topic Problem with NAT in ASA5505 8.3(2) in Network Security

Problem with NAT in ASA5505 8.3(2)

darshan288shah — Tue, 12 Mar 2019 02:02:00 GMT

Hi,

I am using ASA5505 with version a 8.3(2) and having problem with the nat configuration.

inside ip - 192.168.1.1/255.255.255.0

outside ip - 10.127.225.10/255.255.255.0

we have TCP10042 as service port thru' which we are passing data from inside network to outside network.

We have Client_server as 10.127.226.21/24

our DataServer as 192.168.1.3/ 24

we want to send the data from dataServer to Client server thru' port no. 10042.

We did following settings in the ASA thru' ASDM but facing problem that no any nating actually takes place.

Object network Client_Server

host 10.127.226.21

Object network DataServer

host 192.168.1.3

Object service TCP_10042

Service tcp source range 1 65535 destination eq 10042

Object network Firewall_Outside

host 10.127.225.10

object network DataServer(192.168.1.3)

nat (inside, outside) static interface service tcp 10042 10042

object network Firewall_outside (10.l27.225.10)

nat (outside, inside) static DataServer(192.168.1.3) service tcp 10042 10042

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit ip any any

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

access-group global_access global

but still we are getting problem for NAT rules.

Also when we tried with Packet Transfer check point and found that "Access List - denied due to “Implicit rule”

Please help how we have to transfer data thru' Firewall.

Problem with NAT in ASA5505 8.3(2)

Jouni Forss — Mon, 24 Jun 2013 11:30:09 GMT

Hi,

Can you post your interface configurations using "show run interface" command.

If I understood you correctly then there is a server on the "inside" that is initiating a connection to a server on "outside" with the destination port TCP/10042? Is this correct?

If this is true, then we dont really need all the NAT configurations you have done. A Dynamic PAT configuration might be all that is needed.

Naturally if you want to give an own address to the server on the "inside" then you would configure Static NAT.

If the server on the "outside" needed to access the server on the "inside" then you might need Static NAT or Static PAT (Port Forward)

Is this firewall located inside some LAN network or is it at the edge of LAN and WAN?

Lets clear up these few things and then we can look at what is required to correct the situation.

- Jouni

Problem with NAT in ASA5505 8.3(2)

darshan288shah — Mon, 24 Jun 2013 12:30:52 GMT

Hi Jouni,

Thank you for the prompt reply.

Please find the details of the complete details of the configuration.

: Saved

: Written by enable_15 at 12:54:21.049 IST Mon Jun 24 2013

ASA Version 8.3(2)

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 10.127.225.10 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

clock timezone IST 5 30

object network IP21_Server

host 10.127.226.21

description IP21_Server

object network Tank_OPC_Server

host 192.168.1.2

description Tank_OPC_Server

object network CIMIO_TestPC

host 10.127.230.35

description CIMIO_TestPC

object service TCP_10041

service tcp source range 1 65535 destination eq 10041

description TCP-10041

object service TCP_10042

service tcp source range 1 65535 destination eq 10042

description TCP-10042

object service TCP_135

service tcp source range 1 65535 destination eq 135

description TCP_135

object service TCP_47625

service tcp source range 1 65535 destination eq 47625

description TCP-47625

object service TCP_7777

service tcp source range 1 65535 destination eq 7777

description TCP_7777

object service tcp_all

service tcp source range 1 65535 destination range 1024 65535

description tcp-all

object network Firewall_Outside

host 10.127.225.10

object service Ping

service icmp echo-reply

description Ping

object network Rule_2

subnet 10.127.0.0 255.255.255.0

description Web Access

object network OPCIP

host 10.0.0.0

object-group network Firewall_Inside_Sys description Firewall_Inside_Sys

network-object object Tank_OPC_Server

object-group network Firewall_Outside_OPC_Sys

description Firewall_Outside_OPC_Sys

network-object object CIMIO_TestPC

network-object object IP21_Server

object-group service DM_INLINE_TCP_1 tcp

port-object eq 49153

port-object eq 49154

port-object eq 49155

port-object eq 49156

port-object eq 49157

port-object eq 49158

port-object eq 49160

port-object eq 49161

port-object eq 49162

port-object eq 49163

port-object eq 49164

port-object eq 49165

object-group service DM_INLINE_TCP_2 tcp

port-object eq 135

port-object eq 1433

port-object eq 3389

port-object eq 445

port-object eq 49152

port-object eq 49153

port-object eq 49154

port-object eq 49155

port-object eq 49156

port-object eq 49157

port-object eq 49158

port-object eq 49159

port-object eq 49160

port-object eq 49161

port-object eq 49162

port-object eq 5357

object-group service DM_INLINE_TCP_3 tcp

port-object eq 135

port-object eq 3389

port-object eq www

port-object eq lpd

port-object eq netbios-ssn

object-group service DM_INLINE_TCP_4 tcp

port-object eq 135

port-object eq 1433

port-object eq 445

port-object eq 49152

port-object eq 49153

port-object eq 49154

port-object eq 49155

port-object eq 49156

port-object eq 49157

port-object eq 49158

port-object eq 49159

port-object eq 49160

port-object eq 49161

port-object eq 49162

port-object eq 5357

object-group service DM_INLINE_TCP_5 tcp

port-object eq www

port-object eq lpd

port-object eq netbios-ssn

object-group service OPC tcp

port-object eq 445

object-group service OPCM tcp

port-object eq 1433

object-group service OPCMS tcp

port-object eq 3389

object-group service OPCTCP tcp

port-object eq 135

object-group service OPCTCPU tcp

port-object eq 5357

object-group service TEST tcp

port-object eq 49152

port-object eq 49153

port-object eq 49154

port-object eq 49155

port-object eq 49156

port-object eq 49157

port-object eq 49158

port-object eq 49159

port-object eq 49160

port-object eq 49161

port-object eq 49162

port-object eq 49163

port-object eq 49164

port-object eq 49165

port-object eq 49166

port-object eq 49167

port-object eq 49168

port-object eq 49169

port-object eq 49170

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any any eq 135

access-list inside_access_in extended permit tcp any any eq www

access-list inside_access_in extended permit tcp any any eq netbios-ssn

access-list inside_access_in extended permit ip object OPCIP object OPCIP

access-list inside_access_in extended permit tcp any any eq 445

access-list inside_access_in extended permit tcp any any eq lpd

access-list inside_access_in extended permit tcp any any eq 1433

access-list inside_access_in extended permit tcp any any eq 3389

access-list inside_access_in extended permit tcp any any eq 5357

access-list inside_access_in extended permit tcp any any eq 49152

access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1

access-list inside_access_out extended permit icmp any any

access-list inside_access_out remark IP21 Server to PTD DeltaV OPC Inside

access-list inside_access_out extended permit tcp object IP21_Server range 1 65535 object Tank_OPC_Server eq 10042

access-list inside_access_out remark Test PC to Tank OPC Server

access-list inside_access_out extended permit tcp object CIMIO_TestPC range 1 65535 object Tank_OPC_Server eq 10042

access-list inside_access_out remark Any Intranet to TFMS Web Server

access-list inside_access_out extended permit tcp any object Tank_OPC_Server eq www

access-list inside_access_out remark Report Access

access-list inside_access_out extended permit udp any eq netbios-ns object Tank_OPC_Server eq netbios-ns

access-list inside_access_out remark Report Access

access-list inside_access_out extended permit tcp any eq netbios-ssn object Tank_OPC_Server eq netbios-ssn

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp object IP21_Server range 1 65535 object Firewall_Outside eq 10042

access-list outside_access_in remark Test PC to TFMS OPC Server

access-list outside_access_in extended permit tcp object CIMIO_TestPC range 1 65535 object Firewall_Outside eq 10042

access-list outside_access_in remark Any-Intranet to TFMS Web Server

access-list outside_access_in extended permit tcp any object Firewall_Outside eq www

access-list outside_access_in remark Report Access

access-list outside_access_in extended permit udp any eq netbios-ns object Firewall_Outside eq netbios-ns

access-list outside_access_in remark Report Access

access-list outside_access_in extended permit tcp any eq netbios-ssn object Firewall_Outside eq netbios-ssn

access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_3

access-list global_access extended permit ip object OPCIP object OPCIP

access-list global_access extended permit tcp any any object-group DM_INLINE_TCP_4

access-list global_access extended permit tcp any any object-group DM_INLINE_TCP_5

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network Tank_OPC_Server

nat (inside,outside) static interface service tcp 10042 10042

object network Firewall_Outside

nat (outside,inside) static Tank_OPC_Server service tcp 10042 10042

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 10.127.225.1 1

route outside 10.127.226.0 255.255.255.0 10.127.229.1 1

route outside 10.127.230.0 255.255.255.0 10.127.229.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http authentication-certificate outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.1.5-192.168.1.254 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username krish password ZDpDPiLx3Glgwqc. encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

Cryptochecksum:83aa589d0b77930b72fb3d2faffb127b

You are correct that Server is inside the network and it is initiating the connection to outside network. This firewall is located inside the LAN network.

Re: Problem with NAT in ASA5505 8.3(2)

Jouni Forss — Mon, 24 Jun 2013 12:51:07 GMT

Hi,

I would suggest simplifying the configuration a bit.

For example I would suggest that you only configure ACLs / access-list in the "in" direction to the "inside" or "outside" interfaces. You dont generally need to use the "out" direction with typical firewall scenarios.

So I would remove the following first (I presume that this is just in implementation phase and wont cause any problems with anything in production.

no access-group inside_access_out out interface inside

no access-group outside_access_in in interface outside

no access-group global_access global

You should then use the "inside_access_in" ACL to allow the traffic you need from the "inside" server to the "outside" server.

Add this configuration line to that ACL

access-list inside_access_in permit tcp host 192.168.1.3 host 10.127.226.21 eq 10042

Also you could REMOVE the NAT configuration you have currently (shown below)

object network Tank_OPC_Server

host 192.168.1.2

description Tank_OPC_Server

nat (inside,outside) static interface service tcp 10042 10042

object network Firewall_Outside

host 10.127.225.10

nat (outside,inside) static Tank_OPC_Server service tcp 10042 10042

Instead you could configure basic Dynamic PAT which should enable the "inside" server to connect to "outside" server.

object-group network INSIDE-PAT-SOURCE

network-object 192.168.1.0 255.255.255.0

nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE interface

What we have to notice with the above Dynamic PAT configuration is that this only enables the hosts and server behind "inside" to connect to hosts/server behind "outside". If the "outside" server needs to open/initiate connections towards the "inside" server THEN we need a Static NAT configuration. Let me know if this is needed.

Also it seems that these "route" commands are incorrect. Remove them and leave the default route

no route outside 10.127.226.0 255.255.255.0 10.127.229.1 1

no route outside 10.127.230.0 255.255.255.0 10.127.229.1 1

interface Vlan2

nameif outside

security-level 0

ip address 10.127.225.10 255.255.255.0

This is because the gateway IP address of 10.127.229.1 IS NOT part of the "outside" interfaces connected network of 10.127.225.0/24 so the routes cannot be correct.

After you have made the required configuration changes, test the firewall rules with the "packet-tracer" command

Use this command on the CLI of the ASA

packet-tracer input inside tcp 192.168.1.3 12345 10.127.226.21 10042

This will print an output what would happen to this connection your are attempting. Share the output with us here on the forums so we can have a look at what is causing the problems (if any after this)

Hope this helps

- Jouni

Re: Problem with NAT in ASA5505 8.3(2)

darshan288shah — Mon, 01 Jul 2013 03:08:26 GMT

Hi Jouni,

Thank you for the support.

We have not connected any host at outside network and tried the below command.

Result of the command: "packet-tracer input inside tcp 192.168.1.3 12345 10.127.226.21 10042"

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: drop

Drop-reason: (no-route) No route to host

Then we have connected host with ip address as 10.127.225.21/24 and run the below commands,

Result of the command: "packet-tracer input inside tcp 192.168.1.3 12345 10.127.225.21 10042"

access-list inside_access_in permit tcp host 192.168.1.3 host 10.127.225.21 eq 10042

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.127.225.0 255.255.255.0 outside

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.1.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype: mgmt-deny-all

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Please suggest forward path.

Problem with NAT in ASA5505 8.3(2)

Jouni Forss — Mon, 01 Jul 2013 07:30:21 GMT

Hi,

Can you share the current configuration.

- Jouni