09-21-2011 09:53 AM - edited 03-10-2019 06:25 PM
We are implementing an environment that restricts Internet access with rules based on users and groups of Active Directory.
There were a lot of difficulties, but the actual state is:
- The "Test" of AD Server Group on Firewall -> Identity Options results GOOD
- The "Test" of Active Directory Agent on Windows -> Identity Options results GOOD
- The rules that we applied on the inside interface based on Identity Firewall are not 'respected'.
The environment:
- We have two ASA 5520 in failover.
- There are four contexts in that pair of ASAs.
- By now we are activating the Identity Firewall only in one context.
- Obviously, the AD is in one of the inside networks of that context.
On the Configuration Guide of the Identity Firewall, at
we saw that there are a lot of features that are not supported:
...
The following ASA features do not support using the identity-based object and FQDN:
- route-map
- Crypto map
- WCCP
- NAT
- group-policy (except VPN filter)
- DAP
...
When we use NAT it does not work; it only works after removing NAT.
How do we configure this functionality? Does Identity work with NAT?
09-22-2011 01:35 AM
Actually there are some limitations for IDFW to work with NAT.
Basically, the AD server and the users should be on the same side of the ASA.
Here is a deployment scenario.
For example, the AD server and the logon users are in the inside network. Users from the inside network can access the outside network via NAT or PAT.
In this example, the ASA is able to create user-IP mappings for its inside users, and basically the AD server sees the real IP address of the logon users, so the ASA admin can configure ACL rules on the inside interface to control outbound traffic.
On the other hand, if the AD server is in the outside network, inside users need to access and get authenticated by the AD server via a NATed or PATed IP address, so AD will only see those translated IP addresses. This scenario is not supported because multiple users may be mapped to a single IP address.
09-22-2011 04:33 AM
This is wrong:
When we use NAT it does not work; it only works after removing NAT.
This is correct:
When we use NAT it does not work; it only works after removing the user-based access rules (IDFW) and configuring IP-based access rules.
The AD server and the desktop users are on the same side of the ASA (inside interface).
See the image attached.
09-22-2011 10:48 AM
We may have different network deployment scenarios. Whether or not IDFW supports NAT really depends on the deployment. For IDFW to work with NAT, the baseline is that AD/ASA should see the real IP address of the AD logon user.
In your deployment diagram, are you saying IDFW/NAT is not working? Can you please elaborate a little bit? Is the 3560 a switch? I assume NAT is only happening in the ASA. In your case, AD and the users are on the same side, so AD should be able to see the user's IP address. As long as the ASA sees and receives the traffic from the user's real IP address, you may configure IDFW rules to control the network access for the user.
Thanks,
09-23-2011 06:06 AM
Yes, the 3560 is a switch working at layer 3 with VRF.
NAT is only in the ASA.
Context configuration: *some settings omitted
hostname test4
!
interface inside
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface outside
nameif outside
security-level 0
ip address 172.16.100.4 255.255.255.0
!
same-security-traffic permit intra-interface
object network Invalida_Calsse-A
subnet 10.0.0.0 255.0.0.0
object network Invalida_Classe-B
subnet 172.16.0.0 255.240.0.0
object network Invalida_Classe-C
subnet 192.168.0.0 255.255.0.0
object network router-loopback
host 192.168.14.254
object network 172.16.4.1
host 172.16.4.1
object network 172.16.4.254
host 172.16.4.254
object network all
subnet 0.0.0.0 0.0.0.0
access-list inside_access_in extended deny ip user test4.local\rodrigo any any
access-list inside_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list outside_access_in extended permit ip any any
!
object network router-loopback
nat (any,any) static 172.16.4.254
object network all
nat (inside,outside) dynamic 172.16.4.1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 172.16.100.254 1
route inside 192.168.0.0 255.255.0.0 192.168.200.254 1
aaa-server AD-TEST4 protocol ldap
aaa-server AD-TEST4 (inside) host 192.168.4.10
ldap-base-dn DC=test4,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=administrator,CN=users,DC=test4,DC=local
server-type microsoft
aaa-server AG-TEST4 protocol radius
ad-agent-mode
aaa-server AG-TEST4 (inside) host 192.168.4.10
key *****
user-identity domain test4.local aaa-server AD-TEST4
user-identity default-domain test4.local
no user-identity action mac-address-mismatch remove-user-ip
user-identity logout-probe netbios local-system
user-identity ad-agent aaa-server AG-TEST4
****************************************************
asa5520-frw/test4# sh access-list inside_access_in
access-list inside_access_in; 2 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended deny ip user test4.local\rodrigo any any (hitcnt=0) 0xd663546c
access-list inside_access_in line 2 extended permit ip any any (hitcnt=7037) 0xa925365e
asa5520-frw/test4# sh access-list inside_access_in
access-list inside_access_in; 3 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended deny ip user test4.local\rodrigo any any (hitcnt=0) 0xd663546c
access-list inside_access_in line 2 extended deny ip object Desktop_test any (hitcnt=0) 0x8036771b
access-list inside_access_in line 2 extended deny ip host 192.168.4.50 any (hitcnt=8) 0x8036771b
access-list inside_access_in line 3 extended permit ip any any (hitcnt=7037) 0xa925365e
09-23-2011 10:22 AM
First of all, I'd like to check if the ASA correctly receives the user-IP mapping for test4.local\rodrigo from the AD agent.
Can you please collect the output of the following CLIs in AD agent server?
adacfg dc list
adacfg cache list
Also run the CLI in the ASA and check if the user-IP mapping is created in the ASA.
show user-identity user all list detail
show user-identity ad-agent
show user-identity ad-agent
09-23-2011 10:28 AM
Two more CLIs to collect.
Here is the new list.
in AD agent server
adacfg dc list
adacfg cache list
adacfg client list
in ASA
show user-identity user all list detail
show user-identity ad-agent
show user-identity ad-agent statis
Also you may turn on debug ("debug user-identity ad-agent") and collect more info.
09-23-2011 12:08 PM
PS C:\IBF\CLI> .\adacfg.exe dc list
Name Host/IP Username Domain-Name Latest Status
----------- ----------------------- ------------- ----------- -------------
ASA-TEST4 2k8test.test4.local administrator TEST4 up
PS C:\IBF\CLI> .\adacfg.exe cache list
IP User-Name Domain Responds-To-Probe Mapping-Type Mapping-Origin Create-Time
------------ ------------- ------- ----------------- ------------ -------------- --------------------
192.168.4.50 teste TEST4 true DC TEST4 2011-09-23T14:54:52Z
192.168.4.10 Administrator TEST4 true DC TEST4 2011-09-23T19:04:51Z
PS C:\IBF\CLI> .\adacfg.exe client list
Name IP/Range
---------- ----------------
AG-TEST4 192.168.200.1/24
asa5520-frw/test4# show user-identity user all list detail
Total users: 4 Total IP addresses: 0
test4.local\Administrator: 0 active conns
test4.local\teste: 0 active conns
test4.local\bunda: 0 active conns
test4.local\rodrigo: 0 active conns
asa5520-frw/test4# show user-identity ad-agent
Primary AD Agent:
Status up (registered)
Mode: full-download
IP address: 192.168.4.10
Authentication port: udp/1645
Accounting port: udp/1646
ASA listening port: udp/3799
Interface: inside
Up time: 8 hours 22 mins
Average RTT: 0 msec
AD Domain Status:
Domain TEST4: up
asa5520-frw/test4# show user-identity ad-agent statis
Primary AD Agent Total Last Activity
------------------------- ---------- ------------------------
Input packets: 4 5 mins 44 secs
Output packets: 2022 6 secs
Send updates: 0 N/A
Recv updates: 4 5 mins 44 secs
Keepalive failed: 2 8 hours 24 mins
Send update failed: 0 N/A
Query failed: 0 N/A
Update pending: 0 N/A
Update high-watermark: 0 N/A
Update dropped: 0 N/A
09-23-2011 12:14 PM
Here is the reason you did not get any user-ip mappings in ASA.
The domain name configured in ASA should be netbios domain name and it needs to be matched with the one you see in "adacfg dc list" output, otherwise ASA will drop any user-ip reports from AD agent.
You may have a try with the following new configs.
user-identity domain TEST4 aaa-server AD-TEST4
user-identity default-domain TEST4
access-list inside_access_in extended deny ip user TEST4\rodrigo any any
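As an added example (not from this thread and not Cisco code), a small Python check that applies the rule above: it parses the ASA user-identity and user-based ACL statements and the adacfg output posted earlier, reports ASA domain names the AD agent does not know, and lists ACL users that have no IP in the agent cache. The sample inputs are constructed from this thread; the 192.168.4.60 cache row for rodrigo is an assumption added so that the corrected config shows a clean result.

```python
import re

# Constructed sample input: the ASA context lines posted in this thread (domain given as the DNS name)
ASA_CONFIG = """\
user-identity domain test4.local aaa-server AD-TEST4
user-identity default-domain test4.local
access-list inside_access_in extended deny ip user test4.local\\rodrigo any any
"""
# Constructed sample input: 'adacfg dc list' and 'adacfg cache list' as printed on the AD agent host
# (the 192.168.4.60 row for rodrigo is assumed; the thread's own cache output does not show him)
ADACFG_DC_LIST = """\
Name       Host/IP              Username       Domain-Name  Latest Status
---------- -------------------- -------------- ------------ -------------
ASA-TEST4  2k8test.test4.local  administrator  TEST4        up
"""
ADACFG_CACHE_LIST = """\
IP            User-Name      Domain  Responds-To-Probe  Mapping-Type  Mapping-Origin  Create-Time
------------  -------------  ------  -----------------  ------------  --------------  --------------------
192.168.4.50  teste          TEST4   true               DC            TEST4           2011-09-23T14:54:52Z
192.168.4.10  Administrator  TEST4   true               DC            TEST4           2011-09-23T19:04:51Z
192.168.4.60  rodrigo        TEST4   true               DC            TEST4           2011-09-23T19:10:00Z
"""

def _rows(table):
    """Whitespace-split the data rows of an adacfg table, skipping the header and the dashed rule."""
    return [line.split() for line in table.splitlines()[2:] if line.strip()]

def agent_domains(dc_list):
    """NetBIOS domain names the AD agent reports (Domain-Name column of 'adacfg dc list')."""
    return {row[3] for row in _rows(dc_list)}

def asa_domains(config):
    """Domain names the ASA config uses in user-identity statements and in user-based ACL entries."""
    stmts = re.findall(r"^user-identity (?:default-domain|domain) (\S+)", config, re.M)
    acls = re.findall(r"\buser (\S+?)\\\S+", config)
    return set(stmts + acls)

def unknown_domains(config, dc_list):
    """ASA domain names the agent never reports; the ASA drops user-IP reports carrying them."""
    return sorted(asa_domains(config) - agent_domains(dc_list))

def acl_users_without_mapping(config, cache_list):
    """Users named in ACL entries with no IP in the agent cache; such entries cannot get hits."""
    cached = {f"{row[2]}\\{row[1]}".lower() for row in _rows(cache_list)}
    return sorted(u for u in re.findall(r"\buser (\S+\\\S+)", config) if u.lower() not in cached)

# Corrected form from the accepted answer: the NetBIOS domain name on every statement
FIXED_CONFIG = ASA_CONFIG.replace("test4.local", "TEST4")
```

Running the checks against ASA_CONFIG flags test4.local as unknown to the agent and rodrigo's ACL entry as unmapped; against FIXED_CONFIG both lists are empty.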
09-23-2011 07:38 PM
Thank you for your help, Liu.
Very nice, the new feature of ASA 8.4.
Now Identity is working! \o/
[ ]' s