topic I see now, object network in Network Security

Ping problem to this VLAN

Mohd Khairul Nizam — Tue, 12 Mar 2019 04:56:35 GMT

i have an ASA firewall configured with VLAN. All this while to configuration was OK and each server (VM) able to ping each other.

Then we start to configure NAT in the firewall. Somehow (2 days ago) we realize that there is one server that we can't ping from other internal server.

Others server OK.

I have 4 VLAN (12,20,30,50)

i check the ASA log and found this

"5 Oct 16 2014 11:38:48 10.1.12.30 10.1.20.2 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src VLAN12:10.1.12.30 dst VLAN20:10.1.20.2 (type 8, code 0) denied due to NAT reverse path failure"

What could be the NAT rules that prevent the icmp???

================================================

ASA Version 9.1(2)
!
hostname ASHFW01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 110.74.132.50 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/1.1
vlan 12
nameif VLAN12
security-level 100
ip address 10.1.12.254 255.255.255.0
!
interface GigabitEthernet0/1.2
vlan 20
nameif VLAN20
security-level 100
ip address 10.1.20.254 255.255.255.0
!
interface GigabitEthernet0/1.3
vlan 30
nameif VLAN30
security-level 100
ip address 10.1.30.254 255.255.255.0
!
interface GigabitEthernet0/1.4
vlan 50
nameif VLAN50
security-level 100
ip address 10.1.50.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup VLAN12
dns domain-lookup VLAN20
dns domain-lookup VLAN30
dns domain-lookup VLAN50
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TerminalServer-RDP
host 10.1.12.13
object network Exch-SMTP
host 10.1.20.2
object network Exch-POP3
host 10.1.20.2
object network Exch-SMTPS
host 10.1.20.2
object network ExchServer-RDP
host 10.1.20.2
object network MgmtSvr-RDP
host 10.1.12.30
object network Exch-SMTP1
host 10.1.20.2
object network Exch-HTTP
host 10.1.20.2
object network Portal
host 10.1.12.14
description Portal
object service Portal80
service tcp source eq www destination eq www
description Portal80
object service SalesMobile9090
service tcp destination eq 9090
description SalesMobile9090
object network MgmtSvr
host 10.1.12.30
object network TerminalServer
host 10.1.12.13
object network ExchServer
object network ExchSvr
host 10.1.20.2
object service smtp2
service tcp destination eq 587
object network SalesMobile
host 10.1.12.14
description SalesMobile
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object ExchSvr
network-object object MgmtSvr
network-object object TerminalServer
object-group service Exch-Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object object smtp2
service-object tcp destination eq smtp
access-list outside_access_in extended permit icmp any4 any
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group rdp
access-list outside_access_in extended permit object-group Exch-Services any object ExchSvr
access-list outside_access_in extended permit tcp any object Portal eq www
access-list outside_access_in extended permit object SalesMobile9090 any object SalesMobile
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN12 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN50 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VLAN12
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network TerminalServer-RDP
nat (VLAN12,outside) static 110.74.132.51 service tcp 3389 3389
object network Exch-SMTP
nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp
object network Exch-POP3
nat (VLAN20,outside) static 110.74.132.52 service tcp https https
object network Exch-SMTPS
nat (VLAN20,outside) static 110.74.132.52 service tcp 587 587
object network ExchServer-RDP
nat (VLAN20,outside) static 110.74.132.52 service tcp 3389 3389
object network MgmtSvr-RDP
nat (VLAN12,outside) static 110.74.132.53 service tcp 3389 3389
object network Exch-SMTP1
nat (VLAN20,outside) static 110.74.132.52 service tcp pop3 pop3
object network Exch-HTTP
nat (VLAN20,outside) static 110.74.132.52 service tcp www www
object network Portal
nat (VLAN12,outside) static 110.74.132.51 service tcp www www
object network MgmtSvr
nat (any,any) static 110.74.132.53
object network ExchSvr
nat (any,any) static 110.74.132.52
object network SalesMobile
nat (VLAN12,outside) static 110.74.132.51 service tcp 9090 9090
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside

==============================================================

Hi,You can run this packet

Vibhor Amrodia — Thu, 16 Oct 2014 04:34:04 GMT

Hi,

You can run this packet tracer on the ASA device to check:-

packet input VLAN12 icmp 10.1.12.30 8 0 10.1.20.2 det

Thanks and Regards,

Vibhor Amrodia

This is what i get===========

Mohd Khairul Nizam — Thu, 16 Oct 2014 04:55:20 GMT

This is what i get

======================

Result of the command: "packet input VLAN12 icmp 10.1.12.30 8 0 10.1.20.2 det"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff2a638790, priority=1, domain=permit, deny=false

hits=1375642, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=VLAN12, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.1.20.0 255.255.255.0 VLAN20

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network MgmtSvr

nat (any,any) static 110.74.132.53

Additional Information:

Static translate 10.1.12.30/0 to 110.74.132.53/0

Forward Flow based lookup yields rule:

in id=0x7fff2a80b110, priority=6, domain=nat, deny=false

hits=1834, user_data=0x7fff2a8098c0, cs_id=0x0, flags=0x0, protocol=0

src ip/id=10.1.12.30, mask=255.255.255.255, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff2a7a09f0, priority=2, domain=permit, deny=false

hits=1827, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=VLAN12, output_ifc=any

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff29b81a90, priority=0, domain=nat-per-session, deny=true

hits=4666, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff2a640630, priority=0, domain=inspect-ip-options, deny=true

hits=9745, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=VLAN12, output_ifc=any

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff2aefe1b0, priority=70, domain=inspect-icmp, deny=false

hits=1634, user_data=0x7fff2aefc550, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0

input_ifc=VLAN12, output_ifc=any

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff2a63ff60, priority=66, domain=inspect-icmp-error, deny=false

hits=1634, user_data=0x7fff2a63f4d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0

input_ifc=VLAN12, output_ifc=any

Phase: 9

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network ExchSvr

nat (any,any) static 110.74.132.52

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7fff2a80f780, priority=6, domain=nat-reverse, deny=false

hits=1271, user_data=0x7fff2a80db20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=10.1.20.2, mask=255.255.255.255, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Result:

input-interface: VLAN12

input-status: up

input-line-status: up

output-interface: VLAN20

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,NAT statement is the issue

Vibhor Amrodia — Thu, 16 Oct 2014 05:03:17 GMT

Hi,

NAT statement is the issue:-

object network ExchSvr

nat (any,any) static 110.74.132.52

Change this to specific interfaces on the NAT and that should fix this issue for you.

If i am correct it should change to:-

nat (VLAN20,outside) static 110.74.132.52

Thanks and Regards,

Vibhor Amrodia

I see now, object network

Mohd Khairul Nizam — Thu, 16 Oct 2014 06:10:49 GMT

I see now,

object network ExchSvr
nat (any,any) static 110.74.132.52

Once i removed the nat (any,any) static 110.74.132.52, i'm able to ping to the destination.

The nat above is actually for me to ping from external to the public ip of 110.74.132.52.

If i remove the nat command above, how can i still ping to the public ip of 110.74.132.52 from external??

Hi,You still need that NAt

Vibhor Amrodia — Thu, 16 Oct 2014 06:14:13 GMT

Hi,

You still need that NAt but with specific Interface Names in the NAT configuration.

object network ExchSvr
nat (VLAN20,outside) static 110.74.132.52

This should still help you to ping the Public IP from the internet.

Thanks and Regards,

Vibhor Amrodia