topic Hi in Network Security

ASA 8.2(1) static NAT using public IP address in same subnet as WAN(outside) port

matthewik.lee — Tue, 12 Mar 2019 09:40:34 GMT

Internet ---- outside_port@ASA1@inside_port ----- LAN ----- Server.

IP addresses:

Outside port: 118.x.x.1/24

Server public: 118.x.x.2

Server real: 10.10.10.2

Now cannot ping/web browsing 118.x.x.2 from the LAN 10.10.10.0/24.

Outside inbound ACL is permitted any to 118.x.x.2 for any services.

It is related to ASA hair pinning scenario.

Are there ways to let 10.10.10.x to reach 118.x.x.2 as our user demands. Thanks a lot.

Matthew

Hi matthewik.lee,

Spooster IT Services — Mon, 10 Jul 2017 16:27:28 GMT

Hi matthewik.lee,

You are facing this issue due to the security feature called IP spoofing. Have you noticed the syslogs while testing connectivity from LAN to server 118.x.x.2 you are getting the folowing syslog:-

%ASA-2-106016: Deny IP spoof from (x.x.x.x) to x.x.x.x on interface outside

This is happening due to the following:-

Let say you are trying to access the server from the LAN user 10.10.10.100. Traffic flow is like the following:-

Source IP 10.10.10.100 Destination IP 118.x.x.2 when the traffic reaches to ASA the source is getting PAT into ASA interface IP and ASA route the traffic towards ISP. ISP check it's routing table and sends the traffic back to ASA. Now ASA is recieving the traffic having source IP it's own outside interface IP. ASA assume that someone is sending the traffic with to ASA by spoofing the IP of it's own.

Question 1) Are you using the local DNS server of any public DNS server?

Hi,

matthewik.lee — Tue, 11 Jul 2017 01:49:11 GMT

Hi,

Thanks for your kind response.

We are using local DNS.

Matthew

You need change the A record

Spooster IT Services — Tue, 11 Jul 2017 05:32:19 GMT

You need change the A record at your local DNS server from public IP to private IP. The DNS server should hand out a private IP address, which is the real IP address assigned to the application server. This allows the local client to connect directly to the application server. Now the point is that the remote client cannot access the application server with the private address. As a result, DNS Doctoring is configured on the ASA to change the embedded IP address within the DNS response packet. This ensures that when the remote client makes a DNS request for www.abc.com, the response they get is for the translated address of the application server. Following is the config example.

Let's say 10.x.x.100 is the private IP of application server and 198.x.x.100 is the public IP

nat (inside,outside) source static 10.x.x.100 198.x.x.100 dns
!
policy-map global_policy
class inspection_default
inspect dns

Hi

matthewik.lee — Tue, 11 Jul 2017 08:37:31 GMT

I did the

static (inside,outside) 198.x.x.100 10.x.x.100 netmask 255.255.255.255 dns
!
policy-map global_policy
class inspection_default
inspect dns

But 198.x.x.100 is not recorded in DNS and I modified my computer hosts file:

198.x.x.100 test

Then I ping test from my computer, cannot succeed. If the public IP is not in DNS, can DNS doctoring work?

Thank you, Matthew

Hi Matthew,

Spooster IT Services — Tue, 11 Jul 2017 10:13:30 GMT

Hi Matthew,

In your local DNS server, what is the A record ( is that public IP or private IP) for your application server?

Hi, as this a test web server

matthewik.lee — Wed, 12 Jul 2017 02:06:09 GMT

Hi, as this a test web server, and we use IP to do tests, so not registered it in our DNS.

We only do ASA static NAT public to real in the office LAN. Then try to reach the public IP from the office LAN.

Thank you. Matthew

Unfortunately, ASA doesn't

Spooster IT Services — Wed, 12 Jul 2017 21:43:30 GMT

Unfortunately, ASA doesn't not allow you to do that. You can't reach using public IP from the office LAN.

Thank you.

matthewik.lee — Mon, 17 Jul 2017 02:54:40 GMT

Thank you.