topic NAT Rule Blocking Traffic? in Network Security

NAT Rule Blocking Traffic?

iglablues — Mon, 11 Mar 2019 19:09:49 GMT

I am pretty confused about a firewall setup I inherited that is causing me some problems. It's an ASA 5505 configured with the standard Inside and Outside networks, plus a DMZ and a Test LAN. I am trying to get a backup solution configured that of course requires agents installed on the hosts to talk to the central console. The central console is installed on the DMZ in the 192.168.10.0/24 network. The server with the agent is installed on the 192.168.100.0/24 Test network. I added an ACL via the ADSM as follows:

access-list TEST_access_in line 3 extended permit object-group DM_INLINE_PROTOCOL_2 host 192.168.10.4 any
access-list TEST_access_in line 3 extended permit ip host 192.168.10.4 any
access-list TEST_access_in line 3 extended permit icmp host 192.168.10.4 any
access-list TEST_access_in line 3 extended permit tcp host 192.168.10.4 any

When I tested this through the packet trace tool, it failed. It says it failed due to the following:

nat (TEST) 1 0.0.0.0 0.0.0.0
nat-control
match ip TEST any inside any
dynamic translation to pool 1 (192.168.20.1 [Interface PAT])
translate_hits=2, untranslate_hits=0

I have asolutely no idea what this means. I thought NAT just determined what kind of address translation you have for your unrouteable IPs. I don't know why it would be blocking access between two networks. Can anyone give me some ideas or information about what this is referring to and what I might be doing wrong?

Thanks in advance.

Re: NAT Rule Blocking Traffic?

Panos Kampanakis — Mon, 15 Nov 2010 18:39:10 GMT

Please post the interface and nat configuration. This is a natting issue. Also, it would be nice if you could post the packet tracer output and the ip addresses you are testing from.

Re: NAT Rule Blocking Traffic?

iglablues — Mon, 15 Nov 2010 20:42:10 GMT

Thanks! Here is the config of the interfaces:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 155.212.203.186 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
nameif TEST
security-level 100
ip address 192.168.100.1 255.255.255.0

Here are the NAT statetements:

access-list dmz_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
*********************************
nat-control
global (inside) 1 interface
global (outside) 1 interface
global (dmz) 2 interface
global (TEST) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (TEST) 1 0.0.0.0 0.0.0.0
static (TEST,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 dns
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,TEST) 192.168.100.0 192.168.20.0 netmask 255.255.255.0
static (TEST,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
***************************
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group TEST_access_in in interface TEST

I am trying to connect from IP 192.168.10.4 in the DMZ network to 192.168.20.220 on the inside LAN. With no changes to the configuration from me I do a packet trace from the DMZ. The output is this

I perform the same test on the inside interface, no change made to the existing config, and I get this:

So, I figure I need to add an ACL to prevent the implicit deny rule. I create a rule permitting source 192.168.10.4 to 192.168.20.220, protocols IP and TCP, and apply it to the inside of the inside interface. I do the same test as before and I get this:

Having thought about this since my post, I do need to mention that the source IP (192.168.10.4) has a static NAT to a public IP in the config. So, presumably when traffic from that host leaves the ASA it gets translated to the public IP. I did try changing my ACLs to the public IP instead, but that also didn't work so I doubt that I'm barking up the right tree.

Re: NAT Rule Blocking Traffic?

Panos Kampanakis — Mon, 15 Nov 2010 20:50:41 GMT

You are not running packet tracer for the return traffic properly.

If you run it for traffic hitting the inside the sourced will be 192.168.20./24 destined to 192.168.10.4.

The config looks good for this flow..