ASA 5505 9.2 - NAT Reflection / Loopback

kimilisecco
Level 1

Hi

How do I access an internal IP via the public/WAN IP with port forwarding enabled?

Port 8001 is forwarded to 8000 for 192.168.1.100

I'd like to access 8001 via the public IP.

So users can access the server the same way regardless of where they are.

 

object network Server1
 nat (inside,outside) static interface service tcp 8000 8001

 

/Kim


Bogdan Nita
VIP Alumni

Not sure I understood the problem. Wouldn't the following work:

object network Server1
 nat (inside,outside) static interface service tcp 8001 8001

 

Wouldn't that just forward port 8001 to 8001?

I need the outside/WAN IP to be accessible from the inside, and also forward port 8001 to 8000.

Yes, that would just forward port 8001 to 8001.

I did not understand what you are trying to do.

I guess you could have a NAT something like this:

nat (inside,inside) source static obj-inside-ips obj-fake-inside-ips destination static obj-public-ip obj-server1-ip service obj-8000 obj-8001

Judging by the config you posted, the clients and the server are on the same network, so the return traffic will not be sent through the ASA unless the source IPs are NATed as well.

You could also use DNS to resolve the name with different IPs. Probably a better and cleaner solution than the NAT one.

Thanks Bogdan!

Just to clarify, what should obj-fake-inside-ips be?

DNS is not an option when using different ports inside and outside.

Hi kimilisecco,

As I said in the previous post, it seems that your clients and server are actually on the same network. If this is the case, the return traffic from the server will be sent directly to the client, and because of that the second packet sent by the client will be dropped by the ASA. To get around this, the source IPs could be NATed as well in order to make the return traffic go through the ASA.

So the obj-fake-inside-ips are just used for that, and it could be any unused IP range in your network.

Also, in order to make this work you would need the same-security-traffic permit intra-interface command.

HTH

Bogdan

Hi Bogdan

Yes clients are on same network.

I can't get it to work...

 

object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0

object network obj-fake-inside-ips
 range 192.168.5.220 192.168.5.240

object network obj-public-ip
 host 5.x.x.8

object network obj-nvr1-ip
 host 192.168.5.242

object-group service obj-8001 tcp-udp
 port-object eq 8001

object-group service obj-8000 tcp-udp
 port-object eq 8000

nat (inside,inside) source static obj-192.168.5.0 obj-fake-inside-ips destination static obj-public-ip obj-nvr1-ip service obj-8000 obj-8001

Is that correct?

 

/Kim

Hi Kim,

The obj-fake-inside-ips cannot be in the same range as your internal IPs.

You could use, for instance, 192.168.6.0/24 if you are not using it for something else.

I tested the config in my lab. Below are the relevant config and show commands.

I used port 80 instead of 8000 and 81 instead of 8001.

 

! NAT for external access
!
object network Server1
host 192.168.5.242
nat (inside,outside) static interface service tcp www 81
!
! NAT for internal access
!
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-public-ip
host 5.5.5.8
object network obj-nvr1-ip
host 192.168.5.242
object service obj-80
service tcp destination eq 80
object service obj-81
service tcp destination eq 81
!
nat (inside,inside) source static obj-192.168.5.0 obj-192.168.6.0 destination static obj-public-ip obj-nvr1-ip service obj-81 obj-80
!
!permit traffic entering and exiting on the same interface
!
same-security-traffic permit intra-interface


ciscoasa# packet-tracer input inside tcp 192.168.5.10 1025 5.5.5.8 81

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source static obj-192.168.5.0 obj-192.168.6.0 destination static obj-public-ip obj-nvr1-ip service obj-81 obj-80
Additional Information:
NAT divert to egress interface inside
Untranslate 5.5.5.8/81 to 192.168.5.242/80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,inside) source static obj-192.168.5.0 obj-192.168.6.0 destination static obj-public-ip obj-nvr1-ip service obj-81 obj-80
Additional Information:
Static translate 192.168.5.10/1025 to 192.168.6.10/1025

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,inside) source static obj-192.168.5.0 obj-192.168.6.0 destination static obj-public-ip obj-nvr1-ip service obj-81 obj-80
Additional Information:

Phase: 10
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ciscoasa# sh capture
capture CAP type raw-data interface inside [Capturing - 2372 bytes]

ciscoasa# sh capture CAP

30 packets captured

1: 15:45:39.514698 192.168.5.10.14566 > 5.5.5.8.81: S 3807755150:3807755150(0) win 4128 <mss 536>
2: 15:45:39.515125 192.168.6.10.14566 > 192.168.5.242.80: S 864605413:864605413(0) win 4128 <mss 536>
3: 15:45:39.524463 192.168.5.242.80 > 192.168.6.10.14566: S 3129893081:3129893081(0) ack 864605414 win 4128 <mss 536>
4: 15:45:39.524509 5.5.5.8.81 > 192.168.5.10.14566: S 187882781:187882781(0) ack 3807755151 win 4128 <mss 536>
5: 15:45:39.534548 192.168.5.10.14566 > 5.5.5.8.81: . ack 187882782 win 4128
6: 15:45:39.534609 192.168.6.10.14566 > 192.168.5.242.80: . ack 3129893082 win 4128
7: 15:45:39.534762 192.168.5.10.14566 > 5.5.5.8.81: . ack 187882782 win 4128
8: 15:45:39.534792 192.168.6.10.14566 > 192.168.5.242.80: . ack 3129893082 win 4128
9: 15:45:41.520984 192.168.5.10.14566 > 5.5.5.8.81: P 3807755151:3807755153(2) ack 187882782 win 4128
10: 15:45:41.521014 192.168.6.10.14566 > 192.168.5.242.80: P 864605414:864605416(2) ack 3129893082 win 4128
11: 15:45:41.530947 192.168.5.10.14566 > 5.5.5.8.81: P 3807755153:3807755154(1) ack 187882782 win 4128
12: 15:45:41.530963 192.168.6.10.14566 > 192.168.5.242.80: P 864605416:864605417(1) ack 3129893082 win 4128
13: 15:45:41.732628 192.168.5.242.80 > 192.168.6.10.14566: . ack 864605417 win 4125
14: 15:45:41.732643 5.5.5.8.81 > 192.168.5.10.14566: . ack 3807755154 win 4125
15: 15:45:44.228580 192.168.5.10.14566 > 5.5.5.8.81: P 3807755154:3807755155(1) ack 187882782 win 4128
16: 15:45:44.228595 192.168.6.10.14566 > 192.168.5.242.80: P 864605417:864605418(1) ack 3129893082 win 4128
17: 15:45:44.429741 192.168.5.242.80 > 192.168.6.10.14566: . ack 864605418 win 4124
18: 15:45:44.429772 5.5.5.8.81 > 192.168.5.10.14566: . ack 3807755155 win 4124
19: 15:45:44.751044 192.168.5.10.14566 > 5.5.5.8.81: P 3807755155:3807755157(2) ack 187882782 win 4128
20: 15:45:44.751059 192.168.6.10.14566 > 192.168.5.242.80: P 864605418:864605420(2) ack 3129893082 win 4128
21: 15:45:44.761831 192.168.5.242.80 > 192.168.6.10.14566: . 3129893082:3129893204(122) ack 864605420 win 4122
22: 15:45:44.761847 5.5.5.8.81 > 192.168.5.10.14566: . 187882782:187882904(122) ack 3807755157 win 4122
23: 15:45:44.762045 192.168.5.242.80 > 192.168.6.10.14566: FP 3129893204:3129893204(0) ack 864605420 win 4122
24: 15:45:44.762076 5.5.5.8.81 > 192.168.5.10.14566: FP 187882904:187882904(0) ack 3807755157 win 4122
25: 15:45:44.771780 192.168.5.10.14566 > 5.5.5.8.81: . ack 187882905 win 4006
26: 15:45:44.771871 192.168.6.10.14566 > 192.168.5.242.80: . ack 3129893205 win 4006
27: 15:45:44.772070 192.168.5.10.14566 > 5.5.5.8.81: FP 3807755157:3807755157(0) ack 187882905 win 4006
28: 15:45:44.772115 192.168.6.10.14566 > 192.168.5.242.80: FP 864605420:864605420(0) ack 3129893205 win 4006
29: 15:45:44.782384 192.168.5.242.80 > 192.168.6.10.14566: . ack 864605421 win 4122
30: 15:45:44.782414 5.5.5.8.81 > 192.168.5.10.14566: . ack 3807755158 win 4122

 

HTH

Bogdan
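The two things Bogdan's lab output demonstrates (the source NAT into a separate range that forces the server's replies back through the ASA, and the pre-NAT and post-NAT copy of every packet appearing back to back in the inside capture) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco. It parses lines in the `show capture CAP` format shown above, pairs each client-side packet with its translated copy, and reports any packet whose translated leg is missing. The addresses and ports (5.5.5.8:81, 192.168.5.242:80, 192.168.5.0/24 translated to 192.168.6.0/24) are taken from the lab post; the function names, the eight-line excerpt and the second, deliberately broken capture are constructed for the example.

```python
"""Check an ASA (inside,inside) hairpin capture for paired pre-/post-NAT packets.

Added example, not code from the thread. Assumes the `show capture` line format
shown above: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> ...".
"""
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "num src_ip src_port dst_ip dst_port flags")

# One capture line, e.g. "1: 15:45:39.514698 192.168.5.10.14566 > 5.5.5.8.81: S ..."
LINE_RE = re.compile(
    r"^\s*(\d+):\s+\S+\s+(\d+(?:\.\d+){3})\.(\d+)\s+>\s+(\d+(?:\.\d+){3})\.(\d+):\s+(\S+)"
)

# Lab parameters from Bogdan's post: public 5.5.5.8:81 maps to the server 192.168.5.242:80,
# and the client subnet 192.168.5.0/24 is source-translated to the unused 192.168.6.0/24.
PUBLIC_IP, PUBLIC_PORT = "5.5.5.8", 81
SERVER_IP, SERVER_PORT = "192.168.5.242", 80
CLIENT_NET = ipaddress.ip_network("192.168.5.0/24")
FAKE_NET = ipaddress.ip_network("192.168.6.0/24")


def parse_capture(text):
    """Return the Packet tuples found in `show capture` output, in capture order."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            num, sip, sport, dip, dport, flags = m.groups()
            pkts.append(Packet(int(num), sip, int(sport), dip, int(dport), flags))
    return pkts


def map_host(ip, from_net, to_net):
    """Static net-to-net NAT keeps the host part: 192.168.5.10 -> 192.168.6.10."""
    offset = int(ipaddress.ip_address(ip)) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def check_hairpin(pkts):
    """Pair every pre-NAT packet with the post-NAT copy that follows it.

    On the inside interface the ASA shows both copies back to back:
      client -> PUBLIC_IP:PUBLIC_PORT        then  fake-client -> SERVER_IP:SERVER_PORT
      SERVER_IP:SERVER_PORT -> fake-client   then  PUBLIC_IP:PUBLIC_PORT -> client
    Returns (pairs, problems). A missing second copy means the twice-NAT rule did
    not match that packet (for instance when the fake range overlaps the client subnet).
    """
    pairs, problems, i = [], [], 0
    while i < len(pkts):
        p = pkts[i]
        nxt = pkts[i + 1] if i + 1 < len(pkts) else None
        want = None
        if p.dst_ip == PUBLIC_IP and p.dst_port == PUBLIC_PORT:
            # Forward leg: source moved into the fake range, destination un-NATed to the server.
            want = (map_host(p.src_ip, CLIENT_NET, FAKE_NET), p.src_port, SERVER_IP, SERVER_PORT)
        elif (p.src_ip, p.src_port) == (SERVER_IP, SERVER_PORT) and ipaddress.ip_address(p.dst_ip) in FAKE_NET:
            # Return leg: the server's reply to the fake address must leave as public IP -> real client.
            want = (PUBLIC_IP, PUBLIC_PORT, map_host(p.dst_ip, FAKE_NET, CLIENT_NET), p.dst_port)
        if want is None:
            i += 1  # unrelated traffic, or a post-NAT copy already consumed by its pre-NAT packet
            continue
        if nxt and (nxt.src_ip, nxt.src_port, nxt.dst_ip, nxt.dst_port) == want:
            pairs.append((p.num, nxt.num))
            i += 2
        else:
            problems.append("packet %d: no translated copy %s:%d -> %s:%d" % ((p.num,) + want))
            i += 1
    return pairs, problems


# First eight lines of the lab capture quoted in the thread (handshake plus ACKs).
LAB_CAPTURE = """\
1: 15:45:39.514698 192.168.5.10.14566 > 5.5.5.8.81: S 3807755150:3807755150(0) win 4128 <mss 536>
2: 15:45:39.515125 192.168.6.10.14566 > 192.168.5.242.80: S 864605413:864605413(0) win 4128 <mss 536>
3: 15:45:39.524463 192.168.5.242.80 > 192.168.6.10.14566: S 3129893081:3129893081(0) ack 864605414 win 4128 <mss 536>
4: 15:45:39.524509 5.5.5.8.81 > 192.168.5.10.14566: S 187882781:187882781(0) ack 3807755151 win 4128 <mss 536>
5: 15:45:39.534548 192.168.5.10.14566 > 5.5.5.8.81: . ack 187882782 win 4128
6: 15:45:39.534609 192.168.6.10.14566 > 192.168.5.242.80: . ack 3129893082 win 4128
7: 15:45:39.534762 192.168.5.10.14566 > 5.5.5.8.81: . ack 187882782 win 4128
8: 15:45:39.534792 192.168.6.10.14566 > 192.168.5.242.80: . ack 3129893082 win 4128
"""

# Constructed failure case: the same capture with the translated copy of the SYN removed,
# which is what the inside capture looks like when the (inside,inside) rule does not match.
BROKEN_CAPTURE = "\n".join(l for l in LAB_CAPTURE.splitlines() if not l.startswith("2:"))

if __name__ == "__main__":
    for name, text in (("lab", LAB_CAPTURE), ("broken", BROKEN_CAPTURE)):
        pairs, problems = check_hairpin(parse_capture(text))
        print(name, "pairs:", pairs, "problems:", problems)
```

On the lab excerpt every packet pairs up; on the broken capture the first SYN is reported with no translated copy, which is the same symptom as a packet-tracer run that never reaches an UN-NAT phase before the drop. Point the script at a longer capture by pasting more `show capture` lines into LAB_CAPTURE, and adjust the constants if the lab ports or the fake range differ.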

Hi

Does not work for me:

packet-tracer input inside tcp 192.168.5.10 1025 5.x.x.8 8001

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   5.x.x.8    255.255.255.255 identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

object service obj-8000
 service tcp destination eq 8000
object service obj-8001
 service tcp destination eq 8001

object network obj-fake-inside-ips
 subnet 172.16.80.0 255.255.255.0

Did you configure same-security intra-interface?

same-security-traffic permit intra-interface

Yes

Did you permit the traffic on the inside access-list?

Yes, that's also permitted by default.
