topic Problem with NAT ASA 9.0(2) in Network Security

Problem with NAT ASA 9.0(2)

josedelpino — Tue, 12 Mar 2019 01:27:00 GMT

Hello

Basically after upgrade from ASA 8.4 to 9.0 (2) I have problems when certain types of NAT.

Example:

ASA 8.4:

nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http

In this form the host 192.168.3.2 uses the mapped ip (192.168.3.104) to access by http while other ports can be accessed using the original IP (10.252.253.123).

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ASA 9.0:

nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http

In this form the host 192.168.3.2 uses the mapped ip (192.168.3.104) to access by http but unlike before now I can not access to the original IP (10.252.253.123) using another port or ping from host 192.168.3.2.

Any ideas on how I can fix this will be appreciated.

Sorry for my English is not my native language.

Problem with NAT ASA 9.0(2)

Julio Carvajal — Thu, 11 Apr 2013 22:15:08 GMT

Hello Jose,

the nat commands you type there are not valid, incorrect syntax, can you try it one more time,

Problem with NAT ASA 9.0(2)

lcambron — Thu, 11 Apr 2013 23:18:03 GMT

Hello Jose,

Your NAT should be something like:

nat (LAN,outside) source static 192.168.3.2 192.168.3.104 destination static any any service http http

So 192.168.3.2 is NATed to 192.168.3.104 when destination port is 80

You can use the packet tracer command to see which NAT rule you are hitting:

packet in incoming_interface tcp source_ip 1025 destination_IP 80

You need to check on your configuration the NAT rules you have since the ones you posted are not correct.

Then explain what is exactly the problem.

Regards,

Felipe.

Problem with NAT ASA 9.0(2)

josedelpino — Fri, 12 Apr 2013 18:33:56 GMT

Thank very much to both

The command was wrong because the translator that i used change the syntax and I did not realize.

The correct command is:

nat (LAN,outside) 85 source static 10.252.253.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http

The nat itself works well, host1 uses the mapped ip (192.168.3.104) to access to the port 80 without any problem but after setting this nat host1 cannot access to the original server ip address using any other port or ping.

host1 ip address= 192.168.3.2

Original server ip address = 10.252.253.28

Nated server ip address = 192.168.3.104

Problem with NAT ASA 9.0(2)

Julio Carvajal — Fri, 12 Apr 2013 19:25:18 GMT

Hello Jose Alan,

let's see that

can you paste:

packet-tracer input LAN tcp 10.252.253.28 1025 192.168.3.2 80

That is what you are looking for

Problem with NAT ASA 9.0(2)

josedelpino — Fri, 12 Apr 2013 20:10:04 GMT

Hello Julio,

Thanks for your time

Here is:

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.3.0 255.255.255.0 outside

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (no-route) No route to host

Apparently drop the package due to lack of routes but the destination network is directly connected.

If I delete the nat this is the output:

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.3.0 255.255.255.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group LAN_access_in in interface LAN

access-list LAN_access_in extended permit ip object-group NET-ADM any4

access-list LAN_access_in remark XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

object-group network NET-ADM

description: xxxxxxxxxxxxxxxxxxxxxx

network-object host 10.252.253.28

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,outside) source static any any unidirectional

Additional Information:

Static translate 10.252.253.28/1025 to 10.252.253.28/1025

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,outside) source static any any unidirectional

Additional Information:

Phase: 8

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 808, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Problem with NAT ASA 9.0(2)

Julio Carvajal — Fri, 12 Apr 2013 20:14:57 GMT

Hello Jose,

good post interesting results,

can you share the entire asa configuration with the NAT with a show route as well>

Re: Problem with NAT ASA 9.0(2)

josedelpino — Sat, 13 Apr 2013 02:30:08 GMT

Julio,

In a test environment I upgrade from version 9.0 (2) to 9.1(1)4 and also remove all settings from the configuration leaving just the enough to test the NAT but the behavior is the same.

This is the complete actual configuration:

ASA Version 9.1(1)4

hostname ASATEST

enable password xxxxxxxxxxx encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd xxxxxxxxxxxx encrypted

names

interface GigabitEthernet0/0

nameif LAN

security-level 0

ip address 10.252.254.1 255.255.255.0

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 192.168.3.1 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

boot system disk0:/asa911-4-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

object network 10.252.254.28

host 10.252.254.28

object network 192.168.3.104

host 192.168.3.104

object network 192.168.3.2

host 192.168.3.2

object service ftp

service tcp source eq ftp

access-list ANY extended permit ip any4 any4

pager lines 24

logging enable

logging asdm informational

mtu LAN 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http

access-group ANY in interface LAN

access-group ANY in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.3.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.252.254.28 255.255.255.255 LAN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 10.252.254.28 255.255.255.255 LAN

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username jdelpino password xxxxxxx encrypted privilege 15

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0e5d8be6f25f180223f5c1beee7fc0c6

: end

Thanks again for the help

Re: Problem with NAT ASA 9.0(2)

Julio Carvajal — Sat, 13 Apr 2013 07:10:53 GMT

Hello Jose,

Hey man my pleasure to help.

I need the following info:

1) I do not see the object-service http on the configuration, why is that? May I have it?

2) All your traffic is being routed to that same device 3.2? is that expected?

route outside 0.0.0.0 0.0.0.0 192.168.3.2 1

Re: Problem with NAT ASA 9.0(2)

josedelpino — Sat, 13 Apr 2013 18:30:42 GMT

Hello Julio,

1) Sorry for this, I must have accidentally deleted when paste the config

object service http

service tcp source eq http

In my test environment I have a router connected to the outside interface of the ASA and sometimes I create loobacks interfaces on the router to simulate external networks for this reason the default route but in this case it is not necessary so I can remove it without any problem.

Server-------------------------------ASA-----------------------------Router

10.252.253.28 253.1 3.1 192.168.3.2

Re: Problem with NAT ASA 9.0(2)

Julio Carvajal — Sat, 13 Apr 2013 20:31:46 GMT

Hello Jose,

First error:

The object service HTTP should be destination not source

change that,

clear the xlate table and perform the packet tracer again, post the results

Remember to rate all of the helpful posts, as important as a thanks man

regards

Re: Problem with NAT ASA 9.0(2)

josedelpino — Sun, 14 Apr 2013 02:15:18 GMT

Hello Julio,

I think I do not expressed myself correctly because of my poor english and the problem was not understood.

Basically what I need is that if a user wants to access to the server A web page (tcp/80) has to make the request to the nated server ip address (192.168.3.104) but if the same user wants to access to any other service of the server A for example remote desktop (tcp/3389), ssh (tcp/22), ping, etc has to make the request to the original server ip address 10.252.253.28.

User ip address = 192.168.3.2

Nated server ip address = 192.168.3.104

Original server ip address = 10.252.253.28

In ASA 8.4 this works well:

nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http

By doing this the user accessed the website making the request to the nated ip address 192.168.3.104 and for any other service make the request to the original server ip address 10.252.253.28 but in ASA 9.1(1)4 once I configure the nat any communication between the user and the server original ip address 10.252.253.28 is cut.

Please let me know if I am not clear with my explanation of the problem.

Re: Problem with NAT ASA 9.0(2)

Julio Carvajal — Sun, 14 Apr 2013 07:44:18 GMT

Hello Jose,

Yeah, I think I got it know but if that is the casea you do not need to use any destination keyword

no nat (LAN,outside) source static 10.252.254.28 192.168.3.104 destination static 192.168.3.2 192.168.3.2 service http http

nat (LAN,outside) source static 10.252.254.28 192.168.3.104 service http http

Then do the following and provide the entire outputs ( please )

packet-tracer input outside tcp 192.168.3.2 1025 192.168.3.104 80

packet-tracer input outside tcp 192.168.3.2 1025 10.252.254.28 8080

Regards,