topic You are doing the packet in Network Security

Cisco ASA NAT

emckenzie1 — Fri, 21 Feb 2020 13:51:05 GMT

I have a cisco ASA 5512 my scenario is the following:

I have a Cisco ASA on a datacenter. My provider gives me a public /29 routed through a private ip. I want to be able to access my cisco asa using ssh or asdm using the public ip assigned. I know i can't use a secondary ip, so a nat is the way to go. I have http and ssh enabled. At the moment i'm not able to do it. Currently i have the following configuration:

interface GigabitEthernet0/0

channel-group 1 mode on

no nameif

no security-level

no ip address

interface GigabitEthernet0/1

channel-group 1 mode on

no nameif

no security-level

no ip address

interface Port-channel1

no nameif

no security-level

no ip address

interface Port-channel1.1124

vlan 1124

nameif Untrust

security-level 0

ip address 172.20.0.196 255.255.255.248

object network PUBLIC-IP

host x.x.x.x

object network PUBLIC-IP

nat (Untrust,Untrust) static interface

object-group service DM_INLINE_SERVICE
service-object ip
service-object icmp
service-object tcp-udp destination eq domain

access-list public-access extended permit object-group DM_INLINE_SERVICE any object PUBLIC-IP

route Untrust 0.0.0.0 0.0.0.0 172.20.0.193 1

Hi

Francesco Molino — Sat, 18 Jun 2016 00:32:20 GMT

I'm sorry I've not understood your requirement.

You want to access your ASA from the internet to its outside interface?

If Yes, let's assume you don't have any specific host to filter from internet and everyone can access.

I assume that aaa commands have been setup.

Below the configuration for ssh and http:

ssh 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 outside

PS: Please don't forget to rate and mark as correct answer if this solved your issue

That part is already in my

emckenzie1 — Sat, 18 Jun 2016 02:21:53 GMT

That part is already in my config. I forgot to add it. But still dont work.

To answer you question, thats correct i want to access the device using the Outside interface (Untrust). Like i mentioned, the interface has a private ip assigned, but my provider is routing a public ip trought that private address. I want to be able to assigned one of those public address to access the device. I already tried with a nat, as shown in my config, but without luck.

Just before troubleshooting

Francesco Molino — Sat, 18 Jun 2016 02:34:38 GMT

Just before troubleshooting your config, could you share asa logging and/or packet capture output when you are trying to ssh from outside?

I would like to see if packets are coming into asa or not.

I don't see any log.

emckenzie1 — Mon, 20 Jun 2016 14:03:36 GMT

I don't see any log. I ran a packet trace with the following result

ciscoasa# packet-tracer input Untrust tcp x.x.x.x 443 172.20.0.193 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.0.192 255.255.255.248 Untrust

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network PUBLIC-IP
nat (Untrust,Untrust) static interface
Additional Information:
Static translate x.x.x.x/443 to 172.20.0.196/443

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,Untrust) dynamic x.x.x.x
Additional Information:

Result:
input-interface: Untrust
input-status: up
input-line-status: up
output-interface: Untrust
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

You are doing the packet

Francesco Molino — Mon, 20 Jun 2016 15:44:26 GMT

You are doing the packet-tracer with an IP ending by 193 while on your config is ending bh 196, is it a typo error or I missed something?

I was talking about capture and/or logging capabilities to see if you try a ssh from outside, if the packet arrives to ASA or not. And how it's handling that connection.

Thanks

you were right about the ip,

emckenzie1 — Mon, 20 Jun 2016 15:59:33 GMT

you were right about the ip, i didn't notice. But even more weird now, the packet tracer finish without problem. About the logs, i dont see any log. I have an extended ping from my pc, but i don't see anything on the ASDM log.

Are you sure your isp is

Francesco Molino — Mon, 20 Jun 2016 16:44:43 GMT

Are you sure your isp is forwarding traffic to your asa?

You're trying a ping. Do you have a reply back of your ping?

Thanks

If i point to another IP on

emckenzie1 — Mon, 20 Jun 2016 18:33:31 GMT

If i point to another IP on the same public network i see the denied packets, but if i point to the correct public ip i don't see anything on the logs.

If has to be access-list. Look what happened if i do it the other way around. From inside to the outside

ciscoasa# packet-tracer input UNtrust tcp 10.213.29.129 443 98.139.183.24 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Untrust

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,Untrust) dynamic 186.x.x.x
Additional Information:
Dynamic translate 10.213.29.129/443 to 186.x.x.x/443

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,Untrust) dynamic 186.x.x.x
Additional Information:

Result:
input-interface: Untrust
input-status: up
input-line-status: up
output-interface: Untrust
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

If you are using the right IP

Francesco Molino — Mon, 20 Jun 2016 20:07:18 GMT

If you are using the right IP and nothing come on ASA that means that nothing is forwarded by your ISP (You must see something even if it's deny or permit on ASA logging on CLI and/or ASDM). You have activated the debugging mode on ASA ASDM monitor logging?

Could you check that before ?

Why not using another public IP that your ISP is forwarding to your ASA (The ones you see as denied on ASA).

Thanks

Same, if i change the ip to

emckenzie1 — Mon, 20 Jun 2016 20:14:21 GMT

Same, if i change the ip to the one i was seeing denies, i stop seeing anything.

Ok I maybe missed a part.

Francesco Molino — Mon, 20 Jun 2016 20:35:37 GMT

Ok I maybe missed a part.

From outside, if you try a ssh connection, icmp or whatever, does you icmp get echo-reply or timeout?

And do you see traffic (denied or permitted) on asa. Put your monitor as debugging on asdm to see everything.

If not, you may ask your isp to verify if he's forwarding all traffic back to your outside asa interface.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

C:\Users\emckenzie>ping 186.x

emckenzie1 — Mon, 20 Jun 2016 21:01:29 GMT

C:\Users\emckenzie>ping 186.x.x.x -t

Pinging 186.x.x.x with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

That's what i get when i try to access the interface from the outside.

What I try to meant is that, let suppose the ip on the nat is 186.x.x.1. If i try to ping that ip i don't see anything on the asa logs, but if i try to ping 186.x.x.2 i see deny packets. If i then change the nat to 186.x.x.2, i stop seeing the deny packets, but still cannot access the device. I get either way in my computer "Request timed out"

I don't know if that answer your question.

Sorry for my late answer.

Francesco Molino — Tue, 21 Jun 2016 04:05:09 GMT

Sorry for my late answer.

First of all, with the nat you've done (1st post), you will have asymmetric NAT issue.

You're not seeing any traffic coming from internet to Public IP you have.

I'm not sure that what you want to achieve will work, I mean ssh the ASA interface by doing a NAT. I've never tried in that way. I can't lab it right now, I'm sorry

When your IP are forwarded to your ASA, to reach ASA (icmp) from internet, I would do the following NAT:

nat (untrust,any) source static any any destination static PUBLIC-IP ASA-OUTSIDE-INTERFACE

The best way to achieve what you want to do and the simplest way as well, would be to ask your ISP to do port-forwarding on their router.

If you manipulate a bit all NAT to try what you want, you can face spoofing issue.