ASA NAT: any to any issue

Hello!

Just had to troubleshoot an issue where an internal firewall messed up the network on its outside interface. The clients could not get addresses from the local DHCP server.

This is the network Layout:

[Network layout diagram: Drawing1.png]

On the "Internal ASA" there was this NAT rule:

nat (inside,outside) source static any any no-proxy-arp route-lookup

which caused the clients on the 192.168.5.0 network to not get any addresses from the DHCP server.

The default route on the Internal ASA is configured as:

route outside 0.0.0.0 0.0.0.0 192.168.5.1

Why is that? 

The key here is that the 172.16.0.0 network behind Internal ASA should not be accessible from 192.168.5.0 network at all.

Actually, that 172.16.0.0 network is a remote network for a site-to-site VPN connection which is only used for lab purposes.

I cannot see why the Internal ASA would cause the DHCP server not to be able to respond to broadcast DHCP requests?


8 Replies

Hi,

Have you configured DHCP relay in internal asa?

Please check the guide below.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi!
I've edited the original post.
Actually, the 172.16.0.0 network should not be considered in this; it is only used as a remote network in a site-to-site VPN.
The thing here is that the clients and the DHCP server are on the same subnet, so I cannot understand why the Internal ASA would cause the DHCP server not to be able to distribute addresses... but it has something to do with the NAT statement, because removing it gets things working again.

Hi,

Normally the ASA does not pass broadcasts to the other side. I guess you have configured DHCP relay.

In your case you can block communication between these subnets with ACLs. Also, the ASA will not reply to ARP requests because of 'no-proxy-arp'.

I am not sure whether it is having some effect. You can try removing that command, and 'route-lookup' too, for testing.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

But how can the Internal ASA have anything to do with the 192.168.5.0/24 clients not receiving DHCP leases from the DHCP server on the same subnet?
The 172.16.0.0/29 clients are supposed to be isolated from 192.168.5.0/24.

Is it correct that when "nat (inside,outside) source static any any no-proxy-arp route-lookup" is removed from the Internal firewall, clients are able to get addresses from the DHCP server?

If yes, then in terms of DHCP workflow and at packet level what specifically is the difference when this nat exists on Internal ASA?
It can be useful to analyze packet captures on ASA outside, DHCP server and clients in the non-working scenario.
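As an added example, not taken from any post in this thread: the ACL-based isolation suggested earlier in place of the identity NAT rule, followed by the outside-interface captures suggested here for checking the DHCP exchange and the ASA's ARP behaviour. The interface names (inside, outside) and subnets come from the thread; the ACL name OUTSIDE_IN, the capture names, and applying the ACL inbound on the outside interface are assumptions.

```cisco
! --- NAT rule from the original post, which broke DHCP on the outside subnet ---
! nat (inside,outside) source static any any no-proxy-arp route-lookup
! Identity NAT "any any" makes every destination, 192.168.5.0/24 included,
! look translatable across this interface pair. Remove it rather than tune it.
no nat (inside,outside) source static any any no-proxy-arp route-lookup

! --- Isolation with an ACL instead of NAT (ACL name OUTSIDE_IN is assumed) ---
! Keep 192.168.5.0/24 hosts from reaching the 172.16.0.0/29 VPN lab network.
! The implicit deny at the end of the ACL still blocks everything else that
! arrives on outside; add explicit permits only for flows the site needs.
access-list OUTSIDE_IN extended deny ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.255.248
access-group OUTSIDE_IN in interface outside

! --- Verification: watch DHCP and ARP on outside while a client renews ---
! DHCPDISCOVER (client -> udp/67) and DHCPOFFER (server -> udp/68) should both
! appear; the ASA should only observe them and never answer ARP for the server.
capture DHCPCAP interface outside match udp any any eq 67
capture DHCPCAP interface outside match udp any any eq 68
capture ARPCAP interface outside ethernet-type arp
show capture DHCPCAP
show capture ARPCAP
show nat detail
show arp
```

Compare the captures taken with and without the NAT rule in place; the difference in what the ASA answers on the outside segment is what the reply above asks for at packet level.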

Yes, when that is removed, clients in the 192.168.5.0/24 network get their DHCP leases again.

It would be interesting to see how that internal ASA really is connected. I don't have admin access to their LAN, just the internal ASA. But I am suspicious that it isn't connected as per the image in the original post.

Hi,
Try without 'no-proxy-arp' in the nat command for testing.

Also, without a clear understanding of the other side it's difficult to say exactly where the issue is. Can you find out how they connected each device on that side?
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Solution was to remove the NAT statement all together as it wasn't really necessary.

Exactly, I did not get a decent answer on how they were all connected, but as I understood it, they were all connected to the same switch in a central location.
It should be impossible for the ASA to break anything on the 192.168.5.0/24 network, or am I missing something?