topic Re: Local NAT on ASA 5505 in Network Security

Local NAT on ASA 5505

LSAEleander — Mon, 11 Mar 2019 14:15:16 GMT

Hello,

I'm quit new to these boards so I'll try to explain my problem as best as I can.

If something is missing or incorrect pls inform me so I can update.

I want to do a local NAT before a VPN IPSEC because my internal range is allready know at the customers site. I've set up the static NAT rules and access policy.

Here you have the config as it is on the ASA right now.

Local server IP: 10.0.74.5

Required NAT address: 192.168.222.1

Customer range: 10.10.10.0/24

VPN Config:

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 200.200.200.200

crypto map outside_map 2 set transform-set ESP-AES-256-SHA

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key "key"

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255 -> 1-on-1 NAT

I'm allowing this first before I start narrowing it down to only ftp!

access-list outside_access_in extended permit tcp any host 192.168.222.1

access-list outside_access_in extended permit ip any host 192.168.222.1

access-list outboundnat2 permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 access-list outboundnat2

nat (inside) 1 0.0.0.0 0.0.0.0

Any help would be grately appreciated!

Kind regards,

Eleander

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 10:20:28 GMT

Eleander

You can remove this line

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

because traffic will be from the Natted address ie. NAT happens before the crypto-map access-list check.

The remote peer needs to have a mirror image of this access-list so

access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 host 192.168.222.1

You could also remove the following

access-list outside_access_in extended permit tcp any host 192.168.222.1

as your next line permitting ip covers tcp. But then you say you will be looking to narrow that down.

The only other thing is you need to be aware that with a L2L VPN there are 2 ways in terms of acl's it can be setup

1) "sysopt connection permit-vpn" If you have this line in your config then traffic coming from the remote site down the tunnel is unencrypted and then it bypasses the acl attached to the outside interface ie. the acl on the outside interface does not have any effect on the traffic

2) If you don't have "sysopt connection permit-vpn" then the traffic will be then checked against the acl on the outside interface after being decrypted.

To see whether you are running sysopt connection permit-vpn run

"sh running-config sysopt"

I believe it is on y default.

Jon

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 10:32:03 GMT

Jon,

Thx for the quick reply.

Changed as you proposed but I can't find any sysopt connection entry.

Kind regards,

Eleander

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 10:37:08 GMT

Eleander

What is the output of running the command

sh running-config sysopt

if you want to turn off bypassing the acl then you will need to enter

asa(config)# no sysopt connection permit-vpn

but that is only if you want the traffic to be subject to your acl on the outside interface.

Jon

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 10:42:58 GMT

Jon,

No response, just a blank line.

Included the complete config in attachement!

Thx for the quick replies!

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 11:23:50 GMT

Okay no problem. I just checked the command references and this is on by default -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

So if you want to bypass the acl on the outside interface you don't need to do anything. If you want the incoming VPN traffic to be checked against the acl on the outside interface then you need to enter

asa(config)# no sysopt connection permit-vpn

Still bit of a mystery as to why it doesn't show the sysopt settings -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s6_72.html#wp1287358

Jon

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 11:31:54 GMT

Jon,

I've changed the config as you proposed and mailed the customer to try the connection again?

Did you by any chance had a look at the added config in my previous post? To see I didn't made any mistakes in the ACL's?

Kind regards,

Eleander

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 11:39:16 GMT

Eleander

You will need to add the following

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

FTP is a funny one. Do you know if it is passive ftp or not ?

If you have problems getting the FTP to work then you may need to adjust your acl. But first things first, need to see if the VPN tunnel comes up 🙂

Jon

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 12:19:42 GMT

Jon,

I addedd the information you requested and also the FTP into the access-list. (see attached word doc)

But now I'm having these problems.

"Rejecting IPSec Tunnel: no matching crypto map entry for remote proxy 10.10.10.87/255.255.255.255/0/0 local proxy 192.168.222.1/255.255.255.255/0/0 on interface outside"

Looking into them right now.

What ACL am I missing?

Really appreciate you spending this much time to find a solution!

Kind regards,

Eleander

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 12:20:43 GMT

And here's teh attachement! 🙂

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 12:33:07 GMT

Eleander

Is this coming up on the ASA we have been modifying the config on ?

Do you happen to have the config for both devices ie. the one we have been dealing with and the other one ?

Just as a quick test could you add this line to your crypto-map access-list and retry

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 host 10.10.10.87

It really should not make a difference but just in case.

Jon

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 12:46:30 GMT

Jon,

Added the ACL but nothing changes.

In the attachement you can find the latest config.

We only manage this one firewall, which is a pitty and moreso because the firewall on the other site isn't a Cisco. 😞

Before making your proposed change for the sysopt the L2L was working. SO it must be in the access lists!

Thx a lot.

Kind regards,

Eleander

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 14:09:13 GMT

Eleander

Can you remove the sysopt line and then let me know if it is working ie.

pix(config)# sysopt connection permit-vpn

Jon

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 14:13:28 GMT

Jon,

I also dug a little further and the site-to-site seems to be comming active.

There was a problem within the traffix selection for the L2L.

Thx a lot for the support on the access-list!

Just having this problem right now:

6 Nov 19 2008 16:58:29 302013 10.10.10.87 10.0.74.5 Built inbound TCP connection 5460 for outside:10.10.10.87/37590 (10.10.10.87/37590) to inside:10.0.74.5/21 (192.168.222.1/21)

6 Nov 19 2008 16:58:59 302014 10.10.10.87 10.0.74.5 Teardown TCP connection 5460 for outside:10.10.10.87/37590 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout

So connection goes through but time's out!

think changing/adding the ftp instead of the ftp-data will resolve my issue!

Thx a lot!!!

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 14:17:36 GMT

Eleander

Do you think you have it working now or at least know what to do ?

I'm dying to get out on my mountain bike but happy to hang around if you need further help.

Jon

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 14:22:06 GMT

Jon,

I've made several changes, but the customer also has a ISDN router, on that router I just added the needed entries. (completely forgot about that one)

Get out on your MTB and go out there.

I thank you a lot for your help allready and really appreciate it.

If I can't solve it I'll repost in here.

Tomorrow is another day.

btw I'm situated in Belgium so on the GMT+1 time.

Have fun and hopefully i'll see you around.

Thx again!

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 14:28:28 GMT

"Have fun and hopefully i'll see you around"

Will do. I'm in UK so it's dark by about 4:00 (2:30 at the moment) so i'll check later or tomorrow morning.

Jon

Re: Local NAT on ASA 5505

LSAEleander — Wed, 19 Nov 2008 15:30:05 GMT

Jon,

I've tested with inspect ftp (enabled or disable) -> no reslut!

I can see that L2L is active within the ASDM logging. (there are only 2 L2L configs on this ASA and they semm both active)

FTP from one site works well. (but the data is exempted)

When checking the log I see SYN Timeouts for this connection.

Added the 10.10.10.0 network within my Cisco 800 router to pass by the firewall (10.0.74.252) to be sure.

I'm quit in the dark here. I'm overseeing something or I'm misunderstanding somthing.

The sysopt is still active though.

Just let me know when you're back so we look any further!

Thx

Re: Local NAT on ASA 5505

Jon Marshall — Wed, 19 Nov 2008 17:02:44 GMT

Okay. Quick test to see if it is the outside acl that is the problem. Can reenable sysopt connection permit-vpn ie.

asa(config)# sysopt connection permit-vpn

and then retest and let me know. If it works at least we can concentrate on the acl.

Jon

Re: Local NAT on ASA 5505

LSAEleander — Thu, 20 Nov 2008 08:07:41 GMT

Good mornig Jon,

Hope you had a nice ride yesterday.

I've changed the sysopt again and awaiting confirmation from the other side.

In attachement the current running & working config for our customer.

I've exempted trafic from one site and everything works well for them, but to the other site (due to sec reasons) I an only allow ftp! (STill not working)

Getting SYN timeouts within the log but I see the translation is made! Really don't get it.

Kind regards,

Eleander