topic Dynamic NAT can be verified by Ping? in Network Security

Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Mon, 11 Mar 2019 22:14:50 GMT

Hi Jcarvaja and all :

I have problem to verify the Dynamic NAT by Ping. First of all, can Dynamic NAT verified by Ping?

Following is my configuration of Dymanic NAT from Inside to DMZ. (My Inside Network is 192.168.100.0/24 and dmz network is 192.168.50.0/24).

nat (inside) 20 192.168.100.0 255.255.255.0

global (dmz) 20 192.168.50.151-192.168.50.160

When I use a host at inside with IP 192.168.100.x to ping a host at dmz with 192.168.50.x, it always fails and the result is failed also in reverse direction: from dmz to inside.

Before these two command lines, hosts from both sides can ping each other.

Is it any way (by adding command or other commands) that can make ping to verify the Dynamic NAT? Or that is no way can verify Dynamic NAT by ping?

Thanks for your answer in advance!

Best regards,

tangsuan

Dynamic NAT can be verified by Ping?

Julio Carvajal — Mon, 16 Jan 2012 19:13:59 GMT

Hello Tang,

The thing is that you are doing PAT here, and as you know it uses translation based on source IP and Port and ICMP does not use ports so you would not be able.

That is why I see in this particular scenario,

Julio

Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Tue, 17 Jan 2012 01:45:36 GMT

Hi Jcarvaja :

Thanks for your reply!

If in this case, how can I use any tool to verify the dynamic NAT is working fine?

I have tried to use Packet Tracer in term of ICMP or TCP to track packet from Inside to DMZ or DMZ to Inside, it seems like the packet drops at the NAT's step and cannot reach to the end IP address.

What is the problem and anything can help? Thanks!

Regards,

tangsuan

Dynamic NAT can be verified by Ping?

Julio Carvajal — Tue, 17 Jan 2012 02:09:16 GMT

Hello,

What about the configuration of the nat on the DMZ ?

Can you provide us the full nat configuration.

Regards,

Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Tue, 17 Jan 2012 02:18:25 GMT

Hi Jcarvaja :

Sorry that I have to amend above description that when doing packet tracing from inside to dmz, it is fine and show no packet drop.

The packet drop happens when doing packet tracing from dmz to inside, it shows packet drop at the step of NAT lookup.

How to ensure also when doing the packet tracing from dmz to inside, it has no packet drop at the step of NAT Lookup?

Is it any way out for it?

Many thanks!

tangsuan

Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Tue, 17 Jan 2012 02:27:32 GMT

Hi Jcarvaja :

Below is the config file at the portion of nat and global.:

ciscoasa# conf t

ciscoasa(config)# sh run nat

nat (inside) 20 192.168.100.0 255.255.255.0

ciscoasa(config)# sh run global

global (dmz) 20 192.168.50.151-192.168.50.160

It seems like one packet tracing direction from inside to dmz is OK. Is it should be the way and what is the implication that the reverse packet tracing is not OK and will it affect any traffic flow from DMZ to Inside?

If I want to make the packet tracing from DMZ to Inside is OK, any command line can help to do that?

Thanks!

Regards,

tangsuan

Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Tue, 17 Jan 2012 03:42:37 GMT

Hi Jcarvaja :

Below is another info on the show NAT :

ciscoasa(config)# sh nat

NAT policies on Interface inside:
match ip inside 192.168.100.0 255.255.255.0 inside any
    dynamic translation to pool 20 (No matching global)
    translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.100.0 255.255.255.0 dmz any
    dynamic translation to pool 20 (192.168.50.151 - 192.168.50.160)
    translate_hits = 12, untranslate_hits = 4
match ip inside 192.168.100.0 255.255.255.0 outside any
    dynamic translation to pool 20 (No matching global)
    translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.100.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 20 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface dmz:
match tcp dmz host 192.168.50.220 eq 56789 outside any
    static translation to 192.168.20.1/56789
    translate_hits = 0, untranslate_hits = 0
match ip dmz host DRMServer outside any
    static translation to MapAddDMZtoOutside
    translate_hits = 0, untranslate_hits = 0

If you need more info, please let me know.

Thanks!

tangsuan

Dynamic NAT can be verified by Ping?

Julio Carvajal — Tue, 17 Jan 2012 04:13:56 GMT

Hello,

I wanted to see the entire Nat configuration, is that all you have ( those 2 nat statements)

nat (inside) 20 192.168.100.0 255.255.255.0

global (dmz) 20 192.168.50.151-192.168.50.160

Is that all you have configured.

I think there is a nat (dmz) global (outside). Am I right?

Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Tue, 17 Jan 2012 06:28:31 GMT

Hi Jcarvaja :

I just have nat (inside) and global (dmz).

I do not use nat (dmz) and global (outside). Let me know if you need more info or entire config file. Thanks!

regards,

tangsuan

Dynamic NAT can be verified by Ping?

Julio Carvajal — Tue, 17 Jan 2012 17:55:45 GMT

Hello Tang,

Traffic from the inside to the DMZ ( Higher to lower security level traffic) should be allowed and the returning traffic should not need any nat translation as you are not doing any nat on the DMZ,

Just in case lets do the following:

static (dmz,inside) DMZ_network_ip DMZ_network_ip netmask 255.255.255.0

If you can please provide a packet-tracer

Regards,

Rate post that help.

Julio

Dynamic NAT can be verified by Ping?

lcambron — Tue, 17 Jan 2012 19:49:57 GMT

Hi Tangsuan,

The issues here is that you are translating the source IP address from inside to dmz, and when you try a connection from dmz to inside this will be dropped due to NAT rpf-check. In other words the packet from DMZ to inside is not translated but the reply will be translated and the ASA will not allow this. The packet has to use the same NAT statement both ways.

You can use static NAT or NAT0 which are bidirectional, but you cannot use PAT if you want the connection to work from inside to DMZ and vise versa.

I hope this helps,

Felipe.

Re: Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Wed, 18 Jan 2012 02:15:12 GMT

Hi Jcarvaja :

I tried adding the command line as you suggested :

static (dmz,inside) DMZ_network_ip DMZ_network_ip netmask 255.255.255.0

and the result is the same that the packet is dropped at the NAT by Packet Tracer when doing the TCP from dmz to inside. Please see below picture for reference. I think this should be the way as Dynamic NAT will fail from low security site to higher security site.

Thanks!

Re: Dynamic NAT can be verified by Ping?

Julio Carvajal — Wed, 18 Jan 2012 04:40:27 GMT

Hello Tang,

I understood the problem different, in this case you are innitiating the connection from the DMZ ( lower security level) to the inside ( higher security level ) so you will need 2 things:

1- ACL on the DMZ interface allowing the connection

2-Identity nat or Nat 0 as my co-worker Luis Cambronero suggested, he is right you need a bi-derectional nat statement so pelase do the following:

1-access-list dmz_in permit ip any any

access-group dmz_in in interface dmz

2- static (inside,dmz) 192.168.100.2 192.168.100.2

packet-tracer input dmz tcp permit 192.168.50.15 1025 192.168.100.2 80

And you will see it working.

Regards,

Rate helpful posts!!

Julio

Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Wed, 18 Jan 2012 06:53:30 GMT

Hi Jcarvaja :

OK. I tried to add the command :

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

and this work for both directions. This shows that only static nat can have bi-direction and it overide the Dynamic Nat which still in the config file.

I will close this discussion because it already been answer by you.

thanks!

tangsuan

Dynamic NAT can be verified by Ping?

Tang-Suan Tan — Wed, 18 Jan 2012 06:56:27 GMT

Hi Icambron :

Thanks for your reply!

I get what you mean that dynamic nat can not have the packet tracer pass from high security to low security site.

regards,

tangsuan

Dynamic NAT can be verified by Ping?

Julio Carvajal — Wed, 18 Jan 2012 19:02:11 GMT

Hello Tang,

Glad I could help!!

Regards,

Julio