08-24-2012 09:25 AM - edited 03-11-2019 04:46 PM
Hi
We are configuring a twice-nat to send traffic to scansafe; it's on an ASA5505 version 8.4(3) at a remote location for the customer. The nat redirection is working, but we also have a VPN tunnel to the corporate network. Through the tunnel we need to reach an http server.
The problem we are having is that when we add the scan-safe nat, all http traffic gets redirected to scansafe, including the traffic to the http server on the corporate network.
10.2.1.0 ---<ASA5505> ---Internet,scansafe ---- <Corporate> --- 10.1.1.0
the http server is 10.1.1.75
the remote location network is 10.2.1.0/24
this is the nat and object configuration:
object network MTY_inside2
subnet 10.2.1.0 255.255.255.0
object service www
service tcp destination eq www
object network internet
subnet 0.0.0.0 0.0.0.0
object network ScanSafe
host 69.174.87.59
object service proxy8080
service tcp destination eq 8080
object network bstl10.1.1.0
subnet 10.1.1.0 255.255.255.0
object-group network BSTL_MX
network-object 10.1.1.0 255.255.255.0
network-object 10.5.1.0 255.255.255.0
network-object 192.168.0.0 255.255.224.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
BSTL-MTY-ASA(config)# sh run nat
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
nat (LAN,outside) source static MTY_LAN MTY_LAN destination static BSTL_MX BSTL_MX
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static BSTL_MX BSTL_MX
nat (WLAN,outside) source static MTY_WLAN MTY_WLAN destination static BSTL_MX BSTL_MX
nat (LAN,outside) source dynamic MTY_LAN interface destination static internet ScanSafe service www proxy8080
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
nat (WLAN,outside) source dynamic MTY_WLAN interface destination static internet ScanSafe service www proxy8080
nat (LAN,outside) source dynamic MTY_LAN interface
nat (inside2,outside) source dynamic MTY_inside2 interface
nat (WLAN,outside) source dynamic MTY_WLAN interface
The identity nat lines are on top, over the scansafe nat lines; if I'm not wrong they should match first. Here is the NAT detail:
Manual NAT Policies (Section 1)
1 (inside2) to (outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
translate_hits = 83, untranslate_hits = 253
Source - Origin: 10.2.1.0/24, Translated: 10.2.1.0/24
Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
2 (LAN) to (outside) source static MTY_LAN MTY_LAN destination static BSTL_MX BSTL_MX
translate_hits = 234, untranslate_hits = 43
Source - Origin: 192.168.40.0/24, Translated: 192.168.40.0/24
Destination - Origin: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
192.168.101.0/24, Translated: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
192.168.101.0/24
3 (inside2) to (outside) source static MTY_inside2 MTY_inside2 destination static BSTL_MX BSTL_MX
translate_hits = 124, untranslate_hits = 72
Source - Origin: 10.2.1.0/24, Translated: 10.2.1.0/24
Destination - Origin: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
192.168.101.0/24, Translated: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
192.168.101.0/24
4 (WLAN) to (outside) source static MTY_WLAN MTY_WLAN destination static BSTL_MX BSTL_MX
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.41.0/26, Translated: 192.168.41.0/26
Destination - Origin: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
192.168.101.0/24, Translated: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
192.168.101.0/24
5 (LAN) to (outside) source dynamic MTY_LAN interface destination static internet ScanSafe service www proxy8080
translate_hits = 10, untranslate_hits = 10
Source - Origin: 192.168.40.0/24, Translated: 200.66.94.66/29
Destination - Origin: 0.0.0.0/0, Translated: 69.174.87.59/32
Service - Origin: tcp destination eq www , Translated: tcp destination eq 8080
6 (inside2) to (outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
translate_hits = 148, untranslate_hits = 173
Source - Origin: 10.2.1.0/24, Translated: 200.66.94.66/29
Destination - Origin: 0.0.0.0/0, Translated: 69.174.87.59/32
Service - Origin: tcp destination eq www , Translated: tcp destination eq 8080
7 (WLAN) to (outside) source dynamic MTY_WLAN interface destination static internet ScanSafe service www proxy8080
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.41.0/26, Translated: 200.66.94.66/29
Destination - Origin: 0.0.0.0/0, Translated: 69.174.87.59/32
Service - Origin: tcp destination eq www , Translated: tcp destination eq 8080
8 (LAN) to (outside) source dynamic MTY_LAN interface
translate_hits = 43, untranslate_hits = 18
Source - Origin: 192.168.40.0/24, Translated: 200.66.94.66/29
9 (inside2) to (outside) source dynamic MTY_inside2 interface
translate_hits = 27, untranslate_hits = 0
But every time a user tries to get access to 10.1.1.75, the scansafe nat is matched. Here is a trace
(I will skip steps to keep the post short):
BSTL-MTY-ASA(config)# sh cap test trace
50 packets captured
1: 21:59:39.905135 802.1Q vlan#1 P0 10.2.1.3.21867 > 10.1.1.75.80: S 2591301289:2591301289(0) win 8192 <mss 1460,nop,nop,sackOK>
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.75/80 to 69.174.87.59/8080
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside2,outside) source dynamic MTY_inside2 interface
Additional Information:
Dynamic translate 10.2.1.3/21867 to 200.66.94.66/21867
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
We also found bug CSCtt11890 "ASA: Manual NAT rules inserted above others may fail to match traffic"; the workaround was to clear the nat configuration, or reboot the device. We cleared the nat configuration, added it back again, rebooted the device, and the behavior was the same.
If we take the scansafe nat out, we can reach the corporate server, using the corresponding NAT (I removed some steps to keep the post short):
7: 22:11:22.543764 802.1Q vlan#1 P0 10.2.1.3.49389 > 10.1.1.75.80: S 3794798427:3794798427(0) win 8192 <mss 1460,nop,nop,sackOK>
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
Additional Information:
Static translate 10.2.1.3/49389 to 10.2.1.3/49389
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Am I missing something?
Thanks
Alejandro Moran
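As an added example (not from this thread, not Cisco code), the script below models the documented evaluation order of manual NAT section 1 rules on the ASA: top-down, first match wins, where a rule matches when the ingress interface, the original source object, the original destination object and the original service object all cover the flow. It parses the "sh run nat" lines from the post above (embedded as constructed sample input, together with the object definitions the post lists) and reports, for a given flow, every rule whose criteria cover it and the one that should win. Comparing that expected winner against the "Config:" line in a packet-tracer or capture trace is a quick way to tell a deliberate overlap (the ScanSafe rule's destination object is 0.0.0.0/0, so it will always also cover corporate destinations) from an ASA that is not honouring the order. The 203.0.113.10 destination and the rule numbering helpers are assumptions of this example; it does not model the bug discussed in the thread.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the objects and manual NAT rules from the post's "sh run nat",
# in configuration order. Manual NAT (section 1) is first-match, top-down.
OBJECTS = {
    "MTY_inside2": ["10.2.1.0/24"],
    "MTY_LAN": ["192.168.40.0/24"],
    "MTY_WLAN": ["192.168.41.0/26"],
    "internet": ["0.0.0.0/0"],
    "ScanSafe": ["69.174.87.59/32"],
    "bstl10.1.1.0": ["10.1.1.0/24"],
    "BSTL_MX": ["10.1.1.0/24", "10.5.1.0/24", "192.168.0.0/19",
                "192.168.100.0/24", "192.168.101.0/24"],
}
SERVICES = {"www": 80, "proxy8080": 8080}  # "service tcp destination eq <port>"

NAT_CONFIG = """\
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
nat (LAN,outside) source static MTY_LAN MTY_LAN destination static BSTL_MX BSTL_MX
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static BSTL_MX BSTL_MX
nat (WLAN,outside) source static MTY_WLAN MTY_WLAN destination static BSTL_MX BSTL_MX
nat (LAN,outside) source dynamic MTY_LAN interface destination static internet ScanSafe service www proxy8080
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
nat (WLAN,outside) source dynamic MTY_WLAN interface destination static internet ScanSafe service www proxy8080
nat (LAN,outside) source dynamic MTY_LAN interface
nat (inside2,outside) source dynamic MTY_inside2 interface
nat (WLAN,outside) source dynamic MTY_WLAN interface
"""


@dataclass
class NatRule:
    real_ifc: str
    mapped_ifc: str
    src_mode: str
    src_orig: str            # object the packet's source must fall in
    src_xlat: str            # object (or "interface") the source becomes
    dst_orig: Optional[str]  # object the original destination must fall in
    dst_xlat: Optional[str]  # object the destination is translated to
    svc_orig: Optional[str]  # service object the original dst port must equal
    svc_xlat: Optional[str]
    text: str


def parse_nat_line(line: str) -> NatRule:
    """Parse 'nat (real,mapped) [line] source ... [destination static A B] [service A B]'."""
    tok = line.split()
    if tok[0] != "nat":
        raise ValueError(f"not a nat line: {line}")
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    i = 2
    if tok[i].isdigit():  # optional explicit line number, e.g. "nat (a,b) 1 source ..."
        i += 1
    if tok[i] != "source":
        raise ValueError(f"unsupported nat syntax: {line}")
    src_mode, src_orig, src_xlat = tok[i + 1], tok[i + 2], tok[i + 3]
    i += 4
    dst_orig = dst_xlat = svc_orig = svc_xlat = None
    while i < len(tok):
        if tok[i] == "destination" and tok[i + 1] == "static":
            dst_orig, dst_xlat = tok[i + 2], tok[i + 3]
            i += 4
        elif tok[i] == "service":
            svc_orig, svc_xlat = tok[i + 1], tok[i + 2]
            i += 3
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
    return NatRule(real_ifc, mapped_ifc, src_mode, src_orig, src_xlat,
                   dst_orig, dst_xlat, svc_orig, svc_xlat, line)


def parse_nat_config(text: str) -> list[NatRule]:
    return [parse_nat_line(l) for l in text.splitlines() if l.strip()]


def in_object(name: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])


def matching_rules(rules, ingress_ifc, src_ip, dst_ip, dst_port):
    """Every rule whose criteria cover the flow, as (1-based index, rule), in config order."""
    hits = []
    for idx, r in enumerate(rules, 1):
        if r.real_ifc != ingress_ifc or not in_object(r.src_orig, src_ip):
            continue
        if r.dst_orig and not in_object(r.dst_orig, dst_ip):
            continue
        if r.svc_orig and SERVICES[r.svc_orig] != dst_port:
            continue
        hits.append((idx, r))
    return hits


def first_match(rules, ingress_ifc, src_ip, dst_ip, dst_port):
    """The rule that should win under top-down first-match evaluation, or None."""
    hits = matching_rules(rules, ingress_ifc, src_ip, dst_ip, dst_port)
    return hits[0] if hits else None


def expected_destination(rule: NatRule, dst_ip: str, dst_port: int) -> tuple[str, int]:
    """Destination the packet should carry after the rule (identity or single-host mapping)."""
    ip = dst_ip
    if rule.dst_xlat and OBJECTS[rule.dst_xlat] != OBJECTS[rule.dst_orig]:
        nets = [ipaddress.ip_network(n) for n in OBJECTS[rule.dst_xlat]]
        if len(nets) == 1 and nets[0].num_addresses == 1:
            ip = str(nets[0].network_address)  # e.g. the ScanSafe host
    port = SERVICES[rule.svc_xlat] if rule.svc_xlat else dst_port
    return ip, port


RULES = parse_nat_config(NAT_CONFIG)

if __name__ == "__main__":
    # 203.0.113.10 is a constructed "internet" destination (TEST-NET-3).
    for dst_ip, port in [("10.1.1.75", 80), ("203.0.113.10", 80), ("203.0.113.10", 443)]:
        hits = matching_rules(RULES, "inside2", "10.2.1.3", dst_ip, port)
        idx, rule = hits[0]
        print(f"10.2.1.3 -> {dst_ip}:{port}: candidates {[i for i, _ in hits]}, "
              f"expected winner #{idx} -> {expected_destination(rule, dst_ip, port)}")
        print("   ", rule.text)
```

For the flow in the post (10.2.1.3 to 10.1.1.75:80 from inside2) rules 1, 3, 6 and 9 all cover it, and rule 1 (the identity NAT toward bstl10.1.1.0) should win; the trace in the post shows the ScanSafe rule winning instead, which is exactly the mismatch this check makes visible. For a destination outside the corporate ranges only the ScanSafe rule and the dynamic PAT cover port 80, so the ScanSafe redirect is the expected result there.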
08-24-2012 09:58 AM
Hello Alejandro,
Please do the following:
Create a different object group for the same internal subnet .
Example
object network inside2_subnet
subnet 10.2.1.0 255.255.255.0
And then try to create a nat with that object to the remote lan
no nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
nat (inside2,outside) 1 source static inside2_subnet destination static bstl10.1.1.0 bstl10.1.1.0
Clear xlate
Give it a try and let me know
Regards,
Julio
08-24-2012 01:18 PM
thanks Julio
We tried that, unfortunately we got the same behavior.
BSTL-MTY-ASA(config)# sh cap test trace
20 packets captured
1: 14:57:20.734718 802.1Q vlan#1 P0 10.2.1.3.61023 > 10.1.1.75.80: S 3180640583:3180640583(0) win 8192
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.75/80 to 69.174.87.59/8080
here is the nat we added:
object network mty10.2.1.0
subnet 10.2.1.0 255.255.255.0
nat (inside2,outside) 1 source static mty10.2.1.0 mty10.2.1.0 destination static bstl10.1.1.0 bstl10.1.1.0
Manual NAT Policies (Section 1)
1 (inside2) to (outside) source static mty10.2.1.0 mty10.2.1.0 destination static bstl10.1.1.0 bstl10.1.1.0
translate_hits = 12, untranslate_hits = 6
Source - Origin: 10.2.1.0/24, Translated: 10.2.1.0/24
Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
2 (LAN) to (outside) source static MTY_LAN MTY_LAN destination static BSTL_MX BSTL_MX
translate_hits = 35703, untranslate_hits = 8878
Source - Origin: 192.168.40.0/24, Translated: 192.168.40.0/24
Destination - Origin: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
192.168.101.0/24, Translated: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
192.168.101.0/24
regards.
08-24-2012 01:42 PM
Hello Alejandro,
Sh run nat please
Regards,
08-24-2012 01:51 PM
Hello Julio,
sure, here it is:
BSTL-MTY-ASA(config)# sh run nat
nat (inside2,outside) source static mty10.2.1.0 mty10.2.1.0 destination static bstl10.1.1.0 bstl10.1.1.0
nat (LAN,outside) source static MTY_LAN MTY_LAN destination static BSTL_MX BSTL_MX
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static BSTL_MX BSTL_MX
nat (WLAN,outside) source static MTY_WLAN MTY_WLAN destination static BSTL_MX BSTL_MX
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
nat (WLAN,outside) source dynamic MTY_WLAN interface destination static internet ScanSafe service www proxy8080
nat (LAN,outside) source dynamic MTY_LAN interface
nat (inside2,outside) source dynamic MTY_inside2 interface
nat (WLAN,outside) source dynamic MTY_WLAN interface
basically, I have the identity nats on top, then the scansafe redirection nats and finally the dynamic PAT... Since the 10.1.1.75 server is important for the customer operation, we had to remove the scansafe nats after testing.
regards
08-24-2012 04:33 PM
Hello Alejandro,
The problem is that the traffic is taking first the destination source based, after using the new nat entries did you clear the xlate table?
If not add it and give it a try
Also check bug CSCtq47028, which I think is the one you are hitting
Regards,
08-25-2012 09:55 AM
Hello Julio
thanks, you are right, it looks like it's CSCtq47028, but the trick is to create 2 objects for the destination, not only for the source. I made an offline test and it seems to match the correct nat line.
I'll test it with the customer on Monday.
08-25-2012 10:09 AM
Hello Alejandro,
Yes, I was doing some research on this and found that
It seems like the bug was created for a scenario just like this ( Using the scansafe cloud)
Remember to rate all the helpful posts my friends and pleaseeeeeeee keep me updated
Julio
09-03-2012 11:12 AM
finally we got the maintenance window, I used 2 objects for the same subnet, and it took the order as it should...
From what I see, looking at the trace captures, the 3rd step is a route lookup or an un-nat, before the NAT step; having nat from the same object to the same object throws a route lookup. Using the different objects for the same network on the nat throws the un-nat.
thanks for your help!
09-03-2012 11:24 AM
Hello Alejandro,
Great, Thanks for the rate and the information
Regards,
Julio