topic Re: static nat on the inside. ASA 8.2 NAT reverse Path.. in Network Security

static nat on the inside. ASA 8.2 NAT reverse Path..

WILLEM KUTSCHRUITER — Mon, 11 Mar 2019 19:13:02 GMT

Dear all.

I have the following situation for which i appreciated some assistance...

Inside a host 10.81.34.55

inside interface 10.81.34.80

using a VPN connection sessions from the datacenter (AMS) are setup to the 10.81.34.55 hosts (INDIA).

These sessions must be translated based on a portnumber to either 10.81.34.97 (port 6004) and 10.81.34.98 (port 6005).

currently we have the following (only relevant) defined:

access-list outside_cryptomap_35 extended permit ip object-group INDIA-XY-SERVERS object-group AMS-XY-SERVERS
access-list outside_access_in extended permit tcp object-group AMS-XY-SERVERS object-group INDIA-XY-SERVERS
access-list PROD extended permit tcp host AMS-PROD host INDIA-XY eq 6004
access-list TEST extended permit tcp host AMS-PROD host INDIA-XY eq 6005
.....
arp timeout 14400
global (outside) 100 IP-PROD
global (outside) 101 IP-TEST
global (outside) 102 interface
nat (inside) 100 access-list PROD
nat (inside) 101 access-list TEST
nat (inside) 102 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.22.38.9 1

....

crypto map outside_map 35 match address outside_cryptomap_35
crypto map outside_map 35 set peer 123.244.232.4
crypto map outside_map 35 set transform-set ESP-3DES-MD5
crypto map outside_map 35 set reverse-route
crypto map outside_map interface outside

for some reason i can not get it work.

I get the following message..

Nov 22 2010 13:58:07: %ASA-7-609001: Built local-host outside:AMS-PROD
Nov 22 2010 13:58:07: %ASA-7-609001: Built local-host inside:INDIA-MC
Nov 22 2010 13:58:07: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:AMS-PROD/33087 dst inside:INDIA-MC/6005 denied due to NAT reverse path failure
Nov 22 2010 13:58:07: %ASA-7-609002: Teardown local-host outside:AMS-PROD duration 0:00:00
Nov 22 2010 13:58:07: %ASA-7-609002: Teardown local-host inside:INDIA-MC duration 0:00:00

I'm running version 8.2(2)16

Public IP number are fake.

Looking forward.

Willem..

Re: static nat on the inside. ASA 8.2 NAT reverse Path..

Maykol Rojas — Tue, 23 Nov 2010 00:01:45 GMT

Hello,

This what is stating is that you have a mismatch of NAT rules...Meaning that you have a Well define NAT rule for bidirectional traffic and Also a dynamic NAT.

Woul you please do a packet tracer and send us the output?

Cheers

Mike

Re: static nat on the inside. ASA 8.2 NAT reverse Path..

WILLEM KUTSCHRUITER — Tue, 23 Nov 2010 08:45:13 GMT

I currently have configured:

....

!
ip verify reverse-path interface inside
!

....

global (inside) 101 MIP-TEST
global (inside) 100 MIP-PROD
nat (outside) 100 access-list PROD
nat (outside) 101 access-list TEST
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 125.21.37.9 1

MC-India# packet-tracer input inside tcp 10.127.200.12 40000 10.81.34.55 6004 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.81.34.0 255.255.255.0 inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in AMS-PROD 255.255.255.255 outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

MC-India#

This last bit, Reverse-path, is giving me a headache...

Re: static nat on the inside. ASA 8.2 NAT reverse Path..

Maykol Rojas — Tue, 23 Nov 2010 12:57:05 GMT

Hello,

I see, so the destination where is it exactly located? On the AMD Prod or on the inside? Can you paste the output of the show asp table routing? The main issue here is that the ASA can see 2 routes and dependeing on the NAT statements that you have he may think it as asymetric.

Cheers.

Mike

Re: static nat on the inside. ASA 8.2 NAT reverse Path..

WILLEM KUTSCHRUITER — Tue, 23 Nov 2010 13:07:00 GMT

Mike,

sessions from 10.127.200.12 coming accross the VPN tunnel from the outside need to be translated into either 10.81.34.97 (port 6004) and 10.81.34.97 (port 6005) to the 10.81.34.55 server. This one only accepts sessions from 10.81.34.0/24 on the inside.

the requested routing table..

MC-India# sho asp table routing

in   255.255.255.255 255.255.255.255 identity
in   125.21.37.10    255.255.255.255 identity
in   192.168.1.1     255.255.255.255 identity
in   FW-IN-LAN       255.255.255.255 identity
in   AMS-DB          255.255.255.255 outside
in   AMS-PROD        255.255.255.255 outside
in   AMS-DG          255.255.255.255 outside
in   125.21.37.8     255.255.255.252 outside
in   10.81.34.0      255.255.255.0   inside
in   0.0.0.0         0.0.0.0         outside
out 255.255.255.255 255.255.255.255 management
out 224.0.0.0       240.0.0.0       management
out 255.255.255.255 255.255.255.255 inside
out 10.81.34.0      255.255.255.0   inside
out 224.0.0.0       240.0.0.0       inside
out 255.255.255.255 255.255.255.255 outside
out AMS-DB          255.255.255.255 via 125.21.37.9, outside
out AMS-PROD        255.255.255.255 via 125.21.37.9, outside
out AMS-DG          255.255.255.255 via 125.21.37.9, outside
out 125.21.37.8     255.255.255.252 outside
out 224.0.0.0       240.0.0.0       outside
out 0.0.0.0         0.0.0.0         via 125.21.37.9, outside
out 0.0.0.0         0.0.0.0         via 0.0.0.0, identity
out ::              ::              via 0.0.0.0, identity
MC-India#

Re: static nat on the inside. ASA 8.2 NAT reverse Path..

WILLEM KUTSCHRUITER — Tue, 23 Nov 2010 20:56:53 GMT

LS,

Using the following static I do get the desired result for one session...

MC-India(config)# static (outside,inside) MIP-TEST AMS-PROD netmask 255.255.25$
MC-India(config)#
MC-India# sho nat

NAT policies on Interface outside:
match ip outside host AMS-PROD inside any
static translation to MIP-TEST
translate_hits = 0, untranslate_hits = 0
MC-India#
MC-India# clear logging buff
MC-India# sho capture
capture in-cap type raw-data interface inside [Capturing - 1244 bytes]
MC-India# sho capture in-cap decode det

17 packets captured

   1: 20:24:54.124367 c84c.7522.49cb 0014.5e15.699d 0x0800 82: 10.81.34.98.33109 > 10.81.34.55.6005: S [tcp sum ok] 21689707:21689707(0) win 49640 (DF) (ttl 63, id 59322)
   2: 20:24:54.124520 0014.5e15.699d ffff.ffff.ffff 0x0806 60: arp who-has 10.81.34.98 (ff:ff:ff:ff:ff:ff) tell 10.81.34.55
   3: 20:24:54.124612 c84c.7522.49cb 0014.5e15.699d 0x0806 42: arp reply 10.81.34.98 is-at c8:4c:75:22:49:cb
   4: 20:24:54.124718 0014.5e15.699d c84c.7522.49cb 0x0800 66: 10.81.34.55.6005 > 10.81.34.98.33109: S [tcp sum ok] 714406307:714406307(0) ack 21689708 win 5520 (DF) (ttl 64, id 39269)
   5: 20:24:54.328352 c84c.7522.49cb 0014.5e15.699d 0x0800 54: 10.81.34.98.33109 > 10.81.34.55.6005: . [tcp sum ok] 21689708:21689708(0) ack 714406308 win 49680 (DF) (ttl 63, id 59323)
   6: 20:25:05.598144 c84c.7522.49cb 0014.5e15.699d 0x0800 60: 10.81.34.98.33109 > 10.81.34.55.6005: P [tcp sum ok] 21689708:21689714(6) ack 714406308 win 49680 (DF) (ttl 63, id 59324)

A telnet to 10.81.34.55 6005 does work.

If i do it using:

MC-India(config)# access-list TEST extended permit ip host AMS-PROD host INDIA$
MC-India(config)# static (outside,inside) MIP-TEST access-list TEST
MC-India(config)#
MC-India#
MC-India# sho nat

NAT policies on Interface outside:
match ip outside host AMS-PROD inside host INDIA-MC
static translation to MIP-TEST
translate_hits = 0, untranslate_hits = 0
MC-India#

Same positive result...

Now make it aware of portnumbers..

access-list TEST extended permit tcp host AMS-PROD host INDIA-MC eq 6005

MC-India(config)# static (outside,inside) tcp MIP-TEST 6005 access-list TEST
ERROR: Missing local port in access-list used in static pat
MC-India(config)#

Adding the local port is not a solution as this port number is variable....

I also have tried the following...

access-list TEST extended permit tcp host AMS-PROD host INDIA-MC eq 6005
global (inside) 5 MIP-TEST
nat (outside) 5 access-list TEST

for whatever reason the translation does not work.

Nov 23 2010 21:30:46: %ASA-7-609001: Built local-host outside:AMS-PROD
Nov 23 2010 21:30:46: %ASA-7-609001: Built local-host inside:INDIA-MC
Nov 23 2010 21:30:46: %ASA-6-302013: Built inbound TCP connection 5622 for outside:AMS-PROD/33112 (AMS-PROD/33112) to inside:INDIA-MC/6005 (INDIA-MC/6005)
Nov 23 2010 21:31:08: %ASA-6-302014: Teardown TCP connection 5622 for outside:AMS-PROD/33112 to inside:INDIA-MC/6005 duration 0:00:22 bytes 0 TCP Reset-O
Nov 23 2010 21:31:08: %ASA-7-609002: Teardown local-host outside:AMS-PROD duration 0:00:22
Nov 23 2010 21:31:08: %ASA-7-609002: Teardown local-host inside:INDIA-MC duration 0:00:22
MC-India(config)# sho capture in-cap deco det

4 packets captured

   1: 21:30:46.117852 c84c.7522.49cb 0014.5e15.699d 0x0800 82: 10.127.200.12.33112 > 10.81.34.55.6005: S [tcp sum ok] 266933649:266933649(0) win 49640 (DF) (ttl 63, id 40057)
   2: 21:30:49.503559 c84c.7522.49cb 0014.5e15.699d 0x0800 82: 10.127.200.12.33112 > 10.81.34.55.6005: S [tcp sum ok] 266933649:266933649(0) win 49640 (DF) (ttl 63, id 40058)
   3: 21:30:56.273301 c84c.7522.49cb 0014.5e15.699d 0x0800 66: 10.127.200.12.33112 > 10.81.34.55.6005: S [tcp sum ok] 266933649:266933649(0) win 49640 (DF) (ttl 63, id 40059)
   4: 21:31:08.863206 c84c.7522.49cb 0014.5e15.699d 0x0800 54: 10.127.200.12.33112 > 10.81.34.55.6005: R [tcp sum ok] 266933650:266933650(0) win 49640 (DF) (ttl 63, id 40060)
4 packets shown
MC-India(config)#

Who knows how to proceed...

What is the solution...

Willem

Re: static nat on the inside. ASA 8.2 NAT reverse Path..

WILLEM KUTSCHRUITER — Thu, 25 Nov 2010 10:33:04 GMT

All,,

it is solved using:

access-list PROD extended permit tcp host 10.127.200.12 host 10.81.34.55 eq 6004
access-list TEST extended permit tcp host 10.127.200.12 host 10.81.34.55 eq 6005
access-list TEST1 extended permit tcp host 10.81.34.55 eq 6005 host 10.127.200.12
access-list PROD1 extended permit tcp host 10.81.34.55 eq 6004 host 10.127.200.12
....
global (inside) 4 10.81.34.97 netmask 255.255.255.255
global (inside) 5 10.81.34.98 netmask 255.255.255.255
nat (outside) 4 access-list PROD outside
nat (outside) 5 access-list TEST outside
static (inside,outside) tcp 10.81.34.55 6005 access-list TEST1
static (inside,outside) tcp 10.81.34.55 6004 access-list PROD1

Enjoy,

Thanks to Hamzah Kardame who worked out this solution.

Thanks to Jephte Mwen for working with me to get this to work.

Willem