ASA 8.4 NAT HELP on DMZ

SOL10
Level 1

Hi guys,

It's been a while since I've worked on an ASA, and never on 8.4.

I've set up the ASA so I can access (from my office) some devices behind the inside interface (at the DC). This works fine, so NAT is working and the ACLs are OK as well. The problem I'm having is trying to access a server over SSH from the same office, but behind the DMZ interface. I really am finding it hard with these NAT statements. My config is below and any help would be appreciated.

ASA Version 8.4(3)
!
hostname FW
domain-name xx.local
names
!
interface Ethernet0/0
switchport access vlan 200
!
interface Ethernet0/1
switchport access vlan 100
!
interface Ethernet0/2
description OOBSW:F0/7
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif OOBDMZ
security-level 50
ip address 172.17.2.125 255.255.255.128
!
interface Vlan100
description INSIDE INT
nameif inside
security-level 100
ip address 172.18.1.253 255.255.255.0
!
interface Vlan200
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.x
!
ftp mode passive
clock timezone GMT 1
dns server-group DefaultDNS
domain-name xx.local
object network OOBTS1
host 172.18.1.250
object network OOBTS2
host 172.18.1.251
object network OFFICE
host x.x.x.141
object network MNGMNTSRVR
host 172.17.2.73
object network MNGMNTSRVRPUBLIC
host x.x.x.x.x
object-group network SUPPLIERSIP
description SUPP IP's
network-object host 3.3.3.3
network-object host 2.2.2.2
network-object host 1.1.1.1
access-list outside_in extended permit tcp object OFFICE host 172.18.1.250 eq 2001
access-list outside_in extended permit tcp object OFFICE host 172.18.1.250 eq telnet
access-list outside_in extended permit tcp host x.x.x.x host 172.17.2.73 eq ssh
access-list outside_in extended deny ip any any
access-list dmz_in extended permit ip object MNGMNTSRVR object OFFICE
pager lines 24
logging enable
logging timestamp
logging buffer-size 91218
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu OOBDMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (OOBDMZ,outside) source dynamic MNGMNTSRVR MNGMNTSRVRPUBLIC destination static OFFICE OFFICE
!
object network OOBTS1
nat (inside,outside) static x.x.x.60
object network OOBTS2
nat (inside,outside) static x.x.x.61
object network MNGMNTSRVR
nat (OOBDMZ,outside) static x.x.x.56
access-group outside_in in interface outside
access-group dmz_in in interface OOBDMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh OFFICE 255.255.255.255 outside
ssh 172.18.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
password encryption aes
Cryptochecksum:7434b79b1af3df10cd9b3bfaa22ae40d
: end
FW#

Thanks,

Sol

9 Replies

Julio Carvajal
VIP Alumni

Hello,

I would say this is the NAT in play:

object network MNGMNTSRVR
nat (OOBDMZ,outside) static x.x.x.56

object network MNGMNTSRVR
host 172.17.2.73

That host IP address is not on the OOBDMZ subnet, as the DMZ is on the 172.18.1.0/24 subnet.

Also remember to add the ACL to allow the traffic to the right server.

Any other question, let me know. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thanks for the reply, but I'm lost.

You say "That host ip address is not on the OOBDMZ subnet as the DMZ is on the 172.18.1.0/24 subnet." But as far as I can see the DMZ interface is Vlan1 and the IP is 172.17.2.125/25.

Would you mind elaborating on your point?

Much appreciated.

Regards

Sol

Hello,

Got confused (too much work).

interface Vlan1
nameif OOBDMZ
security-level 50
ip address 172.17.2.125 255.255.255.128

NAT that involves that interface:

object network MNGMNTSRVR
nat (OOBDMZ,outside) static x.x.x.56

object network MNGMNTSRVR
host 172.17.2.73

Do the following:

packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.56 21

Any other question, let me know. Just remember to rate all of my answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

In my ACL the following line:

access-list outside_in extended permit tcp host x.x.x.x host 172.17.2.73 eq ssh

where x.x.x.x is the IP of my office. Should this not allow me to connect on port 22 to the remote host?

I appreciate your time and help on this.

The ACL is okay.

Run the packet tracer and let me know the output.

packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.56 22

Rate all the answers that help; for the community that is as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I can see this in the log, which is baffling:

Inbound TCP connection denied from officeIP/35040 to x.x.x.56/22 flags SYN  on interface outside

although the ACL is OK. I also added the following line in the ACL just to make sure, but I can't see the hit counter increase:

access-list outside_in line 10 extended permit tcp host officeip  host x.x.x.56 eq ssh (hitcnt=0)

Ran packet tracer as follows:

packet-tracer input outside tcp officeip 1025 x.x.x.56 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   x.x.156.0    255.255.255.192 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hello,

Add the following:

access-list outside_in extended permit tcp any host 172.17.2.73 eq ssh

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

That entry is already there:

access-list outside_in extended permit tcp host officeip host 172.17.2.73 eq ssh

Do I really need this statement:

nat (OOBDMZ,outside) source dynamic MNGMNTSRVR MNGMNTSRVRPUBLIC destination static OFFICE OFFICE

Thanks

Hello Sol,

I would not think you need that.

Please remove it:

no nat (OOBDMZ,outside) source dynamic MNGMNTSRVR MNGMNTSRVRPUBLIC destination static OFFICE OFFICE

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
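Two points in this thread are worth checking mechanically rather than by eye: the extra ACL line Sol added for the mapped address x.x.x.56 stays at hitcnt=0 because ASA 8.3 and later evaluate interface ACLs against the real (untranslated) address, and the manual `nat ... source dynamic ... destination static` line Julio asked to remove sits in NAT section 1, ahead of the object NAT rules in section 2. The script below is an added example for this thread, not Cisco tooling or code from either poster. It parses a constructed snippet modelled on Sol's config (x.x.x.* placeholders kept; the public address for MNGMNTSRVRPUBLIC is an assumed x.x.x.57), flags ACL entries whose destination is a static object-NAT mapped address, and prints the NAT rules in the order the ASA will evaluate them. It understands only host objects and the statement forms seen in the thread.

```python
"""Hypothetical lint for Cisco ASA 8.3+ NAT/ACL snippets (written for this thread,
not a Cisco tool). It checks two things raised above:
  1. ACL entries naming a NAT *mapped* address: since 8.3 the ASA evaluates
     interface ACLs against the real (untranslated) address, so such entries
     never match and their hit counter stays at 0.
  2. The order the NAT table is evaluated in: section 1 (manual/twice NAT, in
     config order) ahead of section 2 (object NAT, static before dynamic).
Only "host" objects and the statement forms seen in the thread are parsed."""
import re

# Constructed sample modelled on the thread's config; x.x.x.* are placeholders
# and x.x.x.57 for MNGMNTSRVRPUBLIC is an assumed value.
SAMPLE_CONFIG = """
object network MNGMNTSRVR
 host 172.17.2.73
object network MNGMNTSRVRPUBLIC
 host x.x.x.57
object network OFFICE
 host x.x.x.141
object network OOBTS1
 host 172.18.1.250
access-list outside_in extended permit tcp object OFFICE host 172.18.1.250 eq telnet
access-list outside_in extended permit tcp host x.x.x.141 host 172.17.2.73 eq ssh
access-list outside_in extended permit tcp host x.x.x.141 host x.x.x.56 eq ssh
access-list outside_in extended deny ip any any
nat (OOBDMZ,outside) source dynamic MNGMNTSRVR MNGMNTSRVRPUBLIC destination static OFFICE OFFICE
object network OOBTS1
 nat (inside,outside) static x.x.x.60
object network MNGMNTSRVR
 nat (OOBDMZ,outside) static x.x.x.56
"""

OBJ_RE = re.compile(r"object network (\S+)$")
HOST_RE = re.compile(r"host (\S+)$")
OBJ_NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)$")
MANUAL_NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+)$")


def _take_addr(tokens, objects):
    """Consume one ACL address spec: any | host A | object NAME | NET MASK."""
    kw = tokens.pop(0)
    if kw == "any":
        return "any"
    if kw == "host":
        return tokens.pop(0)
    if kw == "object":
        name = tokens.pop(0)
        return objects.get(name, name)       # resolve a host object to its address
    return f"{kw}/{tokens.pop(0)}"           # network + mask form


def parse_config(text):
    """Return objects (name -> host), NAT rules (with section) and ACL entries."""
    objects, nat_rules, acls = {}, [], []
    current = None                            # object whose sub-commands we are in
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OBJ_RE.match(line):
            current = m.group(1)
            objects.setdefault(current, None)  # keep the host from the first definition
        elif (m := HOST_RE.match(line)) and current:
            objects[current] = m.group(1)
        elif (m := OBJ_NAT_RE.match(line)) and current:
            nat_rules.append({"section": 2, "type": m.group(3), "object": current,
                              "ifaces": (m.group(1), m.group(2)),
                              "real": objects[current], "mapped": m.group(4)})
        elif m := MANUAL_NAT_RE.match(line):
            current = None
            nat_rules.append({"section": 1, "type": m.group(3), "object": m.group(4),
                              "ifaces": (m.group(1), m.group(2)),
                              "real": objects.get(m.group(4)),
                              "mapped": objects.get(m.group(5))})
        elif m := ACL_RE.match(line):
            current = None
            rest = m.group(4).split()
            src = _take_addr(rest, objects)
            dst = _take_addr(rest, objects)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            acls.append({"name": m.group(1), "action": m.group(2), "proto": m.group(3),
                         "src": src, "dst": dst, "port": port})
    return {"objects": objects, "nat": nat_rules, "acl": acls}


def acl_mapped_address_findings(cfg):
    """ACL entries whose destination is a static object-NAT *mapped* address.
    Returns (acl name, mapped address used, real address the ACL should use)."""
    mapped = {r["mapped"]: r["real"] for r in cfg["nat"]
              if r["section"] == 2 and r["type"] == "static"}
    return [(e["name"], e["dst"], mapped[e["dst"]])
            for e in cfg["acl"] if e["dst"] in mapped]


def nat_evaluation_order(cfg):
    """Rule summaries in 8.3+ lookup order: section 1 in config order, then
    section 2 static rules, then section 2 dynamic rules. Simplified tie-break:
    with single-host objects the documented ordering ends in object name."""
    sec1 = [r for r in cfg["nat"] if r["section"] == 1]
    sec2 = sorted((r for r in cfg["nat"] if r["section"] == 2),
                  key=lambda r: (r["type"] != "static", r["object"]))
    return [f"section {r['section']} {r['type']} ({r['ifaces'][0]},{r['ifaces'][1]}) "
            f"{r['object']} real={r['real']} mapped={r['mapped']}" for r in sec1 + sec2]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name, used, real in acl_mapped_address_findings(cfg):
        print(f"{name}: destination {used} is a mapped address; use real address {real}")
    print("\n".join(nat_evaluation_order(cfg)))
```

Run against the sample, the lint reports the x.x.x.56 entry (the one that showed hitcnt=0 above) and lists the manual dynamic rule first, followed by the two static object NAT rules; dropping the manual line, as Julio advised, leaves only section 2 rules. The same parser can be pointed at a pasted `show running-config` as long as it sticks to host objects and these statement forms.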