static NAT problem with ASA using policy routing

tato386 — Tue, 12 Mar 2019 07:08:43 GMT

I added a second ISP and public IP block to my ASA that is running 9.5.2. I use a route-map and ACL to match internal private IPs that are then sent to the Internet via the second ISP. This seems to work fine for PAT.

Since it was working well, I decided to use the second ISP for static NAT also. Unfortunately, this is not working so well. I can ping the public IP of static NAT internal hosts but inbound TCP based services like RDP do not work. It doesn't seem to be an ACL issue as the packet trace utility tells me that the packets are allowed and sent to the correct interface.

On a related note, I cannot ping out or reply to pings on the ASA interface for the second ISP. This happens even thought the IP of that interface has been added to the ACL of the route-map that sends packets out the second ISP.

So it seems like certain operations, like ping sourced from ASA interface and static NAT are not being correctly policy routed. Below is some relevant config snips.

Any ideas?

Thanks,
Diego

ASA Version 9.5(2)

interface GigabitEthernet0/0
speed 100
duplex full
nameif inf_ISPA
security-level 0
ip address 1.1.1.2 255.255.255.224

interface GigabitEthernet0/1
speed 1000
duplex full
nameif inf_Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
policy-route route-map ALT-GATEWAY

interface GigabitEthernet0/2
speed 1000
duplex full
nameif inf_ISPB
security-level 0
ip address 2.2.2.209 255.255.255.248

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
!
object network SRV1
host 192.168.1.9
object network SRV1_ISPB
host 2.2.2.212
object network host1_ISPA
host 192.168.1.15
object network host2_ISPA
host 192.168.1.16

object network net_1
subnet 192.168.10.0 255.255.255.0
object network net_2
subnet 192.168.11.0 255.255.255.0

object-group network grp_remote_networks
network-object object net_1
network-object object net_2

object-group network grp_NoCXScan
network-object object CX_Module
network-object object rtr-1
network-object object rtr-2

object-group network PAT_Networks
network-object object net_data
network-object object net_voice
network-object object net_wireless

access-list inf_ISPB_access_in extended permit icmp any4 any4
access-list inf_ISPB_access_in extended permit object RDP any object SRV1

access-list acl_ISPB_Gateway extended deny ip object host1_ISPA any
access-list acl_ISPB_Gateway extended deny ip object host2_ISPA any
access-list acl_ISPB_Gateway extended permit ip object inf_ISPB any
access-list acl_ISPB_Gateway extended permit ip object SRV1 any
access-list acl_ISPB_Gateway extended permit ip any any

icmp permit any inf_ISPA
icmp permit any inf_Inside
icmp permit any inf_ISPB

arp timeout 14400
no arp permit-nonconnected

nat (inf_Inside,inf_ISPA) source static PAT_Networks PAT_Networks destination static grp_remote_networks grp_remote_networks no-proxy-arp
!
object network SRV1
nat (inf_Inside,inf_ISPB) static SRV1_ISPB

!
nat (inf_Inside,inf_ISPA) after-auto source dynamic PAT_Networks interface
nat (inf_Inside,inf_ISPB) after-auto source dynamic PAT_Networks interface

access-group inf_ISPB_access_in in interface inf_ISPB

!
route-map ALT-GATEWAY permit 10
match ip address acl_ISPB_Gateway
set ip default next-hop 2.2.2.214

!
route inf_ISPA 0.0.0.0 0.0.0.0 1.1.1.1 1

sysopt noproxyarp inf_Inside

!
class-map CX_Traffic
match access-list acl_CXTraffic
class-map tcp_bypass
description TCP traffic that bypasses stateful firewall
match access-list acl_TCPbypass
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map policy1
class tcp_bypass
set connection random-sequence-number disable
set connection advanced-options tcp-state-bypass
policy-map global_policy
description ASA CX Policy
class CX_Traffic
cxsc fail-open
set connection random-sequence-number disable
class class-default
user-statistics accounting
set connection random-sequence-number disable
!
service-policy global_policy global

have you done any packet

Chris Izatt — Tue, 26 Jan 2016 21:18:47 GMT

have you done any packet tracers? if not run some and post them up if you can.

Hello Chris,

tato386 — Wed, 27 Jan 2016 05:53:59 GMT

Hello Chris,

I opened a TAC case and we confirmed that configuration is correct so we started looking at the possibility of a bug with PBR feature. We did find a bug logged that matches my problem but at the same time we realized we could get it working on the TAC agent's lab environment and also on a different system that I have access to. Going further, I tested on a fourth system and was able to reproduce the bug/problem.

The interesting thing is that the two systems that have the bug/problem use the same model Comcast modem for the PBR next-hop target. The two systems that work are a lab system and a live system that uses a Cisco router as the PBR next-hop target.

So my gut feeling now tells me that there is something odd about the way the Comcast modem is handling the ASA packets that causes this bug/problem. It would be interesting to find out if the previous guys who logged the bug/problem were also using Comcast or similar cable modem devices but I don't know if that is possible.

In any case I am going to work with the TAC a bit more and see what we find. I will update the post when we are done.

Thanks

I love code bugs. Good Luck

Chris Izatt — Wed, 27 Jan 2016 16:28:24 GMT

I love code bugs. Good Luck.

topic Hello Chris, in Network Security

static NAT problem with ASA using policy routing

have you done any packet

Hello Chris,

I love code bugs. Good Luck