topic Re: ASA 5506-X NAT issue SSH in Network Security

ASA 5506-X NAT issue SSH

david.brewerton — Fri, 21 Feb 2020 16:47:07 GMT

I feel like I'm on the cusp of figuring it out, but I've had issues and spent many, many hours hitting this with every form of documentation and help forum. I'm trying to do a NAT with an ACL from an external static IP to an internal one on a DMZ.

To try and be as clear and concise as I can: I have a static external IP. This is routed by my ISP to an intermediate IP, which is assigned to my ASA 5506-X. E.g. 8.8.8.8 (external) assigned to 1.2.3.4 (internal, assigned to my outside interface). I have a DMZ, where I'm trying to NAT port 22 from my external IP through to that sub network using PAT.

I've cleared some of the running config, and removed some sensitive information, but I hope this is enough to clarify my issue. Italicized is what I think is most relevant. I've included packet tracers for both 8.8.8.8 to my external IP, and 8.8.8.8 to the internal one (not the given one assigned to Outside but the actual SSH server). I'm still unable to SSH in, even though an 8.8.8.8 tcp on 22 is "allowed" to the DMZ from outside.

object network ssh
host 192.168.10.10
access-list outside_DMZ extended permit tcp any object ssh eq ssh
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log

object network ssh
nat (dmz,outside) static <external IP> service tcp ssh ssh
access-group outside_SSH_DMZ in interface outside

Running Config

: Saved

:
: Serial Number:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(1)
!
hostname ciscoasa
enable password <hashed mess>
names
dns-guard

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address <intermediate internal IP> 255.255.255.0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside_1
dns domain-lookup inside_3
dns domain-lookup inside_4
dns domain-lookup inside_5
dns domain-lookup inside_6
dns domain-lookup inside_7
dns domain-lookup inside
dns server-group DefaultDNS
name-server 1.1.1.1 outside
name-server 1.0.0.1 outside
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network DMZ
object network ssh
host 192.168.10.10
access-list outside_DMZ extended permit tcp any object ssh eq ssh
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu dmz 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network ssh
nat (dmz,outside) static <external IP> service tcp ssh ssh
access-group outside_SSH_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 <internal intermediate IP> 1

Packet Tracer External IP to Internal

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 22 192.168.10.10 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.10 using egress ifc dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_SSH_DMZ in interface outside
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network ssh
nat (dmz,outside) static <external-IP> service tcp ssh ssh
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Packet Tracer External IP to External

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 22 <external-IP> 22

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ssh
nat (dmz,outside) static <external-IP> service tcp ssh ssh
Additional Information:
NAT divert to egress interface dmz
Untranslate <external-IP>/22 192.168.10.10/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_SSH_DMZ in interface outside
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network ssh
nat (dmz,outside) static <external-IP> service tcp ssh ssh
Additional Information:

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 19180, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Re: ASA 5506-X NAT issue SSH

Kasun Bandara — Fri, 08 Feb 2019 09:36:27 GMT

Hi check below command,
access-list outside_DMZ extended permit tcp any object ssh eq ssh

normally source devices using random private port to communicate with other devices. destination port is ok as SSH port. for ex.
source - 8.8.8.8
source port - 65128
destination - NAT IP
destination port - 22

source device not using SSH port as a source port to communicate. so try allowing any source port to contact the destination 22 port

regards,

let us know how it goes.
please rate helpful things..

Re: ASA 5506-X NAT issue SSH

david.brewerton — Fri, 08 Feb 2019 16:04:30 GMT

Hi, my apologies for the poor naming. That's an object I created called ssh. However it isn't attached to the outside interface (which if you can let me know if that's relevant or not would be good to know). The primary hits I'm looking at in ASDM are for

access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log

Below is the ssh object. If I understand the above command: tcp any source going to host 192.168.10.10 port 22.

The other object if I understand correctly is anything matching my ssh object, so going to host 192.168.10.10 on NAT hitting the service ssh. If I'm to re-write the nat rule nat (dmz,outside) static <external IP> service tcp ssh ssh for any external source port, how would I do that? nat (dmz,outside) static <external IP> service tcp any ssh???

object network ssh
host 192.168.10.10

object network ssh
nat (dmz,outside) static <external IP> service tcp ssh ssh

Re: ASA 5506-X NAT issue SSH

Kasun Bandara — Sat, 09 Feb 2019 14:12:40 GMT

try below command to check where is the drop.

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 65123 <external-IP> 22

Re: ASA 5506-X NAT issue SSH

david.brewerton — Sat, 09 Feb 2019 16:24:43 GMT

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 65123 40.<external-ip> 22

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ssh
nat (dmz,outside) static 40.132.235.222 service tcp ssh ssh
Additional Information:
NAT divert to egress interface dmz
Untranslate 40.132.235.222/22 to 192.168.10.10/22

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_SSH_DMZ in interface outside
access-list outside_SSH_DMZ extended permit tcp any host 192.168.10.10 eq ssh log
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network ssh
nat (dmz,outside) static 40.132.235.222 service tcp ssh ssh
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 163838, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

That's the weird part. It's allowed. But when I try to just ssh in from the external IP, both internally and from other sources, it just rejects it. I can ssh internally, so I know the sshd daemon is allowing it. The auth log says nothing of a failed attempt or me even reaching it. SSH connect to host port 22: resource temporarily unavailable. An nmap scan of my external port 22 says it's filtered.

To add: tcp6 0 0 :::22 :::* LISTEN 15969/sshd

It's not just listening on localhost

I tried just to do it from the other end (try SSH, since it seems packet-tracer isn't replicating it correctly).

Feb 09 2019

09:18:23

710003

61152

TCP access denied by ACL from <external-ip>/61152 to outside:<intermediate internal-ip>/22

Do I need a separate ACL to go from my external to my intermediate IP?

Re: ASA 5506-X NAT issue SSH

david.brewerton — Sat, 09 Feb 2019 16:47:25 GMT

Thanks for your help. You helped me think outside of the box. So I did some digging in the logs, and just tested SSH against it and watched logs. It turns out, it needed a NAT against my outside interface (the internal IP address attached to the outside interface) and not the external IP that is forwarded to my outside interface.

So I did that, it was then considered a "real IP packet" that was being denied, it even let me create an ACL rule based on it, I changed it based on your suggestion (any external port, since it tried a bunch of arbitrary ports in the 6000 range), and ta-da it works! Thanks.