topic Hello cofee. in Network Security

identity nat help

Sheraz.Salim — Tue, 12 Mar 2019 08:36:03 GMT

hello.

kindly please help

outside network address 192.168.95.233 (antivirus proxy server) need to get mapped with inside network (Anti virus server 10.7.2.250) here is my config.

object network AV_Inside

host 10.7.2.250

object network AV_outside

host 192.168.95.233

nat (inside,outside) source static AV_Inside AV_outside destination static AV_outside AV_Inside

access-list AV extended permit ip any object AV_inside

access-group AV in interface outside

when i do packet trace either was inside or from outside with above addresses everything is passing. however, on my ASDM logging

i am getting these critical alerts

source ip: 192.168.95.10 source port 64818

destination 192.168.95.233 destination port 8014

description: Inbound TCP connection denied from 192.168.95.10/64818 to 192.168.95.233/8014 flags SYN on interface outside.

kindly please advise what could be wrong.

I am not sure if you are

cofee — Tue, 29 Nov 2016 14:07:50 GMT

I am not sure if you are trying to create a policy nat. But if you just want to create a static NAT from inside to outside.

This is all you need:

nat (inside,outside) source static AV_Inside AV_outside

But if you want to create a policy nat for specific destination then nat syntax will be like this:

object network destination_address

host 1.2.3.4

nat (inside,outside) source static AV_Inside AV_outside destination destination_address destination_address

If this not what you need then let me know what exactly you are looking for.

hello cofee,

Sheraz.Salim — Tue, 29 Nov 2016 14:29:30 GMT

hello cofee,

i applied the first config and here is the out put.

packet-tracer input outside rawip 192.168.71.230 0 10.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.178.5.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2be28320, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.71.230, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

here is from inside to outside

packet-tracer input inside rawip 10.178.5.250 0 192.168$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.68.0    255.255.252.0   outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static AV_Inside AV_outside
Additional Information:
Static translate 10.178.5.250/0 to 192.168.71.233/0
Forward Flow based lookup yields rule:
in id=0x7fff2b6144d0, priority=6, domain=nat, deny=false
        hits=2, user_data=0x7fff2c6e9c90, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.178.5.250, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2ac2f460, priority=0, domain=nat-per-session, deny=true
        hits=47606, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2190e3b0, priority=0, domain=inspect-ip-options, deny=true
        hits=46818, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static AV_Inside AV_outside
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2ac3fe90, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0x7fff2bf80ad0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.178.5.250, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2c6eb690, priority=0, domain=user-statistics, deny=false
        hits=23566, user_data=0x7fff2bae5890, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

here is the config

object network AV_Inside
host 10.178.5.250
object network AV_outside
host 192.168.71.233

nat (inside,outside) source static AV_Inside AV_outside

access-list OUT extended permit ip any object AV_Inside

You haven't explained what

cofee — Tue, 29 Nov 2016 14:49:54 GMT

You haven't explained what you are trying to accomplish. Does this address 192.168.95.233 belong to anti-virus server that's connected to outside interface and you are trying to nat it to an ip address that's already being used by inside anti-virus 10.7.2.25?

There could be number of reasons for getting (sp-security-failed) Slowpath security checks failed:

Name: sp-security-failed

Slowpath security checks failed:

This counter is incremented and packet is dropped when the security appliance is:

1) In routed mode receives a through-the-box:

- L2 broadcast packet

- IPv4 packet with destination IP address equal to 0.0.0.0

- IPv4 packet with source IP address equal to 0.0.0.0

2) In routed or transparent mode and receives a through-the-box IPv4 packet with:

- first octet of the source IP address equal to zero

- source IP address equal to the loopback IP address

- network part of source IP address equal to all 0's

- network part of the source IP address equal to all 1's

- source IP address host part equal to all 0's or all 1's

3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source
and destination IP addresses

Recommendation:

1 and 2) Determine if an external user is trying to compromise the protected network.
Check for misconfigured clients.

3) If this message counter is incrementing rapidly, an attack may be in progress. Use
the packet capture feature to capture type asp packets, and check the source MAC address
in the packet to see where they are coming from.

thank you for the quick reply

Sheraz.Salim — Tue, 29 Nov 2016 15:03:57 GMT

thank you for the quick reply. apologies for note explaining in detail what i want to setup.

our antivirus ip address is 10.178.5.250 (this is inside network), where as other department X which we classified as outside network, they have a proxy antivirus (address 192.168.71.232) they (department X client) all connected to this address 192.168.71.232 for virus defination to update. now we need to get this proxy server 192.168.71.232 to get its updates from our internal antiversiu server address 10.178.5.250. and this is what i am creating rules for. plese let me know if this make sense to you.

Thanks for the explanation.

cofee — Tue, 29 Nov 2016 15:30:14 GMT

Thanks for the explanation. Just to make it clear one more time so we are on the same page.

Inside anti-virus (inside local) - 10.178.5.250

Inside anti-virus (inside global) - 192.168.95.233

Outside anti-virus - 192.168.71.232 ( it needs to talk to 192.168.95.233/10.178.5.250

You configuration appears to be fine that you sent earlier. Let's do it one more time.

object network AV_Inside

host 10.7.2.250

object network AV_outside

host 192.168.95.233

nat (inside,outside) source static AV_Inside AV_outside

access-list name extended permit protocol host 192.168.71.232 host 10.7.2.250 log

This should work as long as basic layer 3 reachability is there. Please look at the NAT order to see there is no conflict and your internal server is getting NATed to the configured address. Also look at the ACL order to make sure this ACL is not getting denied by some other ACL above it. Packet tracer should give you all that information.

Also can you try to initiate the connection from the outside anti-virus server to the inside anti-virus and then check the logs for any potential issues, also check the connection table and xlate table (sh xlate) to make sure internal server is getting nated to the right address.

You also want to make sure that your outside anti-virus server is properly configured to talk to internal anti-virus server and vice versa. Should also check for any policy on both servers that would prevent them from talking to each other and pull files.

Hello Cofee,

Sheraz.Salim — Tue, 29 Nov 2016 15:34:35 GMT

Hello Cofee,

apologies for making mess up as in my second post i put the original ip addresses.

so let me clear this so we are on one page.

Inside anti-virus (inside interface) - 10.178.5.250

outside anti-virus (outside interface) - 192.168.71.232

Outside anti-virus - 192.168.71.232 ( it needs to talk to 10.178.5.250)

i apologise again as i hide the ip address now i put everything as real. also just to let you know the asa version is 9.x

That's fine. Just choose any

cofee — Tue, 29 Nov 2016 15:42:12 GMT

That's fine. Just choose any available address (that's not assigned to any device) on the outside network and use that to nat your inside anti-virus server .

hello cofee,

Sheraz.Salim — Tue, 29 Nov 2016 21:17:11 GMT

hello cofee,

i ended up with a different nat rule.

as my outside firewall interface ip address is 192.168.71.254 and the requirement was

Inside anti-virus (inside interface) - 10.178.5.250

outside anti-virus (outside interface) - 192.168.71.232

Outside anti-virus - 192.168.71.232 ( it needs to talk to 10.178.5.250)

object network AV

host 10.178.5.250

nat (inside,outside) static interface server tcp 8014 8014

access-list AV extended permit tcp any object AV eq 8014

this above config worked without using a spare outside address.

Good to know. There are

cofee — Tue, 29 Nov 2016 22:08:20 GMT

Good to know. There are different ways to implement NAT . For example identity NAT can also be used which doesn't take up any extra address.

Thanks for letting me know.

Hi Cofee,

Sheraz.Salim — Wed, 30 Nov 2016 08:44:05 GMT

Hi Cofee,

could you kindly explain how i can implement identity NAT in this scenario please.

Inside anti-virus (inside server) - 10.178.5.250

outside anti-virus (outside server) - 192.168.71.232

my firewall outside interface ip address 192.168.71.254 (For Example)

Outside anti-virus - 192.168.71.232 ( it needs to talk to 10.178.5.250)

object network AV

host 10.178.5.250

nat (inside,outside) static interface server tcp 8014 8014

access-list AV extended permit tcp any object AV eq 8014

by giving the above command in asa. from outside the antivirus server which is acting as proxy when i go into this proxy antivirus and initiate telnet with ip address in it 192.168.71.254 (which is my outside firewall interface address) with port 8014 this address mapped with inside server 10.178.5.250 and connection opened.

Identity NAT:

cofee — Wed, 30 Nov 2016 15:24:08 GMT

Identity NAT:

object network AV

host 10.178.5.250

nat (inside,outside) static AV service tcp 8014 8014

you won't have to do anything with the acl.

Please let me know if this answers your question.

Hello cofee.

Sheraz.Salim — Wed, 30 Nov 2016 15:51:40 GMT

Hello cofee.

nat (inside,outside) static AV service tcp 8014 8014

in this above command will the outside server will communicate to the outside interface of firewall ip address. if so this is very similar to the command i wrote earlier,

nat (inside,outside) static interface service tcp 8014 8014

* With this identity NAT

cofee — Wed, 30 Nov 2016 16:22:07 GMT

* With this identity NAT outside server will communicate directly to the real IP and not the outside address.

* The one that you configured you are NATing 10.178.5.250 to the IP address of outside interface of firewall.

Let me know if this makes sense.