topic Re: ASA 8.0(4) - NAT Issues - Returning Traffic Not Working in Network Security

ASA 8.0(4) - NAT Issues - Returning Traffic Not Working

vialves — Mon, 11 Mar 2019 19:06:33 GMT

Hello,

I have the following problem doing natting in between my inside and dmz_sp interface here is the diagram:

· I need to, whenever these three hosts on the dmz_sp access the inside network, it should be translated to the Inside interface IP address.

· Static configuration is not an option, once that they don't have Inside addresses for this;

· NAT0 is not an option, because internal network overlaps

Based on these needs, I deployed the following configuration:

nat (dmz_sp) 2 10.241.48.136 255.255.255.255 outside

nat (dmz_sp) 2 10.241.48.151 255.255.255.255 outside

nat (dmz_sp) 2 10.241.48.171 255.255.255.255 outside

global (inside) 2 interface

Here's the actual relevant configuration he already had there before I applied the config above:

no nat-control

nat (inside) 0 access-list acl_nonat

nat (dmz) 1 access-list ACL_SCAN_MAIL

nat (inside) 1 172.16.0.0 255.240.0.0

global (dmz) 1 interface

global (dmz_sp) 1 10.120.0.254

global (dmz_net) 1 10.120.3.254

Now, I have the following problem after I added my dmz_sp nat configurartion:

Whenever the hosts in the network on 172.16x.x are trying to access these three servers on dmz_sp, the FW is not even capable to build the connection, showing me the following error message:

Nov 08 2010 16:46:27 FW-1 : %ASA-6-305011: Built dynamic TCP translation from inside:172.21.120.190/1223 to dmz_sp:10.120.0.254/11609

Nov 08 2010 16:46:27 FW-1 : %ASA-3-305005: No translation group found for tcp src inside:172.21.120.190/1223 dst dmz_sp:10.241.48.136/1433

The weird thing is that it shows up in the xlate table but the connection is dropped anyway.

The problem doesn't happen when the Inside network is trying to access any different host in the same network on dmz_SP.

Is this an expected behavior? What should be done in order to work around this issue?

If any configuration is needed, please let me know. But as I said before, we can assume that routing and permissions are ok.

Re: ASA 8.0(4) - NAT Issues - Returning Traffic Not Working

Kureli Sankar — Tue, 09 Nov 2010 13:52:31 GMT

If the DMZ_SP host is going to look like the inside interface IP address (hiding behind a pat pool) then, why is the inside host 172.21.120.190 trying to access it using its real IP address 10.241.48.136?

With what you have configured only the DMZ_SP hosts can initiate traffic and the inside hosts can only respond to them. Traffic cannot be initiated from the inside hosts to the dmz hosts.

Nov 08 2010 16:46:27 FW-1 : %ASA-3-305005: No translation group found for tcp src inside:172.21.120.190/1223 dst dmz_sp:10.241.48.136/1433

It appear that you do not have a choice but to use static (inside,dmz_sp) instead of nat/global outside for the dmz hosts.

Remember you cannot reach the hosts hiding behind a pat pool. This will be like google trying to reach all your inside hosts hiding behind a pat pool. Just not possible unless you configure static NAT or PAT.

-KS

Re: ASA 8.0(4) - NAT Issues - Returning Traffic Not Working

vialves — Tue, 09 Nov 2010 17:02:36 GMT

Thanks for your swift answer. It was very useful. I'll talk to my customer in order to re-arrange it. The returning traffic was something he didn't comment before.

Anyway, thanks for this!