topic PAT on PPPOE ( DHCP) interface in Network Security

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Mon, 11 Mar 2019 22:21:42 GMT

Hi all,

i am first time using the new ASA IOS ( 8.4) and frankly i am in trouble

I have one PPPOE interface ( Ip assigned from DHCP) i want to use PAT on that interface and divert FTP traffic to the host inside

Can any one please help me in resolving this issue

I am using below command but unfortuntely it is not working

object network ftp_server

nat (inside,outside) static interface service tcp 21 21

access-list FTP_IN extended permit tcp any object ftp_server eq 21

access-group FTP_IN in interface outside

Sh xlate

TCP PAT from inside:172.16.93.12 21-21 to outside:83.x.x.x 21-21

flags sr idle 0:07:14 timeout 0:00:00

Below is the complete config

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 1

72.16.93.0 255.255.255.0 10.175.111.0 255.255.255.0

access-list inside_access_in extended permit ip 172.16.93.0 255.255.255.0 any

access-list DMZ_access_in extended permit ip 10.175.111.0 255.255.255.0 any

access-list DMZ_access_in extended permit icmp any any

access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any

172.16.93.0 255.255.255.0

access-list DMZ_access_in extended deny ip any any

access-list outside_access_in extended deny ip any any

access-list FTP_IN extended permit tcp any object ftp_server eq ftp

nat (DMZ,outside) source dynamic any interface

nat (inside,outside) source dynamic any interface

nat (inside,DMZ) source static any any

object network obj_any

nat (inside,outside) dynamic interface

object network ftp_server

nat (inside,outside) static interface service tcp ftp ftp

access-group inside_access_in in interface inside

access-group FTP_IN in interface outside

access-group DMZ_access_in in interface DMZ

Lookinf for support from community

PAT on PPPOE ( DHCP) interface

integreon — Tue, 31 Jan 2012 13:49:00 GMT

NAT-Control is removed in 8.3|8.4 versions. Use these commands

If I understand your post correctly, you want to do a dynamic PAT of all hosts on the inside interface when they go out the outside. Use below commands.

object network any-0

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

nat (inside,outside) after-auto source dynamic any interface

Hope this helps.

Regards,

Anton

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Tue, 31 Jan 2012 14:05:05 GMT

I want that someone come from outside on outside interface ip and it should directed to the inside host ( 172.16.93.12)

( for FTP) As we do not have pool for the Global Ip addresses.

Re: PAT on PPPOE ( DHCP) interface

integreon — Tue, 31 Jan 2012 14:44:30 GMT

Hey Imram,

Follow these steps.

Step 1: Create a new object group for you web server.

(config)# object network ftpserver

Step 2: Add the IP of the web server to the network group.

(config-network-object)# host 172.16.93.12

Step 3: Forward the port via the NAT command.

(config-network-object)# nat (inside,dmz) static interface service tcp ftp ftp

Step 4: Exit back to the root and add the access list

(config)# access-list outside_access_in permit tcp any object ftpserver eq ftp

Hope it helps.

Best regards,

Anton

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Tue, 31 Jan 2012 14:55:34 GMT

Dear Anton

Thanks for your reply,

I have done same setting but i am unable to connect from outside

i got hits in the implicit deny in the outside interface but no hit on the above access-list ( allowing for ftp)

Any other possible reasons ??

PAT on PPPOE ( DHCP) interface

integreon — Tue, 31 Jan 2012 16:04:20 GMT

Its because of this.

access-list outside_access_in extended deny ip any any

you need to allow ftp

access-list ourside_access_in permit tcp any object ftpserver eq ftp

Hope this helps.

Regards,

Anton

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Tue, 31 Jan 2012 17:15:51 GMT

Dear Anton ,

Thanks for your reply.

I have already added this acl

but hit count is increasing on the deny statment not on the allow statment.

very surprise to me ?

Not sure what exactly be the resaon.

PAT on PPPOE ( DHCP) interface

integreon — Tue, 31 Jan 2012 17:30:38 GMT

Hi Imran,

Can you share your full configuration.

Anton

PAT on PPPOE ( DHCP) interface

lcambron — Tue, 31 Jan 2012 23:59:43 GMT

Can you share the output of:

show run access-group

show access-list FTP_IN

show run nat

You said you don't see hit counts on the ACL.

Seems like you have these two ACLs;

access-list outside_access_in extended deny ip any any

access-list FTP_IN extended permit tcp any object ftp_server eq ftp

If the first one is applied inbound to the outside interface, the second one is not applied.

Captures and packet-tracer migth help.

access-list capture permit tcp any ftp_public_IP eq ftp

capture test access-list capture interface outside

show cap test

packet in outside tcp 8.8.8.8 1025 ftp_public_IP 21

Felipe.

PAT on PPPOE ( DHCP) interface

Julio Carvajal — Wed, 01 Feb 2012 01:59:38 GMT

Hello,

On the show xlate we can see the translation being built.

On the access-groups you have the following:

access-group FTP_IN in interface outside

access-list FTP_IN extended permit tcp any object ftp_server eq ftp

So the ACL is only allowing connections to the FTP server on port 21 witch is what you are looking for.

If you do a ASP capture you will see if the ASA is dropping the packets witch you have this configured like you posted on this post, it should not be happening.

here is the capture you need to make and then attempt a connection:

capture asp type asp-drop all

Try to connect to the FTP server from the outside and finally provide us the following:

Show cap asp | include x.x.x.x ( Ip address of the host you made the connection from)

Regards,

Julio

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Wed, 01 Feb 2012 06:09:20 GMT

HI ALL,

Below is the detail config and the packet trace

It seems some NAT error but i am not sure why the nat error ?

Looking forward for your support

: Saved

ASA Version 8.4(2)

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/5

switchport access vlan 12

interface Vlan1

nameif inside

security-level 100

ip address 172.16.93.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group ISP

ip address pppoe setroute

interface Vlan12

nameif DMZ

security-level 50

ip address 10.175.111.1 255.255.255.0

ftp mode passive

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network uaelan

subnet 172.16.93.0 255.255.255.0

object network dmz_net

subnet 10.175.111.0 255.255.255.0

object network ftpserver

host 172.16.93.12

object-group network dmz

network-object 10.175.111.0 255.255.255.0

object-group network inside

network-object 172.16.93.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.93.0 255.255.255.0 10.175.111.0 255.255.255.0

access-list inside_access_in extended permit ip 172.16.93.0 255.255.255.0 any

access-list DMZ_access_in extended permit ip 10.175.111.0 255.255.255.0 any

access-list DMZ_access_in extended permit icmp any any

access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 172.16.93.0 255.255.255.0

access-list DMZ_access_in extended deny ip any any

access-list outside_access_in extended permit tcp any object ftpserver eq ftp

access-list global_access extended permit ip any any

nat (DMZ,outside) source dynamic any interface

nat (inside,outside) source dynamic any interface

nat (inside,DMZ) source static any any

object network obj_any

nat (inside,outside) dynamic interface

object network ftpserver

nat (inside,outside) static interface service tcp ftp ftp

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

access-group global_access global

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

vpdn group ISP request dialout pppoe

vpdn group ISP localname ASA842

vpdn group ISP ppp authentication pap

vpdn username ASA842 password ***** store-local

dhcpd auto_config outside

dhcpd address 172.16.93.101-172.16.93.250 inside

dhcpd dns 172.16.93.12 interface inside

dhcpd lease 691200 interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

PAT on PPPOE ( DHCP) interface

Julio Carvajal — Wed, 01 Feb 2012 14:30:07 GMT

Hello,

Packet-tracer should be pointing to the outside interface of your asa.

Do it again!

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Wed, 01 Feb 2012 14:50:43 GMT

Thanks for reply

It shows some implicit deny rule error

sh accesss-list outside_access_in

access-list outside_access_in; 2 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit tcp any object ftpserver eq

ftp log notifications interval 300 (hitcnt=0) 0x33d02b01

access-list outside_access_in line 1 extended permit tcp any host 172.16.93.12

eq ftp log notifications interval 300 (hitcnt=1) 0x33d02b01

access-list outside_access_in line 2 extended deny ip any any log informational

interval 300 (hitcnt=106) 0x2c1c6a65

sh run access-group

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

Attached is the snapsohot

PAT on PPPOE ( DHCP) interface

Julio Carvajal — Wed, 01 Feb 2012 17:33:43 GMT

Hello Imra,

access-list outside_access_in line 1 extended permit tcp any object ftpserver eq

ftp log notifications interval 300 (hitcnt=0) 0x33d02b01

Please do the following:

no access-list outside_access_in line 1 extended permit tcp any object ftpserver eq ftp

access-list outside_access_in line 1 permit tcp any host 172.16.93.12 eq 21

Then give it a try!

Regards,

Julio

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Thu, 02 Feb 2012 22:00:30 GMT

Dear julio

thanks for your reply

still the same issue,

not able to connect ftp rom outiside

Any thing is wrong , why packet stuck on implicit denty policy of outside interface

what should i do now ?

now below is the access-list ( Outside_access_in )

access-list outside_access_in; 1 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit tcp any host 172.16.93.12 e

q ftp (hitcnt=0) 0xbd7b5852

sh run access-group

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

and sh nat details

Manual NAT Policies (Section 1)

1 (DMZ) to (outside) source dynamic any interface

translate_hits = 0, untranslate_hits = 0

Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32

2 (inside) to (outside) source dynamic any interface

translate_hits = 320653, untranslate_hits = 51063

Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32

3 (inside) to (DMZ) source static any any

translate_hits = 20117, untranslate_hits = 19926

Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static ftpserver interface service tcp ftp ftp

translate_hits = 0, untranslate_hits = 0

Source - Origin: 172.16.93.12/32, Translated: 83.X.X.X/32

Service - Protocol: tcp Real: ftp Mapped: ftp

2 (any) to (outside) source dynamic obj_any interface

translate_hits = 0, untranslate_hits = 0

Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32

sh run nat

nat (DMZ,outside) source dynamic any interface

nat (inside,outside) source dynamic any interface

nat (inside,DMZ) source static any any

object network obj_any

nat (any,outside) dynamic interface

object network ftpserver

nat (inside,outside) static interface service tcp ftp ftp

sh xlate | incl 172.16.93.12

TCP PAT from inside:172.16.93.12 21-21 to outside:83.x.x.x 21-21

PAT on PPPOE ( DHCP) interface

lcambron — Thu, 02 Feb 2012 23:16:18 GMT

Can you try the the packet tracer on the CLI so we can see the full output?

The packet is hitting the implicit rule because it's not being NAT'ed.

packet in outside tcp 8.8.8.8 1025 83.x.x.x 21

Also, is the FTP active or passive? Client outside or inside?

Felipe.

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Thu, 02 Feb 2012 23:29:56 GMT

Not nate'd .... Why my Nat statment is wrong ?? if wrong what is the correct one ?

I am using ftp connection from outside and using the filezila ftp server and xp ftp client from outside for connection

below is the CLI packet tracer info

packet in outside tcp 8.8.8.8 1025 83.x.x.x 21

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 83.x.x.x 255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

PAT on PPPOE ( DHCP) interface

lcambron — Thu, 02 Feb 2012 23:56:57 GMT

Why do you have:

nat (inside,outside) source dynamic any interface

If you have:

object network obj_any

nat (any,outside) dynamic interface

Can you remove this NAT and try the packet tracer again?

no nat (inside,outside) source dynamic any interface

packet in outside tcp 8.8.8.8 1025 83.x.x.x 21

When using NAT and FTP there are some things to take in consideration.

FTP uses port 21 to establish the connection but uses a random port for data.

Need to find out if it is passive or active. Also port forwarding for a range of ports might be needed.

A one-to-one NAT is preferred.

Felipe.

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Fri, 03 Feb 2012 00:09:51 GMT

Ok understood

if i remove

nat (inside,outside) source dynamic any interface

would it stop all the hosts "inside" to use internet using PAT ( on outside interface) ??

I understand that for data Ftp use different port but we cannot have one to one nat as due to non availaibility of global Ip addresses ( only interface ip address) can be used for incoming traffic .

regards

PAT on PPPOE ( DHCP) interface

imranbhatti151 — Fri, 03 Feb 2012 00:25:31 GMT

ok i remove that statment below is the packet trace output

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 83.x.x.x 255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule