URGENT-NAT PROBLEM

Antonio Simoes — Tue, 12 Mar 2019 02:40:35 GMT

Hi,

I have a client with the diagram below, we beleave having a missconfiguration in NAT.

Because:

Inside computers 192.168.15.0/24,192.168.115.0/24 can´t access outside networks. But can acess webserver on DMZ.

Outside networks acess DMZ and inside computers beind static NAT rules.

Atention. The web server must access SQL server at inside network.

We have this configuration on ASA 5505 SEC plus license:

interface Ethernet0/0

switchport trunk allowed vlan 20

switchport mode trunk

interface Ethernet0/1

interface Ethernet0/2

shutdown

interface Ethernet0/3

switchport access vlan 3

interface Ethernet0/4

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 10.0.34.1 255.255.255.252

interface Vlan3

nameif dmz

security-level 70

ip address 192.168.70.254 255.255.255.0

interface Vlan20

nameif outside

security-level 0

ip address 72.72.72.66 255.255.255.252

ftp mode passive

dns server-group DefaultDNS

domain-name none.pt

object-group service DM_INLINE_SERVICE_1

service-object tcp eq 1433

service-object tcp eq domain

service-object udp eq 1434

service-object udp eq domain

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq 100

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq 20115

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq 20119

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq 90

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq pptp

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq www

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq 9000

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq ftp

access-list outside_access_in extended permit udp any host 72.72.72.66 eq 21

access-list outside_access_in extended permit udp any host 72.72.72.66 eq 100

access-list outside_access_in extended permit udp any host 72.72.72.66 eq 9000

access-list outside_access_in extended permit udp any host 72.72.72.66 eq 20119

access-list outside_access_in extended permit udp any host 72.72.72.66 eq 90

access-list outside_access_in extended permit udp any host 72.72.72.66 eq 1723

access-list outside_access_in extended permit udp any host 72.72.72.66 eq www

access-list outside_access_in extended permit udp any host 72.72.72.66 eq 20115

access-list outside_access_in extended permit tcp any host 72.72.72.66 eq https

access-list outside_access_in extended permit udp any host 72.72.72.66 eq 443

access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 host 192.168.70.1 192.168.15.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.115.0 255.255.255.0 192.0.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.0.10.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.0.34.0 255.255.255.252

nat (dmz) 1 192.168.70.0 255.255.255.0

static (inside,outside) tcp interface telnet 192.168.15.1 telnet netmask 255.255.255.255

static (inside,outside) tcp interface 20115 192.168.15.1 3389 netmask 255.255.255.255

static (inside,outside) tcp interface pptp 192.168.15.1 pptp netmask 255.255.255.255

static (inside,outside) udp interface 1723 192.168.15.1 1723 netmask 255.255.255.255

static (inside,outside) udp interface 9000 192.168.15.1 8080 netmask 255.255.255.255

static (inside,outside) tcp interface 9000 192.168.15.1 8080 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.15.1 ftp netmask 255.255.255.255

static (inside,outside) udp interface 21 192.168.15.1 21 netmask 255.255.255.255

static (dmz,outside) tcp interface 100 192.168.70.1 100 netmask 255.255.255.255

static (dmz,outside) udp interface 100 192.168.70.1 100 netmask 255.255.255.255

static (dmz,outside) udp interface 90 192.168.70.1 90 netmask 255.255.255.255

static (dmz,outside) tcp interface 90 192.168.70.1 90 netmask 255.255.255.255

static (dmz,outside) tcp interface 20119 192.168.70.1 3389 netmask 255.255.255.255

static (dmz,outside) udp interface 20119 192.168.70.1 3389 netmask 255.255.255.255

static (dmz,outside) udp interface www 192.168.70.1 www netmask 255.255.255.255

static (dmz,outside) tcp interface www 192.168.70.1 www netmask 255.255.255.255

static (dmz,outside) udp interface 443 192.168.70.1 443 netmask 255.255.255.255

static (dmz,outside) tcp interface https 192.168.70.1 https netmask 255.255.255.255

access-group dmz_access_in in interface dmz

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 72.72.72.651

route inside 192.168.1.0 255.255.255.0 10.0.34.2 1

route inside 192.168.15.0 255.255.255.0 10.0.34.2 1

route inside 192.168.30.0 255.255.255.0 10.0.34.2 1

route inside 192.168.115.0 255.255.255.0 10.0.34.2 1

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set connection-type originate-only

crypto map outside_map 1 set peer 81.81.81.81

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password f3UhLvUj1QsXsuK7 encrypted

tunnel-group 81.81.81.81type ipsec-l2l

tunnel-group 81.81.81.81ipsec-attributes

pre-shared-key 20fhc2010

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect http

inspect pptp

inspect snmp

inspect ipsec-pass-thru

inspect icmp

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6189b758b89e1dd1ed31ccfb731ad27c

: end

Some help plzzz......

Kind Regards

URGENT-NAT PROBLEM

Jouni Forss — Thu, 19 Sep 2013 06:09:46 GMT

Hi,

You dont have the "nat" statements/configurations for the "inside" networks

Add

nat (inside) 1 192.168.15.0 255.255.255.0

nat (inside) 1 192.168.115.0 255.255.255.0

- Jouni

URGENT-NAT PROBLEM

Antonio Simoes — Thu, 19 Sep 2013 06:17:54 GMT

Hi,

I´ll try it.

Thankx,

Re: URGENT-NAT PROBLEM

Antonio Simoes — Sat, 21 Sep 2013 09:44:03 GMT

Hi J,

When I put this command lines to nat the nat with the dmz crashes and the server in dmz dont comunicate with inside network as inside network don´t comunicate with DMZ.

Sep 21 2013

09:12:22

192.168.15.1

1434

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src dmz:192.168.7

0.1/5292 dst inside:192.168.15.1/1434 denied due to NAT reverse path failure

Sep 21 2013

09:18:57

192.168.70.1

portmap translation creation failed for icmp src inside:192.168.15.122 dst dmz:192.168.70.1 (type 8, code 0)

Remember I´m in a ASA 5505 Sec Plus and NAt control is activated. I know that influences the nat commands to be set. I tried a fiew but no success.

Any tip ???

Regards,

URGENT-NAT PROBLEM

Jouni Forss — Sat, 21 Sep 2013 13:15:10 GMT

Hi,

You should add Static Identity NAT for the "inside" networks

static (inside,dmz) 192.168.15.0 192.168.15.0 netmask 255.255.255.0

static (inside,dmz) 192.168.115.0 192.168.115.0 netmask 255.255.255.0

- Jouni

Re: URGENT-NAT PROBLEM

Antonio Simoes — Sat, 21 Sep 2013 14:50:33 GMT

Hi J,

It worked. Thanks a lot.

[]´s

topic URGENT-NAT PROBLEM in Network Security

URGENT-NAT PROBLEM

URGENT-NAT PROBLEM

URGENT-NAT PROBLEM

Re: URGENT-NAT PROBLEM

URGENT-NAT PROBLEM

Re: URGENT-NAT PROBLEM