topic Re: Source address NAT in Network Security

Source address NAT

patrifick — Mon, 11 Mar 2019 20:23:08 GMT

Hi,

I would like to know how can we allow traffic on ports 3389 (rdp) and 8007 which comes from any to 192.168.2.10 but pretend to be a Phones interface 192.168.2.1?

thanks

Patrick

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name bakerlabels.co.uk
names
name 192.168.1.2 securegw
name 10.0.0.29 Barracuda
name 82.111.186.146 sdt
name 10.0.0.31 Bakerctx1
name 10.0.0.32 Bakerctx2
name 10.0.0.2 Bakersvr
name 10.0.0.5 Bakerftp
name 10.0.0.181 Bakerms1
name 217.40.42.124 External_ip_124
name 217.40.42.125 External_ip_125
name 10.0.0.20 Bakerdc1
name 174.36.154.0 Mailpatrol1
name 207.154.50.0 Mailpatrol2
name 208.43.37.0 Mailpatrol3
name 208.70.88.0 Mailpatrol4
name 208.70.89.0 Mailpatrol5
name 208.70.90.0 Mailpatrol6
name 8.70.91.0 Mailpatrol7
name 109.170.153.243 External_ip_243
name 109.170.153.244 External_ip_244
name 90.155.124.49 Crystaline-Comms1
name 94.174.88.222 Crystaline-Comms2
name 109.170.153.245 External_ip_245
name 192.168.2.10 Phone-System
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 109.170.153.242 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan13
nameif phones
security-level 90
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 13
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name bakerlabels.co.uk
object-group network RDP_Group
network-object host sdt
object-group service 2598 tcp
description citrix session reliability
port-object eq 2598
object-group service rdp tcp
description Remote Desktop
port-object eq 3389
object-group network Citrix_Group
network-object host Bakerctx1
network-object host Bakerctx2
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq domain
service-object tcp eq www
object-group network Mailpatrol
network-object Mailpatrol1 255.255.255.0
network-object Mailpatrol2 255.255.255.0
network-object Mailpatrol3 255.255.255.0
network-object Mailpatrol4 255.255.255.0
network-object Mailpatrol5 255.255.255.0
network-object Mailpatrol6 255.255.255.0
network-object Mailpatrol7 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object Mailpatrol1 255.255.255.0
network-object Mailpatrol2 255.255.255.0
network-object Mailpatrol3 255.255.255.0
network-object Mailpatrol4 255.255.255.0
network-object Mailpatrol5 255.255.255.0
network-object Mailpatrol6 255.255.255.0
network-object Mailpatrol7 255.255.255.0
object-group network Crystaline-Comms
network-object host Crystaline-Comms1
network-object host Crystaline-Comms2
object-group service phones-8007 tcp
port-object eq 8007
object-group network DM_INLINE_NETWORK_2
network-object host sdt
group-object Crystaline-Comms
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 host securegw
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host securegw 10.0.0.0 255.255.255.0 object-group rdp
access-list dmz_access_in extended permit tcp host securegw 10.0.0.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp host securegw 10.0.0.0 255.255.255.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host securegw 10.0.0.0 255.255.255.0 eq 2598
access-list dmz_access_in extended permit object-group TCPUDP host securegw 10.0.0.0 255.255.255.0 eq domain
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 host securegw any
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any object-group rdp
access-list outside_access_in extended permit tcp any any eq ldap
access-list outside_access_in extended permit tcp any host External_ip_124 eq https
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any eq https
access-list phones_access_in extended permit ip any any
access-list phones_access_in extended permit tcp any any object-group rdp inactive
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging host inside Bakerdc1
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu phones 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (phones) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Bakerms1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www Bakerms1 www netmask 255.255.255.255
static (inside,outside) tcp interface ldap Bakerdc1 ldap netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Bakerdc1 3389 netmask 255.255.255.255
static (dmz,outside) tcp External_ip_243 https securegw https netmask 255.255.255.255
static (inside,outside) tcp External_ip_243 ftp Bakerftp ftp netmask 255.255.255.255
static (inside,outside) tcp interface https Bakerms1 https netmask 255.255.255.255
static (inside,inside) tcp External_ip_243 ftp-data Bakerftp ftp-data netmask 255.255.255.255
static (phones,outside) tcp External_ip_245 3389 Phone-System 3389 netmask 255.255.255.255
static (phones,phones) tcp External_ip_245 8007 Phone-System www netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (inside,phones) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (phones,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group phones_access_in in interface phones
route outside 0.0.0.0 0.0.0.0 109.170.153.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address Bakersvr-10.0.0.254 inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context

: end

Re: Source address NAT

Shrikant Sundaresh — Tue, 19 Apr 2011 11:15:18 GMT

Hey Patrick,

If I understand correctly, you want traffic reaching 192.168.2.10 to be sourced from 192.168.2.1.

Unfortuantely destination based source natting is a bit unpredictable.

Ideally you can configure something like:

access-list acl1 permit tcp any host 192.168.2.10 eq 3389

access-list acl1 permit tcp any host 192.168.2.10 eq 8007

nat (outside) 1 access-list acl1 outside

global (phones) 1 interface

However, you would need to take care of the other nat rules, as there are a lot of ways this can interfere with a normal NAT setup.

Please let me know if you face any issues, and I will try to help you sort them out.

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

Re: Source address NAT

patrifick — Tue, 19 Apr 2011 13:09:03 GMT

HI,

thanks for the quick reply, I am not sure what to do now, whether to apply it or not. What it the risk involved with creating those rule for NAT? Does 8.3 allow to do what we try to achieve?

regards
Patrick

Re: Source address NAT

Shrikant Sundaresh — Tue, 19 Apr 2011 13:22:31 GMT

Hi Patrick,

I think there can be some issues with nat reverse path check. Not sure though.

I would suggest applying the config and trying it out. From what I see in your config, I think it should work fine.

You can run packet-tracer commands and do a quick check to see if everything is still working.

Focus on the NAT phase in the packet tracer, to see which NAT rule is being hit.

In case you see a problem with one of the packet-tracers, then post the output here, and I will try to point out what might be going wrong.

Syntax:

packet-tracer input tcp detailed

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Re: Source address NAT

patrifick — Tue, 19 Apr 2011 13:35:24 GMT

Hi,

sorry I don't know much about cisco firewalls and their command lines. I use gui to create rules. These are usually simple and most of the time they work.

As I am off site my idea was to connect to ADM remotely and run the config you sent and then test it.

The probem I have now is that when I try to connect to ASDM remotely I get cisco asa unable to launch device manager from 109.170.153.242 which is IP address of the outside interface. I did setup remote access before, but strangly enough this doesn't work on this one. I have attached the current config.

Once I am able to connect remotely via asdm I can test all and hopefully all will work as you suggested.

Patrick

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name bakerlabels.co.uk

names
name 192.168.1.2 securegw
name 10.0.0.29 Barracuda
name 82.111.186.146 sdt
name 10.0.0.31 Bakerctx1
name 10.0.0.32 Bakerctx2
name 10.0.0.2 Bakersvr
name 10.0.0.5 Bakerftp
name 10.0.0.181 Bakerms1
name 217.40.42.124 External_ip_124
name 217.40.42.125 External_ip_125
name 10.0.0.20 Bakerdc1
name 174.36.154.0 Mailpatrol1
name 207.154.50.0 Mailpatrol2
name 208.43.37.0 Mailpatrol3
name 208.70.88.0 Mailpatrol4
name 208.70.89.0 Mailpatrol5
name 208.70.90.0 Mailpatrol6
name 8.70.91.0 Mailpatrol7
name 109.170.153.243 External_ip_243
name 109.170.153.244 External_ip_244
name 90.155.124.49 Crystaline-Comms1
name 94.174.88.222 Crystaline-Comms2
name 109.170.153.245 External_ip_245
name 192.168.2.10 Phone-System
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 109.170.153.242 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan13
nameif phones
security-level 90
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 13
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name bakerlabels.co.uk
object-group network RDP_Group
network-object host sdt
object-group service 2598 tcp
description citrix session reliability
port-object eq 2598
object-group service rdp tcp
description Remote Desktop
port-object eq 3389
object-group network Citrix_Group
network-object host Bakerctx1
network-object host Bakerctx2
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq domain
service-object tcp eq www
object-group network Mailpatrol
network-object Mailpatrol1 255.255.255.0
network-object Mailpatrol2 255.255.255.0
network-object Mailpatrol3 255.255.255.0
network-object Mailpatrol4 255.255.255.0
network-object Mailpatrol5 255.255.255.0
network-object Mailpatrol6 255.255.255.0
network-object Mailpatrol7 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object Mailpatrol1 255.255.255.0
network-object Mailpatrol2 255.255.255.0
network-object Mailpatrol3 255.255.255.0
network-object Mailpatrol4 255.255.255.0
network-object Mailpatrol5 255.255.255.0
network-object Mailpatrol6 255.255.255.0
network-object Mailpatrol7 255.255.255.0
object-group network Crystaline-Comms
network-object host Crystaline-Comms1
network-object host Crystaline-Comms2
object-group service phones-8007 tcp
port-object eq 8007
object-group network DM_INLINE_NETWORK_2
network-object host sdt
group-object Crystaline-Comms
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 host securegw
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host securegw 10.0.0.0 255.255.255.0 object-group rdp
access-list dmz_access_in extended permit tcp host securegw 10.0.0.0 255.255.255.0 eq www
access-list dmz_access_in extended permit tcp host securegw 10.0.0.0 255.255.255.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host securegw 10.0.0.0 255.255.255.0 eq 2598
access-list dmz_access_in extended permit object-group TCPUDP host securegw 10.0.0.0 255.255.255.0 eq domain
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_1 host securegw any
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any object-group rdp
access-list outside_access_in extended permit tcp any any eq ldap
access-list outside_access_in extended permit tcp any host External_ip_124 eq https inactive
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq www
access-list phones_access_in extended permit ip any any
access-list phones_access_in extended permit tcp any any object-group rdp inactive
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging host inside Bakerdc1
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu phones 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (phones) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Bakerms1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www Bakerms1 www netmask 255.255.255.255
static (inside,outside) tcp interface ldap Bakerdc1 ldap netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Bakerdc1 3389 netmask 255.255.255.255
static (dmz,outside) tcp External_ip_243 https securegw https netmask 255.255.255.255
static (inside,outside) tcp External_ip_243 ftp Bakerftp ftp netmask 255.255.255.255
static (inside,outside) tcp interface https Bakerms1 https netmask 255.255.255.255
static (inside,inside) tcp External_ip_243 ftp-data Bakerftp ftp-data netmask 255.255.255.255
static (phones,outside) tcp External_ip_245 3389 Phone-System 3389 netmask 255.255.255.255
static (phones,phones) tcp External_ip_245 8007 Phone-System www netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (inside,phones) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (phones,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group phones_access_in in interface phones
route outside 0.0.0.0 0.0.0.0 109.170.153.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
http sdt 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address Bakersvr-10.0.0.254 inside
!

: end

Re: Source address NAT

Shrikant Sundaresh — Tue, 19 Apr 2011 13:43:46 GMT

Hi Patrick,

According to your config, only the ip address 82.111.186.146is allowed to access the ASDM from outside.

The related config lines are: http sdt 255.255.255.255 outside and name 82.111.186.146 sdt

So unless your ip at your off-site location is the same as sdt, it would not be possible for you to access ASDM.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Re: Source address NAT

patrifick — Tue, 19 Apr 2011 13:47:54 GMT

Hi,

The IP is my external IP which I just added to the config so I don't understand why it doesn't connect.

Patrick

Re: Source address NAT

Shrikant Sundaresh — Tue, 19 Apr 2011 13:59:32 GMT

Hi Patrick,

Please go through the troubleshooting steps mentioned in this document I have written on ASDM access troubleshooting:

https://supportforums.cisco.com/docs/DOC-15016

The error you mentioned is similar to the one ASDM shows when you try to launch it using ASDM launcher on a 64bit OS.

Try accessing ASDM using https:///admin, and check if it works.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Re: Source address NAT

patrifick — Tue, 19 Apr 2011 15:50:12 GMT

Hi,

for the asmd issue, I have found out that the https nat rule was conflicting with exchange/owa so we have changed the DNS. We need to now wait 24h for replications to go through. Once this is done we can continue troubleshoot the asdm external access.Once we establish the cause and resolve the asdm external access we can apply you config. I should know more tomorrow or Thursday

Patrick

Re: Source address NAT

patrifick — Wed, 20 Apr 2011 12:51:34 GMT

Hi,

I have resolved the remote access, but the source NAT rule which you suggested don't work. I have now logged a call with cisco TAC

thanks

Patrick