Help with configuring Twice NAT from Internal Address to Internal Webserver

_Pouzaj24
Level 1

Hello,

This is my first time posting to the Support Community, and I'm hoping some folks with more insight into the "new" NAT structures in post 8.3 can shed some light on what's going wrong with this strange configuration that's been requested of me...

Our sysadmins are decommissioning DNS zones for domains which we are not authoritative for.  I understand that this is a good idea.  DNS requests now go to an authoritative server via the internet, so instead of allowing direct internal communications to the webservers via our DNS and RFC1918 addressing, the communication now must route to the public (global) IP associated with our hosted webserver.

The initial problem is that we were routing everything through a Websense proxy to the internet, and that traffic was all PAT'd to the outside interface IP of 200.1.1.254 (scrubbed).  If traffic would try to re-enter via the existing static NAT to the webserver (200.1.1.88 >> 192.168.2.188), I'd get denies via an IP spoof error.  I determined to try PAT'ing this traffic to a new PAT IP using Twice NAT to identify the particular communication.

My configuration is below.

! Cisco Adaptive Security Appliance Software Version 9.0(x)
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 200.1.1.254 255.255.255.0 standby 200.1.1.253
!
interface GigabitEthernet0/1
 nameif dmz1
 security-level 41
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 43
 ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 172.22.16.254 255.240.0.0 standby 172.22.16.253
!
object network obj-src-real
 subnet 192.168.1.0 255.255.255.0
object network obj-src-nat
 host 200.1.1.200
object network obj-dst-webserver-nat
 host 200.1.1.88
object network obj-dst-webserver-real
 host 192.168.2.188
!
object-group network PROXY-SERVERS
 description Network Proxy Servers
 network-object host 192.168.1.36
!
route outside 0.0.0.0 0.0.0.0 201.1.1.1
!
access-group dmz1 in interface dmz1
access-group outside in interface outside
!
access-list dmz1 extended permit ip object-group PROXY-SERVERS any4
access-list outside extended permit tcp any4 host 192.168.2.188 eq https
!
object network obj-dst-webserver-real
 nat (dmz2,outside) static 200.1.1.88
object network obj-src-real
 nat (dmz1,outside) dynamic interface
!
nat (dmz1,outside) source dynamic obj-src-real obj-src-nat destination static obj-dst-webserver-nat obj-dst-webserver-nat

The twice NAT is perplexing to me, as I can only get an xlate if I specify the mapped (outside) address twice in the destination portion of the syntax.  I do not know if this is correct.  I see the xlate build, no denies on the firewall, and the connections table on the firewall using the mapped (outside) address indicates a three-way handshake (saA flags), but no data passes.

The proxy logs indicate the same 504 "bad gateway" errors that I've been struggling with since the beginning.

I've attached packet traces and a diagram for reference.  If anyone can help me make some sense of this, I'd be very happy.  Thanks in advance.

Accepted Solution

Hello, Jeff.

I guess you'd better fix DNS replies (so clients could be connecting using internal IP addresses).

To do this, you could use DNS doctoring with the keyword "dns" under the NAT statement, like:

object network obj-dst-webserver-real
 nat (dmz2,outside) static 200.1.1.88 dns

PS: refer to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bf4132.shtml for details.


3 Replies


In addition to what Mikhailovsky has mentioned, keep in mind that with DNS doctoring, all traffic after DNS resolution will be sent directly to the web server real IP, so you will need to make sure that there are ACLs in place to permit such traffic.

--
Please remember to rate and select a correct answer

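As an added illustration, not the poster's final configuration and not Mikhailovsky's own text, here is how the DNS doctoring change from the accepted answer and the ACL point from the follow-up reply fit together on the configuration posted above. Interface names, objects and addresses are the thread's; the policy-map lines assume the ASA's default global policy (which already carries DNS inspection), and the show/packet-tracer commands are standard verification steps.

```cisco
! Added example built on the objects and interfaces from the thread.
!
! 1. DNS rewriting only happens when DNS inspection is enabled. The ASA's
!    default global policy already contains this; confirm it with
!    "show running-config policy-map" before relying on it.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! 2. Add "dns" to the existing static NAT for the web server. When a DNS
!    reply for the hosted name carrying the mapped address 200.1.1.88
!    crosses the ASA, the A record is rewritten to the real address
!    192.168.2.188, so the proxy in dmz1 connects to the DMZ host
!    directly instead of trying to hairpin on the outside interface.
object network obj-dst-webserver-real
 host 192.168.2.188
 nat (dmz2,outside) static 200.1.1.88 dns
!
! 3. The proxy (dmz1, security-level 41) now reaches dmz2 (security-level
!    43), a lower-to-higher flow, so the dmz1 access list must permit it.
!    The posted "permit ip object-group PROXY-SERVERS any4" already does;
!    if that broad rule is ever tightened, the specific entry needed is:
access-list dmz1 extended permit tcp object-group PROXY-SERVERS host 192.168.2.188 eq https
!
! 4. Once clients resolve the real address, the twice NAT rule that pushed
!    proxy traffic back in through 200.1.1.200 can be retired.
no nat (dmz1,outside) source dynamic obj-src-real obj-src-nat destination static obj-dst-webserver-nat obj-dst-webserver-nat
!
! Checks: the static rule should list the dns option, and the proxy-to-
! web-server flow should be allowed without any translation.
!   show nat detail
!   packet-tracer input dmz1 tcp 192.168.1.36 12345 192.168.2.188 443
!   capture dnscap interface dmz1 match udp any eq 53 any
!   show capture dnscap
```

The capture is the quickest way to confirm the doctoring actually took effect: the A record seen leaving dmz1 toward the proxy should carry 192.168.2.188, not 200.1.1.88. If it still shows the mapped address, the usual causes are DNS inspection being disabled or the reply arriving over TCP or through a path the ASA does not see.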

Many thanks, guys.  This is exactly what I was looking for.  From what I've read, the DNS Hairpin could've been configured, but by comparison it is overly complicated for my purposes anyway.
