topic Strange behaviour... Could in Network Security

ASA Traceroute issue

Kurt Lei — Tue, 12 Mar 2019 06:04:20 GMT

Hi All,

I am newbie on ASA configuration. The network topology should be below

Internet -- (Outside) ASA 5520 (Inside) -- Router -- MPLS Connection

In my case, there is a solarwind server at MPLS connection side and responsible to collecting syslog of ASA. However, now, ASA can't be connected to the server. I have doing traceroute from ASA and found the first hop is going to Internet. How can I fix the first hop back to the router side. Below is the ASA configuration

================================================================================================================

interface Ethernet0/0

nameif outside

security-level 0

ip address xx.xx.xx.xx 255.255.255.248

ospf cost 10

!
interface Ethernet0/1

nameif inside

security-level 100

ip address 10.131.3.2 255.255.255.0

ospf cost 10

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.0.0.0 255.0.0.0

route outside 0.0.0.0 0.0.0.0 (Outside GW) 1

route inside 10.0.0.0 255.0.0.0 10.131.3.1 1

Hello, What is the IP-address

Boris Uskov — Mon, 08 Jun 2015 10:40:55 GMT

Hello,

What is the IP-address of solarwind server? If it is not from 10.0.0.0/8 net, you need to add a static route:

route inside x.x.x.x 255.255.255.255 y.y.y.y

where x.x.x.x - ip-address of solarwind, y.y.y.y - ip-address of Router's interface, who is responsible for connection to MPLS-Cloud.

Hi Boris,The solarwind server

Kurt Lei — Mon, 08 Jun 2015 11:33:00 GMT

Hi Boris,

The solarwind server is 10.130.8.248 and should belong to 10.0.0.0/8. And I wonder to it can't route to inside and going to Outside Interface.

Strange behaviour... Could

Boris Uskov — Mon, 08 Jun 2015 11:53:09 GMT

Strange behaviour... Could you, please, post the output of show route command?

Theoretically, NAT

Boris Uskov — Mon, 08 Jun 2015 12:35:29 GMT

Theoretically, NAT-translations can influence the selection of exit interface. I'm not sure, that it'll help, but you can try to remove nat-configurations and issue clear xlate command. Attention! If it is production network, it could influence the packet handling. Don't do it in production environment.

Alternatively, you can try to add a nat exception for host 10.130.8.248. It'll be something like this:

access-list inside_nat0_outbound extended permit ip host 10.130.8.248 any

access-list inside_nat0_outbound extended permit ip any host 10.130.8.248

clear xlate

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_overview.html

How Routing Behaves Within the Adaptive Security Appliance

The ASA uses both routing table and XLATE tables for routing decisions. To handle destination IP translated traffic, that is, untranslated traffic, the ASA searches for existing XLATE, or static translation to select the egress interface. The selection process is as follows:

Egress Interface Selection Process

1. If destination IP translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, but not from the routing table.

2. If destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static route and an XLATE is created, and the routing table is not used.

3. If destination IP translating XLATE does not exist and no matching static translation exists, the packet is not destination IP translated. The ASA processes this packet by looking up the route to select egress interface, then source IP translation is performed (if necessary).

For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then creating the XLATE. Incoming return packets are forwarded using existing XLATE only. For static NAT, destination translated incoming packets are always forwarded using existing XLATE or static translation rules.

Yes, I finally got the show

Kurt Lei — Tue, 09 Jun 2015 02:21:46 GMT

Yes, I finally got the show route from the customer. It's really strange, there is no static route on the configuration but there is an entry when show route.

S 10.130.0.0 255.255.0.0 [1/0] via (Outside GW), outside

However, I have another issue is that some subnet should go to this Outside gateway. The criteria is that only the inside subnet (i.e. 10.131.3.0) will back to MPLS connection and should use below route.

S 10.0.0.0 255.0.0.0 [1/0] via 10.131.3.1, inside

I know there is no any policy routing in ASA 8.0, how can I achieve it ?

Hello, Kurt.I'm afraid, there

Boris Uskov — Tue, 09 Jun 2015 09:30:38 GMT

Hello, Kurt.

I'm afraid, there is no way to configure your task on ASA.

I believe, you have to change default gateway on devices from subnet 10.131.3.0/24 to 10.131.3.1 (Router) and implemet all routing logic on the router.