topic Re: Inbound and outbound traffic at the same interface in Network Security

Inbound and outbound traffic at the same interface

elecorbalan — Mon, 11 Mar 2019 14:17:22 GMT

Hello,

I pass default traffic from inside to outside interface. Also I have to pass inside traffic back to inside interface to get some servers. I have configured default route to outside and a route to this servers subnet to inside.

route outside 0.0.0.0 0.0.0.0 --.74.49 1

route inside --.89.192 255.255.255.192 10.0.0.1 1

I have also configured

same-security-traffic permit intra-interface

clear xlate

But traffic icmp does not pass through and I can ping the server from the firewall.

Do I forget any command?

Re: Inbound and outbound traffic at the same interface

Farrukh Haroon — Mon, 24 Nov 2008 13:45:32 GMT

Can you give more details about the problem/topology...your question is not clear (atleast to me).

Regards

Farrukh

Re: Inbound and outbound traffic at the same interface

elecorbalan — Mon, 24 Nov 2008 14:39:35 GMT

Yes, of course.

I have as default gateway for LAN PCs the inside ASA interface 10.0.0.22

But this PCs need access to server on a DMZ not configured in the ASA. The address to this DMZ is --.89.192 255.255.255.192

This DMZ is reached through the ASA inside interface.

To ping an DMZ server from a PC 10.0.0.114, the packet must arrive to ASA inside interface check a static route, and then get out from the same inside interface.

I can ping from ASA to a DMZ server, but I cannot ping from a PC to a server.

The config I have is:

interface Ethernet0/0

nameif outside

security-level 0

ip address --.74.50 255.255.255.252

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.0.0.22 255.255.255.0

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any --.74.48 255.255.255.252 echo-reply

access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_1 any eq domain

access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any object-group DM_INLINE_TCP_1

access-list inside_access_in extended permit icmp any any echo

access-list inside_access_in extended permit icmp any any echo-reply

access-list inside_access_in extended deny ip any any

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit any echo inside

global (outside) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 --.74.49 1

route inside --.89.192 255.255.255.192 10.0.0.1 1

priority-queue outside

tx-ring-limit 256

priority-queue inside

tx-ring-limit 256

class-map TunelVPNmap

match tunnel-group TunelVPN

policy-map TunelVPNpol

class TunelVPNmap

priority

service-policy TunelVPNpol interface outside

service-policy TunelVPNpol interface inside

Re: Inbound and outbound traffic at the same interface

srue — Mon, 24 Nov 2008 20:38:20 GMT

how is there a dmz reachable on the inside interface of your ASA?

is there an internal router/L3 switch on your LAN?

Re: Inbound and outbound traffic at the same interface

Farrukh Haroon — Tue, 25 Nov 2008 08:27:31 GMT

Exclude this inside >> dmz traffic from NAT using nat exemption or add the following:

global (inside) 101 interface

NAT exemption:

nat (inside) 0 access-list NONAT

access-list NONAT permit ip

Regards

Farrukh

Re: Inbound and outbound traffic at the same interface

elecorbalan — Tue, 25 Nov 2008 10:28:48 GMT

I still have the problem after doing clear xlate for modifying NAT.

Y have oppened nonat for:

access-list inside_nat0_outbound_2 extended permit ip 10.0.0.0 255.255.255.0 --.89.192 255.255.255.192

access-list inside_nat0_outbound_4 extended permit ip 10.0.0.0 255.255.255.0 --.89.192 255.255.255.192

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound_2

nat (inside) 0 access-list inside_nat0_outbound_4 outside

nat (inside) 101 0.0.0.0 0.0.0.0

But when I send a telnet to a server --89.203

In ASDM logs I see the message:

%ASA-3-305005: No translation group found for protocol src interface_name:10.0.0.114/1710 dst interface_name: --.89.203/23

Re: Inbound and outbound traffic at the same interface

Farrukh Haroon — Tue, 25 Nov 2008 10:57:34 GMT

Remove this line and it should be OK

nat (inside) 0 access-list inside_nat0_outbound_4 outside

If it does not work...post the logs...and please don't change the 'interface_name' in the log. post the correct one.

Regards

Farrukh

Re: Inbound and outbound traffic at the same interface

elecorbalan — Tue, 25 Nov 2008 11:16:01 GMT

It doesn't work. And I have passed the command

The logs are

3|Nov 25 2008|12:12:08|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23

3|Nov 25 2008|12:12:02|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23

3|Nov 25 2008|12:11:59|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23

4|Nov 25 2008|12:11:59|106100|10.0.0.114|1876|62.97.89.203|23|access-list inside_access_in permitted tcp inside/10.0.0.114(1876) -> inside/--.89.203(23) hit-cnt 1 first hit [0xd26734b7, 0x0]

Re: Inbound and outbound traffic at the same interface

Farrukh Haroon — Tue, 25 Nov 2008 11:37:04 GMT

Make sure the source/destination IPs in your NONAT acl are correct.

Secondly please clear connections and xlates on the firewall:

clear local-host

clear xlate

Regards

Farrukh

Re: Inbound and outbound traffic at the same interface

elecorbalan — Tue, 25 Nov 2008 11:58:04 GMT

It is correct and I have don clear xlate and clear local-host ans no nat-control

But sill doesn't works

Re: Inbound and outbound traffic at the same interface

Farrukh Haroon — Tue, 25 Nov 2008 12:20:01 GMT

Ok then paste the output of the following command:

packet-tracer input inside tcp 10.0.0.114 1876 62.97.89.203 23 detailed

Regards

Farrukh

Re: Inbound and outbound traffic at the same interface

elecorbalan — Tue, 25 Nov 2008 12:24:14 GMT

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd5a654e0, priority=12, domain=capture, deny=false

hits=1080441, user_data=0xd4516260, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd566de58, priority=1, domain=permit, deny=false

hits=522895, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 62.97.89.192 255.255.255.192 inside

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 62.97.89.192 255.255.255.192 log warnings

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd58b39d0, priority=12, domain=permit, deny=false

hits=45, user_data=0xd5c89428, cs_id=0x0, flags=0x0, protocol=0

src ip=10.0.0.0, mask=255.255.255.0, port=0

dst ip=62.97.89.192, mask=255.255.255.192, port=0, dscp=0x0

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd5670928, priority=0, domain=permit-ip-option, deny=true

hits=10549, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Re: Inbound and outbound traffic at the same interface

elecorbalan — Tue, 25 Nov 2008 12:24:29 GMT

Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

match ip inside 10.0.0.0 255.255.255.0 inside 62.97.89.192 255.255.255.192

NAT exempt

translate_hits = 57, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd56ac6c8, priority=6, domain=nat-exempt, deny=false

hits=56, user_data=0xd5a93390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip=10.0.0.0, mask=255.255.255.0, port=0

dst ip=62.97.89.192, mask=255.255.255.192, port=0, dscp=0x0

Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 101 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd45d1b80, priority=1, domain=nat, deny=false

hits=257, user_data=0xd45d1ae0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 101 (62.97.74.50 [Interface PAT])

translate_hits = 853, untranslate_hits = 38

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd45d17c8, priority=1, domain=host, deny=false

hits=16941, user_data=0xd55170d0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 101 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd56ab510, priority=1, domain=nat-reverse, deny=false

hits=117, user_data=0xd45d1ae0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Inbound and outbound traffic at the same interface

Farrukh Haroon — Tue, 25 Nov 2008 12:29:25 GMT

Please add the global command I mentioned above.

global (inside) 101 interface

Regards

Farrukh

Re: Inbound and outbound traffic at the same interface

ajanowska1 — Wed, 10 Dec 2008 21:09:21 GMT

Did you worked out solution, I am working on similar scenario, my inbound traffic is on same interface but the subnets are not off the firewall they are routed through firewall so the gateway is same for both subnets.

Thanks

Re: Inbound and outbound traffic at the same interface

Alan Huseyin Kayahan — Wed, 10 Dec 2008 22:06:28 GMT

Hello Elena,

Please read my answer and description about your issue in following link.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc28b9a

Regards

Re: Inbound and outbound traffic at the same interface

Alan Huseyin Kayahan — Wed, 10 Dec 2008 22:10:16 GMT

RPF check drops because you have the following line

nat (inside) 101 0.0.0.0 0.0.0.0

Since you mention ANY!, the return traffic gets involved in nat statement. Change it as

no nat (inside) 101 0.0.0.0 0.0.0.0

nat (inside) 101 10.0.0.0 255.255.255.0

Re: Inbound and outbound traffic at the same interface

ajanowska1 — Wed, 10 Dec 2008 22:11:08 GMT

Thanks,

We actually don't use nat and have no nat controll so I think I found solution by "same-security traffic permit" command and reviewing the access list for that interface.

Anna

Re: Inbound and outbound traffic at the same interface

SOL10 — Fri, 12 Dec 2008 12:20:22 GMT

hi hussycisco

im having a similar issue where i get the error "Flow is a loopback" although i have applied same-security-traffic permit intra-interface command.

here are the no nat statements:

nat (inside) 0 access-list no-nat

access-list no-nat line 11 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat line 12 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

here is the static route:

S 192.168.1.0 255.255.255.0 [1/0] via 172.16.1.1, inside (172.16.1.1 is ip of the ISA servers outside interface)

please find attached the network diagram.

Regards

Re: Inbound and outbound traffic at the same interface

Alan Huseyin Kayahan — Fri, 12 Dec 2008 12:38:02 GMT

Hello Suleiman,

I am assuming you get this "flow is a loopback" error when you try to reach webserver from 192.168.1.97 or vice versa. This issue is the same with the one I described in above link. Thats why you shouldnt use exempt nat, assuming that your webserver's gateway is ASA. Please post your entire NAT and global statemens in firewall then let me advise accordingly.

But for security best practises, I highly recommend you to move webserver to another interface of ASA like DMZ, if you dont have a physical interface for achieving this, create a virtual sub-interface.

Regards