topic nat (any,inside) source in Network Security

Tricky Twice NAT scenario

lunadesign — Tue, 12 Mar 2019 04:03:46 GMT

I'm setting up my first ASA 5505 (Security Plus) and want to make sure I'm doing this correctly.

I have a web server on my inside network. The web server's internal IP is 192.168.1.53. The web server runs on port 9000. I want this accessible from several internal VLANs. I also want to expose this web server externally on one of my static public IP's, x.x.x.172, also on port 9000.

Here's the catch: My internal users sometimes need to access the web server using the *external* hostname/IP, so I need to enable hairpinning.

I started using Network Object NAT but found that I had to use Twice NAT to get the hairpin scenario to work. I experimented some more and found that if I adjusted my Twice NAT rule, I didn't need the Network Object NAT rules anymore.

I set this up and it seems to work great internally and externally. Before I set up a few dozen more of these for different server/port combinations, I wanted to run this by you experts to see if there are any issues with this config that will bite me later down the road.

same-security-traffic permit intra-interface
object network PUBLIC-172
host x.x.x.172
object network INTERNAL-53
host 192.168.1.53
object service PORT-9000
service tcp destination eq 9000
access-list OutsideIn extended permit tcp any host 192.168.1.53 eq 9000
access-group OutsideIn in interface outside
nat (any,inside) source static any interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

Thanks!

I would be careful using the

Marius Gunnerud — Fri, 11 Apr 2014 05:10:43 GMT

I would be careful using the any keyword. In this case you would be allowing every one access to the server using the external IP (given that access lists permit the connection also.) It is always a best practice to be very specific with what you configure on the ASA.

Of course if you don't have a very strict security policy and are allowed to do this, then there is nothing wrong with doing it.

Please remember to select a correct answer and rate

Hi Marius,Thanks for the

lunadesign — Fri, 11 Apr 2014 05:29:40 GMT

Hi Marius,

Thanks for the quick reply.

Which "any" were you referring to? The one in parens representing the "real" interface or the one after the keyword "static"?

And sure enough, I've found a

lunadesign — Fri, 11 Apr 2014 05:38:29 GMT

And sure enough, I've found a hole.

It appears this NAT rule is being triggered if an internal user tries to go to the internal server URL from one of the VLANs. The web page doesn't come up and the ASA syslog has this:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src vlan10:192.168.10.12/3952 dst inside:192.168.1.53/9000 denied due to NAT reverse path failure

I really only want the NAT rules to trigger when a user is accessing the external URL not the internal one so I'm definitely doing something wrong here.

nat (any,inside) source

Marius Gunnerud — Fri, 11 Apr 2014 06:05:07 GMT

nat (any,inside) source static any interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

I was refering to both.

I thought that both the host PC and the server were located on the same network?

try changing the souce static to source dynamic...and test

Please remember to select a correct answer and rate

Thanks again for your help!To

lunadesign — Fri, 11 Apr 2014 06:25:19 GMT

Thanks again for your help!

To be clear, I have two client PC's I'm testing with. One on the "inside" VLAN and one on the "work" VLAN.

If I take out the first "any", I have to reproduce the rule N times for each of my VLANs. However, even after doing this I'm seeing the same issue -- works if client PC is on "inside" VLAN, fails with "reverse path failure" if client PC is on another other internal VLAN.

I tried replacing the second "any" with INTERNAL-53.and the requests to the internal URL now work from the other VLANs but now the requests to the external URL from those same PCs now doesn't work. I'm not seeing anything in the syslog though.

Changing from "source static" to "source dynamic" didn't change anything either.

I think I'm being stumped by the tricky syntax of this NAT command. In essence, I want something that implements "if internal or external user requests this external URL, translate to this instead". NAT shouldn't be getting involved if an internal user requests and internal URL.