topic Strange in Network Security

Cannot configuring NAT using outside interface ip to Two different dmz servers

Rowlands Price — Tue, 26 Mar 2019 01:00:21 GMT

Hi Support,

I have a litte issue

I have a Cisco ASA 5525-x using version 8.6 (1)

My issue is that i cannot configure nat to allow users from Internet to access servers located on dmz1 and dmz4

The nat should use the outside ip interface.

outside ip: 172.16.1.1 (for testing)

dmz1; server ip: 192.168.46.15, ports must be used: https and 8080

Dmz4: server ip 192.168.35.2, port must be used: tcp 7909, 7910 and 7911

All servers from dmz must access internet.

Can you please help me regarding nat configuration?

Attached is my diagram

Hi

Francesco Molino — Thu, 08 Jun 2017 00:39:40 GMT

Here is an example to do the nat statement for dmz1. As nat ports are not contiguous, you'll need to create 2 objects and apply the nat statement. Also the acl needed on your outside interface.

As per example I've done 2 different ace, 1 per port. You can also create a port object and then have only 1 ace referring to that port object for this specific host.

object network dmz1-8080

host 192.168.46.15
nat (dmz1,outside) static 172.16.1.1 service tcp 8080 8080
!

object network dmz1-https

host 192.168.46.15
nat (dmz1,outside) static 172.16.1.1 service tcp 443 443

!

access-list outside_access_in extended permit tcp any object dmz1-https eq https

!

access-list outside_access_in extended permit tcp any object dmz1-8080 eq 8080

For dmz4, as ports are contiguous we can do in another way:

object network dmz4-srv
 host 192.168.35.2
!
object service Obj-Ports
 service tcp destination range 7909 7911
!

nat (outside,inside) source static any any destination static interface dmz4-srv service Obj-Ports Obj-Ports
!
access-list outside_access_in extended permit tcp any object dmz4-srv range 7909 7911

I don't have your config but nat order is important to not overlap things.

Sorry for my paging, I'm using my mobile phone to answer your question.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi Francesco

Rowlands Price — Thu, 08 Jun 2017 05:00:26 GMT

Hi Francesco

Many Thanks,

why this line please:

this is a nat from outside to inside, this must be denied by default, or what please

nat (outside,inside) source static any any destination static interface dmz4-srv service Obj-Ports Obj-Ports

Hi Francesco

Rowlands Price — Thu, 08 Jun 2017 06:25:17 GMT

Hi Francesco

I have an error message when write these commands

host 192.168.46.15
nat (dmz1,outside) static 172.16.1.1 service tcp 8080 8080

Here is the error message

ciscoasa(config-network-object)# nat (dmz1-,outside) static 172.16.1.1 serv$
ERROR: Address 172.16.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Hi

Francesco Molino — Thu, 08 Jun 2017 11:24:31 GMT

172.16.1.1 is the IP assigned to your outside interface that's why you get this error message.

Then you need to change that statement by:

nat (dmz1,outside) static interface service tcp 443 443

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi Francesco,

Rowlands Price — Thu, 08 Jun 2017 20:27:36 GMT

Hi Francesco,

Still not working, but the error message disapeared

Attached is my actual config, it's on a test firewall runing version 8.3

regards

Your config isn't attached.

Francesco Molino — Thu, 08 Jun 2017 20:59:15 GMT

Your config isn't attached.

Hi,

Rowlands Price — Thu, 08 Jun 2017 21:13:57 GMT

Hi,

Just reloaded the asa and it's now working well.

but when i applied theses commands, it's not working

nat (dmz-egov,outside) source dynamic dmz-egov_network interface

this nat is for allowing dmz-egov_network to go internet right

Thanks for support

I don't see this nat on your

Francesco Molino — Thu, 08 Jun 2017 21:25:21 GMT

I don't see this nat on your config.

Can you apply it and do a packet-tracer?

packet-tracer input dmz-egov icmp 192.168.46.20 8 0 8.8.8.8

Thanks

Hi

Rowlands Price — Thu, 08 Jun 2017 21:43:30 GMT

Here is the nat applied

nat (dmz-egov,outside) source dynamic dmz-egov_network interface

Here is the packet tracert

ciscoasa(config)# packet-tracer input dmz-egov icmp 192.168.46.15 8 0 8.8.8.8

Result:
input-interface: dmz-egov
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

ciscoasa(config)#

This message appears if

Francesco Molino — Thu, 08 Jun 2017 21:53:13 GMT

This message appears if interfaces is down and/or if your default route is not existing.

Like before, try to save and reboot your asa

Thanks

Sorry, the cable was

Rowlands Price — Thu, 08 Jun 2017 21:55:52 GMT

Sorry, the cable was unplugged

here is the result

ciscoasa(config)# packet-tracer input dmz-egov icmp 192.168.46.15 8 0 8.8.8.8

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz-egov_access_in in interface dmz-egov
access-list dmz-egov_access_in extended permit ip object dmz-egov_network any log disable
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz-egov,outside) source dynamic dmz-egov_network interface
Additional Information:
Dynamic translate 192.168.46.15/0 to 217.77.77.210/28229

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 751, packet dispatched to next module

Result:
input-interface: dmz-egov
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)#

Then it works.

Francesco Molino — Thu, 08 Jun 2017 21:57:22 GMT

Then it works.

Strange

Rowlands Price — Thu, 08 Jun 2017 22:04:03 GMT

Strange

with nat, i cannot reach my ftp behind 217.77.77.210

Actually i have a pc connecte to outside interface with ip 217.77.77.211

to test application, i tried ftp to 217.77.77.210 and the host behind reply

Without nat (dmz-egov,outside) i can reach ftp and with nat (dmz-egov,outside) it's not working

Regards

I'm sorry I don't get what

Francesco Molino — Thu, 08 Jun 2017 22:30:27 GMT

I'm sorry I don't get what you said.

Can you do the packet tracer matching this traffic and paste the output?

sorry,

Rowlands Price — Thu, 08 Jun 2017 22:36:34 GMT

sorry,

with this nat (dmz-egov,outside) source dynamic dmz-egov_network interface

here is the packet tracert from outside to access my ftp server, and it's not working

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 ftp 217.77.77.210 ftp

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 217.77.77.210 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#

Ok now this is clear.

Francesco Molino — Thu, 08 Jun 2017 22:54:02 GMT

Ok now this is clear.

Remove the nat:

No nat (dmz-egov,outside) source dynamic dmz-egov_network interface

And replace by :

nat (dmz-egov,outside) after-auto source dynamic dmz-egov_network interface

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi Francesco,

Rowlands Price — Thu, 08 Jun 2017 22:59:56 GMT

Hi Francesco,

It's working fine NOW

Many Thanks

That means, i will need to apply the same nat for all interfaces? (inside and dmz-etax)?

regards

For dynamic nat, it's better

Francesco Molino — Thu, 08 Jun 2017 23:15:29 GMT

For dynamic nat, it's better doing that way then you're sure it'll be the last statement will hit and no overlap with specific nats.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Ok, but what about others

Rowlands Price — Thu, 08 Jun 2017 23:20:43 GMT

Ok, but what about others interfaces to go to internet?

About theses nat ?

nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
nat (dmz-etax,outside) source dynamic dmz-etax_network interface