topic Re: ASA 5505 as internet gateway (needs reverse NAT) in Network Security

ASA 5505 as internet gateway (needs reverse NAT)

Nick Sinyakov — Fri, 21 Feb 2020 12:14:22 GMT

Hi all Cisco guru,

I have this scheme:

Office -> Cisco 877 -> Internet -> ASA 5505 -> remote network

Office network: 192.168.10.0/24

Cisco 877 internal IP: 192.168.10.200

Cisco 877 external IP: a.a.a.a

ASA 5505 external IP: b.b.b.b

ASA 5505 internal IP: 192.168.17.3 and 192.168.1.3

Remote network: 192.168.17.0/24 and 192.168.1.0/24

VPN tunnel is OK and up. I have access from Office to remote network, and access from remote network to office via tunnel.

But when I'm trying to get access in remote network (there are 2 vlans: Management and OLD-Private) to internet, ASA replies me:

305013 *.*.64.9 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 denied due to NAT reverse path failure

Ping from OLD-Private interface to google result:

110003 192.168.17.2 0 66.102.7.104 0 Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0

Traceroute result

How can I solve reverse NAT and make ASA as internet gateway?

There is my full config

!
ASA Version 8.2(2)
!
hostname ASA2
domain-name default.domain.invalid
enable password password encrypted
passwd password encrypted
names
!
interface Vlan1
description INTERNET
mac-address 1234.5678.0002
nameif WAN
security-level 100
ip address b.b.b.b 255.255.248.0
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0202
nameif OLD-Private
security-level 0
ip address 192.168.17.3 255.255.255.0
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0206
nameif Management
security-level 0
ip address 192.168.1.3 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
banner login                    ** W A R N I N G **
banner login   Unauthorized access prohibited. All access is
banner login monitored, and trespassers shall be prosecuted
banner login            to the fullest extent of the law.
banner motd                    ** W A R N I N G **
banner motd   Unauthorized access prohibited. All access is
banner motd monitored, and trespassers shall be prosecuted
banner motd            to the fullest extent of the law.
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server dns.dns.dns.dns
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit ip interface OLD-Private interface WAN log debugging inactive
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP host 192.168.10.7 any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-Private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-Private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list capin extended permit ip host 192.18.17.155 host 192.168.10.7
access-list capin extended permit ip host 192.168.10.7 host 192.168.17.155
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging debug-trace
logging class auth trap debugging
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit host 192.168.10.7 WAN
icmp permit host b.b.b.b WAN
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (WAN) 1 0.0.0.0 0.0.0.0

nat (WAN) 0 access-list inside_nat0_outbound
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config Management
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value dns.dns.dns.dns
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN_IP
username administrator password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool VPN_Admin_IP
default-group-policy admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
default-group-policy admin
tunnel-group a.a.a.a ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!

Thanks for your time and help

Re: ASA 5505 as internet gateway (needs reverse NAT)

PAUL GILBERT ARIAS — Fri, 04 Feb 2011 21:48:25 GMT

is there a particular reason why your internet interface has security level 100 and the private interface 0? It should be the other way around. That might be causing some issues.

With this setup if you want to pass traffic from OLD-Private (sec level 0) to the WAN (sec level 100) you will need a static translation and the proper ACLS allowing the traffic.

Please check that out.

Re: ASA 5505 as internet gateway (needs reverse NAT)

Nick Sinyakov — Sun, 06 Feb 2011 23:54:40 GMT

Hi Paul,

I've changed security-level on all interfaces, unfortunatelly it didn't help. What else should I check?

Thanks

Re: ASA 5505 as internet gateway (needs reverse NAT)

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 13:55:43 GMT

hi, can you paste again the packet tracer after changing the security levels?

Re: ASA 5505 as internet gateway (needs reverse NAT)

Nick Sinyakov — Mon, 07 Feb 2011 21:50:10 GMT

Hi Paul,

I've changed nat settings before security-level. There is my new nat settings and packet tracer results:

access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 any
nat (OLD-Private) 0 access-list WAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0

It looks ok in Packet Capture, but when I'm trying to ping 66.102.7.104 throw OLD-Private interface ASDM log show me

110003 192.168.17.2 0 66.102.7.104 0 Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0

What's wrong with my config?

Re: ASA 5505 as internet gateway (needs reverse NAT)

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 22:03:10 GMT

why are you using that type of NAT?

access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 any
nat (OLD-Private) 0 access-list WAN_nat0_outbound

You are basically telling the ASA not to NAT the traffic. This private IP range will not be routed on the Internet. Is this traffic meant to be sent to the Internet? If so, then that ALC should not be there.

If you want to NAT the traffic to a public IP on the outside of the ASA you will need to remove that line and let the NAT and GLOBAL work:

nat (OLD-Private) 1 0.0.0.0 0.0.0.0

global (WAN) 1 interface

Re: ASA 5505 as internet gateway (needs reverse NAT)

Nick Sinyakov — Mon, 07 Feb 2011 22:11:05 GMT

You are genius!

It's working. Just last easy question for you. When I've removed these strings, I lost reverse access from remote lan to my local lan. Before it I could ping 192.168.10.7 and RDP or smth. else, but not now.

Can you help with it?

Re: ASA 5505 as internet gateway (needs reverse NAT)

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 22:18:18 GMT

did you remove the command " nat (OLD-Private) 0 access-list WAN_nat0_outbound". You need that line for the VPN traffic to avoid NAT

Make sure you still have the commands:

crypto map WAN_map interface WAN
crypto isakmp enable WAN

Re: ASA 5505 as internet gateway (needs reverse NAT)

Nick Sinyakov — Mon, 07 Feb 2011 22:30:37 GMT

I've restore and reverse access backed also I have ASA as gateway.

nat (OLD-Private) 0 access-list WAN_nat0_outbound

and reverse access back also I have ASA as gateway!

There are all my nat settings:

access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (OLD-Private) 0 access-list WAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0

And I have these commands as well.

crypto map WAN_map interface WAN
crypto isakmp enable WAN

Thanks a lot! Great solution - great man!

Re: ASA 5505 as internet gateway (needs reverse NAT)

PAUL GILBERT ARIAS — Mon, 07 Feb 2011 22:33:37 GMT

you are welcome my friend.