topic I can not to connect to nated address in Network Security

I can not to connect to nated address

pslavkovsky — Mon, 11 Mar 2019 22:38:47 GMT

I have server with real address 10.173.1.242, i created static nat to address 10.164.32.15, but I can not to connect to address 10.164.32.15 from IP 10.161.111.130, here is config of ASA:

Peter

ASA Version 8.0(5)

names

interface GigabitEthernet0/0

nameif intranet

security-level 30

ip address 10.164.241.1 255.255.255.0 standby 10.164.241.2

interface GigabitEthernet0/1

nameif cdi

security-level 80

ip address 10.173.241.1 255.255.255.0 standby 10.173.241.2

interface GigabitEthernet0/2

no nameif

no security-level

no ip address

interface GigabitEthernet0/2.491

vlan 491

nameif service491

security-level 50

ip address 10.173.1.241 255.255.255.0 standby 10.173.1.240

interface GigabitEthernet0/2.492

vlan 492

nameif service492

security-level 50

ip address 10.173.2.241 255.255.255.0 standby 10.173.2.240

interface GigabitEthernet0/2.493

vlan 493

nameif service493

security-level 50

ip address 10.173.3.241 255.255.255.0 standby 10.173.3.240

interface GigabitEthernet0/2.500

vlan 500

nameif service500

security-level 50

ip address 10.173.0.241 255.255.255.0 standby 10.173.0.240

interface GigabitEthernet0/2.550

vlan 550

nameif service550

security-level 50

no ip address

interface GigabitEthernet0/3

description LAN Failover Interface

boot system disk0:/asa805-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name t-dc.sk

access-list cdi-in extended permit icmp any any log debugging

access-list cdi-in extended deny ip any any

access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 host 10.0.0.0 log debugging

access-list intranet-in extended permit ip 10.164.32.0 255.255.255.0 host 10.0.0.0 log debugging

access-list intranet-in extended deny ip any any

access-list service491-in extended permit icmp any any log debugging

access-list service491-in extended deny ip any any

access-list service492-in extended deny ip any any

access-list service493-in extended deny ip any any

access-list service500-in extended deny ip any any

access-list service550-in extended deny ip any any

access-list cap extended permit ip any any

pager lines 24

logging buffered debugging

logging trap debugging

logging asdm debugging

logging host service491 10.173.1.242

mtu intranet 1500

mtu cdi 1500

mtu service491 1500

mtu service492 1500

mtu service493 1500

mtu service500 1500

mtu service550 1500

mtu mngmt 1500

ip local pool pool1 10.31.250.129-10.31.250.255 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/3

failover interface ip failover 172.16.10.1 255.255.255.252 standby 172.16.10.2

no monitor-interface intranet

no monitor-interface cdi

no monitor-interface mngmt

icmp unreachable rate-limit 1 burst-size 1

icmp permit any intranet

icmp permit any cdi

icmp permit any service491

icmp permit any service492

icmp permit any service493

icmp permit any service500

icmp permit any service550

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255

access-group intranet-in in interface intranet

access-group cdi-in in interface cdi

access-group service491-in in interface service491

access-group service492-in in interface service492

access-group service493-in in interface service493

access-group service500-in in interface service500

access-group service550-in in interface service550

route intranet 0.0.0.0 0.0.0.0 10.164.241.5 1

route cdi 10.97.0.0 255.255.0.0 10.173.241.5 1

route cdi 10.168.0.0 255.255.0.0 10.173.241.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint localtrust

enrollment self

fqdn sslvpn.t-dc.sk

keypair sslvpnkeypair

crl configure

crypto ca certificate chain localtrust

certificate c116474f

308201e7 30820150 a0030201 020204c1 16474f30 0d06092a 864886f7 0d010104

bce 90a3424e

f9f040e2 95c69b91 779b8a

quit

no crypto isakmp nat-traversal

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point localtrust intranet

webvpn

enable intranet

svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

svc enable

group-policy GrpPolicy-ssl1 internal

group-policy GrpPolicy-ssl1 attributes

vpn-tunnel-protocol svc

tunnel-group ssl1 type remote-access

tunnel-group ssl1 general-attributes

address-pool pool1

default-group-policy GrpPolicy-ssl1

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:be82cd121bde8e5de3981453caa201f0

: end

I can not to connect to nated address

Kimberly Adams — Tue, 06 Mar 2012 17:15:24 GMT

Peter,

Are you seeing any deny's in the log files? This kind of smells like someting is being denyed from the access lists. Also, where does the 10.161.111.X network reside?

Thanks,

Kimberly

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 17:18:19 GMT

Hi,

I see no denys in logg.

10.161.111. is on intranet interface

Peter

I can not to connect to nated address

Kimberly Adams — Tue, 06 Mar 2012 17:31:23 GMT

Peter,

Have you tried running a packet capture while trying to connect?

Thanks,

Kimberly

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 17:39:06 GMT

yes, I tried capture on intranet interfacem but I did not see any packet.

But I have no problem to connect intranet interface of ASA via ASDM

Peter

Re: I can not to connect to nated address

johuggin — Tue, 06 Mar 2012 19:06:00 GMT

Peter,

From your configuration:

access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 host 10.0.0.0 log debugging

access-list intranet-in extended permit ip 10.164.32.0 255.255.255.0 host 10.0.0.0 log debugging

access-list intranet-in extended deny ip any any

You're permitting access to 10.0.0.0 but you're using the 'host' keyword. This is causing a 255.255.255.255 mask which isn't going to allow what you want.

Try adding this:

access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 host 10.164.32.15

Re: I can not to connect to nated address

Julio Carvajal — Tue, 06 Mar 2012 20:09:19 GMT

Hello,

Joseph advise should do it... If by any chance that does not make it please add the following and provide us the output:

packet-tracer input intranet tcp 10.161.11.1130 1025 10.164.32.15 80

Regards,

Julio

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 20:26:35 GMT

I corrected mistake which was found by Joseph, but it still not working

SO i did packet-tracer...

pna-tdc1# packet-tracer input intranet tcp 10.161.11.130 1025 10.164.32.15 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface service491
Untranslate 10.164.32.15/0 to 10.173.1.242/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group intranet-in in interface intranet
access-list intranet-in extended deny ip any any
Additional Information:

Result:
input-interface: intranet
input-status: up
input-line-status: up
output-interface: service491
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

pna-tdc1#

Re: I can not to connect to nated address

Sajan Thomas — Tue, 06 Mar 2012 20:40:36 GMT

Please remove this line and check

access-list intranet-in extended deny ip any any

Coz, in phase 4 it is showing

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

One more quest where is the IP

10.164.32.15 belongs?

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 20:48:59 GMT

I have no account on server so I can not to ping from server.

I removed

access-list intranet-in extended deny ip any any

but it is stiil the same.

What you think about phase3

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface service491
Untranslate 10.164.32.15/0 to 10.173.1.242/0 using netmask 255.255.255.255

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 21:11:48 GMT

i corrected "packet-tracer..." there was mistake, 10.161.11.130 instead 10.161.111.130

pna-tdc1# packet-tracer input intranet tcp 10.161.111.130 1025 10.164.32.15 22

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface service491
Untranslate 10.164.32.15/0 to 10.173.1.242/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group intranet-in in interface intranet
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 10.0.0.0 255.0.0.0 log debugging
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2956, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.173.1.242 using egress ifc service491
adjacency Active
next-hop mac address 0014.4fed.bb6c hits 41

Result:
input-interface: intranet
input-status: up
input-line-status: up
output-interface: service491
output-status: up
output-line-status: up
Action: allow

pna-tdc1#
pna-tdc1#

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 21:21:56 GMT

router which is in front of ASA has this in arp cache:

router#sh arp | i 10.164.32.15

Internet 10.164.32.15 0 Incomplete ARPA

router#

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 21:26:21 GMT

it looks that router can not to reslove 10.164.32.15 to MAC address via arp request. What do you think?

I can not to connect to nated address

Julio Carvajal — Tue, 06 Mar 2012 21:37:20 GMT

Hello,

That is correct, that seems to be the problem.

Now on the packet-tracer we can see that everything is properly configured on the ASA site ( the NAT, ACLs,inspections, etc) is properly configured.

Do you have a route from the router to that ip via the ASA?

Regards,

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 21:40:41 GMT

router#sh ip route | i 10.164.32.0

C 10.164.32.0/24 is directly connected, GigabitEthernet0/0.2

router#

I can not to connect to nated address

pslavkovsky — Tue, 06 Mar 2012 22:29:01 GMT

it is resolved. thank you all