01-26-2013 01:12 AM - edited 03-11-2019 05:52 PM
Hi guys.
I was wondering if anyone has any experience with the new 5512x firewalls and NAT egress interfaces.
In the past I know it was possible using destination NAT to push traffic out of a specific interface; the example being where you have 2 ISP connections.
However, following many different examples and logic I cannot get this to work on this version.
Using packet tracer the Firewall is consistently performing route-lookup first in spite of a matching NAT statement with destination interface chosen.
Does anyone have any ideas?
Many thanks.
01-26-2013 02:14 AM
Hi Mike,
Normally egress interface is determined by NAT rule.
Route-lookup is performed when that is not possible (no interface specified in the nat command).
For identity NAT that behavior has changed in 8.4.2.
Before 8.4.2 it was always using route-lookup; starting from 8.4.2 it's not, and you need to add "route-lookup" to get that functionality. "Route-lookup" is available for identity NAT only when you specify both ingress and egress interfaces.
There were no big changes regarding NAT when moving from 8.4.2 to 8.6.
---
Michal
01-26-2013 05:09 AM
Thanks Michal.
I've read the notes for 8.4.2+ and it all sounds correct.
I can see that it is definitely performing route-lookup first though, whatever I do, and it is clearly ignoring the NAT statements.
Have you configured this yourself?
Mike
01-26-2013 05:26 AM
Mike, it depends on your rules. Can you show me:
1. your nat rules
2. packet-tracer results
I have configured rules (especially when using 2 ISP) when the first step was UN-NAT.
Example from my lab (version 8.4.2); I expect the same results on 8.6.
10.0.3.2 - R3_REAL on inside
10.0.3.100 - ASA-TO-R3-NATTED (address used as destination for packet tracer)
10.0.1.2 - R1_REAL on outside
ASA# packet-tracer input inside icmp 10.0.3.2 8 0 10.0.3.100 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static R1_REAL ASA-TO-R3-NATTED destination static R3_REAL R3_REAL
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.3.100/0 to 10.0.1.2/0
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd996e7b0, priority=0, domain=inspect-ip-options, deny=true
hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd996e388, priority=66, domain=inspect-icmp-error, deny=false
hits=3, user_data=0xd996d9a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any ASA-TO-R1-NATTED destination static R1_REAL R1_REAL
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd99909c0, priority=6, domain=nat, deny=false
hits=3, user_data=0xd998fe90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.0.1.2, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static R1_REAL ASA-TO-R3-NATTED destination static R3_REAL R3_REAL
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd9994190, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0xd9993760, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.3.2, mask=255.255.255.255, port=0
dst ip/id=10.0.1.2, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
---
Michal
01-26-2013 05:56 AM
Thanks again for the reply.
I've stripped it down completely and now only have 3 NAT rules.
I've tried manual NAT for SERVER1 to force it out of adsl3 and object NAT on SERVER2 to force it out of adsl5.
The packet tracer below was using SERVER1 (10.103.1.16, for reference) connecting to 8.8.8.8 on HTTP.
It always drops to the adsl4 NAT rule after performing a route-lookup.
---------------------NAT------------------------
nat (Office,VDSL3) source static SERVER1 interface
!
object network SERVER2
nat (Office,VDSL5) static interface no-proxy-arp
!
nat (Office,VDSL4) after-auto source dynamic Office_net interface
----------------------TRACE------------------
packet-tracer input office tcp 10.103.1.16 33111 8.8.8.8$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 128.0.0.0 VDSL4
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Office_access_in in interface Office
access-list Office_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_2 any log warnings
access-list Office_access_in
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_2
network-object object SERVERS
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa3af88b0, priority=13, domain=permit, deny=false
hits=138, user_data=0x7fff9ecc7840, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.103.1.16, mask=255.255.255.252, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=Office, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2c473f0, priority=0, domain=inspect-ip-options, deny=true
hits=484019, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Office, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect http
service-policy global-policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa3afcc80, priority=70, domain=inspect-http, deny=false
hits=39746, user_data=0x7fffa365b4c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=Office, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Office,VDSL4) after-auto source dynamic Office_net interface
Additional Information:
Dynamic translate 10.103.1.16/33111 to 192.168.4.1/61816
Forward Flow based lookup yields rule:
in id=0x7fffa41076f0, priority=6, domain=nat, deny=false
hits=28600, user_data=0x7fffa4a905e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.103.1.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Office, output_ifc=VDSL4
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa2b5bb50, priority=0, domain=inspect-ip-options, deny=true
hits=135327, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=VDSL4, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 628321, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Office
input-status: up
input-line-status: up
output-interface: VDSL4
output-status: up
output-line-status: up
Action: allow
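To compare a trace like the one above (ROUTE-LOOKUP as phase 1) with the UN-NAT-first traces posted earlier in the thread, here is a small parser for the packet-tracer output format. It is an added example, not code from the thread or from Cisco: it reads the Phase / Type / Subtype / Result / Config / Additional Information layout shown in the posts and reports whether the egress interface was fixed by a "NAT divert" in phase 1 or left to the route lookup, plus which NAT rule ended up translating the source. The two traces embedded in it are constructed and abridged to the phases that matter, not real captures.

```python
"""Parse Cisco ASA packet-tracer output and report how the egress interface was
chosen.  Added example for this thread, not Cisco code.  The two traces below are
constructed and abridged, copying the shape of the output quoted in the thread."""
import re

HEADERS = {"Type", "Subtype", "Result"}

def parse_trace(text):
    """Return one dict per phase: type/subtype/result plus Config and Info lines."""
    phases, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":          # bare 'Result:' opens the trailing summary
            cur = None
            continue
        if not line or cur is None:    # blank lines, command echo, summary block
            continue
        key, sep, val = line.partition(":")
        if sep and key in HEADERS:
            cur[key.lower()] = val.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is not None:
            cur[section].append(line)
    return phases

def egress_decision(text):
    """'nat-divert' when phase 1 is an UN-NAT reporting 'NAT divert to egress
    interface X'; 'route-lookup' when phase 1 is a ROUTE-LOOKUP; else 'unknown'."""
    phases = parse_trace(text)
    first = phases[0]
    egress = re.search(r"output-interface:\s*(\S+)", text)
    verdict = {"first_phase": first["type"], "mechanism": "unknown",
               "egress": egress.group(1) if egress else None,
               "divert_rule": None, "translate_rule": None}
    divert = any("NAT divert to egress interface" in l for l in first["info"])
    if first["type"] == "UN-NAT" and divert:
        verdict["mechanism"] = "nat-divert"
        verdict["divert_rule"] = first["config"][0] if first["config"] else None
    elif first["type"] == "ROUTE-LOOKUP":
        verdict["mechanism"] = "route-lookup"
    # the rule that translated the source is the Type: NAT phase with an empty Subtype
    translators = [p["config"][0] for p in phases
                   if p["type"] == "NAT" and p["subtype"] == "" and p["config"]]
    verdict["translate_rule"] = translators[0] if translators else None
    return verdict

# Constructed trace 1 (the thread's symptom): route lookup runs first, so the
# after-auto catch-all rule on the default-route interface is the one applied.
ROUTE_FIRST = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 128.0.0.0 VDSL4
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Office,VDSL4) after-auto source dynamic Office_net interface
Additional Information:
Dynamic translate 10.103.1.16/33111 to 192.168.4.1/61816
Result:
input-interface: Office
output-interface: VDSL4
Action: allow
"""

# Constructed trace 2 (the working case): a rule carrying a service clause is
# matched as an UN-NAT in phase 1 and pins the egress interface before routing.
DIVERT_FIRST = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
Additional Information:
NAT divert to egress interface WAN-SEC
Untranslate 1.2.3.4/25 to 1.2.3.4/25
Result:
input-interface: LAN
output-interface: WAN-SEC
Action: allow
"""
```

Feeding a full trace from the thread to egress_decision gives the same two fields worth checking first when a NAT rule seems ignored: if "first_phase" is ROUTE-LOOKUP, no rule was matched on the destination before routing, and "translate_rule" shows which rule the route-selected interface pair then picked up.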
01-26-2013 06:01 AM
Hi,
So I did a very simple test on my home ASA 5505 running 9.1(1) (Base License)
Here's my basic configuration.
Some notes
INTERFACES
interface Vlan1
description LAN
nameif LAN
security-level 100
ip address 10.0.10.2 255.255.255.0
!
interface Vlan10
description WAN
nameif WAN
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan20
no forward interface Vlan1
nameif WAN-SEC
security-level 50
ip address 10.10.234.1 255.255.255.0
ROUTES
route WAN 0.0.0.0 0.0.0.0 y.y.y.y 1
route WAN-SEC 0.0.0.0 0.0.0.0 10.10.234.2 2
NAT OBJECTS
object service WWW
service tcp destination eq www
object service SMTP
service tcp destination eq smtp
NAT CONFIGURATIONS
nat (LAN,WAN) source dynamic any interface service WWW WWW
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
!
!
nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface
PACKET-TRACER OUTPUT
WWW-TRAFFIC
ASA(config)# packet-tracer input LAN tcp 10.0.0.100 1025 1.2.3.4 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic any interface service WWW WWW
Additional Information:
NAT divert to egress interface WAN
Untranslate 1.2.3.4/80 to 1.2.3.4/80
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic any interface service WWW WWW
Additional Information:
Dynamic translate 10.0.0.100/1025 to x.x.x.x/1025
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic any interface service WWW WWW
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 112793, packet dispatched to next module
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
SMTP TRAFFIC
ASA# packet-tracer input LAN tcp 10.0.0.100 1025 1.2.3.4 25
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
Additional Information:
NAT divert to egress interface WAN-SEC
Untranslate 1.2.3.4/25 to 1.2.3.4/25
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
Additional Information:
Dynamic translate 10.0.0.100/1025 to 10.10.234.1/1025
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP
Additional Information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 112797, packet dispatched to next module
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN-SEC
output-status: up
output-line-status: up
Action: allow
This was the only setup where I could get the "packet-tracer" output to show what it's "supposed" to show when the traffic would leave through a different WAN interface.
Hopefully you can get something out of this. I won't be able to lab this properly unless I use equipment and WAN connections at my work, but that won't happen until maybe after a week or so.
Let me know if you have already tried this and it doesn't work. And also, if you haven't yet tried it, let me know whether it helped at all.
- Jouni
01-26-2013 11:00 AM
Mike, add destination or service to this rule:
nat (Office,VDSL3) source static SERVER1 interface
---
Michal
01-26-2013 02:48 PM
Hi Michal.
The destination needs to be any as I want to statically source 1 server out of a particular ISP.
The service I could set but will this make a difference? Should any service not work for all services?
Mike
01-27-2013 08:55 AM
Sorry, direction needs to be opposite. For
nat (Office,VDSL3) source static SERVER1 interface
If right now you try to access from VDSL3, from any IP, to the interface of VDSL3, you will see UN-NAT to SERVER1, which will determine the egress interface as Office.
If you want to see that with your rule, change it to:
nat (VDSL3,Office) source static any any destination static interface SERVER1
Then your packet-tracer command will do UN-NAT for traffic going from SERVER1 (un-NAT to the interface address, with egress interface VDSL3).
---
Michal
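As an added example (not code from the thread or from Cisco), here is a small linter that applies the rule of thumb the thread arrives at: a manual NAT rule with no destination and no service clause does not produce the UN-NAT divert, so the route lookup decides the egress interface, and the fix used in the accepted answer is to write the rule in the opposite direction with the host in the destination clause. The regex covers the manual NAT syntax as it appears in this thread (object NAT under "object network" is deliberately skipped), the classification is an inference from the traces posted here rather than documented ASA behaviour, and the sample config is constructed from the three rules Mike posted.

```python
"""Lint Cisco ASA manual (twice) NAT rules for egress steering.  Added example
for this thread, not Cisco code.  The rule of thumb is the one the thread
arrives at empirically: a manual NAT rule with no destination and no service
clause is not consulted before the route lookup, so it cannot pull traffic out
of a non-default interface, while a rule carrying a destination or service
clause produces the UN-NAT 'NAT divert' phase.  That is an observation from
the traces in this thread, not a description of ASA internals."""
import re

NAT_RE = re.compile(
    r"^nat\s+\((?P<ingress>[^,\s]+)\s*,\s*(?P<egress>[^)\s]+)\)\s+"
    r"(?:(?P<after>after-auto)\s+)?"
    r"source\s+(?P<mode>static|dynamic)\s+(?P<real>\S+)\s+(?P<mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dmapped>\S+)\s+(?P<dreal>\S+))?"
    r"(?:\s+service\s+(?P<sreal>\S+)\s+(?P<smapped>\S+))?"
    r"(?P<opts>(?:\s+\S+)*)\s*$"
)

def parse_rule(line):
    """Dict for a manual NAT line; None for object NAT, comments, blank lines."""
    m = NAT_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["after_auto"] = rule.pop("after") is not None
    rule["opts"] = rule["opts"].split()
    rule["steers_egress"] = rule["dmapped"] is not None or rule["sreal"] is not None
    return rule

def reverse_rule(rule):
    """Rewrite a source-only static rule the way the accepted answer did: swap
    the interface pair and move the host into the destination clause, so the
    host's outbound traffic matches the rule's reverse side as an UN-NAT."""
    if rule["mode"] != "static" or rule["steers_egress"]:
        return None
    return (f"nat ({rule['egress']},{rule['ingress']}) source static any any "
            f"destination static {rule['mapped']} {rule['real']}")

def lint(config_text):
    """One finding per manual NAT rule: the rule, a status and a suggestion."""
    findings = []
    for line in config_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["steers_egress"]:
            status = f"ok: destination/service clause, expect UN-NAT divert to {rule['egress']}"
        elif rule["after_auto"]:
            status = "catch-all after-auto rule: egress follows the route lookup"
        else:
            status = f"source-only rule: route lookup decides egress, not {rule['egress']}"
        findings.append({"rule": line.strip(), "status": status,
                         "steers_egress": rule["steers_egress"],
                         "suggestion": reverse_rule(rule)})
    return findings

# Constructed from the three rules the original poster showed; the object NAT
# lines are skipped by design because the thread only traced the manual rule.
OFFICE_NAT = """\
nat (Office,VDSL3) source static SERVER1 interface
!
object network SERVER2
 nat (Office,VDSL5) static interface no-proxy-arp
!
nat (Office,VDSL4) after-auto source dynamic Office_net interface
"""
```

Running lint over a "show running-config nat" dump flags every source-only manual rule whose interface pair differs from the default-route interface; those are exactly the rules whose packet-tracer will open with ROUTE-LOOKUP instead of UN-NAT.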
01-27-2013 02:22 PM
Perfect, that did it!
Though I'm not 100% sure why.
I had thought that the original and reverse direction of the nat (office,vdsl3) should, in bidirectional mode, account for both incoming and outgoing, but clearly not.
Anyway, with nat (vdsl3,office) the NAT works in both directions. The port is diverted inbound, and outbound the egress interface is altered as expected.
Thanks for your time testing this. Much appreciated!
Mike