topic Have you run a packet tracer in Network Security

NAT ISSUE ASA 5505 VERSION 9.1

STYLIANOS DEMETRIOU — Tue, 12 Mar 2019 04:14:57 GMT

Hi guys,

I have a firewall asa 5505 and behind it in the DMZ zone i have a windows server 2012 that is a load balancer with the ip 172.168.200.10 and two web servers that are responding to requests, server1 172.168.200.2 and server2 172.168.200.3

The problem i have is that i am able to access the public ip of my load balancer from any host on the internet and it works normally but i am unable to get server1 and server2 to reach the internet.

I am sure this is a Natting problem but i can't find the solution.

I am attaching the configuration and a drawing of the network

Have you run a packet tracer

Marius Gunnerud — Tue, 27 May 2014 11:28:12 GMT

Have you run a packet tracer on the ASA? If not please run the following command:

packet-tracer input DMZ tcp 172.168.200.10 12345 4.2.2.2 80 detail

and

packet-tracer input DMZ tcp 172.168.200.10 12345 4.2.2.2 443 detail

Could you also post the output of the object group INTERNET-TCP and INTERNET-UDP

Also please check the logs when connecting to the internet from the servers, do you see anything that might be out of place?

Please remember to select a correct answer and rate

Load Balancer with the ip 172

STYLIANOS DEMETRIOU — Tue, 27 May 2014 13:26:58 GMT

Load Balancer with the ip 172.168.200.10 can access the internet since it has a static natting , the other two servers, server1 172.168.200.2 and server2 172.168.200.3 doesn't have a nat entry that's why they can't reach the internet. Basically what i want is to add a nat statement for those two servers also. If i use nat for the whole network 172.168.200.0/24 i am able to reach the internet from all servers but unable to get my load balancer work when i try to reach it using the public ip from outside.

You can see below the output for both 172.168.200.10 which has a static nat and works properly and below it the output for server1 172.168.200.2 which has not a nat statement and justifiably can't reach the internet.

packet-tracer input dmz tcp 172.168.200.10 12345 4.2.2.2 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ-IN in interface DMZ
access-list DMZ-IN extended permit tcp 172.168.200.0 255.255.255.0 any object-group INTERNET-TCP
object-group service INTERNET-TCP tcp
description: TCP standard Internet Services
port-object eq www
port-object eq https
port-object eq ssh
port-object eq domain
port-object eq smtp
port-object eq 3389
port-object eq 62306
port-object eq 60502
port-object eq 58545
port-object eq 445
port-object eq 88
port-object eq ldap
port-object eq 135
port-object eq 49155
port-object eq 49159
port-object eq 1433
port-object eq 1434
port-object eq 55527
port-object eq 2794
port-object eq 5985
port-object eq 22233
port-object eq 309
port-object eq 902
port-object eq 32843
port-object eq 32844
port-object eq 808
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,outside) source static WEBSERVER-REALIP WEBSERVER-PUBLICIP
Additional Information:
Static translate 172.168.200.10/12345 to A.B.C.D/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,outside) source static WEBSERVER-REALIP WEBSERVER-PUBLICIP
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1697859, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

-----------------------------------------------------------------

asa# packet-tracer input dmz tcp 172.168.200.2 12345 4.2.2.2 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1697818, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Well, I would have though

Marius Gunnerud — Tue, 27 May 2014 13:38:06 GMT

Well, I would have though that you would be able to send outgoing traffic through the loadbalancer also.
But you could add a dynamic NAT for the 172.168 network.

network object 172_168_200_0
subnet 172.168.200.0 255.255.255.0
nat (DMZ,outside) dynamic interface
--

Please remember to select a correct answer and rate

Thanks for your help

STYLIANOS DEMETRIOU — Tue, 27 May 2014 13:51:06 GMT

Thanks for your help MariusGunnerud i am able to access the internet from those servers too.

The problem now is that they access the internet from the public ip assigned on the outside interface and not the dedicated ip address assigned for the load balancer.

isn't it possible to also add those two servers in the static nat statement and receive the ip of the load balancer?

Thanks for your help

STYLIANOS DEMETRIOU — Wed, 28 May 2014 06:00:29 GMT

Thanks for your help MariusGunnerud i am able to access the internet from those servers too.

The problem now is that they access the internet from the public ip assigned on the outside interface and not the dedicated ip address assigned for the load balancer.

isn't it possible to also add those two servers in the static nat statement and receive the ip of the load balancer?

You could use an object-group

Marius Gunnerud — Wed, 28 May 2014 06:52:00 GMT

You could use an object-group to group those 3 servers together...so something like this:
object-group network WEBSERVERS-PRIVATEIP
host 172.168.200.10
host 172.168.200.2
host 172.168.200.3
nat (DMZ,outside) source static WEBSERVERS-PRIVATEIP WEBSERVER-PUBLICIP
--

Please remember to select a correct answer and rate

Thank you for the rating :)

Marius Gunnerud — Wed, 28 May 2014 07:26:26 GMT

Thank you for the rating 🙂

Thanks for your help! :)

STYLIANOS DEMETRIOU — Wed, 28 May 2014 08:16:16 GMT

Thanks for your help! 🙂