<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ASA NAT Issue in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614772#M577265</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Bryan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you need outbound access for those devices then you use nat/global.&lt;/P&gt;&lt;P&gt;ie.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;nat (inside) 1 First_Range MASK&lt;/P&gt;&lt;P&gt;global (outside) 1 PUBLIC_IP_1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;nat (inside) 2 Second_Range MASK&lt;/P&gt;&lt;P&gt;global (outside) 2 PUBLIC_IP_2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In the above example, the First_Range private IPs will be translated to PUBLIC_IP_1&lt;/P&gt;&lt;P&gt;The second range will be translated to PUBLIC_IP_2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the other hand if you need inbound access, you require a STATIC NAT.&lt;/P&gt;&lt;P&gt;Static NAT is bidirectional so it will work both inbound/outbound.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can use Port Redirection in the static NAT to translate a range of private IPs to a single public IP and vice versa.&lt;/P&gt;&lt;P&gt;For inbound access, an ACL allowing the traffic is required as well.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope it helps.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Federico.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 21 Dec 2010 03:47:27 GMT</pubDate>
    <dc:creator>Federico Coto Fajardo</dc:creator>
    <dc:date>2010-12-21T03:47:27Z</dc:date>
    <item>
      <title>ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614771#M577264</link>
      <description>&lt;P&gt;I hope someone can point me in the correct direction here.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a client that needs 4 machines with static internal addresses. He is using a remote filtering service that filters by public IP. I have set the proper NAT and Global statements I believe. The unfiltered and filtered machines are all on the same /24 subnet so I set up object-group lists with individual ip ranges for filtered and unfiltered and then created access-lists that are mapped via the NAT statements. Basically, I need client IP's 192.168.1.1-35 to be on one public IP and clients 192.168.1.130-140 on a separate public IP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After setting all that up I get a SYN Timeout statement in the logs, it looks to me as if the traffic gets out but does not route back in. The second public IP I am using is available and points through our perimeter router so there is no issue there.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do I need a static statement to translate the secondary IP in to the public side?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Bryan.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 19:25:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614771#M577264</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2019-03-11T19:25:26Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614772#M577265</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Bryan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you need outbound access for those devices then you use nat/global.&lt;/P&gt;&lt;P&gt;ie.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;nat (inside) 1 First_Range MASK&lt;/P&gt;&lt;P&gt;global (outside) 1 PUBLIC_IP_1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;nat (inside) 2 Second_Range MASK&lt;/P&gt;&lt;P&gt;global (outside) 2 PUBLIC_IP_2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In the above example, the First_Range private IPs will be translated to PUBLIC_IP_1&lt;/P&gt;&lt;P&gt;The second range will be translated to PUBLIC_IP_2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the other hand if you need inbound access, you require a STATIC NAT.&lt;/P&gt;&lt;P&gt;Static NAT is bidirectional so it will work both inbound/outbound.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can use Port Redirection in the static NAT to translate a range of private IPs to a single public IP and vice versa.&lt;/P&gt;&lt;P&gt;For inbound access, an ACL allowing the traffic is required as well.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope it helps.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Federico.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 03:47:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614772#M577265</guid>
      <dc:creator>Federico Coto Fajardo</dc:creator>
      <dc:date>2010-12-21T03:47:27Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614773#M577266</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you for your quick response Federico.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The example that you displayed is essentially what I have, except for the ACL. How would I write that to reference the secondary public ip?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Bryan.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 03:56:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614773#M577266</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-21T03:56:48Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614774#M577267</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Bryan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You need to check if there's an ACL already applied in the inbound direction on the outside interface:&lt;/P&gt;&lt;P&gt;sh run access-group&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Let's say the name of the ACL is OUTSIDE (or create a new ACL).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list OUTSIDE permit tcp any host PUBLIC_IP_2 eq 80&lt;/P&gt;&lt;P&gt;access-list OUTSIDE permit tcp any host PUBLIC_IP_2 eq 25&lt;/P&gt;&lt;P&gt;...&lt;/P&gt;&lt;P&gt;access-group OUTSIDE in interface outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The above ACL allows incoming TCP traffic from any source (Internet) to PUBLIC_IP_2 for web traffic and SMTP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Federico.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 04:04:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614774#M577267</guid>
      <dc:creator>Federico Coto Fajardo</dc:creator>
      <dc:date>2010-12-21T04:04:58Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614775#M577268</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks again Federico,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I will take a look at this in the morning. As I recall, there was not an inbound ACL present. I feel better about this since I have some sort of heading now. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Just to be sure, adding that ACL will not open up free access from the outside world without having a static entry in place correct?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Bryan.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 04:35:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614775#M577268</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-21T04:35:05Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614776#M577269</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Well.....&lt;/P&gt;&lt;P&gt;Creating an ACL (and applying it inbound on the outside interface), allows for inbound traffic (whatever traffic allowed on the ACL).&lt;/P&gt;&lt;P&gt;Remember there's an implicit deny any at the end (anything not explicitly permitted is denied).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In order to be able to initiate inbound traffic, besides the ACL a static NAT is required. So one would think that if not having static NAT, then no traffic could enter the ASA.... BUT...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There are other methods, ie NAT 0 with ACL also allows traffic from outside-to-inside.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In short, in normal circumstances, the fact of creating an ACL without static NAT should not be a problem, I will strongly recommend against that and instead just permit the desired traffic in the ACL (no more).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope it helps.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Federico.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 04:44:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614776#M577269</guid>
      <dc:creator>Federico Coto Fajardo</dc:creator>
      <dc:date>2010-12-21T04:44:05Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614777#M577270</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Great. Thank you very much! This helped tremendously. Unlike a normal everyday forum, the CSC forums are almost like an instant help line for those of us still learning this Cisco stuff. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 04:51:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614777#M577270</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-21T04:51:35Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614778#M577271</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Bryan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for the kind words, I honestly believe this is the best forum/community out there &lt;span class="lia-unicode-emoji" title=":winking_face_with_tongue:"&gt;😜&lt;/span&gt;&lt;/P&gt;&lt;P&gt;And believe me... we are all still learning &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you found this one helpful please mark it as answered and rate it!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Federico.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 04:55:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614778#M577271</guid>
      <dc:creator>Federico Coto Fajardo</dc:creator>
      <dc:date>2010-12-21T04:55:20Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614779#M577272</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Will do. I'm on my Blackberry at the moment, but will do that as soon as I get a chance.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 05:09:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614779#M577272</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-21T05:09:07Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614780#M577273</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Ok, unfortunately, no go on this. For testing purposes I created a NAT entry for a single host. I also have created a corresponding global entry as seen below:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;nat (inside) 2 client_ip 255.255.255.255&lt;/P&gt;&lt;P&gt;global (outside) 2 public_ip netmask 255.255.255.224&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It seems the traffic is going out of the ASA just fine, but it does not get back in for some reason or another. After checking the logs I see the connection build messages and a few teardown messages with "SYN Timeout" at the end about 30 seconds after the original translation entry is built.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I believe the NAT-ting is working fine from seeing this since the ASA looks to be expecting a response. My question is, would the issue be an ACL problem with my ASA, or with my ISP's router (which is the next hop) maybe not having this IP routed to us? I have left a message with our ISP contact already so I am hoping the issue may be on their side.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don't feel the issue could be with an ACL because I do not get any "connection denied" messages in the debug logging.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any more help is greatly appreciated!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Bryan.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 22:03:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614780#M577273</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-21T22:03:58Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614781#M577274</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Bryan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you see the traffic going out (NATing is working), the SYN timeout indicates that there's no response from the outside host.&lt;/P&gt;&lt;P&gt;It sounds like traffic is going out but no reply is received.&lt;/P&gt;&lt;P&gt;This is not a problem with the ACL, because the ACL applied to the outside interface only checks inbound traffic (not replies for traffic originated from inside).&lt;/P&gt;&lt;P&gt;In other words, the outside ACL only checks inbound traffic initiated from the outside coming inside the ASA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Questions:&lt;/P&gt;&lt;P&gt;Can you actually PING the outside host from the internal device? Or from the ASA?&lt;/P&gt;&lt;P&gt;Perhaps this outside device is just not responding to your requests.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Federico.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 22:23:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614781#M577274</guid>
      <dc:creator>Federico Coto Fajardo</dc:creator>
      <dc:date>2010-12-21T22:23:32Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614782#M577275</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sorry, I forgot the meaning of the term stateful firewall. Ha ha.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am able to ping any internet host from the client that is being NAT-ted. The issue I am having is while trying to browse to a website, or IE: whatismyip.com to see if the NAT is working, or even just google or yahoo. No matter what website I go to, the page will not come up since there is no communication back from the server side.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 22:30:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614782#M577275</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-21T22:30:37Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614783#M577276</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So, the host definitely gets to the internet (PING), the problem is just opening a web page (any page)?&lt;/P&gt;&lt;P&gt;This could be a DNS issue... can you check the ''nslookup cisco.com'' from the PC to make sure the DNS resolves correctly?&lt;/P&gt;&lt;P&gt;Can you set the DNS to 4.2.2.2 as a test?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;What about opening a browser to: &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="http://198.133.219.25"&gt;http://198.133.219.25&lt;/A&gt;&lt;SPAN&gt; (should get cisco.com)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Federico.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 22:35:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614783#M577276</guid>
      <dc:creator>Federico Coto Fajardo</dc:creator>
      <dc:date>2010-12-21T22:35:44Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614784#M577277</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Nope, I tried pointing to sites via IP address and using nslookup and was still not getting a response. From EVERYTHING I have read online and in Cisco documentation, the NAT and Global entries are all I should need to make the outgoing/public IP address different than the standard Global pool. I have seen the Static command used also and have tried that also on a single host with the same response, or lack thereof.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Assuming this is correct, my issue would most likely lie with the routing being done ahead of me based on the fact that I do not get a response from the distant host. Correct, or am I missing something?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again Federico, you are helping keep another IT colleague sane for 1 more day.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 22:43:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614784#M577277</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-21T22:43:36Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614785#M577278</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&lt;/P&gt;&lt;P class="MsoPlainText"&gt;I also forgot to mention one thing. If I set the ASA's outside interface vlan IP to the IP I am trying to nat the inside client to, I cannot pass traffic. I would again assume the issue is down the line from me from this observation.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 21 Dec 2010 23:28:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614785#M577278</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-21T23:28:08Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614786#M577279</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Bryan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Let's nail down the problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1. You say that you can PING the internet from the inside host? ie ping 4.2.2.2&lt;/P&gt;&lt;P&gt;2. If this is true, nat/global are working fine and you might have an ACL applied to the inside interface not allowing web or dns traffic.&lt;/P&gt;&lt;P&gt;3. To check that traffic is flowing through the ASA in the outbound direction, can do a ''sh xlate local x.x.x.x'' where x.x.x.x is the IP of the inside device. This will show the translation taking place.&lt;/P&gt;&lt;P&gt;4. To reassure that traffic is being sent out by the ASA can apply an ACL outbound to the outside interface&lt;/P&gt;&lt;P&gt;ie access-list TEST permit tcp host PUBLIC_IP any eq 80&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; access-list TEST permit ip any any&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; access-group TEST out interface outside&lt;/P&gt;&lt;P&gt;If you do get hitcounts on the first line ''sh access-list TEST'' then traffic is being sent out by the ASA for outgoing web requests.&lt;/P&gt;&lt;P&gt;5. To check if traffic is coming back to the ASA, we can check the logs.&lt;/P&gt;&lt;P&gt;For web connections, the TCP should establish the three-way handshake.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After this, you can share with us the running-config so we can check it out for you.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Federico.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 22 Dec 2010 02:12:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614786#M577279</guid>
      <dc:creator>Federico Coto Fajardo</dc:creator>
      <dc:date>2010-12-22T02:12:01Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614787#M577280</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Ok, I will try this out and get back to you with the results. If I'm still not successful I will send my config also.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 22 Dec 2010 04:40:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614787#M577280</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-22T04:40:15Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614788#M577281</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I may have a chance to visit the client tomorrow. I will put together the config for what you have suggested and report back.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I did hear back from the ISP and they say the address I am using is routed back to me, so I was wrong about that unfortunately.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again for your help.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Bryan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 23 Dec 2010 04:58:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614788#M577281</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2010-12-23T04:58:06Z</dc:date>
    </item>
    <item>
      <title>Re: ASA NAT Issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614789#M577282</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Ok, so I was able to figure out my issue here. Sorry for the long delay. I spoke with the ISP again after trying these suggestions and then just plugging my laptop in after the router and used the new public IP I was trying to set and also testing the original one that works on the ASA. As I suspected, I was able to get out with the same IP as our ASA but not with the new IP. I then found out that they block all traffic, aside from ICMP, with access lists so that they can prevent usage on other IP's without first using their proxy filter. I asked them to add the new IP to the access-list and voila... it works.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thankfully that is over and I can now try to re-grow my hair again.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again for all of your help.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Bryan.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Jan 2011 20:45:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/1614789#M577282</guid>
      <dc:creator>bboston85</dc:creator>
      <dc:date>2011-01-06T20:45:12Z</dc:date>
    </item>
  </channel>
</rss>

