topic I still don't understand this in Network Security

ASA - NAT Help

Gregor Blaj — Tue, 12 Mar 2019 08:52:39 GMT

Hi,

I can’t seem to get the below to work, so hopefully someone can help. The ASA has 4 live interfaces as below.

1. Outside (security 0)

2. Inside (one sub interface, security 100)

- inside_11_infrastructure

- - PAT’d to the outside interface (works)

3. Lab (with 2 sub interfaces, security 90 and security 80).

- Lab_13_LAN

- - PAT’d to the outside interface (works)

- Lab_14_DMZ

- - PAT’d to the outside interface (works)

The Lab interfaces are routable between each other, and this works correctly. The Lab subnets are not routable from the ‘inside’ network but I want RDP (3389) NAT’d to one of the inside hosts, and this is where something isn’t quite working. NAT and ACL config below, but please let me know if you need any more info.

NAT

nat (outside,inside_11_infrastructure) source dynamic ANYCONNECT_VPN_SUBNET interface

nat (inside_11_infrastructure,outside) source dynamic CC_11 interface

nat (Lab_13_LAN,outside) source dynamic LAN_13 interface

nat (Lab_14_DMZ,outside) source dynamic DMZ_14 interface

nat (Lab_13_LAN,inside_11_infrastructure) source dynamic LAN_13 interface # added as a test

nat (Lab_14_DMZ,inside_11_infrastructure) source dynamic DMZ_14 interface # added as a test

… # few other static NATs

object network LAB_ManagementPC

nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389

Access Lists

…

access-list DMZ_14_out extended permit tcp object DMZ_14 object LAN_13 eq https

access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq domain

access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq ntp

access-list DMZ_14_out extended permit icmp object DMZ_14 any

access-list LAN_13_out extended permit tcp object LAN_13 any eq https

access-list LAN_13_out extended permit tcp object LAN_13 any eq www

access-list LAN_13_out extended permit tcp object LAN_13 any eq ssh

access-list LAN_13_out extended permit udp object LAN_13 any eq domain

access-list LAN_13_out extended permit udp object LAN_13 any eq ntp

access-list LAN_13_out extended permit icmp object LAN_13 any

access-group inbound in interface outside

access-group LAN_13_out in interface Lab_13_LAN

access-group DMZ_14_out in interface Lab_14_DMZ

When I do a capture, while doing 'telnet ASA_inside_IP 3389', nothing comes up in the log.

Any help appreciated.

To be clear, you are saying

Philip D'Ath — Thu, 02 Feb 2017 19:43:39 GMT

To be clear, you are saying their is no routable path from the inside network to the lab networks? Can you change this?

Where is the ACL for the

Marius Gunnerud — Thu, 02 Feb 2017 20:05:42 GMT

Where is the ACL for the inside_11_infrastructure interface?

You are using the interface IP which is already in use on the ASA and is most probably the default gateway for the inside_11_infrastructure network. For proxy ARP to work you need to configure NAT to an IP that is not in use and will not be used on the inside_11_infrastructure network, so that only the ASA will answer ARP requests.

Please remember to select a correct answer and rate helpful posts

Correct. I tried adding a

Gregor Blaj — Thu, 02 Feb 2017 20:38:06 GMT

Correct. I tried adding a static route to one host but it still doesn't work. I can then ping this host from the lab network which verifies the PAT working.

I had an any to any ACL in

Gregor Blaj — Thu, 02 Feb 2017 21:00:24 GMT

I had an any to any ACL in there as a test but it still didn't work. Anyway, the security levels of the interfaces should allow this traffic.

Its the default gateway for some devices, only a handful.

Do you suggest I add a second IP to the inside_11_infrastructure interface? How do I then reference this second IP in the NAT statement?

you don't add an IP to the

Marius Gunnerud — Thu, 02 Feb 2017 21:19:12 GMT

you don't add an IP to the interface. You just change the static NAT rule to translate to another IP on the same subnet as the inside_11_infrastructure.

Also run a packet tracer to see where it is stopping up.

packet-tracer input inside_11_infrastructure tcp <source IP> 12345 <destination IP> 3389

Please remember to select a correct answer and rate helpful posts

Alright, I'll give that a go

Gregor Blaj — Thu, 02 Feb 2017 21:44:02 GMT

Alright, I'll give that a go and post back.

The packet trace was failing at an implicit ACL, that's when I tried adding the permit any to 11_infrastructure.

That works, config below. Can

Gregor Blaj — Thu, 02 Feb 2017 22:10:04 GMT

That works, config below. Can you explain to me why I can't use the ASA's interface IP?

Also, why wasn't I able to capture traffic for port 3389 on the ASA with the previous config? It was as if the traffic wasn't getting there at all, probably related to the first question 😐

nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389

Thanks so much Marius, much appreciated!

Well, theoretically you could

Marius Gunnerud — Thu, 02 Feb 2017 22:34:00 GMT

Well, theoretically you could use the interface, but I like to keep things seperate as I feel it will be easier to troubleshoot. The problem you had was that you had a dynamic NAT which is unidirectional, while static NAT is by directional. You didn't see anything in your capture because traffic is dropped before the capture is taken. You would however have seen it in the logs if you had the logging level set to informational or lower.

Please remember to select a correct answer and rate helpful posts

I still don't understand this

Gregor Blaj — Fri, 03 Feb 2017 08:10:23 GMT

I still don't understand this, weren't both NAT's static?

nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389 (not working)

nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389 (working)

In terms of logging, I was using 'debugging' mode from ASDM, so I would've expected it to show up.

I am not entirely sure why it

Marius Gunnerud — Fri, 03 Feb 2017 08:40:09 GMT

I am not entirely sure why it did not work. I would need to set this up in a lab to test it, and not sure when I will be able to do that.

Please remember to select a correct answer and rate helpful posts

No problem, thanks again for

Gregor Blaj — Fri, 03 Feb 2017 10:15:50 GMT

No problem, thanks again for your help. I'm happy knowing I didn't do anything obvious wrong 🙂