topic Re: source NAT in Network Security

source NAT

WILLIAM STEGMAN — Mon, 11 Mar 2019 18:23:14 GMT

I thought I had this figured out in a previous discussion board, but I haven't been able to get it to work. The configuration below is supposed to turn Internet clients into the address 10.21.5.5, which would be local to the DMZ and allow a load balancer to route return traffic using the connected interface route rather than the default route, which points to another interface and would cause an asymetric routing pattern through the firewall. I was expecting to see the connection from a show conn to be between 10.21.5.5 and 10.21.5.13, but instead the client will show as its real Internet address.

nat (outside,CustDMZ_1) source static any PNAT-A10_10.21.5.5 destination static AXA-Citrix-A10_21.21.24.25 AXA-Citrix-A10_21.21.24.25

object network AXA-Citrix-A10_10.21.5.13
host 10.21.5.13

nat (CustDMZ_1,outside) static 21.21.24.25

object network PNAT-A10_10.21.5.5
host 10.21.5.5

object network AXA-Citrix-A10_21.21.24.25
host 216.21.248.251

TCP outside 74.92.84.70:25008 CustDMZ_1 10.21.5.13:80, idle 0:00:03, bytes 0, flags SaAB

NAT from CustDMZ_1:10.21.5.13 to outside:21.21.24.25

thank you,

Bill

Re: source NAT

Nagaraja Thanthry — Tue, 10 Aug 2010 13:28:41 GMT

Hello,

As per your configuration, you are trying to statically map entire internet

IP address range to one host IP on the inside. This is incorrect. You need

to use dynamic as the translations will have to pick dynamic ports for every

internet address.

nat (outside,CustDMZ_1) source dynamic any PNAT-A10_10.21.5.5 destination

static AXA-Citrix-A10_10.21.5.13 AXA-Citrix-A10_10.21.5.13

This will ensure that the internet hosts use 10.21.5.5 when coming into your

network.

Hope this helps.

Regards,

Re: source NAT

WILLIAM STEGMAN — Tue, 10 Aug 2010 13:48:06 GMT

I see you switched the destination to be the 10.21.5.13 object instead of the public 21.21.24.25 object, is that correct?

I tried both nat commands anyway though, but it still doesn't work. It doesn't look like the 3 way handshake can complete.

TCP outside 74.92.84.70:25024 CustDMZ_1 10.21.5.13:80, idle 0:00:02, bytes 0, flags SaAB

I do get this warning when configuring the nat command:

WARNING: Pool (10.21.5.5) overlap with existing pool

Re: source NAT

Nagaraja Thanthry — Tue, 10 Aug 2010 14:27:42 GMT

Hello,

Did you remove the old configuration before configuring the new one? If not,

can you try that?

Regards,

Re: source NAT

WILLIAM STEGMAN — Tue, 10 Aug 2010 15:10:09 GMT

I removed all the objects and the twice nat config, re-added, but no change.

Re: source NAT

Nagaraja Thanthry — Wed, 11 Aug 2010 04:45:13 GMT

Hello,

Can you put a capture and see if the traffic is actually hitting the DMZ?

access-list cap permit tcp any host 10.21.5.13 eq 80

access-list cap permit tcp host 10.21.5.13 eq 80 any

capture capdmz access-list cap interface CustDMZ_1

After the above configuration, try accessing the web page from internet and

then collect the capture output:

show capture capdmz

Also, can you run a packet tracer to see if the traffic is taking the NAT

rule that you have configured (one that I had suggested):

packet-tracer input outside tcp 100.1.1.1 1024 21.21.24.25 80 detailed

Please post the corresponding outputs here so we can take a look at it.

Regards,

Re: source NAT

WILLIAM STEGMAN — Wed, 11 Aug 2010 12:55:02 GMT

HBG-ASA(config)# sh cap capdmz

10 packets captured

   1: 08:42:56.927243 802.1Q vlan#550 P0 98.11.11.10.50483 > 10.21.5.13.80: S 1303442613:1303442613(0) win 5840
   2: 08:42:56.927396 802.1Q vlan#550 P0 10.21.5.13.80 > 98.11.11.10.50483: S 893564468:893564468(0) ack 1303442614 win 5840
   3: 08:42:56.961788 802.1Q vlan#550 P0 98.11.11.10.50483 > 10.21.5.13.80: . ack 893564469 win 46
   4: 08:42:56.964442 802.1Q vlan#550 P0 98.11.11.10.50483 > 10.21.5.13.80: P 1303442614:1303443024(410) ack 893564469 win 46
   5: 08:42:56.964641 802.1Q vlan#550 P0 10.21.5.13.80 > 98.11.11.10.50483: . ack 1303443024 win 54
   6: 08:42:56.964702 802.1Q vlan#550 P0 10.21.5.13.80 > 98.11.11.10.50483: P 893564469:893564572(103) ack 1303443024 win 54
   7: 08:42:56.964732 802.1Q vlan#550 P0 10.21.5.13.80 > 98.11.11.10.50483: F 893564572:893564572(0) ack 1303443024 win 54
   8: 08:42:56.999170 802.1Q vlan#550 P0 98.11.11.10.50483 > 10.21.5.13.80: . ack 893564572 win 46
   9: 08:42:56.999826 802.1Q vlan#550 P0 98.11.11.10.50483 > 10.21.5.13.80: F 1303443024:1303443024(0) ack 893564573 win 46
10: 08:42:57.000000 802.1Q vlan#550 P0 10.21.5.13.80 > 98.11.11.10.50483: . ack 1303443025 win 54
10 packets shown

HBG-ASA(config)# packet-tracer input outside tcp 98.11.11.10 1024 216.21.24$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xace4bf20, priority=1, domain=permit, deny=false
    hits=416724451, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network AXA-Citrix-A10_10.21.5.13
nat (CustDMZ_1,outside) static 21.21.24.25
Additional Information:
NAT divert to egress interface CustDMZ_1
Untranslate 21.21.24.25/80 to 10.21.5.13/80

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object-group Web_Public object-group HTTP_HTTPS
object-group network Web_Public
group-object Comm_Public
group-object Crump_Public
object-group service HTTP_HTTPS tcp
port-object eq www
port-object eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae528950, priority=13, domain=permit, deny=false
    hits=5, user_data=0xa907d4c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=10.21.5.13, mask=255.255.255.255, port=80, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map http-map1
match any
policy-map global_policy
class http-map1
set connection advanced-options mss-map
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadf59490, priority=7, domain=conn-set, deny=false
    hits=3121678, user_data=0xadf56dc8, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xace4e718, priority=0, domain=inspect-ip-options, deny=true
    hits=6183745, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadf50d08, priority=70, domain=inspect-http, deny=false
    hits=657295, user_data=0xadf4ef30, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad939da0, priority=13, domain=ipsec-tunnel-flow, deny=true
    hits=1390002, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 9
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map CustDMZ_1-class
match any
policy-map CustDMZ_1-policy
class CustDMZ_1-class
set connection conn-max 0 embryonic-conn-max 0 random-sequence-number disable
set connection timeout idle 0:00:00 embryonic 0:00:30 half-closed 0:10:00
        idle 0:00:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
service-policy CustDMZ_1-policy interface CustDMZ_1
Additional Information:
Forward Flow based lookup yields rule:
out id=0xadf5e2a8, priority=8, domain=conn-set, deny=false
    hits=242230, user_data=0xadf5d3c8, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=any, output_ifc=CustDMZ_1

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network AXA-Citrix-A10_10.21.5.13
nat (CustDMZ_1,outside) static 21.21.24.25
Additional Information:
Forward Flow based lookup yields rule:
out id=0xafc04ca8, priority=6, domain=nat-reverse, deny=false
    hits=75, user_data=0xaea61348, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=10.21.5.13, mask=255.255.255.255, port=0, dscp=0x0
    input_ifc=outside, output_ifc=CustDMZ_1

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xaccab170, priority=0, domain=inspect-ip-options, deny=true
    hits=439017, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=CustDMZ_1, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6779869, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: CustDMZ_1
output-status: up
output-line-status: up
Action: allow

Re: source NAT

Nagaraja Thanthry — Thu, 12 Aug 2010 04:20:44 GMT

Hello,

Can you please remove

nat (outside,CustDMZ_1) source dynamic any PNAT-A10_10.21.5.5 destination

static AXA-Citrix-A10_10.21.5.13 AXA-Citrix-A10_10.21.5.13

and

nat (CustDMZ_1,outside) static 21.21.24.25

Instead, add the following line:

object network AXA-CITRIX-A_21.21.24.25

host 21.21.24.25

nat (outside,CustDMZ_1) source dynamic any PNAT-A10_10.21.5.5 destination

static AXA-CITRIX-A10_21.21.24.25 AXA-Citrix-A10_10.21.5.13

Hope this helps.

Regards,

Re: source NAT

WILLIAM STEGMAN — Thu, 12 Aug 2010 12:45:20 GMT

That's it!

HBG-ASA(config)# sh cap capdmz

12 packets captured

   1: 08:35:38.499943 802.1Q vlan#550 P0 10.21.5.5.32318 > 10.21.5.13.80: S 3132904649:3132904649(0) win 64512
   2: 08:35:38.500172 802.1Q vlan#550 P0 10.21.5.13.80 > 10.21.5.5.32318: S 3966946819:3966946819(0) ack 3132904650 win 64512
   3: 08:35:38.528415 802.1Q vlan#550 P0 10.21.5.5.32318 > 10.21.5.13.80: . ack 3966946820 win 64512
   4: 08:35:38.535037 802.1Q vlan#550 P0 10.21.5.5.32318 > 10.21.5.13.80: . 3132904650:3132905910(1260) ack 3966946820 win 64512
   5: 08:35:38.535082 802.1Q vlan#550 P0 10.21.5.5.32318 > 10.21.5.13.80: P 3132905910:3132906067(157) ack 3966946820 win 64512
   6: 08:35:38.535220 802.1Q vlan#550 P1 10.21.5.13.80 > 10.21.5.5.32318: . ack 3132905910 win 7560
   7: 08:35:38.535281 802.1Q vlan#550 P4 10.21.5.13.80 > 10.21.5.5.32318: . ack 3132906067 win 7560
   8: 08:35:38.535311 802.1Q vlan#550 P5 10.21.5.13.80 > 10.21.5.5.32318: P 3966946820:3966946938(118) ack 3132906067 win 7560
   9: 08:35:38.535342 802.1Q vlan#550 P5 10.21.5.13.80 > 10.21.5.5.32318: F 3966946938:3966946938(0) ack 3132906067 win 7560
10: 08:35:38.564393 802.1Q vlan#550 P0 10.21.5.5.32318 > 10.21.5.13.80: . ack 3966946939 win 64394
11: 08:35:38.569871 802.1Q vlan#550 P0 10.21.5.5.32318 > 10.21.5.13.80: F 3132906067:3132906067(0) ack 3966946939 win 64394
12: 08:35:38.569947 802.1Q vlan#550 P1 10.21.5.13.80 > 10.21.5.5.32318: . ack 3132906068 win 7560

Though I don't understand it entirely. If a user comes from the Interent (any) it will get translated to 10.21.5.5 when its destination is 21.21.24.25, which is then translated to the object, 10.21.5.13, and the object has object nat applied to it, which translates its real IP to a public IP. I'm a little dizzy, but thank you very much Nagaraja.