9.0.1, dynamic NAT problem with several NAT rules

dm

Hello!

I have my computer behind ASA dynamic NAT:

object network obj-192.168.22.229
 host 192.168.22.229
nat (inside,outside) source dynamic obj-192.168.22.229 interface

All works OK, and I have hosts with static NAT; they work too.

Then I need to give all users access to some host, but only to HTTP, so I add:

object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.0.0

object service obj-tcp-eq-80
 service tcp destination eq www

The host we need to access (this one is for testing):

object network obj-66.7.199.108
 host 66.7.199.108

and the NAT rule:

nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-66.7.199.108 obj-66.7.199.108 service obj-tcp-eq-80 obj-tcp-eq-80

OK, now users can access 66.7.199.108 port 80.

But I can't!

dm@dm:~$ telnet 66.7.199.108 80
Trying 66.7.199.108...
telnet: Unable to connect to remote host: Connection refused

The same happens with the static NAT hosts.

If I disable

nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-66.7.199.108 obj-66.7.199.108 service obj-tcp-eq-80 obj-tcp-eq-80

or change it to

nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-66.7.199.108 obj-66.7.199.108

i.e. without the port, all is OK; but I need to limit access to port 80, and, AFAIR, all was OK with 8.x.

Could you tell me how I can solve this problem?

Thank you!


Julio Carvajal

Hello,

Based on what you explain, you are looking to filter traffic, and for that we have ACLs, so there is no need to use NAT:

access-list inside_outside permit tcp object obj-192.168.0.0 host 66.7.199.108 eq 80
access-list inside_outside deny ip object obj-192.168.0.0 host 66.7.199.108
access-list inside_outside permit ip any any
access-group inside_outside in interface outside

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you!

Yes, sure, I can filter, but, really, the more interesting thing is why NAT doesn't work as expected.

And I'd like to filter only the NATted traffic for these hosts, i.e. I don't want to limit my computer and/or the static NATs, etc.

Yes, it is possible to apply a more complex filter, but...

Any ideas?

Well, let's do something.

Can you share the show run nat?

Also, what is your IP address, and what other IPs cannot access this host?

I would recommend you to do captures:

capture capin interface inside match tcp host your_private_ip host server_public_ip eq 80 trace

Then generate some traffic from your PC and afterwards do:

show cap capin
show cap capin trace packet-number 1

Please share the entire outputs.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here it is:

# show run nat

nat (inside,any) source static obj-192.168.42.128 obj-192.168.42.128 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp
nat (inside,any) source static obj-192.168.42.128 obj-192.168.42.128 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp
nat (inside,any) source static obj-192.168.200.198 obj-192.168.200.198 destination static obj-192.168.200.197 obj-192.168.200.197 no-proxy-arp
nat (inside,outside) source static obj-192.168.42.131 obj-88.80.32.211
nat (inside,outside) source static obj-192.168.42.130 obj-88.80.32.212
nat (inside,outside) source dynamic obj-192.168.22.231 interface
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-84.52.87.98 obj-84.52.87.98
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-87.249.230.101 obj-87.249.230.101 service obj-tcp-eq-3306 obj-tcp-eq-3306
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-87.249.230.101 obj-87.249.230.101 service obj-tcp-eq-5555 obj-tcp-eq-5555
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-87.249.230.101 obj-87.249.230.101 service obj-udp-eq-55777 obj-udp-eq-55777
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-131.107.115.36 obj-131.107.115.36 service obj-tcp-eq-443 obj-tcp-eq-443
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-89.111.181.74 obj-89.111.181.74 service obj-tcp-eq-3345 obj-tcp-eq-3345
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-89.111.181.74 obj-89.111.181.74 service obj-tcp-eq-5690 obj-tcp-eq-5690
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-89.111.181.74 obj-89.111.181.74 service obj-tcp-eq-4477 obj-tcp-eq-4477
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-87.249.230.101 obj-87.249.230.101 service obj-tcp-eq-2226 obj-tcp-eq-2226
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-87.249.230.101 obj-87.249.230.101 service obj-udp-eq-2226 obj-udp-eq-2226
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-217.67.178.45 obj-217.67.178.45
nat (inside,outside) source dynamic obj-192.168.24.223 interface
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-87.249.228.66 obj-87.249.228.66
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-87.249.226.18 obj-87.249.226.18
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-83.220.37.114 obj-83.220.37.114
nat (inside,outside) source dynamic obj-192.168.24.9 interface
nat (inside,outside) source dynamic obj-192.168.22.19 interface
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-194.79.35.83 obj-194.79.35.83
nat (inside,outside) source dynamic obj-192.168.22.31 interface
nat (inside,any) source static obj-10.64.252.242 obj-10.64.252.242 destination static obj-10.64.252.241 obj-10.64.252.241 no-proxy-arp
nat (inside,outside) source static obj-192.168.22.202 obj-88.80.32.213
nat (inside,outside) source dynamic obj-192.168.24.8 interface
nat (inside,outside) source static obj-192.168.22.110 obj-88.80.32.214
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-188.127.228.215 obj-188.127.228.215
nat (inside,outside) source dynamic obj-192.168.28.0 interface
nat (inside,outside) source dynamic obj-10.0.0.0 interface destination static obj-83.220.37.114 obj-83.220.37.114
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-83.151.12.218 obj-83.151.12.218
nat (inside,outside) source static obj-192.168.42.135 obj-88.80.32.216
nat (inside,outside) source static obj-192.168.42.136 obj-88.80.32.217
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.214.0 obj-192.168.214.0 no-proxy-arp
nat (inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.214.0 obj-192.168.214.0 no-proxy-arp
nat (inside,any) source static obj-192.168.201.8 obj-192.168.201.8 destination static obj-192.168.201.9 obj-192.168.201.9 no-proxy-arp
nat (inside,any) source static obj-192.168.201.142 obj-192.168.201.142 destination static obj-192.168.201.141 obj-192.168.201.141 no-proxy-arp
nat (inside,outside) source dynamic obj-192.168.22.229 interface
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-89.250.217.234 obj-89.250.217.234
nat (inside,outside) source dynamic obj-192.168.0.0 interface destination static obj-66.7.199.108 obj-66.7.199.108 service obj-tcp-eq-80 obj-tcp-eq-80
!
object network obj_any
 nat (inside,outside) dynamic obj-0.0.0.0

I'll capture the traffic and post it here :-)

Thank you!

Here is the trace:

show cap capin

2 packets captured
   1: 10:34:59.784841       192.168.22.229.52685 > 66.7.199.108.80: S 1509935962:1509935962(0) win 14600
   2: 10:34:59.784902       66.7.199.108.80 > 192.168.22.229.52685: R 0:0(0) ack 1509935963 win 14600
2 packets shown

show cap capin trace packet-number 1

2 packets captured
   1: 10:34:59.784841       192.168.22.229.52685 > 66.7.199.108.80: S 1509935962:1509935962(0) win 14600
1 packet shown

And what I got:

dm@dm:~$ telnet 66.7.199.108 80
Trying 66.7.199.108...
telnet: Unable to connect to remote host: Connection refused

Hello,

nat (inside,outside) 2 source dynamic obj-192.168.0.0 interface destination static obj-66.7.199.108 obj-66.7.199.108 service obj-tcp-eq-80 obj-tcp-eq-80

Then try it, and if it does not make a difference, capture the traffic.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Unfortunately, no difference :-(

show cap capin

2 packets captured
   1: 10:41:10.420235       192.168.22.229.52717 > 66.7.199.108.80: S 2096723792:2096723792(0) win 14600
   2: 10:41:10.420296       66.7.199.108.80 > 192.168.22.229.52717: R 0:0(0) ack 2096723793 win 14600
2 packets shown

show cap capin trace packet-number 1

2 packets captured
   1: 10:41:10.420235       192.168.22.229.52717 > 66.7.199.108.80: S 2096723792:2096723792(0) win 14600
1 packet shown

Sorry, I forgot to remove the previous rule :-) - a user just called me and, you know...

Really, it works:

dm@dm:~$ telnet 66.7.199.108 80
Trying 66.7.199.108...
Connected to 66.7.199.108.
Escape character is '^]'.

Thank you!

Could you explain to me what we did? :-)

Hello,

The line was almost at the bottom of the list, so we just added it at the top so it takes precedence.

That's it.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
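As an added illustration (not part of the thread, and not Cisco code), here is a small Python model of the top-down, first-match evaluation of manual NAT that the accepted answer relies on, built from three lines of the show run nat posted above. The rule fields are a simplified assumption, and the colleague address 192.168.24.50 is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    """One ASA manual NAT line reduced to the fields the match decision uses."""
    text: str                   # the line as it appears in show run nat
    src: str                    # network covered by the source object
    dst: Optional[str] = None   # network covered by the destination object, if any
    proto: Optional[str] = None # protocol of the service object, if any
    port: Optional[int] = None  # destination port of the service object, if any

    def matches(self, sip: str, dip: str, proto: str, dport: int) -> bool:
        if ipaddress.ip_address(sip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dip) not in ipaddress.ip_network(self.dst):
            return False
        if self.port and (proto != self.proto or dport != self.port):
            return False
        return True

def first_match(rules, sip, dip, proto, dport):
    """Manual NAT is walked top-down; the first line that matches wins (simplified model)."""
    for pos, rule in enumerate(rules, start=1):
        if rule.matches(sip, dip, proto, dport):
            return pos, rule.text
    return None

# Three lines from the thread's show run nat, in their original relative order.
STATIC = NatRule("nat (inside,outside) source static obj-192.168.42.131 obj-88.80.32.211",
                 "192.168.42.131/32")
HOST = NatRule("nat (inside,outside) source dynamic obj-192.168.22.229 interface",
               "192.168.22.229/32")
WEB = NatRule("nat (inside,outside) source dynamic obj-192.168.0.0 interface "
              "destination static obj-66.7.199.108 obj-66.7.199.108 "
              "service obj-tcp-eq-80 obj-tcp-eq-80",
              "192.168.0.0/16", dst="66.7.199.108/32", proto="tcp", port=80)

ORIGINAL_ORDER = [STATIC, HOST, WEB]   # WEB sat near the bottom of the list
FIXED_ORDER = [STATIC, WEB, HOST]      # "nat (inside,outside) 2 ..." puts WEB at line 2

def lookup(order, sip="192.168.22.229"):
    """Which line handles a TCP/80 connection from sip to 66.7.199.108?"""
    return first_match(order, sip, "66.7.199.108", "tcp", 80)

if __name__ == "__main__":
    print("poster, original order:", lookup(ORIGINAL_ORDER))   # the HOST line wins
    print("poster, fixed order:   ", lookup(FIXED_ORDER))      # the WEB line wins
    print("colleague (constructed):", lookup(ORIGINAL_ORDER, "192.168.24.50"))
```

The poster's own host-specific line is hit before the destination/service-specific line in the original order, while a colleague with no line of their own falls through to the WEB line either way, which matches the "users can, but I can't" symptom.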