topic Hi VibhorThank you very much in Network Security

Static NAT issue

Ejaz Ahmed — Tue, 12 Mar 2019 04:52:45 GMT

Hi Experts,

Please help me on this. I have attached my network diagram with this post.
My firewall is cisco ASA 5510 running with software version 8.4. I have configured static NAT for three servers (in diagram, server 1,2 and 3). The issue is, the static NAT is only working with the first server. No traffics are going in and out from other two server (Server 2 and 3). All servers are in DMZ.

When I remove the static NAT for the server 2 and 3, all the traffic is going from the server with WAN IP of the firewall, that means the dynamic NAT is working. I have attached the configuration file also.

(NOTE: NAT is working for the Server 72.16.34.1)

Regards,
Ejaz

Hi Ejaz,Can you please verify

Vibhor Amrodia — Wed, 08 Oct 2014 04:53:13 GMT

Hi Ejaz,

Can you please verify the NAT statements for only the servers which are not wokring. It is very difficult to search it through the configuration which you have provided.

Also , you can send the Packet Tracer outputs form the outside to DMZZ for the Servers which are not working.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor, I have attached

Ejaz Ahmed — Wed, 08 Oct 2014 05:30:11 GMT

Hi Vibhor,

I have attached the NAT configuration of one the server that having issue. Also please see that pact tracer output :

ASA5510# packet-tracer input Outside tcp 4.2.2.2 12345 w.w.w.w 80 detaile$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
nat (DMZ,Outside) static 23.30.88.139 dns
Additional Information:
NAT divert to egress interface DMZ
Untranslate w.w.w.w/80 to 172.16.34.3/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-VOIPSRV-02-172.16.34.3 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac8f08c0, priority=13, domain=permit, deny=false
        hits=1, user_data=0xa9863780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.3, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=152903, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf133240, priority=70, domain=inspect-http, deny=false
        hits=10024, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca29438, priority=50, domain=ids, deny=false
        hits=33660, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=65250, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
nat (DMZ,Outside) static w.w.w.w dns
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaeb79b70, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xafa57f48, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.3, mask=255.255.255.255, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=DMZ

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=41909, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=64267, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=150381, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 609401, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Hi Ejaz,Thank you for the

Vibhor Amrodia — Wed, 08 Oct 2014 06:30:40 GMT

Hi Ejaz,

Thank you for the reply. To be sure all the public IP being used for Nat on the ASA device are in the Outside Interface Pool ? Correct ?

If no , add this command:- arp permit-nonconnected

If yes , i think the issue might not be with the ASA device. Are these some new IP addresses and have we used it before ?

I would request you to apply the captures on the ASA device interfaces and see which device is not replying:-

capture capout interface Outside match ip host <Public IP of server which is not working> any

capture capin interface DMZ match ip host <Private IP of server which is not working> any

Send me the captures if required.

Thanks and Regards,

Vibhor Amrodia

HiThank you for the reply.

Ejaz Ahmed — Wed, 08 Oct 2014 07:04:32 GMT

Thank you for the reply.

"outside interface pool"??? I didn't get. Could you please explain this to me??

I am using the public IP addresses in the same IP block provided by ISP. When I configured the public IP in the server and connected it direcly to the ISP router, it was working fine.

Regards

Ejaz

Hi Ejaz,For ex:- If you have

Vibhor Amrodia — Wed, 08 Oct 2014 07:04:33 GMT

Hi Ejaz,

For ex:- If you have the External Interface configured as :-

ip address 1.1.1.1 255.255.255.248

The Natted Ip should be within this range of IP addresses:-

For Ex:- 1.1.1.1 -1.1.1.6.

If not , you would need this command on the ASA device:-

arp permit-nonconnected

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,Thank you so much

Ejaz Ahmed — Wed, 08 Oct 2014 07:08:51 GMT

Hi Vibhor,

Thank you so much for that quick response.

We are using the IP addresses in the same pool.

Regards

Ejaz

Hi Ejaz,Then , I think you

Vibhor Amrodia — Wed, 08 Oct 2014 07:11:42 GMT

Hi Ejaz,

Then , I think you should proceed with the captures on the ASA device interfaces.

Thanks and Regards,

Vibhor Amrodia

Hi VibhorI have attached the

Ejaz Ahmed — Wed, 08 Oct 2014 08:14:38 GMT

Hi Vibhor

I have attached the capture result with the post.

I tried to ping from the server to the IP 8.8.8.8

Regards,

Ejaz

Hi Ejaz,I think as you can

Vibhor Amrodia — Wed, 08 Oct 2014 08:22:36 GMT

Hi Ejaz,

I think as you can see in the captures , we only see Uni-directional traffic through the ASA device and no reply from the Outside server.

This can mean that the IP Addresses might not be working.

Is this ASA device in production at this moment ?

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor, Yes, this ASA is

Ejaz Ahmed — Wed, 08 Oct 2014 08:27:08 GMT

Hi Vibhor,

Yes, this ASA is in production. I have assigned the public IP to the server directly and connected the server to the ISP router, it was working fine.

Regards,

Ejaz

Hi Ejaz,Would you be able to

Vibhor Amrodia — Wed, 08 Oct 2014 08:29:45 GMT

Hi Ejaz,

Would you be able to try this workaround:-

https://supportforums.cisco.com/blog/149276/asapix-proxy-arp-vs-gratuitous-arp

I think the issue is with the IP addresses provided by the ISP.

Thanks and Regards,

Vibhor Amrodia

Hi VibhorThank you very much

Ejaz Ahmed — Thu, 16 Oct 2014 04:28:57 GMT

Hi Vibhor

Thank you very much for the help. It was the same issue mentioned the link. Once we rebooted the ISP router everything started working.

Thanks again .:) :):)

Ejaz