Xlate and server communication

suthomas1 — Tue, 12 Mar 2019 01:09:13 GMT

Hi,

We have a server in our LAN. It connects to a Juniper firewall , this inturn connects to an ASA which acts as the

internet firewall.

LAN Server 10.96.1.90 needs to connect to an external destination 81.20.97.19 for ftp service as also the external

destination should be able to connect back to 10.96.1.90 for ftp service

However,the request from 10.96.1.90 is only recognised & allowed on the destination when it comes from

public IP 203.121.17.140 and similarly, request from 81.20.97.19 to 10.96.1.90 is done using public IP 203.121.17.140.

Server 10.96.1.90 -> Juniper Firewall -> ASA Firewall -> Destination 81.20.97.19 (FTP)

Destination 81.20.97.19 (FTP) -> ASA Firewall -> Juniper Firewall -> Server 10.96.1.90 (FTP)

LAN Server IP: 10.96.1.90

Juniper Firewall LAN interface IP: 10.96.1.68

Juniper Firewall WAN interface IP: 172.16.1.68

ASA Firewall LAN interface IP: 172.16.1.98 ( Transit Interface(eth0/2) is the name given to the interface which connects Juniper's WAN to ASA's LAN)

ASA Firewall WAN interface IP: 203.121.17.144

The rules are in place on both Juniper and ASA firewall for the above bidirectional communication.I can see the packets passing on through the juniper firewall on its way to ASA.

Now, the problem;

The communication when initiated from 10.96.1.90 towards 81.20.97.19 is not successful.

When i run capture on ASA, i can see the packets coming on to ASA via Juniper firewall, but i can only see sync packets.

Moreover, i cannot see the xlate for these packets.

The current configuration on the ASA firewall is :-

interface Ethernet0/0

nameif outside

security-level 1

ip address 203.121.17.144 255.255.255.224

interface Ethernet0/1

description To Server

speed 100

duplex full

nameif inside

security-level 100

ip address 172.16.0.98 255.255.255.0

interface Ethernet0/2

description To Juniper Firewall

speed 100

duplex full

nameif transit

security-level 90

ip address 172.16.1.98 255.255.255.0

boot system disk0:/asa822-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name bsh-sg.com

object-group service Apps tcp

description FTP and HTTP access

port-object eq ftp-data

port-object eq ftp

port-object eq echo

port-object eq www

object-group service FTP tcp

port-object eq ftp

port-object eq ftp-data

access-list acl_out extended permit tcp any host 203.121.17.142 object-group Apps

access-list acl_out extended permit tcp host 81.20.97.19 host 203.121.17.140 object-group FTP

pager lines 24

logging console informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

mtu transit 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (transit) 2 10.96.1.0 255.255.255.0

static (inside,outside) 203.121.17.142 172.16.0.97 netmask 255.255.255.255

static (transit,outside) 203.121.17.140 10.96.1.90 netmask 255.255.255.255

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 203.121.17.129 1

route transit 10.96.1.0 255.255.255.0 172.16.1.68 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect ftp

service-policy global_policy global

Now, the problem;

The communication when initiated from 10.96.1.90 towards 81.20.97.19 is initiated , it is not successful.

When i run capture on ASA, i can see the packets coming in to ASA via Juniper firewall, but i can only see sync packets.

Moreover, i cannot see the xlate for this packets.

Please help me in this problem, if there is any thing wrong on the ASA regarding this requirement of traffic.

Appreciate all inputs!

Xlate and server communication

jocamare — Mon, 04 Mar 2013 18:56:32 GMT

Do you the same SYN packets leaving the outside interface?

Xlate and server communication

suthomas1 — Tue, 05 Mar 2013 08:19:09 GMT

No, i do not see the SYN packets leaving outside interface.

Is the static nat configuration for these ip's correct ? How should i proceed?

Appreciate all help!

Xlate and server communication

Jouni Forss — Tue, 05 Mar 2013 08:37:13 GMT

Hi,

In your above configuration I cant at the moment see anything that would prevent the connection being initiated through it.

Static NAT is configure correctly
There is a default route for outbound connections
The security-level between "transit" and "outside" should allow for the traffic to pass the firewall
You have FTP inspection configured which will automatically allow the Data connection after Control connection has been formed.

You could confirm the firewalls operation by using the "packet-tracer" command

packet-tracer input transit tcp 10.96.1.90 1234 81.20.97.19 21

This will simulate the FTP connection attempt from the host behind "transit" interface to the specified destination IP address on the Internet.

Can you share the output of that command here?

- Jouni

Xlate and server communication

jocamare — Tue, 05 Mar 2013 19:19:06 GMT

Do you see any particular logs refering to these particular public IP when testing?

Try to gest an ASP capture, this is the command for it: capture drop type asp-drop all

Test and check the capture : show capture drop | i 81.20.97.19

Are you having problems only when going to 81.20.97.19?

topic Xlate and server communication in Network Security

Xlate and server communication

Xlate and server communication

Xlate and server communication

Xlate and server communication

Xlate and server communication