Asymmetrical Nat issues with PAT

sorenson1e
Level 1

Long story short, we converted an old firewall from ASA 7.2.4 to 9.0.2 recently and well...80% of the config carried over, with everything in the config functioning as intended....except NAT. I've been racking my mind around the NAT rules and why almost all of them result in asymmetrical issues when I've been doing pen tests with nmap and wireshark.

So I've come to the collective hive mind, hoping to gain some further understanding on the issue at hand and possibly ways to correct the issues (because so far all the migration guides haven't been of any use).

I've included the show nat detail command for reference

Auto NAT Policies (Section 2)

1 (DMZ) to (customer) source static Static_IP G_PC   service tcp www www
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.30.35/32, Translated: 192.168.100.10/32
    Service - Protocol: tcp Real: www Mapped: www
2 (DMZ) to (inside) source static G_PC G_NAT
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.100.10/32, Translated: 192.168.222.10/32
3 (inside) to (customer) source static Web interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.11/32, Translated: 192.168.30.1/24
    Service - Protocol: tcp Real: www Mapped: www
4 (inside) to (customer) source static Web-01 interface   service tcp https https
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.11/32, Translated: 192.168.30.1/24
    Service - Protocol: tcp Real: https Mapped: https
5 (inside) to (customer) source static PS1 interface   service tcp ftp ftp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.22/32, Translated: 192.168.30.1/24
    Service - Protocol: tcp Real: ftp Mapped: ftp
6 (inside) to (customer) source static PS1-01 interface   service tcp ftp-data ftp-data
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.22/32, Translated: 192.168.30.1/24
    Service - Protocol: tcp Real: ftp-data Mapped: ftp-data
7 (inside) to (customer) source static DS interface   service tcp 104 104
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.47/32, Translated: 192.168.30.1/24
    Service - Protocol: tcp Real: 104 Mapped: 104
8 (inside) to (customer) source static DS01 interface   service tcp 11112 11112
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.47/32, Translated: 192.168.30.1/24
    Service - Protocol: tcp Real: 11112 Mapped: 11112
9 (inside) to (customer) source static RA S_R_P   service tcp https https
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.62/32, Translated: 192.168.30.31/32
    Service - Protocol: tcp Real: https Mapped: https
10 (inside) to (customer) source static RT S_R_P   service tcp citrix-ica citrix-ica
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.63/32, Translated: 192.168.30.31/32
    Service - Protocol: tcp Real: citrix-ica Mapped: citrix-ica
11 (inside) to (customer) source static RPS1 Static_Remote_Plan   service tcp citrix-ica 1491
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.161/32, Translated: 192.168.30.31/32
    Service - Protocol: tcp Real: citrix-ica Mapped: 1491
12 (inside) to (customer) source static RPS2 Static_Remote_Plan   service tcp citrix-ica 1492
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.162/32, Translated: 192.168.30.31/32
    Service - Protocol: tcp Real: citrix-ica Mapped: 1492
13 (inside) to (customer) source static RPS3 Static_Remote_Plan   service tcp citrix-ica 1493
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.163/32, Translated: 192.168.30.31/32
    Service - Protocol: tcp Real: citrix-ica Mapped: 1493
14 (inside) to (DMZ) source static obj-192.168.222.0 192.168.222.0
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.0/24, Translated: 192.168.222.0/24
15 (DMZ) to (customer) source dynamic obj-192.168.100.0 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.100.0/24, Translated: 192.168.30.1/24
16 (DMZ) to (Internet) source dynamic obj-192.168.100.0-01 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.100.0/24, Translated: 1.2.3.4/24
17 (inside) to (customer) source dynamic obj-192.168.222.0-01 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.0/24, Translated: 192.168.30.1/24
18 (inside) to (Internet) source dynamic obj-192.168.222.0-02 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.222.0/24, Translated: 1.2.3.4/24

7 Replies

Jouni Forss
VIP Alumni

Hi,

Could you also provide the output of "show run nat"

What is the traffic that is generating the error messages?

Could you perhaps provide "packet-tracer" output of this traffic? I mean simulate a packet entering the ASA through some interface that you have tested from an actual host that resulted in the logs about asymmetric NAT.

For example

packet-tracer input tcp

Is the above all the NAT configurations on your firewall, since I am only seeing Auto NAT? Though I don't know if you really need Manual NAT to build a basic configuration.

One option would also be to see the old 7.2 software format NAT configuration, which might make it easier to provide you with a corresponding configuration.

- Jouni

Alright as requested the original 7.2 config is below:

global (customer) 1 interface
global (Internet) 1 interface
nat (inside) 1 192.168.222.0 255.255.255.0
nat (DMZ) 1 192.168.100.0 255.255.255.0
static (inside,customer) tcp interface www Web www netmask 255.255.255.255
static (inside,customer) tcp interface https Web https netmask 255.255.255.255
static (inside,customer) tcp interface 104 DS 104 netmask 255.255.255.255
static (inside,customer) tcp interface 11112 DS 11112 netmask 255.255.255.255
static (inside,customer) tcp interface ftp PS1 ftp netmask 255.255.255.255
static (inside,customer) tcp interface ftp-data PS1 ftp-data netmask 255.255.255.255
static (inside,customer) tcp Static_Remote_Plan 1491 RPS1 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp Static_Remote_Plan 1492 RPS2 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp Static_Remote_Plan 1493 RPS3 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp Static_Remote_Plan citrix-ica RT citrix-ica netmask 255.255.255.255
static (inside,customer) tcp Static_Remote_Plan https RA https netmask 255.255.255.255
static (inside,DMZ) 192.168.222.0 192.168.222.0 netmask 255.255.255.0
static (DMZ,inside) G_NAT G_PC netmask 255.255.255.255
static (DMZ,customer) tcp G_PC www Static_IP www netmask 255.255.255.255
static (inside,customer) tcp interface 9100 PS_Printer 9100 netmask 255.255.255.255

Odd thing is, every NAT rule here, when tested, fails on a pen test and shows in the ASDM logs as an Asymmetrical NAT issue.

The only connections that don't result in the asymmetric issues are traffic (with the exception of G_PC to Static_IP) going from the DMZ interface to the inside or from the DMZ interface to the customer.

Packet Tracer from DMZ to Inside:

# packet-tracer input DMZ tcp 192.168.100.10 1065 192.168.222.1 23

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-192.168.222.0
 nat (inside,DMZ) static 192.168.222.0
Additional Information:
NAT divert to egress interface inside
Untranslate DRS/23 to DRS/23

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_beam_off in interface DMZ
access-list dmz_beam_off extended permit tcp object G_PC object DRS eq telnet
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network G_PC
 nat (DMZ,inside) static G_NAT
Additional Information:
Static translate G_PC/1065 to G_NAT/1065

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-192.168.222.0
 nat (inside,DMZ) static 192.168.222.0
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1068, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Packet tracer from inside to DMZ

# packet-tracer input inside tcp 192.168.222.1 1065 192.168.100.10 20000

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.100.0   255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_beam_off in interface inside
access-list inside_beam_off extended permit tcp object DRS object G_PC object-group TGWAutoWin
object-group service TGWAutoWin tcp
 description: ports required for the operation of the TGWAutoWin Service.
 port-object eq 20000
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-192.168.222.0
 nat (inside,DMZ) static 192.168.222.0
Additional Information:
Static translate DRS/1065 to DRS/1065

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network G_PC
 nat (DMZ,inside) static G_NAT
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

The first "packet-tracer" seems to go through.

The second "packet-tracer" probably fails because the IP you have targeted is actually NATed to some other IP address between these interfaces.

So you are probably targeting the real IP address of some server and the initial direction of this test goes through, but the reverse check for the NAT shows that there is actually a NAT configuration for this host and therefore there is a fail in the NAT phase. You are probably targeting IP "G_PC" rather than the "G_NAT" IP address that the test matches in the reverse direction.

The old NAT configuration would be a bit more helpful if I could see the IP addresses instead of the names given with the "name" configurations.

Do notice that if your actual situation is such that there is no need for NAT between your "inside" and "DMZ" interfaces, then in the new software you don't have to configure anything between your local interfaces.

- Jouni
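To make the reverse check Jouni describes concrete, here is an added Python model (not from this thread or from Cisco) of the ASA's UN-NAT, forward NAT and NAT rpf-check phases, run over the two inside/DMZ statics from the thread; the interface subnets and the rule-matching order are assumptions, simplified from the packet-tracer output above.

```python
import ipaddress

# Assumed interface subnets, inferred from the addressing in this thread.
IFACE_NET = {
    "inside": ipaddress.ip_network("192.168.222.0/24"),
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),
}

# The two inside/DMZ statics from the thread, in 8.4 object-NAT terms:
# (real_ifc, mapped_ifc, real_prefix, mapped_prefix).
RULES = [
    ("inside", "DMZ", "192.168.222.0/24", "192.168.222.0/24"),   # identity NAT
    ("DMZ", "inside", "192.168.100.10/32", "192.168.222.10/32"),  # G_PC -> G_NAT
]
RULES = [(r, m, ipaddress.ip_network(rp), ipaddress.ip_network(mp))
         for r, m, rp, mp in RULES]


def _map(addr, from_net, to_net):
    """Translate addr by its offset inside from_net to the same offset in to_net."""
    off = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + off)


def trace(ingress, src, dst):
    """Return (action, reason), summarising the phases the way packet-tracer does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Phase UN-NAT: a rule whose mapped side faces the ingress interface and
    # covers the destination both picks the egress interface (NAT divert)
    # and un-translates the destination to its real address.
    real_dst, egress = dst, None
    for r_ifc, m_ifc, r_net, m_net in RULES:
        if m_ifc == ingress and dst in m_net:
            real_dst, egress = _map(dst, m_net, r_net), r_ifc
            break
    if egress is None:  # no divert: plain route lookup on the destination
        egress = next((i for i, n in IFACE_NET.items() if dst in n), None)
        if egress is None:
            return "drop", "no route"
    # Phase NAT: forward source translation for the ingress -> egress pair.
    for r_ifc, m_ifc, r_net, m_net in RULES:
        if r_ifc == ingress and m_ifc == egress and src in r_net:
            src = _map(src, r_net, m_net)
            break
    # Phase NAT rpf-check: find the reverse rule for the real destination and
    # confirm the packet used the address that rule presents on the ingress
    # side; otherwise the flow would return through a different translation.
    for r_ifc, m_ifc, r_net, m_net in RULES:
        if r_ifc == egress and m_ifc == ingress and real_dst in r_net:
            expected = _map(real_dst, r_net, m_net)
            if expected != dst:
                return "drop", f"rpf-check: {real_dst} is reachable from {ingress} as {expected}"
    return "allow", f"{ingress}->{egress} src {src} dst {real_dst}"


if __name__ == "__main__":
    print(trace("DMZ", "192.168.100.10", "192.168.222.1"))    # allow, as in tracer 1
    print(trace("inside", "192.168.222.1", "192.168.100.10"))  # drop, as in tracer 2
    print(trace("inside", "192.168.222.1", "192.168.222.10"))  # allow: targets G_NAT
```

The third call is the case Jouni points at: an inside host reaching the DMZ box through its G_NAT address passes the reverse check, while the same host aimed at the real DMZ address does not.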

Ah, sorry about the names in the old config, here's the original with replacement IPs

global (customer) 1 interface
global (Internet) 1 interface
nat (inside) 1 192.168.222.0 255.255.255.0
nat (DMZ) 1 192.168.100.0 255.255.255.0
static (inside,customer) tcp interface www 192.168.222.11 www netmask 255.255.255.255
static (inside,customer) tcp interface https 192.168.222.11 https netmask 255.255.255.255
static (inside,customer) tcp interface 104 192.168.222.47 104 netmask 255.255.255.255
static (inside,customer) tcp interface 11112 192.168.222.47 11112 netmask 255.255.255.255
static (inside,customer) tcp interface ftp 192.168.222.22 ftp netmask 255.255.255.255
static (inside,customer) tcp interface ftp-data 192.168.222.22 ftp-data netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 1491 192.168.222.161 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 1492 192.168.222.162 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 1493 192.168.222.163 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 citrix-ica 192.168.222.61 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 https 192.168.222.62 https netmask 255.255.255.255
static (inside,DMZ) 192.168.222.0 192.168.222.0 netmask 255.255.255.0
static (DMZ,inside) 192.168.222.10 192.168.100.10 netmask 255.255.255.255
static (DMZ,customer) tcp 192.168.100.10 www 192.168.30.31 www netmask 255.255.255.255
static (inside,customer) tcp interface 9100 192.168.30.100 9100 netmask 255.255.255.255

Hi,

Most of the configurations seem pretty straightforward, but there are a couple of ones that I would like to clear up.

The below configuration essentially does a Static NAT for one DMZ host so that it's translated to an IP address belonging to the INSIDE network. Is there a particular reason for this configuration? Is it really needed, or could the users instead use the actual destination IP address of 192.168.100.10?

static (DMZ,inside) 192.168.222.10 192.168.100.10 netmask 255.255.255.255

The below configuration doesn't make sense on the basis of the other configurations you posted. According to the below configuration there is a host 192.168.30.31 behind the DMZ interface that is then NATed towards the CUSTOMER using a NAT IP address that belongs to the actual DMZ network 192.168.100.0/24

static (DMZ,customer) tcp 192.168.100.10 www 192.168.30.31 www netmask 255.255.255.255

The above configurations are mainly the ones whose purpose is not clear to me. The first one mentioned might be used in some situation, but the second one doesn't make sense according to the rest of the configuration.

- Jouni

The below configuration doesn't make sense on the basis of the other configurations you posted. According to the below configuration there is a host 192.168.30.31 behind the DMZ interface that is then NATed towards the CUSTOMER using a NAT IP address that belongs to the actual DMZ network 192.168.100.0/24

static (DMZ,customer) tcp 192.168.100.10 www 192.168.30.31 www netmask 255.255.255.255

Ah, looking back on that one, it appears I manually rolled back (8.4 to 7.2) that one incorrectly and swapped the source with the destination; it should be:

static (DMZ,customer) tcp 192.168.30.35 http 192.168.100.10 http netmask 255.255.255.255

Additionally, here's the censored version of the current 8.4 NAT setup that the conversion has left us with:

object network obj-192.168.222.22
 nat (inside,customer) static interface service tcp ftp ftp
object network obj-192.168.222.161
 nat (inside,customer) static obj-192.168.30.31 service tcp citrix-ica 1491
object network obj-192.168.222.162
 nat (inside,customer) static obj-192.168.30.31 service tcp citrix-ica 1492
object network obj-192.168.222.163
 nat (inside,customer) static obj-192.168.30.31 service tcp citrix-ica 1493
object network obj-192.168.222.62
 nat (inside,customer) static obj-192.168.30.31 service tcp https https
object network obj-192.168.222.63
 nat (inside,customer) static obj-192.168.30.31 service tcp citrix-ica citrix-ica
object network obj-192.168.222.11
 nat (inside,customer) static interface service tcp www www
object network obj-192.168.222.11-01
 nat (inside,customer) static interface service tcp https https
object network obj-192.168.222.47
 nat (inside,customer) static interface service tcp 104 104
object network obj-192.168.222.47-01
 nat (inside,customer) static interface service tcp 11112 11112
object network obj-192.168.222.22-01
 nat (inside,customer) static interface service tcp ftp-data ftp-data
object network obj-192.168.222.0
 nat (inside,DMZ) static 192.168.222.0
object network obj-192.168.222.0-01
 nat (inside,customer) dynamic interface
object network obj-192.168.222.0-02
 nat (inside,Internet) dynamic interface
nat (customer,Internet) dynamic obj-0.0.0.0
object network obj-192.168.100.0
 nat (DMZ,customer) dynamic interface
object network obj-192.168.100.0-01
 nat (DMZ,Internet) dynamic interface
object network obj-192.168.30.35
 nat (DMZ,customer) static obj-192.168.100.0 service tcp www www
object network obj-192.168.30.100
 nat (inside,customer) static interface service tcp 9100 9100

Hi,

I actually think that the above configuration contains more/different configurations than the ones you originally copy/pasted here from the original software? There is for example some configuration between "customer" and "Internet" interfaces that wasn't there.

I would imagine most of the below configurations are just like the conversion did them, only with different "object" names, which don't necessarily have to be what they are below.

Dynamic PAT

Old

global (customer) 1 interface
global (Internet) 1 interface
nat (inside) 1 192.168.222.0 255.255.255.0
nat (DMZ) 1 192.168.100.0 255.255.255.0

New

object-group network INSIDE-PAT-SOURCE
 network-object 192.168.222.0 255.255.255.0
object-group network DMZ-PAT-SOURCE
 network-object 192.168.100.0 255.255.255.0
nat (inside,Internet) after-auto source dynamic INSIDE-PAT-SOURCE interface
nat (inside,customer) after-auto source dynamic INSIDE-PAT-SOURCE interface
nat (DMZ,Internet) after-auto source dynamic DMZ-PAT-SOURCE interface
nat (DMZ,customer) after-auto source dynamic DMZ-PAT-SOURCE interface

Static PAT (Port Forward)

Old

static (inside,customer) tcp interface www 192.168.222.11 www netmask 255.255.255.255
static (inside,customer) tcp interface https 192.168.222.11 https netmask 255.255.255.255
static (inside,customer) tcp interface 104 192.168.222.47 104 netmask 255.255.255.255
static (inside,customer) tcp interface 11112 192.168.222.47 11112 netmask 255.255.255.255
static (inside,customer) tcp interface ftp 192.168.222.22 ftp netmask 255.255.255.255
static (inside,customer) tcp interface ftp-data 192.168.222.22 ftp-data netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 1491 192.168.222.161 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 1492 192.168.222.162 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 1493 192.168.222.163 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 citrix-ica 192.168.222.61 citrix-ica netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 https 192.168.222.62 https netmask 255.255.255.255
static (DMZ,customer) tcp 192.168.30.35 http 192.168.100.10 http netmask 255.255.255.255

New

object network WWW
 host 192.168.222.11
 nat (inside,customer) static interface service tcp 80 80
object network HTTPS
 host 192.168.222.11
 nat (inside,customer) static interface service tcp 443 443
object network TCP104
 host 192.168.222.47
 nat (inside,customer) static interface service tcp 104 104
object network TCP11112
 host 192.168.222.47
 nat (inside,customer) static interface service tcp 11112 11112
object network FTP
 host 192.168.222.22
 nat (inside,customer) static interface service tcp 21 21
object network FTP-DATA
 host 192.168.222.22
 nat (inside,customer) static interface service tcp 20 20
object network TCP1491
 host 192.168.222.161
 nat (inside,customer) static 192.168.30.31 service tcp citrix-ica 1491
object network TCP1492
 host 192.168.222.162
 nat (inside,customer) static 192.168.30.31 service tcp citrix-ica 1492
object network TCP1493
 host 192.168.222.163
 nat (inside,customer) static 192.168.30.31 service tcp citrix-ica 1493
object network CITRIX-ICA
 host 192.168.222.61
 nat (inside,customer) static 192.168.30.31 service tcp citrix-ica citrix-ica
object network HTTPS-2
 host 192.168.222.62
 nat (inside,customer) static 192.168.30.31 service tcp 443 443
object network WWW-2
 host 192.168.100.10
 nat (DMZ,customer) static 192.168.30.35 service tcp 80 80

Configurations that I am not sure about

static (inside,DMZ) 192.168.222.0 192.168.222.0 netmask 255.255.255.0
static (inside,customer) tcp interface 9100 192.168.30.100 9100 netmask 255.255.255.255
static (DMZ,inside) 192.168.222.10 192.168.100.10 netmask 255.255.255.255

  • First configuration I usually leave out from the configurations completely as there is no need to do Identity NAT between local interfaces (NAT the network to itself)
  • Second configuration seems to again have an IP address 192.168.30.100 that is NOT located behind the "inside" interface
  • Third configuration is a bit unusual but can be converted to the below format

object network DMZ-192.168.100.10
 host 192.168.100.10
 nat (DMZ,inside) static 192.168.222.10

- Jouni
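The conversion Jouni walks through by hand, plus the sanity check behind his two objections (a real address that is not behind the interface named as real, a mapped address that is not in the mapped interface's network), as an added Python script that is not from this thread or from Cisco's migration tooling; the interface subnets are assumed from the addresses in the thread, and the generated object names are arbitrary.

```python
import ipaddress

# Interface subnets assumed from the addresses used in this thread.
IFACE_NET = {
    "inside": ipaddress.ip_network("192.168.222.0/24"),
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),
    "customer": ipaddress.ip_network("192.168.30.0/24"),
}

# Constructed input: 7.2 statics taken from the thread, including the two
# that were questioned (the swapped one and the 192.168.30.100 one).
OLD_CONFIG = """\
static (inside,customer) tcp interface www 192.168.222.11 www netmask 255.255.255.255
static (inside,customer) tcp 192.168.30.31 1491 192.168.222.161 citrix-ica netmask 255.255.255.255
static (inside,DMZ) 192.168.222.0 192.168.222.0 netmask 255.255.255.0
static (DMZ,inside) 192.168.222.10 192.168.100.10 netmask 255.255.255.255
static (DMZ,customer) tcp 192.168.100.10 www 192.168.30.31 www netmask 255.255.255.255
static (inside,customer) tcp interface 9100 192.168.30.100 9100 netmask 255.255.255.255
"""


def parse_static(line):
    """7.2 syntax: static (real,mapped) [tcp|udp] MAPPED [mport] REAL [rport] netmask MASK."""
    t = line.split()
    if len(t) < 6 or t[0] != "static" or t[-2] != "netmask":
        return None
    real_ifc, map_ifc = t[1].strip("()").split(",")
    proto = t[2] if t[2] in ("tcp", "udp") else None
    body = t[3:-2] if proto else t[2:-2]
    mapped, mport, real, rport = body if proto else (body[0], None, body[1], None)
    return dict(real_ifc=real_ifc, map_ifc=map_ifc, proto=proto, mapped=mapped,
                mport=mport, real=real, rport=rport, mask=t[-1])


def check(s):
    """Flag a static whose real or mapped address is not behind the interface it names."""
    issues = []
    real_net = ipaddress.ip_network(f"{s['real']}/{s['mask']}", strict=False)
    if not real_net.subnet_of(IFACE_NET[s["real_ifc"]]):
        issues.append(f"real {s['real']} is not behind {s['real_ifc']}")
    if s["mapped"] not in ("interface", s["real"]):  # skip interface PAT and identity NAT
        map_net = ipaddress.ip_network(f"{s['mapped']}/{s['mask']}", strict=False)
        if not map_net.subnet_of(IFACE_NET[s["map_ifc"]]):
            issues.append(f"mapped {s['mapped']} is not in {s['map_ifc']}")
    return issues


def to_object_nat(s, name):
    """Emit the 8.4+ object NAT equivalent; 'service' lists real port, then mapped port."""
    net = ipaddress.ip_network(f"{s['real']}/{s['mask']}", strict=False)
    obj = f"host {s['real']}" if net.prefixlen == 32 else f"subnet {net.network_address} {net.netmask}"
    nat = f"nat ({s['real_ifc']},{s['map_ifc']}) static {s['mapped']}"
    if s["proto"]:
        nat += f" service {s['proto']} {s['rport']} {s['mport']}"
    return f"object network {name}\n {obj}\n {nat}"


def migrate(text):
    """Return (8.4-style config text, warnings) for every static line in text."""
    out, warnings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        s = parse_static(line)
        if s is None:
            continue
        warnings += [f"line {n}: {i}" for i in check(s)]
        out.append(to_object_nat(s, f"STATIC-{n}"))
    return "\n".join(out), warnings


if __name__ == "__main__":
    cfg, warn = migrate(OLD_CONFIG)
    print(cfg)
    print("\n".join(warn))
```

Lines 5 and 6 of the constructed input are the ones Jouni flagged, and they are the only ones that produce warnings; the rest come out in the same object NAT shape as his hand conversion.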
