topic Access from outside to a service on a host connected through VPN in Network Security

Access from outside to a service on a host connected through VPN

epasqualotto — Tue, 12 Mar 2019 00:44:54 GMT

Hi all, I got a ASA5510 and I'm trying to make public a service on a host reacheable through VPN IPSEC.

The VPN works well but not the NAT from outside interface.

I need to send packet into VPN with source IP: SRCNetworkGRIS

The server is published on IP address of outside interface

The remote server is 10.246.100.11

The service (HTTP) must to be published on port 8888 in the outside interface.

Here it's a part of my conf

object network ServerVPN

host 10.246.100.11

object network ServerVPN

nat (OUTSIDE,OUTSIDE) static interface service tcp www 8888

object network SRCNetworkGRIS

subnet 10.232.226.56 255.255.255.248

description SRC Network GRIS PRO

object network obj-10.246.0.0

subnet 10.246.0.0 255.255.0.0

access-group access_in in interface OUTSIDE

access-list access_in extended permit tcp any object ServerVPN eq www

crypto map LAN_map 4 match address OUTSIDE_cryptomap_1

access-list OUTSIDE_cryptomap_1 extended permit ip object SRCNetworkGRIS 10.246.0.0 255.255.0.0

nat (OUTSIDE,OUTSIDE) source static any SRCNetworkGRIS destination static obj-10.246.0.0 obj-10.246.0.0

Anyone can help me to find the issue? from debug I see syn timeout, so maybe the remote host can't reply back to ASA.

Thanks.

Re: Access from outside to a service on a host connected through

Jouni Forss — Wed, 09 Jan 2013 13:21:22 GMT

Hi,

Are you saying that you have the following setup?

A L2L VPN between 2 sites
Remote site has the Web server
Local site wants to enable public access to the remote server through its Internet connection and public IP address space

If this is the case I would imagine the problem is the return routing for the Web site connection and before that probably the NAT configuration.

When you consider that the source address to this public service can be nearly any public IP address it would mean that the remote site should tunnel all traffic for the Web server to the L2L VPN connection for the return traffic to be forwarded correctly. In the same way the local site should tunnel traffic with any source address to the remote site server

If I understood the situation correctly this is probably what happens when attempting the connection

Internet user initiates HTTP connection to the Web Server
Connection forms on the local Site Firewall
At this point I'm not totally sure without Labing the setup
- Either the firewall forwards the connection back to public network where it gets lost immediately
- Or the firewall forwards the connection to the L2L VPN where it gets lost (though I kind of doubt this option)
If the connection actually gets forwarded to the Web Server though the L2L VPN (which I doubt) I assume the return traffic for the TCP connection forming gets lost at the remote site firewall. (It either forwards the return traffic straight to public network or something else)

Can you confirm my original assumption of your network setup?

Could you also share the whole L2L VPN configuration and possibly the whole NAT configuration if possible.

After this we could look into an alternative configuration to establish this connectivity.

- Jouni

Access from outside to a service on a host connected through VPN

epasqualotto — Wed, 09 Jan 2013 14:03:09 GMT

Yes your assumption is correct.

I think the packet reach the remote server but cannot come back. Now I'm trying to install wireshark to check what's happen in the remote site.

This is the config of the tunnel:

crypto map LAN_map 4 match address OUTSIDE_cryptomap_1

crypto map LAN_map 4 set pfs

crypto map LAN_map 4 set peer remote_ip

crypto map LAN_map 4 set ikev1 transform-set ESP-AES-128-MD5

access-list OUTSIDE_cryptomap_1 extended permit ip object SRCNetworkGRIS 10.246.0.0 255.255.0.0

tunnel-group remote_ip type ipsec-l2l

tunnel-group remote_ip general-attributes

default-group-policy GroupPolicy_remote_ip

tunnel-group remote_ip ipsec-attributes

For the NAT:

nat (any,any) source static otherNetwork1 SRCNetworkGRIS destination static obj-10.246.0.0 obj-10.246.0.0

nat (OUTSIDE,OUTSIDE) source static any SRCNetworkGRIS destination static obj-10.246.0.0 obj-10.246.0.0

nat (any,any) source static otherNetwork2 SRCNetworkGRIS destination static obj-10.246.0.0 obj-10.246.0.0

object network ServerVPN

nat (OUTSIDE,OUTSIDE) static interface service tcp www 8888

These are the only nat rules for this network.

Access from outside to a service on a host connected through VPN

epasqualotto — Wed, 09 Jan 2013 14:17:44 GMT

Wireshark say that I don't come to the remote server.

Maybe the packet is dropped by the remote VPN peer.

I know that I can go only with these IP 10.232.226.56 255.255.255.248 so maybe the NAT don't translate the IP before tunnel it on the VPN.

Any suggestion?

Re: Access from outside to a service on a host connected through

Jouni Forss — Wed, 09 Jan 2013 16:21:25 GMT

Hi,

Think I finally got it but cant confirm it without creating an actual L2L VPN for my current lab setup (which I will only do if you cant get this working with the below steps)

So heres what I did

Configured with a single NAT statement a NAT that does the following or fills the following criteria
- Traffic from any source address from WAN will be NATed to a Private IP address NAT Pool WHEN the destination IP address is the local ASA WAN interface IP address and Destination Port is TCP/8888
- For the above Traffic the WAN Interface IP address will be translated to a Private IP address on the remote site
- The Destination port of TCP/8888 will be translated to the real port of TCP/80
Configured a L2L VPN configuration (Just to see if the traffic generated will try to initiate the negotiation for the L2L VPN also)
- Traffic Source is the NAT Pool configured in the above NAT configurations
- Traffic Destination is the whole remote site network

So here are my configurations

Base Information

WAN = my "outside" interface
L2L-VPN-POOL = defines the NAT pool towards the L2L VPN
L2L-REMOTE = defines the remote site LAN
WEB-SERVER-LOCAL = defines the remote web servers local IP address
WEB-REAL = defines the actual port used on the web server
WEB-NAT = defines the NATed / Mapped port used for the web server on the local firewall

object network L2L-VPN-POOL

range 10.10.200.1 10.10.200.200

object network L2L-REMOTE

subnet 10.10.1.0 255.255.255.0

object network WEB-SERVER-LOCAL

host 10.10.1.100

object service WEB-REAL

service tcp destination eq www

object service WEB-NAT

service tcp destination eq 8888

Above are network and service objects configured for the purpose of the L2L VPN and NAT configurations

nat (WAN,WAN) 1 source dynamic any L2L-VPN-POOL destination static interface WEB-SERVER-LOCAL service WEB-NAT WEB-REAL

Above is the NAT configuration to handle both the Source hosts and the Destination Web Server
- (WAN,WAN) = defines that the NAT is done for traffic both entering and leaving the same interface
- source dynamic = defines that Dynamic NAT will be done for the Source addresses
- any = source address for the NAT can be any
- L2L-POOL = contains the IP addresses to be used for induvidual users from the Internet
- destination static = defines that Static NAT will be done for the Destination addresses
- interface = defines that the WAN interface IP address will be used as the NAT address for the remote site server
- WEB-SERVER-LOCAL = defines the Web Server Local IP address at the remote site
- WEB-NAT = defines Mapped Web service port
- WEB-REAL = defines Real Web service port

access-list TEST-L2L-CRYPTO extended permit ip object L2L-VPN-POOL object L2L-REMOTE

Encryption Domain for the L2L VPN configured below

crypto ipsec ikev1 transform-set AES-256 esp-aes-256 esp-sha-hmac

crypto map CRYPTOMAP 10 match address TEST-L2L-CRYPTO

crypto map CRYPTOMAP 10 set peer 1.1.1.1

crypto map CRYPTOMAP 10 set ikev1 transform-set AES-256

crypto map CRYPTOMAP interface WAN

crypto isakmp identity address

crypto ikev1 enable WAN

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

ikev1 pre-shared-key *****

Above is a very basic L2L VPN configuration to catch the above NAT configurations traffic and try to direct it to the L2L VPN tunnel
- Source address for the Tunnel is the NAT Pool configured above
- Destination address for the Tunnel is the remote site network and therefore also the Real IP address of the remote site Web Server

The only means to test this configuration at the moment was to use the "packet-tracer" command to show what the Firewall would do to a packet arriving from WAN to the WAN Interface IP address using port TCP/8888

Base Information

x.x.x.x = My WAN interface IP address
y.y.y.y = Random Public source IP address for the Web Server connection
WAN-IN = My WAN interface ACL

ASA(config)# packet-tracer input WAN tcp y.y.y.y 2054 x.x.x.x 8888

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (WAN,WAN) source dynamic any L2L-VPN-POOL destination static interface WEB-SERVER-LOCAL service WEB-NAT WEB-REAL

Additional Information:

NAT divert to egress interface WAN

Untranslate x.x.x.x/8888 to 10.10.1.100/80

Above shows that the "packet-tracer" test is hitting the configured NAT rule and is correctly translation the WAN interface IP address to the real IP address of the remote site web server
It also shows that the TCP destination port is correctly translated from mapped to real

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group WAN-IN in interface WAN

access-list WAN-IN extended permit ip host y.y.y.y any

Additional Information:

Above shows that the traffic is hitting my WAN-IN ACLs rule allowing the traffic

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (WAN,WAN) source dynamic any L2L-VPN-POOL destination static interface WEB-SERVER-LOCAL service WEB-NAT WEB-REAL

Additional Information:

Dynamic translate y.y.y.y/2054 to 10.10.200.120/2054

Above shows that the random Public Source address is correctly translated to a random NAT Pool IP address

Phase: 7

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Above shows that the above packet has also hit a configured L2L VPN rule.
NOTE! The result is DROP because my L2L VPN configuration isnt valid to bring up any L2L VPN connection. The L2L VPN configuration is only there to see if my configurations still forward the traffic to the L2L VPN from the public network

So with the above you might be able to test your setup. Just define the configurations to use your own "object" or "object-group" and IP addresses or networks.

Some things I would take into consideration judging by your above configurations

I would avoid using NAT configurations with "any,any" interfaces. They might at some point mess things up
Consider configuring the above NAT configuration as the First NAT rule so that no other rule will apply before it and therefore make it useless.
- This would be done with adding line number "1" after the (WAN,WAN) configuration of the NAT
You will need "same-security-traffic permit intra-interface" configuration for this to work.

Naturally also take precaution if you are going to test this in a production environment. Have a plan to fall back to the old configurations.

Please do rate the answers if you have found the information helpfull and if it does solve your problem please mark the questions as answered. Naturally also ask more if either the configuration doesnt work or if there is something more related to this setup.

- Jouni

Re: Access from outside to a service on a host connected through

epasqualotto — Wed, 09 Jan 2013 17:21:45 GMT

Hi Jouni, thanks for the posts.

I'll fix the issue (before your mail) by not using the NAT on the object network.

object network ServerVPN

host 10.246.100.11

object service Private_G

service tcp destination eq www

object network SRCNetworkG

subnet 10.232.226.56 255.255.255.248

object network Public2

host x.x.x.x

nat (OUTSIDE,OUTSIDE) source static any SRCNetworkG destination static Public2 ServerVPN service Private_G Private_G

and not

object network ServerVPN

nat (OUTSIDE,OUTSIDE) static interface service tcp www www

nat (OUTSIDE,OUTSIDE) source static any SRCNetworkGRIS destination static obj-10.246.0.0 obj-10.246.0.0

But I don't understand why.

I'll check tomorrow your last post better to see what change from my last config.

Thanks for the support.

Pasqu

Access from outside to a service on a host connected through VPN

Jouni Forss — Fri, 11 Jan 2013 07:20:40 GMT

Hi,

Have you been able to test the above setup I mentioned?

- Jouni