topic Re: ASA NAT: any to any issue in Network Security

ASA NAT: any to any issue

andreas.dahlberg — Fri, 21 Feb 2020 16:55:06 GMT

Hello!

Just had to troubleshoot an issue where an internal firewall messed upp the network on its outside interface. The clients could not get addresses from the local DHCP server.

This is the network Layout:

On the "Internal ASA" there was this NAT rule:

nat (inside,outside) source static any any no-proxy-arp route-lookup

which caused the clients on the 192.168.5.0 network to not get any addresses from the DHCP server.

default route on Internal ASA is configured as:

route outside 0.0.0.0 0.0.0.0 192.168.5.1

Why is that?

The key here is that the 172.16.0.0 network behind Internal ASA should not be accessible from 192.168.5.0 network at all.

Actually, that 172.16.0.0 network is an remote network for a site to site VPN Connection which is only used for lab purposes.

I cannot see why the Internal ASA would cause the DHCP server not being able to respond to broadcast DHCP requests..??

Re: ASA NAT: any to any issue

Kasun Bandara — Fri, 08 Mar 2019 12:23:30 GMT

Hi,

Have you configured DHCP relay in internal asa?

Please check.below guide.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html

Re: ASA NAT: any to any issue

andreas.dahlberg — Fri, 08 Mar 2019 13:28:54 GMT

Hi!
I've edited the original post.
Actually, the 172.16.0.0 network should not be considered in this, it is only used as a remote network in a site to site VPN.
The thing here is that the clients and DHCP server is on the same subnet so i cannot understand why the Internal ASA would cause the DHCP not being able to distribute addresses.. but something has to do with the NAT statement, because removing it get things working again..

Re: ASA NAT: any to any issue

Kasun Bandara — Fri, 08 Mar 2019 13:53:57 GMT

Hi,

Normally asa not passing broadcasts to other side. I guess you have configured the dhcp relay.

In your case you can block these subnet communication with ACLs. Also asa will not reply to arp request because of 'no proxy arp'

I am not sure whether it is having some affect. You can try removing that command and 'route lookup' too for testing.

Re: ASA NAT: any to any issue

andreas.dahlberg — Fri, 08 Mar 2019 14:35:52 GMT

But how can the Internal ASA have anything to with the 192.168.5.0/24 clients not receiving DHCP leases from the DHCP server on the same subnet?
The 172.16.0.0/29 clients is supposed to be isolated from 192.168.5.0/24.

Re: ASA NAT: any to any issue

Ilkin — Fri, 08 Mar 2019 21:27:55 GMT

Is it correct that when "nat (inside,outside) source static any any no-proxy-arp route-lookup" is removed" from Internal firewall, clients are able to get addresses from the DHCP server?

If yes, then in terms of DHCP workflow and at packet level what specifically is the difference when this nat exists on Internal ASA?
It can be useful to analyze packet captures on ASA outside, DHCP server and clients in the non-working scenario.

Re: ASA NAT: any to any issue

andreas.dahlberg — Sat, 09 Mar 2019 08:42:49 GMT

Yes, when that is removed, clients in the 192.168.5.0/24 network gets its DHCP leases again.

Would be interesting to see how that internal ASA really is connected, I don't have admin access to their LAN, just the internal ASA. But I am suspicious that it isn't connected as per the image in the original post.

Re: ASA NAT: any to any issue

Kasun Bandara — Sun, 10 Mar 2019 10:04:53 GMT

Hi
Try without 'no proxy arp' in nat command for testing.

Also without clear understanding of other side its difficult to say issue point exactly. Can you get how they connected each device on that side?

Re: ASA NAT: any to any issue

andreas.dahlberg — Tue, 12 Mar 2019 22:08:49 GMT

Solution was to remove the NAT statement all together as it wasn't really necessary.

Exactly, did nog get a decent answer on how they all was connected, but as i understood, they where all connected to the same switch in a central location.
It should be impossible for the ASA to break anything on the 192.168.5.0/24 network, or am i missing something?

Re: ASA NAT: any to any issue

KevA — Wed, 10 Jul 2024 03:48:47 GMT

I had similar issue but in my topology I had ISP routers between my firewalls. The DHCP offer was being dropped by Branch Firewall. I saw the advice above to remove the NAT statement and once I did such my PC got its IP assignment. I could the dhcp binding on the DHCP and the DHCP offer traversed from HQ FW to Branch FW.. However, when I set up the lab in packet tracer, I had no issues at all so just curious as to why it worked in packet tracer. I used gns3 and eveng to determined if it was a issue with my simulation environment but results was the same. Again, once I removed the NAT statement it works fine.

p.s. HQ FW has two internal zones, a dmz zone and outside zone. Branch only has inside and outside zones so it this the case as to why NAT was not needed on the Branch firewall?

Re: ASA NAT: any to any issue

andreas.dahlberg — Tue, 03 Sep 2024 18:45:07 GMT

In my topology, the internal firewall was setting up a policy based site-to-site VPN to a off site firewall.

There was no route pointing to the 172.16.0.0/29 network.

This was some years ago now, and this network is now decommissoned. 🙂

But a too generous (any, any) NAT rule will cause the firewall to respond to ARPs. I think you would need to make the global address more precise or use another subnet for the global addresses.