topic Re: Static NAT problem due to new version in Network Security

Static NAT problem due to new version

netbin2009 — Mon, 11 Mar 2019 21:36:53 GMT

Hi!

i´m trying to make a traditional port forward (http to http) on our new asa5510. Previous releases off 5505 and software prior 8.3 was no problem. Could someone tell me how do it in new 8.4 version? I ám a rookie on the new ASA series!

My setup is as this (config not in full info):

interface Ethernet0/0

nameif outside

security-level 0

ip address 87.96.xxx.75 255.255.255.128

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.200.2 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside-entry extended permit tcp any host 87.96.xxx.75 eq www

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in_1 extended permit tcp any any eq www

nat (inside,sll) source dynamic obj_any interface

object network obj_any

nat (inside,outside) dynamic interface

object network SRV02

nat (outside,inside) static interface service tcp www www

access-group outside_access_in_1 in interface outside

access-group inside_access_in in interface inside

access-group sll_access_in in interface sll

route outside 0.0.0.0 0.0.0.0 87.96.xxx.1 1

If nothing makes sense in this configuration please give example on how to do it correct. The object on the inside is SRV02 wich is running a webserver on port 80. So i want to open upp for http on outside interface and forward that traffic to srv02 (inside webserver)

I aslo tried to use Public Server Wizard but i fail even there. Se attached image.

Static NAT problem due to new version

Jennifer Halim — Wed, 12 Oct 2011 13:19:37 GMT

The line interface is the other way round:

object network SRV02

nat (outside,inside) static interface service tcp www www

should be:

object network SRV02

nat (inside,outside) static interface service tcp www www

Static NAT problem due to new version

netbin2009 — Wed, 12 Oct 2011 13:46:45 GMT

Hi!

In all my tries i reversed it....sorry. This does not help. Could it be that i cannot use my outside interface ipaddress for my purpose? Do i need another ipadress "attached" to my outside interface to make rules like NAT? I wonder why even the public server wizard doesn´t work? Is there a know bug that the wizard doesn´t work? Thanks for your quick and good reply!

Static NAT problem due to new version

cadet alain — Wed, 12 Oct 2011 14:14:48 GMT

Hi,

access-list outside_access_in extended permit tcp any interface outside eq www

In newest code you must use the private address not the public natted address so you must change your ACL like this:

access-list outside_access_in extended permit tcp any eq www

Regards.

Alain.

Static NAT problem due to new version

netbin2009 — Thu, 13 Oct 2011 07:11:48 GMT

I tried your suggestion access-list outside_access_in extended permit tcp any eq www

but it didn´t work. Just for information a had to specify mask after . Any other suggestion?

Re: Static NAT problem due to new version

netbin2009 — Thu, 13 Oct 2011 07:40:28 GMT

It looks like the traffic flow and rules are correct but it still doesn´t work.

Re: Static NAT problem due to new version

netbin2009 — Thu, 13 Oct 2011 13:55:45 GMT

I did a factory default reset and tried some. Please have a look and see if i missed out something. I changed to forward smtp service instead of http.

ASA Version 8.4(1)

hostname ciscoasa

enable password 2IDkypgMdFNeCGP1 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif outside

security-level 0

ip address 87.96.xxx.75 255.255.255.128

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.200.2 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.0.1 255.255.255.0

management-only

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network 87.96.222.1

host 87.96.222.1

object network srv02

host 192.168.200.51

access-list outside_access_in extended permit tcp any host 192.168.200.51 eq smtp

access-list outside_access_in_1 extended permit tcp any any eq smtp

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network obj_any

nat (inside,outside) dynamic interface

object network srv02

nat (inside,outside) static interface service tcp smtp smtp

access-group outside_access_in_1 in interface outside

route outside 0.0.0.0 0.0.0.0 87.96.XXX.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 management

http 192.168.200.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

vpn-addr-assign local reuse-delay 5

dhcpd address 192.168.0.2-192.168.0.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

Cryptochecksum:e36b774ee17e4905da70de245a3dea85

: end

ciscoasa(config)#

Static NAT problem due to new version

cadet alain — Thu, 13 Oct 2011 14:03:13 GMT

Hi,

object network SRV02

nat (outside,inside) static interface service tcp www www

Isn't there something missing here like the ip address of SRV02 ?

object network SRV02

host x.x.x.x where x.x.x.x is private address of SRV02

nat (inside,outside) static interface service tcp www www

Alain.

Static NAT problem due to new version

varrao — Thu, 13 Oct 2011 14:07:28 GMT

Hi Fredrick,

Can you use this particular nat instead:

object service tcp_25

service tcp destination eq 25

nat (outside,inside) source static any any destination static interface srv02 service tcp_25 tcp_25

If it still does not work.

take captures and paste here:

access-list cap permit tcp any host 87.96.xxx.75 eq 25

access-list cap permit tcp host 87.96.xxx.75 any eq 25

access-list cap permit tcp host 192.168.200.51 any eq 25

access-list cap permit tcp any host 192.168.200.51 eq 25

cap capin access-list cap interface inside

cap capo access-list cap interface outside

Initiate some traffic after that and chcek "show cap capin" and "show cap capo"

Thanks,

Varun

Re: Static NAT problem due to new version

netbin2009 — Fri, 14 Oct 2011 06:48:28 GMT

Here is the capture:

1: 06:43:02.344876 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

2: 06:43:05.327802 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

3: 06:43:11.327787 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

4: 06:43:27.957454 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192

5: 06:43:30.953472 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192

6: 06:43:36.953930 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192

6 packets shown

6 packets captured

1: 06:43:02.344617 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192

2: 06:43:05.327726 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192

3: 06:43:11.327726 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192

4: 06:43:27.957195 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192

5: 06:43:30.953411 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192

6: 06:43:36.953869 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192

6 packets shown

Thanks!

Re: Static NAT problem due to new version

varrao — Fri, 14 Oct 2011 06:56:52 GMT

Hi Fredrik,

I guess we now have the picture a bit more clear:

If you see in the captures, there is no replies from the server for the request, like for a pibg you get request timeout, similarly for tcp, you get SYN timeout and thats what happening.

The client is sending a request to the server but not getting any reply back:

1: 06:43:02.344876 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

2: 06:43:05.327802 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

3: 06:43:11.327787 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

Next step woudl be to troubleshoot on the server end, check if any firewall on the server is blocking the conection or why is it not responding back to the requests.

Hope that helps,

Thanks,

Varun

Re: Static NAT problem due to new version

netbin2009 — Fri, 14 Oct 2011 07:12:05 GMT

Thanks for your quick reply! As far as i can check there is no trouble accessing smtp service from inside network. I tried creating the rule in our production Astaro fw and that is work perfectly. Could there be a bug? I think i should try either downgrade or reinstall the running firmware. Any other suggestion i could try?

Static NAT problem due to new version

varrao — Fri, 14 Oct 2011 07:51:47 GMT

Can you try this natting:

nat (outside,inside) 1 source dynamic any interface destination static interface srv02 service tcp_25 tcp_25

I dont see this to be a issue with the firewall, beacuse firewall is forwarding the packets but no receiving any replies.

Can you test this and let me know.

Varun

Re: Static NAT problem due to new version

netbin2009 — Fri, 14 Oct 2011 08:09:44 GMT

This is working! Can you explain why?

Static NAT problem due to new version

varrao — Fri, 14 Oct 2011 08:17:12 GMT

Fantastic....Check the route and default gateway on the server, it is responding correctly to its own subnet but not sending packets for internet ip's back to the ASA inside interface. Check what is the gateway on the server.

Hope that helps,

Varun

Re: Static NAT problem due to new version

netbin2009 — Fri, 14 Oct 2011 08:29:15 GMT

Thanks for pointing it out. Inside interface do have ip 192.168.200.2 and the old firewall is serving 192.168.200.1 Clients/servers on inside is configured towards the "old" default gateway....

So your latest nat suggestion really make inside interface listen to inside traffic on specific port and could pick up that. Is it the dynamic statement that do this magic?

Thanks again!

Static NAT problem due to new version

varrao — Fri, 14 Oct 2011 08:34:50 GMT

Hi Fredrik,

Yes, in the nat statement, the users coming from internet are dynamically patted to the inside interface, while the destination server is statically port forwarded to the outside interface. So teh serevr woudl see the request coming from your inside interface.

Hope that helps.

Thanks,

Varun