topic The ISP router interface has in Network Security

ASA nat proxy don't work

stranger1971 — Tue, 12 Mar 2019 06:24:00 GMT

Hello.

Could anybody explain what's wrong with my configuration?

I have ASA ASA-5525-X with 9.12 software. Outside interface has 3 real address ranges from ISP.

Inside network's (9 distinct LANs) users access the Internet through one ip address. It's outside interface address.

Other ISP's addresses is for outside access to internal resources. NAT configuration follows.

Section 2 records:

object network Rule360
nat (emts_vpn_admin,outside) static XX.YY.ZZ.DD service tcp sqlnet sqlnet

and so on about 100 times.

Section 3 records:

nat (architecture,outside) after-auto source dynamic architecture-NAT-to-Internet interface

nat (esx_mgmt,outside) after-auto source dynamic esx_mgmt-NAT-to-Internet interface

and so on 7 times.

Section 3 works well. But Section 2 don't work.

capture command shows outage arp answers for all external addresses besides outside interface address.

Wireshark shows arp request for mapped addresses from outside interface?! show arp interface outside shows full ARP cache.

So, NAT Proxy ARP don't function correctly.

Are the other IPs part of the

Jon Marshall — Sat, 08 Aug 2015 13:14:32 GMT

Are the other IPs part of the same IP subnet range as the IP assigned to the outside interface ?

If they are not do you know if the ISP has added routes for the other IP ranges pointing to your outside interface or have they added secondary IP addresses for these ranges to their router.

If they have added secondary addresses then they will use arp to resolve these IPs. If you have "no arp permit-nonconnected" in your configuration, which you may well have, then it won't work.

Solution would be to change the command ie. "arp permit non-connected" or get the ISP to modify their router to just route those additional ranges to the outside interface of your ASA.

Jon

Hi.Of course, arp permit non

stranger1971 — Sat, 08 Aug 2015 13:33:59 GMT

Hi.

Of course, arp permit non-connected exists in the config.

One subnet is in common range, but other one isn't.

I have forgot to say that the ASA is a replacement for old Linux-based firewall.

That old firewall works with ISP without problem. So ISP's routing is well enough.

Problem is located on ASA side.

That old firewall works with

Jon Marshall — Sat, 08 Aug 2015 13:38:32 GMT

That old firewall works with ISP without problem. So ISP's routing is well enough.

Not necessarily.

It may be that the ISP did arp for the other ranges but your previous firewall would answer.

I wasn't saying the issue is with the ISP but rather it depends on how the ISP have setup their router.

If it is using secondary addressing which it may be then your firewall won't respond to arp requests for any IPs that don't have an IP from the range assigned to an interface.

Are you saying the ISP is definitely routing the other ranges and not using arp to resolve them ?

Jon

Sorry I may have misread your

Jon Marshall — Sat, 08 Aug 2015 13:44:37 GMT

Sorry I may have misread your last post.

Are you saying you have "arp permit non-connected" configured ?

Jon

The ISP router interface has

stranger1971 — Sat, 08 Aug 2015 13:46:46 GMT

The ISP router interface has only one IP from the first address range.

No secondary IP on this interface at all. And I captured arp requiests from ISP router,

but no answers on them. Beside one address, ASA's ouside interface.

For this address arp response exits.

If the ISP was routing the

Jon Marshall — Sat, 08 Aug 2015 13:54:54 GMT

If the ISP was routing the other ranges to your ASA then you would not see arp requests for these IPs because the only arps you would see would be for -

1) the outside interface IP

2) any IPs that are part of the same IP subnet as the outside interface IP.

If you are seeing arp requests for IPs that are not either of the above then your ISP thinks those IPs are directly connected to their router and so you would need "arp permit-nonconnected" in your configuration.

Apologies but still not sure whether you have this or whether you have "no arp permit-nonconnected".

Jon

It exists. But not works.

stranger1971 — Sat, 08 Aug 2015 14:04:41 GMT

It exists. But not works. Look on this

access-list redcom_in extended permit tcp host ---------- host 10.0.0.51 eq 3389
access-list intranet_in remark Allow Echo, Echo-Reply, Unreachable and Time-Exceeded on Outside
access-list intranet_in extended permit icmp any4 any4 object-group PingTraffic
pager lines 50
mtu km66 1500
mtu redcom 1500
mtu km66_dmz 1500
mtu emts_vpn_admin 1500
mtu emts_intranet 1500
mtu library 1500
mtu intranet_cod 1500
mtu architecture 1500
mtu management 1500
mtu esx_mgmt 1500
mtu Mgmt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any km66
icmp permit any redcom
icmp permit any km66_dmz
icmp permit any emts_vpn_admin
icmp permit any emts_intranet
icmp permit any library
icmp permit any intranet_cod
icmp permit any architecture
icmp permit any management
icmp permit any esx_mgmt
icmp permit any Mgmt
no asdm history enable
arp timeout 14400
arp permit-nonconnected
!
object network Rule439

Okay so can we clarify where

Jon Marshall — Sat, 08 Aug 2015 14:13:24 GMT

Okay so can we clarify where we are.

If the ISP is using arp for all IPs then it does not have a single IP on it's router or something is wrong.

You have captured arp requests from the ISP but the ASA is not responding ?

Does this include arp requests for IPs that are part of the same IP subnet as the outside interface ?

Have you just switched this over from your old firewall ie. when did you do the switch over.

Jon

> You have captured arp

stranger1971 — Sat, 08 Aug 2015 14:25:08 GMT

> You have captured arp requests from the ISP but the ASA is not responding ?

Yes.

>Does this include arp requests for IPs that are part of the same IP subnet as the outside >interface ?

Yes!!!

x.x.x.65 - no answer

x.x.x.66 - yes (outside)

x.x.x.67-94 - no answer

Provider's address x.x.x.78

I switched over back-force several times.

Were these IPs in use on the

Jon Marshall — Sat, 08 Aug 2015 14:30:34 GMT

Were these IPs in use on the old firewall ?

If they were the usual issue is that the ISP router has the old firewalls mac address in it's arp cache so it doesn't work.

But it does work for the outside interface usually because your internal clients are always connecting to the internet so that refreshes the ISP arp cache continually.

However you are saying you can see arp requests coming from the ISP so it doesn't sound like this is the issue here.

I will have a quick check of bugs to see if there is one for your version.

Can you post a "sh nat" ?

Jon

Actually can you post the

Jon Marshall — Sat, 08 Aug 2015 14:36:07 GMT

Actually can you post the full configuration please ?

Jon

Ok. See the attacment.sh nat

stranger1971 — Sat, 08 Aug 2015 14:43:13 GMT

Ok. See the attacment.

sh nat will be tomorrow.

It's 0:42 am here.