topic Nat Issues 5520 in Network Security

Nat Issues 5520

Jason Jayko — Tue, 12 Mar 2019 00:03:57 GMT

I have an ASA 5520 Cisco Adaptive Security Appliance Software Version 8.4(2)8 Device Manager Version 6.4(5)206. I am trying to add a nat for outside

x.x.x.77 port going inside x.x.x.22 port 80 . the wan interface is .74 with subnet of 255.255.255.248

the rule will add but traffic wont pass in .

Thank You in advance

Nat Issues 5520

Jouni Forss — Thu, 04 Oct 2012 10:25:43 GMT

Hi,

Are you trying to make a port forward configuration using your firewalls outside interface public IP OR are you trying to configure a separate public IP address for your server.

For portforward the configuration would look like this (using example names and IPs)

object network PORTFORWARD-TCP80

host 10.10.10.22

nat (inside,outside) static interface service tcp 80 80

access-list OUTSIDE-IN permit tcp any object PORTFORWARD-TCP80 eq 80

access-list OUTSIDE-IN permit tcp any host 10.10.10.22 eq 80

For simple static translation the configuration would look like this

- x.x.x.x is the public IP address you have reserved for inside host. In the earlier example the nat congiguration uses the outside interfaces IP address (using the keyword "interface")

object network STATIC

host 10.10.10.22

nat (inside,outside) static x.x.x.x

access-list OUTSIDE-IN permit tcp any object STATIC eq 80

access-list OUTSIDE-IN permit tcp any host 10.10.10.22 eq 80

- Jouni

Nat Issues 5520

Jason Jayko — Thu, 04 Oct 2012 10:38:28 GMT

trying to configure a separate public IP address for our server since there is already port 80 for another server off of the .74 public interface

Re: Nat Issues 5520

Jouni Forss — Thu, 04 Oct 2012 10:47:06 GMT

Hi,

Then you basicly just configure the Static NAT and open the ports you want

Static NAT

object network NAME

host y.y.y.y

nat (inside,outside) static x.x.x.x dns

Where

NAME = the name of the object.
inside = nameif of your local network interface on the ASA
outside = nameif of your outside network interface on the ASA
y.y.y.y = the local IP address of the server/computer
x.x.x.x = the public IP address that you have reserved for this server/computer

After this you need to make an access-list configuration to allow traffic from outside/Internet

access-list OUTSIDE-IN permit tcp any object NAME eq 80

Where

OUTSIDE-IN = name of the access-list attached to the outside interface (direction "in")
object NAME = is the object/host you want to open the traffic to from outside/Internet

With the ASA softwares 8.3 and above you always use the local IP address even when configuring access-list rules from outside/Internet. In the 8.2 and before softwares you always used the NAT IP address (public) in the configurations.

I usually use the object in the access-list configurations as it already contains the local IP address of the server/computer under it. But you can naturally just type the local IP address in the access-list rule too like I did in the first post.

- Jouni

Nat Issues 5520

Jason Jayko — Thu, 04 Oct 2012 11:23:21 GMT

so i added the following with no luck

object network x.x.x.22

host x.x.x.22

nat (inside,outside) static x.x.x.77 dns

access-list OUTSIDE-IN permit tcp any object x.x.x.22 eq 80

Nat Issues 5520

Jouni Forss — Thu, 04 Oct 2012 11:59:50 GMT

Hi,

There shouldn't be that many possibilities on what would be wrong with firewall configuration in this case.

As I don't know the rest of your NAT configuration I can't say if some other NAT rule somehow overlaps it.

You could always use the "packet-tracer" command from the command line interface.

For your situation it could be for example

packet-tracer input outside tcp 1.2.3.4 1025 x.x.x.77 80

Where

outside is the interface where the traffic is coming from
1.2.3.4 is a random source address for traffic
1025 is a random source port for the traffic
x.x.x.77 is the destination address of that traffic
80 is the destination port for that traffic

You could always post the output of that command here (and remove public IP address information where needed)

- Jouni

Nat Issues 5520

Jason Jayko — Thu, 04 Oct 2012 12:28:18 GMT

Here are the results of the packet trace

ciscoasa# packet-tracer input outside tcp x.x.x.22 1025 x.x.x.77 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network x.x.x.22
nat (inside,outside) static x.x.x.77 dns
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.77/80 to x.x.x.22/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object x.x.x.22 eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network x.x.x.22
nat (inside,outside) static x.x.x.77 dns
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

Nat Issues 5520

Jouni Forss — Thu, 04 Oct 2012 12:43:01 GMT

Hi,

Never seen that Drop-reason before.

Are you sure you used some random IP address for the source address in the packet-tracer?

Above you mention x.x.x.22 which you mentioned as local IP address of the actual server.

Please use for example 1.2.3.4 as source address and the NAT IP as the destination IP address of the packet-tracer and post the results.

- Jouni

Nat Issues 5520

Jason Jayko — Thu, 04 Oct 2012 15:04:52 GMT

ciscoasa# packet-tracer input outside tcp 1.2.3.4 4522 x.x.x.77 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network x.x.x.22
nat (inside,outside) static x.x.x.77 dns
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 747589118, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Nat Issues 5520

Jouni Forss — Fri, 05 Oct 2012 08:12:34 GMT

Hi,

To me it seems that this latest packet-tracer indicates that the connection goes through just fine.

If its still not working is the actual server running the service working correctly? Can it be confirmed straight from the local LAN

Do note that you cant connect to the server from inside your firewall using the public NAT IP address. You will have to use the local IP address.

On the other hand, if your public IP address has an associated DNS name you can use that from LAN and it will connect (since you have the DNS parameter in the NAT command)

Though this is just guessing since you havent yet mentioned where you are testing the connection from.

- Jouni

Nat Issues 5520

Jason Jayko — Fri, 05 Oct 2012 09:37:23 GMT

works fine internally. we have another internal webserver with a different public address x.x.x.76 getting the same results when i try and create the rule. they work fine internally.

Nat Issues 5520

Jouni Forss — Fri, 05 Oct 2012 10:05:14 GMT

Hi,

I think anyone from the Internet can reach the servers with the public IP addresses but you can't connect to the servers using the public IP address that you are using in the NAT configurations.

If the servers where on a different interface on the ASA than your LAN you could atleast configure the NAT so that the servers are visible to the LAN with the public IP address also.

Have you had anyone test connection to the new server with the public IP address to see if its working fine?

- Jouni

Nat Issues 5520

Jason Jayko — Fri, 05 Oct 2012 14:38:13 GMT

i have another public address pointing to a different internal server using port 80 and both will not work from the public internet using name or ip. they both work fine internally.

Nat Issues 5520

Jason Jayko — Fri, 05 Oct 2012 14:53:09 GMT

on have a server on x.x.x.76 using https: and i can get to it from the outside/inside fine

Nat Issues 5520

Jason Jayko — Fri, 05 Oct 2012 22:39:20 GMT

i think the problem maybe related to some other rules the vendor that set it up last year put in.