topic Hello,now the sh nat looks in Network Security

ASA 9.2 Port Forward

Attila Erdos — Tue, 12 Mar 2019 05:36:12 GMT

Hello,

i have a problem with a single port forward with 9.2 ASA (5505). Here is the related config.:

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any

nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

object network Public_Server
nat (DMZ,outside) static interface service tcp www www

access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

When i try to access the server, the console said ACL drops. The packet tracer said that it dropped in the implicit deny rule. Can you help me what can be the problem?

Thank You!

It is probably the order of

Jon Marshall — Sat, 07 Mar 2015 00:05:00 GMT

It is probably the order of your NAT.

Can you post a "sh nat" from the ASA ?

And what is the object Public_Server, is it 10.168.50.5 ?

Jon

Hello, of course.sh natManual

Attila Erdos — Sat, 07 Mar 2015 07:13:07 GMT

Hello, of course.

sh nat

Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 91968, untranslate_hits = 61972
2 (DMZ) to (outside) source dynamic obj_any interface
    translate_hits = 1734, untranslate_hits = 0
3 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 7, untranslate_hits = 7
4 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 42230, untranslate_hits = 20999

Yes, here is the public server object.:

object network Public_Server
host 10.168.50.5

And here is the HTTP service object.:

object service HTTP
service tcp destination eq www

The problem is NAT is one

Jon Marshall — Sat, 07 Mar 2015 13:12:39 GMT

The problem is NAT and the sections ie. you have section 1 and 2 NAT. The ASA with 8.3 or later uses the sections in order so it is using the dynamic NAT statement you have for your DMZ in section 1 for the translation and never gets to the section 2 static statement.

There are two solutions -

1) move your dynamic NAT to section 2 where your static should take precedence

2) move your dynamic NAT to section 3 so the static is matched first.

The recommendation is to use section 3 for dynamic NAT so you need to replace -

nat (DMZ,outside) source dynamic obj_any interface

with this -

nat (DMZ,outside) after-auto source dynamic obj_any interface

the "after-auto" keyword moves it to section 3.

For full details of how it all works see this document by Jouni Forss -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Jon

Hello,now the sh nat looks

Attila Erdos — Sat, 07 Mar 2015 13:31:50 GMT

Hello,

now the sh nat looks like.:

sh nat
Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 92926, untranslate_hits = 62078
2 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 18, untranslate_hits = 14
3 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 12, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic obj_any interface
translate_hits = 11, untranslate_hits = 0

But it dont work :(. The packet-tracer said the the implicit deny catch it, but as you can see also there isnt hit on the NAT rule.

Can you post the packet

Jon Marshall — Sat, 07 Mar 2015 18:02:36 GMT

Can you post the packet-tracer output ?

Are you accessing the server from the outside of the ASA ?

What is the IP address you are coming from ?

What is this meant to be doing -

nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

Jon

Here it is.:packet-tracer

Attila Erdos — Sat, 07 Mar 2015 18:15:22 GMT

Here it is.:

packet-tracer input outside tcp 1.1.1.1 http OUTSIDEINTERFACEIP http det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in <OUTSIDE IF> 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad070ce8, priority=1, domain=nat-per-session, deny=true
        hits=250632, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2a1370, priority=0, domain=permit, deny=true
        hits=116843, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Uh, that's interesting. That was a nat rule which with I made debug, but currently that rule is not in the running config.

I coming from a random public IP, in the packet racer i tried the 1.1.1.1.

Okay can you run -"packet

Jon Marshall — Sat, 07 Mar 2015 18:25:19 GMT

Okay can you run -

"packet-tracer input outside 8.8.8.8 12345 <outside interface IP> http"

and post results.

Jon

I had to define also the tcp

Attila Erdos — Sat, 07 Mar 2015 18:32:33 GMT

I had to define also the tcp.

packet-tracer input outside tcp 8.8.8.8 12345 OUTIP http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTIP 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Can you post full ASA config

Jon Marshall — Sat, 07 Mar 2015 18:46:52 GMT

Can you post full ASA config and -

nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

what is the above for ?

Jon

Thats an old nat rule, but

Attila Erdos — Sat, 07 Mar 2015 19:19:32 GMT

Thats an old nat rule, but currently that's not in the running config. I dont understand why is that in the nat table.

I attached the config, i deleted the sensitive and VPN parts.

Can't see anything wrong with

Jon Marshall — Sat, 07 Mar 2015 19:50:36 GMT

Can't see anything wrong with your configuration now.

This NAT rule -

3 (DMZ) to (outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
translate_hits = 12, untranslate_hits = 0

have you actually generated traffic that would hit that rule ?

It should have no effect on what you are trying to do but just wondering as it would be checked before your static.

Other than that perhaps a reload if you can.

Like I say I can't see anything wrong with it now.

Jon

Good day. Just a thought here

Andre Neethling — Sun, 08 Mar 2015 06:33:26 GMT

Good day. Just a thought here. You have sorted your NAT issue as per Jon. I assume your webserver is in your DMZ. However, is your ACL entry allowing traffic from the Outside to the DMZ? It seems the "permit www" traffic statement is on the " outside access in" access rule. Can you try to add a permit access rule from outside to dmz?

I reloaded it, and re-ordered

Attila Erdos — Sun, 08 Mar 2015 06:48:54 GMT

I reloaded it, and re-ordered the NAT rules like.:

nat (Guest,outside) source dynamic obj_any interface
nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Public_Server
nat (DMZ,outside) static interface service tcp www www
!
nat (DMZ,outside) after-auto source dynamic obj_any interface
nat (DMZ,outside) after-auto source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup

But it still dont works.

As you can see on the outside

Attila Erdos — Sun, 08 Mar 2015 06:51:23 GMT

As you can see on the outside interface there are many ACLs whichs permit the traffic (more then one because of test), and currently on the DMZ interface there is a permit any any rule.

Can you do a "show nat" again

Andre Neethling — Sun, 08 Mar 2015 11:28:11 GMT

Can you do a "show nat" again please?

Of course. sh natManual NAT

Attila Erdos — Sun, 08 Mar 2015 11:30:34 GMT

Of course.

sh nat
Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 45, untranslate_hits = 0
2 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic obj_any interface
    translate_hits = 765, untranslate_hits = 1
2 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 8, untranslate_hits = 0

The "Public_Server" object is

Andre Neethling — Sun, 08 Mar 2015 11:43:37 GMT

The "Public_Server" object is still 10.168.50.5. I don't see it in your amended rule order above. It's strange that you're getting lots of hits on the "after-auto" rule. But not on the Object rule....... which should apply first.

Just to test, can you try this?

Make sure the object Public_Server is set as host 10.168.50.5, then the NAT rule as you have it in the post above. Then remove the 2 DMZ "after-auto" rules. Then test again.

That section 3 number1 rule is bothering me a bit. What is the purpose of that rule? To provide internet access for traffic sourced from the DMZ?

Hi AndreIt's confusing isn't

Jon Marshall — Sun, 08 Mar 2015 12:22:49 GMT

Hi Andre

It's confusing isn't it because I can't see anything wrong with it now.

The section 3 dynamic PAT is only there because it was originally in section 1 so I assumed it must be needed in terms of DMZ machines sourcing traffic to the internet.

So I just moved it past section 2 to make sure the statics were used but the ASA seems to be completely ignoring them for some reason.

Which would suggest something was matching in section 1 or in section 2 before the static PAT but none of the NAT statements in those sections would match as a far as I can see.

Jon

Yes, the Public_server is the

Attila Erdos — Sun, 08 Mar 2015 12:28:15 GMT

Yes, the Public_server is the 10.168.50.5.:

object network Public_Server
host 10.168.50.5

I deleted them, currently.:

Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 45, untranslate_hits = 0
2 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

Yes, that NAT rule makes internet access for the clients in DMZ.