turn nat (inside, inside) to also translate tcp 443 to tcp 8000, as it does on the nat (inside,outside), for connections initiated on the inside with the public FQDN, and would be delighted for any pointers on this.

I have tried various combinations of nat (Inside,Inside) source dynamic any interface destination static WAN-IP IntServer with service ports appended for 8000 and 443 to no avail.

I do hope my explaination is clear enough to understand from the above.

Any ideas welcomed.

Regards

Ger

Re: ASA 9.3 Nat U-Turn / NAT Reflection

MHM Cisco World — Sun, 06 Feb 2022 00:21:00 GMT

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71704-dns-doctoring-2zones.html

please see this doc. about the DNS doctor.
Inside Host must be get Private IP of Server from DNS Server Outside, this make the Inside host connect directly to Server.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

Marius Gunnerud — Sun, 06 Feb 2022 14:17:27 GMT

I would suggest changing your hairpinning NAT statement to be static and to use the the local LAN subnet (or RFC 1918) as source networks.

network object LAN

subnet 192.168.1.0 255.255.255.0

nat (inside,inside) source static LAN LAN destination static WAN-IP IntServer

DNS doctoring will not solve the issue as there is a restriction that requires users to access the server using the public IP. DNS doctoring will rewrite the DNS reply with the private IP of the server, not to mention that the DNS request will need to pass through the ASA for it to work.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Sun, 06 Feb 2022 14:23:36 GMT

Thansk for your reply - yes, unfortunately DNS doctoring wont work as the initial DNS query will be gotten from an internal DNS server thus never traversing the ASA.

Regards,

Ger

Re: ASA 9.3 Nat U-Turn / NAT Reflection

MHM Cisco World — Mon, 07 Feb 2022 10:33:54 GMT

same-security-traffic permit intra-interface
!
nat (inside,inside) 1 source dynamic any interface destination static PublicServer-IP PrivateServer-IP
Note:- 1 is mandator to put the NAT in top list.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Mon, 07 Feb 2022 21:22:09 GMT

Thanks all for your input - both source static and source dynamic worked for the main nat loopback. Unfortunately no luck on the PAT portion, when trying to translate TCP443 to TCP8000.

Possibly complicated by the fact that I already have a nat (inside,outside) for internet access to the server via 443 outside to 8000 inside.

Thanks again

Re: ASA 9.3 Nat U-Turn / NAT Reflection

MHM Cisco World — Mon, 07 Feb 2022 22:11:00 GMT

destination port can be change with service tcp, this make the source nat and destination with it port NAT.
what issue you face with this config, I am interest to know?

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Tue, 08 Feb 2022 00:19:32 GMT

Simply, the loopback NAT works as long as I don't try to do PAT, but once I add the PATs with the service command I lose internal access to the WAN address.

Rather than explaining any further I have attached the relevant config parts below

object network Int_VLAN100
subnet 192.168.1.0 255.255.255.0
object network Int_VLAN110
subnet 192.168.10.0 255.255.255.0
object network OpServer
host 192.168.1.6
object network AServer
host 192.168.1.5
object network WAN-IP
host 1.2.3.4
object service TCP80
service tcp source eq www
object service TCP443
service tcp source eq https
object service UDP1394
service udp source eq 1394
object service TCP8000
service tcp source eq 8000
object network Test
host 192.168.1.2
object-group network Int_Nets
network-object object Int_VLAN110
network-object object Int_VLAN100
access-list inbound extended permit udp any object OpServer eq 1394
access-list inbound extended permit tcp any object AServer eq www
access-list inbound extended permit tcp any object AServer eq 8000
access-list inbound extended permit tcp any object AServer eq https

nat (Inside,Inside) source dynamic any interface destination static WAN-IP AServer
nat (Inside,Outside) source static AServer interface service TCP8000 TCP443
nat (Inside,Outside) source static AServer interface service TCP80 TCP80
nat (Inside,Outside) source static OpServer interface service UDP1394 UDP1394
nat (Inside,Outside) source static AServer interface service TCP8000 TCP8000
!
nat (Inside,Outside) after-auto source dynamic Int_Nets interface
access-group inbound in interface Outside

With the above config, on the inside I can ICMP to WAN 1.2.3.4, and connect to the object AServer on 8000 using https://1.2.3.4:8000

From the WAN I'm also able to connect to https://1.2.3.4 and I don't need the port as the mapping from the second nat statement is correctly mapping outside 443 to inside 8000.

However, when I try to do the same for the internal mapping in the (inside,inside) nat using this line

nat (Inside,Inside) source dynamic any interface destination static WAN-IP AServer service TCP8000 TCP443

the loopback NAT just fails to work. I recall getting an error at one point something line TCP443 is not a wildchar. Additionally I got errors about not being able to reserve NAT port. I believed this was due to the already existing (inside,outside) mapping for 443 to 8000. This is the case whether I use dynamic or static NAT for the loopback statement.

Hopefully I have explained the position sufficiently.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Tue, 08 Feb 2022 01:52:13 GMT

Simply, the PAT part, if I append it.

I attach here the relevant parts from my config.

same-security-traffic permit intra-interface

object network Int_VLAN100
subnet 192.168.1.0 255.255.255.0
object network Int_VLAN110
subnet 192.168.10.0 255.255.255.0
object network OpServer
host 192.168.1.6
object network HRServer
host 192.168.1.5
object network WAN-IP
host 1.2.3.4
object service TCP80
service tcp source eq www
object service TCP443
service tcp source eq https
object service UDP1393
service udp source eq 1393
object service TCP8000
service tcp source eq 8000
object network Test
host 192.168.1.2
object-group network Int_Nets
network-object object Int_VLAN110
network-object object Int_VLAN100
access-list inbound extended permit udp any object OpServer eq 1393
access-list inbound extended permit tcp any object HRServer eq www
access-list inbound extended permit tcp any object HRServer eq 8000
access-list inbound extended permit tcp any object HRServer eq https

nat (Inside,Inside) source dynamic any interface destination static WAN-IP HRServer
nat (Inside,Outside) source static HRServer interface service TCP8000 TCP443
nat (Inside,Outside) source static HRServer interface service TCP80 TCP80
nat (Inside,Outside) source static OpServer interface service UDP13943 UDP1393
nat (Inside,Outside) source static HRServer interface service TCP8000 TCP8000
!
nat (Inside,Outside) after-auto source dynamic Int_Nets interface

With the above config, I can connect to HRServer from outside with https://1.2.3.4, and I get redirected from 443 to 8000 fine and all works, due to nat rule 2. From the inside I can connect to HRServer using https://1.2.3.4:8000 (no port translation), as there is no PAT service appended to the nat (inside,inside) statement, from nat rule 1.

If I now replace the above nat (inside, inside) with the following:

nat (Inside,Inside) source dynamic any interface destination static WAN-IP HRServer service TCP8000 TCP443

in an effort to replicate the port translation from 443 to 8000, and now try connecting to https://1.2.3.4 from the inside, without adding :8000, no joy and I cannot connect. So essentially the loopback NAT works for translating 1.2.3.4 from the inside, but refuses to redirect port 443 to 8000 (on the inside).

I hope I've explained sufficiently, and hope the config snippet makes it clear what I'm trying to do.

PS - I already wrote this reply but for some reason the browser did not publish it, so here it is again. Hopefully wont result in a double post.

Regards

Ger

Re: ASA 9.3 Nat U-Turn / NAT Reflection

BoomShakaLak — Tue, 08 Feb 2022 10:23:37 GMT

In this scenario you need to switch HRServer and WAN-IP as well as the service, as follows:

nat (Inside,Inside) source dynamic any interface destination static HRServer WAN-IP service TCP443 TCP8000

Re: ASA 9.3 Nat U-Turn / NAT Reflection

MHM Cisco World — Tue, 08 Feb 2022 13:12:46 GMT

Ok, when we check traffic flow for asa we see that’s NAT come before acl,

I see acl in asa permit only 8000 so this make asa drop the connect, beucase as I mention before it NAT 8000 to 443, so the new connection is now from outside but with port 443 not 8000. This is why the connect drop in asa.

please check this point add acl check connect And if it pass, check with admin to allow this port in outside.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Tue, 08 Feb 2022 14:09:10 GMT

Hi,

Do you mean replace the current nat with your statement switching the HRServer as above, or add yours as an additional nat (inside, inside)?

Thank you for your time.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Tue, 08 Feb 2022 14:10:49 GMT

Hi,

I already have 443 referenced in the ACL as per

access-list inbound extended permit tcp any object HRServer eq https

Is this what you are referring to as being missing?

Thank you for your help.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

Sheraz.Salim — Tue, 08 Feb 2022 18:11:36 GMT

I know I am late into this but found a link might it help you. Apologies did not understand competeley your scenario but might you find this help you

https://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/1150-cisco-asa-firewall-nat-reflection-loopback-hairpinning-configuration.html

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Wed, 09 Feb 2022 13:32:56 GMT

Thank you for the link, and appreciate your response.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

MHM Cisco World — Sat, 12 Feb 2022 02:35:09 GMT

Hi freind,

Can i see the acl for inisde and outside of asa?

Re: ASA 9.3 Nat U-Turn / NAT Reflection

Aref Alsouqi — Sat, 12 Feb 2022 08:57:16 GMT

Try please to create two destination service objects, one with destination port 8000/tcp and another with destination port 443/tcp, add them to this NAT rule, and remove the other two you created:

nat (inside,any) source static <server-pivate-IP> <server-public-IP> <real-destination-service> <mapped-destination-service>

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Sat, 12 Feb 2022 17:53:13 GMT

access-list inbound extended permit udp any object OpServer eq 1394
access-list inbound extended permit tcp any object AServer eq www
access-list inbound extended permit tcp any object AServer eq 8000
access-list inbound extended permit tcp any object AServer eq https

Re: ASA 9.3 Nat U-Turn / NAT Reflection

GR5516 — Sat, 12 Feb 2022 17:54:15 GMT

unfortunately did not work - with the "any" this overlaps with the ip address of the outside interface.

Re: ASA 9.3 Nat U-Turn / NAT Reflection

Aref Alsouqi — Sat, 12 Feb 2022 18:45:27 GMT

Ok, how about if you keep the object network IntServer-8000 NAT rule, remove the "nat (inside,inside)" source dynamic statement, and then you add:

nat (inside,inside) source static <server-pivate-IP> <server-public-IP> <real-destination-service> <mapped-destination-service>