ASA 5510 NONAT/NAT

Kimberly Adams
Level 3

Hey Everyone,

I have a really odd requirement for a NAT and then a NONAT on my firewalls.

One interface on our ASA 5510 version 8.2(1) connects into our vendor's network and they only allow one address through the firewall.  This allowed address is the interface IP and it is overloaded.  The subnet is a 24-bit mask but I have 2 systems on my inside interface that need to have a connection to them from this vendor network on one address.

This connection is OPC, which is our DCOM and initiates a (MS) DCERPC connection.  The NAT overload is working and we have full commands and visibility but no OPC/DCOM/DCERPC control from that one server to our servers.  I have tried to set up a NONAT for this one address to our servers and also a static to the address to bypass the NAT; neither of these worked to allow the communications.

Please let me know what more information you need to help me out with this.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.

Julio Carvajal
VIP Alumni

Hello Kim,

Okay, so in order to access the other site on one of the interfaces of your ASA you are allowed to go through their network by having only one IP address, but there is also a requirement for them to access two internal servers on your ASA.

Are they trying to connect from a lower to a higher security level? If this is the case, NAT control is enabled by default and you will need a bi-directional NAT rule (static NAT or NAT 0 with ACL).

I would like to know if the connection is being initiated on the lower security level, the NAT statement and also the ACL applied to the interface allowing the connection; then we will use packet-tracer and captures.

Regards,

Julio

Do rate helpful posts!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thank you for your response and this is what I have; this is part of the configuration.

ASA Version 8.2(1)
!
hostname SC1-E-FW1
domain-name wosrpt.us
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.41.2.254 255.255.255.240
!
interface Ethernet0/1
 nameif GAMESA
 security-level 50
 ip address 192.168.20.253 255.255.224.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.41.95.254 255.255.254.0 standby 10.41.95.253
!
interface Ethernet0/3
 nameif SUB_P&C_NET
 security-level 100
 ip address 10.241.4.1 255.255.255.0
!
interface Management0/0
 description LAN/STATE Failover Interface
!
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network PDXRPT
 network-object 10.41.0.0 255.255.0.0
object-group network SC1EMS
 network-object 10.41.94.0 255.255.254.0
object-group network SUBSTATION_NET
 network-object 10.241.4.0 255.255.255.0
object-group network SC1_UCC_SERVERS
 network-object host 10.41.95.241
 network-object host 10.41.95.242
 network-object host 10.41.95.240
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any source-quench
access-list outside extended permit icmp any any unreachable
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit ip object-group PDXRPT object-group SC1EMS
access-list SUBSTATION extended permit ip host 10.41.95.239 object-group SUBSTATION_NET
access-list SUBSTATION extended permit icmp host 10.41.95.239 object-group SUBSTATION_NET
access-list SUBSTATION extended permit ip object-group SUBSTATION_NET host 10.41.95.239
access-list SUBSTATION extended permit icmp object-group SUBSTATION_NET host 10.41.95.239
access-list GAMESA extended permit ip any 192.168.0.0 255.255.224.0
access-list GAMESA extended permit icmp any any
access-list GAMESA extended permit icmp any any echo-reply
access-list GAMESA extended permit icmp any any source-quench
access-list GAMESA extended permit icmp any any unreachable
access-list GAMESA extended permit icmp any any time-exceeded
access-list GAMESA extended permit ip host 192.168.20.254 object-group SC1_UCC_SERVERS
access-list NONAT extended permit ip object-group PDXRPT object-group SC1EMS
access-list NONAT extended permit ip object-group SC1EMS object-group PDXRPT
access-list NONAT extended permit ip object-group SC1EMS object-group SUBSTATION_NET
mtu outside 1500
mtu inside 1500
mtu SUB_P&C_NET 1500
mtu GAMESA 1500
icmp unreachable rate-limit 10 burst-size 5
icmp permit any outside
icmp permit any inside
icmp permit any SUB_P&C_NET
icmp permit any GAMESA
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (GAMESA) 1 interface
nat (outside) 0 access-list NONAT
nat (inside) 0 access-list NONAT
nat (inside) 1 10.41.95.241 255.255.255.255
nat (inside) 1 10.41.95.242 255.255.255.255
nat (GAMESA) 0 access-list NONAT
static (inside,GAMESA) 192.168.21.1 10.41.95.25 netmask 255.255.255.255
access-group outside in interface outside
access-group SUBSTATION in interface SUB_P&C_NET
access-group GAMESA in interface GAMESA
route outside 0.0.0.0 0.0.0.0 10.41.2.242 1
timeout xlate 3:00:00

And now I am also having another issue with this firewall between our PDXRPT and 1 device at the site.  It is coming back as a TCP Reset-I.

Any help with either of these issues would be very much appreciated.

Thanks,

Kimberly


Hello Kim,

Can you be a little bit more specific here? I mean, where is the connection being initiated, where is the connection going to, and if you run a packet-tracer what do you get?

I would be more than glad to help.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
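Added example, not part of the thread: the packet-tracer runs Julio is asking for, written against the interface names and addresses in the configuration Kimberly posted. Port 135 is an assumption (OPC/DCOM begins with a call to the RPC endpoint mapper) and the source ports are arbitrary; the lines starting with ! are annotations for the reader.

```cisco
! Direction 1: the vendor host on GAMESA (security-level 50) opening a connection to
! an inside server (security-level 100). Lower -> higher needs a permitting ACE in the
! GAMESA ACL and a static or NAT 0 entry that leaves 10.41.95.241 reachable.
packet-tracer input GAMESA tcp 192.168.20.254 49152 10.41.95.241 135 detailed

! Direction 2: the inside server opening a connection to the vendor host. With
! "nat (inside) 1 10.41.95.241" and "global (GAMESA) 1 interface" the NAT phase
! should show the source PAT'd to 192.168.20.253, the overloaded interface IP.
packet-tracer input inside tcp 10.41.95.241 49153 192.168.20.254 135 detailed

! What to read in each trace:
!  - Phase ACCESS-LIST: the ACE that matched, or "Result: DROP" with
!    "Drop-reason: (acl-drop) Flow is denied by configured rule" when nothing permits it.
!  - Phase NAT: the nat/static/global line that matched and the resulting mapped address.
!    For direction 1 the server must keep its real address, not become 192.168.20.253.
!  - The final "Action: allow" or "Action: drop" line.

! Confirm the trace against live state while the vendor host is trying to connect.
show xlate | include 10.41.95.24
show conn | include 192.168.20.254
```

If direction 1 is dropped in the NAT phase while direction 2 is allowed, the rule set is one-way, which is exactly the "bi-directional NAT rule" Julio's first reply is talking about.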

Julio,

The reset is coming from our core network and here is the syslog messages:

Feb 02 2012 12:49:06: %ASA-7-609001: Built local-host inside:10.41.95.21
Feb 02 2012 12:49:06: %ASA-6-302013: Built inbound TCP connection 9634632 for outside:10.41.40.35/1617 (10.41.40.35/1617) to inside:10.41.95.21/20000 (10.41.95.21/20000)
Feb 02 2012 12:49:06: %ASA-6-302014: Teardown TCP connection 9634632 for outside:10.41.40.35/1617 to inside:10.41.95.21/20000 duration 0:00:00 bytes 0 TCP Reset-I
Feb 02 2012 12:49:06: %ASA-7-609002: Teardown local-host inside:10.41.95.21 duration 0:00:00

That is for the TCP Reset-I issue.  The other issue this firewall is having is that IP address 192.168.20.254 needs to talk directly to my two servers without NATting.  These two servers are 10.41.95.241 and .242.

Thanks,

Kimberly

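Added example, not part of the thread: captures to establish where the RST behind that 302014 message is actually coming from. Two things are already visible in the syslog above: in the 302013 line the mapped addresses in parentheses equal the real ones, so this flow is not being translated (it matches the NONAT exemption between PDXRPT and SC1EMS), and "duration 0:00:00 bytes 0" means the reset answered the SYN itself. The capture and ACL names below are my own.

```cisco
! Capture only this flow, on both interfaces it traverses.
access-list cap_reset extended permit tcp host 10.41.40.35 host 10.41.95.21 eq 20000
access-list cap_reset extended permit tcp host 10.41.95.21 eq 20000 host 10.41.40.35
capture cap_out access-list cap_reset interface outside
capture cap_in access-list cap_reset interface inside
! Anything the ASA itself discards, with the drop reason per packet.
capture cap_drop type asp-drop all

! Reproduce the connection attempt from 10.41.40.35, then read the three buffers.
show capture cap_in
show capture cap_out
show capture cap_drop | include 10.41.95.21

! Clean up afterwards; captures keep consuming buffer memory until removed.
no capture cap_in
no capture cap_out
no capture cap_drop
clear configure access-list cap_reset
```

If cap_in shows the SYN leaving towards 10.41.95.21 and an RST coming back with 10.41.95.21 as its source, the server (nothing listening on TCP 20000, or a host firewall) is refusing the connection, which is what Reset-I, a reset from the inside, says. If the RST never enters on the inside interface, or the SYN shows up in cap_drop, the ASA is the one ending the connection and the drop reason in cap_drop is the next thing to look at.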

Please Anyone,

I am still looking for some help with this issue.  Please let me know if you require any further information.

Thanks,

Kimberly


Hello Kim,

The Reset-I, well, there is nothing we can do, as one host on the inside is sending that reset.

You could try TCP state bypass to see if that makes a difference (only to see if the ASA is dropping the connection):

access-list tcp_bypass extended permit tcp host 10.41.40.35 host 10.41.95.21
access-list tcp_bypass extended permit tcp host 10.41.95.21 host 10.41.40.35
class-map tcp_bypass
 match access-list tcp_bypass
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

Regarding the other issue:

access-list 2issue_241 extended permit ip host 10.41.95.241 host 192.168.20.254
access-list 2issue_242 extended permit ip host 10.41.95.242 host 192.168.20.254
static (inside,GAMESA) 10.41.95.241 access-list 2issue_241
static (inside,GAMESA) 10.41.95.242 access-list 2issue_242
access-list GAMESA extended permit ip host 192.168.20.254 host 10.41.95.241
access-list GAMESA extended permit ip host 192.168.20.254 host 10.41.95.242

Do rate all the helpful posts!!

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
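Added example, not part of the thread: Julio's first reply names "static NAT or NAT 0 with ACL" as the two ways to get a bi-directional rule on 8.2, and this is the NAT 0 (exemption) form written against the posted configuration. The reason it matters for OPC/DCOM in particular, which the thread does not spell out, is that the RPC endpoint mapper hands the client the server's own IP address and a dynamically assigned port, so PAT to the interface address breaks the follow-on connection even though plain TCP works. Exemption keeps the real 10.41.95.241/.242 addresses on the wire in both directions, so it assumes the vendor host 192.168.20.254 has a route back to those two addresses via 192.168.20.253. Lines starting with ! are annotations.

```cisco
! NAT exemption for just these two hosts talking to the vendor host. Exemption is
! bi-directional on 8.2, so 192.168.20.254 can also initiate to the real addresses.
! Everything else from .241/.242 still matches "nat (inside) 1" and PATs to 192.168.20.253.
access-list NONAT extended permit ip host 10.41.95.241 host 192.168.20.254
access-list NONAT extended permit ip host 10.41.95.242 host 192.168.20.254
! "nat (inside) 0 access-list NONAT" already exists in the posted config, so the new
! ACEs are picked up by it; keep a single exemption ACL per interface rather than
! adding a second nat 0 statement.

! The inbound (lower -> higher) direction is already permitted by the posted ACE
! "access-list GAMESA extended permit ip host 192.168.20.254 object-group SC1_UCC_SERVERS".

! 8.2 keeps existing translations until they age out (timeout xlate 3:00:00 here), so the
! servers' current PAT entries to 192.168.20.253 must be cleared for the exemption to apply.
clear xlate local 10.41.95.241
clear xlate local 10.41.95.242

! Verify: the NAT phase must report the exemption and the mapped address must equal the real one.
packet-tracer input GAMESA tcp 192.168.20.254 49152 10.41.95.241 135
show xlate | include 10.41.95.24
```

Compared with the policy static above, the exemption does not need one static and one ACL per server, and it is the form Kimberly describes having tried in her first post; the "clear xlate" step is the part that is easy to miss on 8.2 when a NAT change appears to do nothing.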