topic ASA5505 nat-issues in Network Security

ASA5505 nat-issues

Samuel Eng — Mon, 11 Mar 2019 23:11:01 GMT

Hi, we have users connecting via an ISP Wan-link to our ASA with inside-subnet 192.168.1.0. The remote users are on 192.168.2.0 and can only access 192.168.1.1, no other IP on the 192.168.1.0 subnet. Any idea why?

The (ISP) router and 192.168.2.0-subnet is behind 192.168.1.254

Thanks/Sam

Here's my config:

TMPASA01# show run

: Saved

ASA Version 8.4(3)

hostname TMPASA01

domain-name tmp.local

enable password v4fmcWqoQy.l8i1X encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 10

interface Ethernet0/2

switchport access vlan 10

interface Ethernet0/3

switchport access vlan 10

interface Ethernet0/4

switchport access vlan 10

interface Ethernet0/5

switchport access vlan 10

interface Ethernet0/6

switchport access vlan 10

interface Ethernet0/7

switchport access vlan 10

interface Vlan1

shutdown

no nameif

security-level 100

no ip address

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.X 255.255.255.252

interface Vlan10

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

boot system disk0:/asa843-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name tmp.local

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network inside-lan

subnet 192.168.1.0 255.255.255.0

object network FTP-SERVER-PORT20

host 192.168.1.55

object network FTP-SERVER-PORT21

host 192.168.1.55

object network WEB-SERVER-PORT80

host 192.168.1.106

object network WEB-SERVER-PORT5222

host 192.168.1.106

object network ICAL-SERVER-PORT8008

host 192.168.1.56

object network ICAL-SERVER-PORT8443

host 192.168.1.56

object network ICAL-SERVER-PORT1701

host 192.168.1.56

object network ICAL-SERVER-PORT4500

host 192.168.1.56

object network ICAL-SERVER-PORT500

host 192.168.1.56

object network WEB-SERVER-UDP-PORT6000

host 192.168.1.106

object network WEB-SERVER-UDP-PORT6001

host 192.168.1.106

object network PPTP-SERVER-PORT1723

host 192.168.1.56

description PPTP Tunnel TMP Server

object network inside-nat-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object-group service L2TP udp

port-object eq 1701

access-list INBOUND extended permit icmp any any

access-list INBOUND extended permit tcp any host 192.168.1.55 eq ftp-data

access-list INBOUND extended permit tcp any host 192.168.1.55 eq ftp

access-list INBOUND extended permit tcp any host 192.168.1.106 eq www

access-list INBOUND extended permit tcp any host 192.168.1.106 eq 5222

access-list INBOUND extended permit tcp any host 192.168.1.56 eq 8008

access-list INBOUND extended permit tcp any host 192.168.1.56 eq 8443

access-list INBOUND extended permit udp any host 192.168.1.56 object-group L2TP

access-list INBOUND extended permit udp any host 192.168.1.56 eq 4500

access-list INBOUND extended permit udp any host 192.168.1.56 eq isakmp

access-list INBOUND extended permit udp any host 192.168.1.106 eq 6000

access-list INBOUND extended permit udp any host 192.168.1.106 eq 6001

access-list INBOUND extended permit tcp any host 192.168.1.56 eq pptp

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

object network inside-lan

nat (inside,outside) dynamic interface

object network FTP-SERVER-PORT20

nat (inside,outside) static interface service tcp ftp-data ftp-data

object network FTP-SERVER-PORT21

nat (inside,outside) static interface service tcp ftp ftp

object network WEB-SERVER-PORT80

nat (inside,outside) static interface service tcp www www

object network WEB-SERVER-PORT5222

nat (inside,outside) static interface service tcp 5222 5222

object network ICAL-SERVER-PORT8008

nat (inside,outside) static interface service tcp 8008 8008

object network ICAL-SERVER-PORT8443

nat (inside,outside) static interface service tcp 8443 8443

object network ICAL-SERVER-PORT1701

nat (inside,outside) static interface service udp 1701 1701

object network ICAL-SERVER-PORT4500

nat (inside,outside) static interface service udp 4500 4500

object network ICAL-SERVER-PORT500

nat (inside,outside) static interface service udp isakmp isakmp

object network WEB-SERVER-UDP-PORT6000

nat (inside,outside) static interface service udp 6000 6000

object network WEB-SERVER-UDP-PORT6001

nat (inside,outside) static interface service udp 6001 6001

object network PPTP-SERVER-PORT1723

nat (inside,outside) static interface service tcp pptp pptp

object network inside-nat-192.168.2.0

nat (inside,outside) dynamic interface

access-group INBOUND in interface outside

route outside 0.0.0.0 0.0.0.0 88.131.16.33 1

route inside 192.168.2.0 255.255.255.0 192.168.1.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

ssh version 2

console timeout 0

dhcpd auto_config outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.36.133.17 source outside prefer

ASA5505 nat-issues

Jennifer Halim — Thu, 24 May 2012 13:30:52 GMT

I assume that the default gateway on those devices in 192.168.1.0/24 is the ASA inside interface 192.168.1.1. That's why the remote user is not able to access the 192.168.1.0/24 subnet.

Reason being: the ASA does not see the complete TCP handshake, hence dropping the packet.

Eg:

TCP SYN: remote user --> 192.168.1.x host

TCP SYN-ACK: 192.168.1.x host --> ASA inside interface, and at this stage, the ASA will drop it because it does not see the SYN packet as the SYN packet goes directly to the host as they are in the same subnet hence does not route via default gateway.

ASA5505 nat-issues

Julio Carvajal — Thu, 24 May 2012 13:46:54 GMT

Hello Samuel,

As Jennifer stated is a desing issue, you will need to configure the TCP state bypass or a U-turning policy to allow that communication.

Regards.

ASA5505 nat-issues

Samuel Eng — Thu, 24 May 2012 14:12:05 GMT

Ok, thanks for your replys. How do I configure this?

And, just to be clear: I do get ping-replys from 192.168.1.1 from the 192.168.2.0-subnet, but on no other addresses. And I can't access any other host/port/service in the 192.168.1.0-net, but I can reach the internet from 192.168.2.0-subnet

/Sam

Re: ASA5505 nat-issues

Julio Carvajal — Thu, 24 May 2012 17:23:34 GMT

Hello Samuel,

Lets give it a try to the U-turning configuration:

same-security-traffic permit intra-interface

object network 192.168.254.0

subnet 192.168.254.255.255.255.0

Object network 2_inside-lan

subnet 192.168.2.0 255.255.255.0

object network inside-lan

subnet 192.168.1.0 255.255.255.0

nat (inside,inside) 1 source dynamic 2_inside-lan interface destination static 192.168.254.0 inside-lan

You will need to try to access the inside host by using the 192.168.254.0 ,as this is a desing problem that would be the way to make it work.

Let me know if it works!

Regards,

Julio

Re: ASA5505 nat-issues

Samuel Eng — Thu, 24 May 2012 21:44:07 GMT

Thanks for your reply. Just don't know where you got the 192.168.254.0-subnet from?

Re: ASA5505 nat-issues

Julio Carvajal — Thu, 24 May 2012 23:28:55 GMT

Hello Samuel,

The issue here is that the flow of the traffic (packet) is not the same for the outgoing and incoming packet. So we need to change that.

In order to do it we will nat the Inside1 local subnet to a Diferent subnet ( a ghost subnet) that the router will only know it by the ASA.

This will force the router to always send the traffic to the ASA.

Regards,

Rate all the posts that help.