topic Re: ASA 5505 NAT issue in Network Security

ASA 5505 NAT issue

darin.miller — Mon, 11 Mar 2019 18:17:09 GMT

Hello,

I tried searching for the answer but I couldn't relevant data, so I apologize if this is a repost.

Anyways, I have an ASA 5505 base model. On the inside vlan I have directly connected another router. The ASA and the router are OSPF peers. I can ping the router's interfaces from the ASA, but I can't ping them from a pc that is connected to the inside vlan. I did notice that if I take out the statement nat (inside) 1 0.0.0.0 0.0.0.0 then the ping goes ok, but I have no internet connectivity. How can I enable NAT for all devices outbound the internet interface but still disable NAT for all internal networks?

Thanks in advance.

ASA Version 7.2(4)

interface Vlan1

description Default internal vlan on max

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

interface Vlan2

description Internet vlan on max

nameif Internet

security-level 0

ip address dhcp setroute

ospf cost 10

interface Vlan3

description DMZ vlan on max

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 10.100.100.1 255.0.0.0

ospf cost 10

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

switchport access vlan 3

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service Xbox_port tcp-udp

description TCP-UDP 3074

port-object eq 3074

object-group service Xbox_port_2 udp

description UDP port 88

port-object eq 88

object-group network Internal_Networks

network-object 10.0.0.0 255.255.255.0

network-object 10.1.0.0 255.255.255.0

network-object 172.16.0.0 255.255.255.0

access-list Internet_access_in extended permit udp any interface Internet eq 3074 inactive

access-list Internet_access_in extended permit tcp any interface Internet eq 3074 inactive

access-list Internet_access_in extended permit udp any interface Internet eq 88 inactive

access-list inside_access_in extended permit ip any any

access-list acl-outside extended permit icmp any any echo-reply

access-list acl-outside extended permit icmp any any unreachable

access-list acl-outside extended permit icmp any any traceroute

access-list acl-outside extended permit icmp any any time-exceeded

pager lines 24

logging enable

logging buffer-size 10000

logging buffered critical

logging asdm informational

logging debug-trace

mtu inside 1500

mtu Internet 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp deny any Internet

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (Internet) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group acl-outside in interface Internet

router ospf 1

router-id 192.168.1.1

network 192.168.1.0 255.255.255.0 area 0

log-adj-changes

redistribute static subnets

default-information originate

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 76.10.192.197 255.255.255.255 Internet

ssh timeout 30

console timeout 0

dhcpd auto_config Internet

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

: end

Re: ASA 5505 NAT issue

manish arora — Wed, 28 Jul 2010 00:19:19 GMT

You need an Nat Exempt statement :-

access-list nonat ext permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

{ x.x.x.x are the subnets you dont want any natting to be done }

then add a statement

nat (inside) 0 access-list nonat

thanks

Manish

Re: ASA 5505 NAT issue

darin.miller — Wed, 28 Jul 2010 00:46:32 GMT

Hi Manish,

I tried that but still same result. It still keeps pointing to that dynamic NAT statement:

max# packet-tracer input inside icmp 192.168.1.2 0 8 10.0.0.1

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.0.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

match ip inside 192.168.1.0 255.255.255.0 inside 10.0.0.0 255.255.255.0

NAT exempt

translate_hits = 2, untranslate_hits = 0

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 2, untranslate_hits = 0

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 2, untranslate_hits = 0

Additional Information:

Phase: 9

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 2, untranslate_hits = 0

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA 5505 NAT issue

manish arora — Wed, 28 Jul 2010 02:12:26 GMT

Ok , so you are trying to ping from inside to dmz interface or vice versa. since DMZ is security 50 .., so you need to allow that range to have access to inside interface using access-list inside permit dmz any any and applying it to out direction of the inside interface. also add no nat for

nat ( DMZ) 0 access-list nonat1

nat ( DMZ) 1 0.0.0.0 0.0.0.0

i will follow up in more detail later on.

Thanks

Manish

Re: ASA 5505 NAT issue

darin.miller — Wed, 28 Jul 2010 02:25:24 GMT

No, the DMZ is not touched in this example. The PC(192.168.1.2) attached at eth0/1 on the ASA, is attempting to ping an interface(10.0.0.1) on a router that is reached thru the same vlan(192.168.1.0/24) via eth0/2.

The router has an IP of 192.168.1.30 on the near interface:

max# traceroute 10.0.0.1

Type escape sequence to abort.

Tracing the route to 10.0.0.1

1 192.168.1.30 0 msec * 0 msec

Re: ASA 5505 NAT issue

Jitendriya Athavale — Wed, 28 Jul 2010 05:01:49 GMT

try this

static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

same-security permit intra interface

sysopt noproxy-arp inside

Re: ASA 5505 NAT issue

darin.miller — Wed, 28 Jul 2010 05:17:45 GMT

I figured it out!

First thing I did was take out this statement: nat (inside) 1 0.0.0.0 0.0.0.0

This temporarily killed my Internet access but no big deal for now. Then I created an object group of my internal networks adjacent to my ASA:

object-group network Internal_Networks

network-object 10.0.0.0 255.255.255.0

network-object 10.1.0.0 255.255.255.0

network-object 172.16.0.0 255.255.255.0

Then I created an ACL exemption that permitted nonat from my ASA vlan to the internal networks:

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks

Then I added this statement:

nat (inside) 0 access-list nonat

Connectivity between the internal networks has been established! However, Internet access is still limited because I'm not natting data passing thru the Internet interface, so I put in this statement:

nat (inside) 1 192.168.1.0 255.255.255.0

This returns internet connectivity. At this point all internal interfaces can ping each other, as well as internet IP's. I'm not entirely sure why this works, but it does. If anybody can explain the logic behind this, I'd love to hear it!

Thanks for your help, Manish!

Re: ASA 5505 NAT issue

Nagaraja Thanthry — Wed, 28 Jul 2010 05:24:25 GMT

Hello,

The issue is due to asymmetric routing in the network. The easiest/best solution would be to make the router the default gateway for 192.168.1.0 subnet. This will ensure that you have two-way connectivity between the 192.168.1.0 subnet and 10.0.0.0 subnet. If you are not worried about two-way communication and all you are looking for is ICMP connectivity, then you could do the following:

global (inside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

same-security-traffic permit intra-interface

This will ensure that all traffic originated from 192.168.1.0 subnet towards 10.0.0.0 subnet will go to the router with ASA's inside interface IP address. In this way, the return traffic will come to the firewall and then the firewall will deliver it to the actual host. This way, you can also initiate TCP sessions from 192.168.1.0 subnet to 10.0.0.0 subnet (not vice versa) and have successful communication.

On the other hand, if you configure the router as the default gateway for 192.168.1.0 subnet and then configure ASA as the default gateway for the router, then all the 10.0.0.0 subnet will be locally routed by the router and all other traffic will be sent to the ASA.

Hope this helps.

Regards,