topic ASA 5505 NAT help/routing issue in Network Security

ASA 5505 NAT help/routing issue

Chad Ciszewski — Tue, 12 Mar 2019 02:58:13 GMT

Hi -

I have a small issue with a small network. I have two servers and a LAN behind a 5505 in one vlan. The servers are natted/port forwarded out using the outside interface's public addressing.

One server for ssh

One server for http(s)

Let's say the servers are 192.168.1.20 and 21

.21 is the web server

The LAN uses public dns provided by the ISP. DHCP range is 192.168.1.50-100 and provided by the ASA

On the LAN, it cannot route to the webserver due to only having the one inside vlan and one outside vlan. I cannot break the servers off to another vlan due to issues with an outside consultant.

So when trying to hit the url of our website, it attempts to hit the outside interface ip of the ASA and cannot due to only having the singular default route out. Is there a way to nat this or route it so that the internal clients can hit the outside interface and see the website without using the internal IP of the webserver? I can provide some config if needed.

ASA 5505 NAT help/routing issue

Jouni Forss — Wed, 30 Oct 2013 19:03:12 GMT

Hi,

So you want the users to be able to connect to the public IP address specifically from the LAN?

Could you tell us the software level of your ASA and perhaps share the current NAT configuration with the following commands

Software level 8.2 or below

show run global

show run nat

show run static

Software level 8.3 or above

show run nat

- Jouni

ASA 5505 NAT help/routing issue

Chad Ciszewski — Wed, 30 Oct 2013 19:07:42 GMT

Hi Jouni -

Running 9.1(1) software

Here's the result of sh run nat for the affected server

Result of the command: "sh run nat"

nat (inside,outside) source static local_nets local_nat_pool destination static monitoring_network monitoring_network

object network obj_any

nat (inside,outside) dynamic interface

object network webserverhttp

nat (inside,outside) static interface service tcp www www

object network webserverhttps

nat (inside,outside) static interface service tcp https https

object network webservervsftp

nat (inside,outside) static interface service tcp ftp ftp

object network Infotechssh

nat (inside,outside) static interface service tcp ssh ssh

Re: ASA 5505 NAT help/routing issue

Jouni Forss — Wed, 30 Oct 2013 19:20:21 GMT

Hi,

You could try the following configurations. Insert the public IP address to the below configurations that matches your current "outside" interface public IP address.

object network LAN

subnet 192.168.1.0 255.255.255.0

object network SERVER-SSH

host 192.168.1.20

object network SERVER-WEB

host 192.168.1.21

object network SERVER-PUBLIC

host

object service WWW

service tcp destination eq 80

object service HTTPS

service tcp destination eq 443

object service SSH

service tcp destination eq 22

nat (inside,inside) after-auto source dynamic LAN interface destination static SERVER-PUBLIC SERVER-SSH service SSH SSH

nat (inside,inside) after-auto source dynamic LAN interface destination static SERVER-PUBLIC SERVER-WEB service WWW WWW

nat (inside,inside) after-auto source dynamic LAN interface destination static SERVER-PUBLIC SERVER-WEB service HTTPS HTTPS

This should essentially do so that when connections are coming from the network LAN towards the SERVER-PUBLIC with the services SSH, WWW or HTTPS then the connections will actually be forwarded to the local SERVER-SSH or SERVER-WEB.

Also the LAN users address will be mapped to the "inside" interface IP address (with the "source dynamic LAN interface" configuration) so that the servers actually think the connections are coming from the ASA IP. This is essential in this configuration as otherwise the traffic flow wont be correct for the ASA. What I mean is that the ASA would not see the whole "conversation" between the host and server without this type of NAT configuration and would block the connections.

Let me know if this works for you

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though.

- Jouni

ASA 5505 NAT help/routing issue

Jouni Forss — Thu, 31 Oct 2013 08:59:51 GMT

Hi,

Were you able to test this out yet?

- Jouni

ASA 5505 NAT help/routing issue

jumora — Sun, 03 Nov 2013 03:02:57 GMT

JouniForss,

You just forgot to add the same-security-traffic permit intra-interface command to allow the U turn

ASA 5505 NAT help/routing issue

Chad Ciszewski — Fri, 08 Nov 2013 17:03:13 GMT

jumora -

Can you provide what the full statement should be? Following JouniForss it looked like packets would be allowed but then the same issue occurred. Thanks!

ASA 5505 NAT help/routing issue

Jouni Forss — Fri, 08 Nov 2013 17:07:13 GMT

Hi,

Yes, the command mentioned by Jumora was missing from my examples

same-security-traffic permit intra-interface

Otherwise the configurations I mentioned regarding "nat" should work unless other NAT configurations prevent that.

You could use "packet-tracer" to test the configurations. For example

packet-tracer input inside tcp 192.168.1.100 12345 80

The output should tell us what happens regarding the configurations.

- Jouni

ASA 5505 NAT help/routing issue

Chad Ciszewski — Fri, 08 Nov 2013 17:28:15 GMT

Jouni -

Still getting an error for routing with no route to host. Routes are as follow -

Result of the command: "sh route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is PUB GATEWAY to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, inside
C    PUB NETWORK 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [10/0] via PUB GATEWAY, outside

ASA 5505 NAT help/routing issue

Jouni Forss — Fri, 08 Nov 2013 17:30:44 GMT

Hi,

Can you post the output of the "packet-tracer" anyway

Could you also post the current "nat" configuration with the command

show run nat

- Jouni