topic Re: Ping and NAT in Network Security

Ping and NAT

thundercisco — Mon, 11 Mar 2019 19:12:35 GMT

Hi Folks,

I am having issue with pinging from one server on inside (Security level 100) to other subinterface (Security level 60). Server which is pinging is 10.74.20.56 and it is pinging to destination 10.128.4.33. and this 10.128.4.33 is natted to 192.168.14.131 (Destination NATing).

I have allowed icmp(1), snmp,snmp-trap,syslog towards 10.74.20.56.

Here is some of the config:

object-group service SOLARWINDS_ACCESS
description ech
service-object icmp
service-object udp eq snmp
service-object udp eq snmptrap
service-object udp eq syslog

access-list Inside_access_in remark ***Allow All Traffic from Inside ***
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in remark *** TEST ACE ***
access-list Inside_access_in extended deny ip any any
access-list TUNN_INT_access_in remark *** Allow access to Solarwinds ***
access-list TUNN_INT_access_in extended permit object-group SOLARWINDS_ACCESS 10.128.3.0 255.255.255.0 host SOLARWINDS
access-list TUNN_INT_access_in remark *** Allow all traffic***
access-list TUNN_INT_access_in extended permit ip any host SOLARWINDS
access-list UPS_INT_access_in remark *** Allow PING to Solarwinds ****
access-list UPS_INT_access_in extended permit icmp 192.168.14.0 255.255.255.0 host SOLARWINDS object-group ICMP-TRAFF
access-list UPS_INT_access_in remark *** Allow All Traffic ***
access-list UPS_INT_access_in extended permit object-group SOLARWINDS_ACCESS 192.168.14.0 255.255.255.0 host SOLARWINDS
access-list MGT_iDIRECT_access_in remark *** Allow access to Solarwinds ***
access-list MGT_iDIRECT_access_in extended permit object-group SOLARWINDS_ACCESS 10.128.4.0 255.255.255.0 host SOLARWINDS
access-list MGT_iDIRECT_access_in remark *** Allow all access to Solarwinds ***
access-list MGT_iDIRECT_access_in extended permit ip 10.128.4.0 255.255.255.0 host SOLARWINDS inactive
access-list MGT_iDIRECT_access_in remark *** Deny access to all unknown traffic ***
access-list MGT_iDIRECT_access_in extended permit ip any any
access-list PERMIT_ICMP extended permit icmp any object-group NMS-SRV object-group ICMP-TRAFF log
access-list Solarwinds_NMS1 extended permit ip host NMS1 host SOLARWINDS
access-list Solarwinds_NMS2 extended permit ip host NMS2 host SOLARWINDS
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
static (UPS_INT,Inside) 10.128.4.34 access-list Solarwinds_NMS2
static (UPS_INT,Inside) 10.128.4.33 access-list Solarwinds_NMS1
access-group MGT_iDIRECT_access_in in interface MGT_iDIRECT
access-group UPS_INT_access_in in interface UPS_INT
access-group TUNN_INT_access_in in interface TUNN_INT
access-group Inside_access_in in interface Inside

As far as documentation, i should be able to ping it as i am pining from higer to lower level and return traffic is allowed

Please suggest

Re: Ping and NAT

Federico Coto Fajardo — Mon, 22 Nov 2010 15:31:19 GMT

Hi,

When traffic comes from a higher security interface to a lower security interface, the replies are allowed for TCP/UDP traffic.

In case of ICMP, it has to be either allowed by an ACL or inspected.

Check to make sure that the ACL applied to the lower security interface permits the ICMP echo-replies or that ICMP is being inspected by the service-policy to allow the return packets back.

Federico.

Re: Ping and NAT

thundercisco — Wed, 24 Nov 2010 08:01:17 GMT

Hi,

Thnx for response, but problem is that when state inpection is enable it will add original address in statetable and return traffic will not match this state entry and will be denied. e.g

lets say ping source is 10.47.20.56 and destination is 10.128.4.33 and when packet hit interface , entry will be made to state table. and then destination address will be natted to 192.168.14.131, because i am having destination nat enable,. When packet returns back then source will be 192.168.14.131 and destination will be 10.47.20.56 and when this entry will not match to state entry it will be denied

Please suggest

Re: Ping and NAT

cadet alain — Wed, 24 Nov 2010 10:58:28 GMT

Hi,

do some nat exemption for echo-replies to your server.

Regards.

Re: Ping and NAT

thundercisco — Wed, 24 Nov 2010 11:30:09 GMT

Hi,

Please elaborate.

Re: Ping and NAT

cadet alain — Wed, 24 Nov 2010 14:44:00 GMT

Example:

nat (inside) 0 access-list no_nat : nat 0 is nat exemption and the ACL tells
 which traffic to exempt from nat.

Re: Ping and NAT

thundercisco — Wed, 24 Nov 2010 14:49:39 GMT

But lets say if issue nat (0) for traffic coming from inside then i

will no be able to rach my servers, as servers real ip address is 192.168.14.131 and this address not reachable from inside.

So i will have to NAT this is the reason i did destination nat. Source 10.47.20.56 dest 10.128.4.33 and when packet arrives this way then destination will be NATed to 192.168.14.131. It will reach the destination i could see it capture, but on the way back they are dropped. I

Re: Ping and NAT

thundercisco — Fri, 26 Nov 2010 18:41:01 GMT

Problem is fixed, i found that packet coming back was coming on different interface than orignating. so ifixed routing and problem solved