ASA Proxy arp another IP subnet

codflanglers
Level 1

Morning

I've another subnet from my ISP and I need to get my ASA to respond to these new IPs.

Basically, I'm relying on the ASA doing proxy arp.

I've added in a few static NAT as below (assuming 10.16.11.184/29 is the new range I've been given and 192.168.20.0/24 is my DMZ).

static (DMZ,outside) 10.16.11.186 192.168.20.247 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.187 192.168.20.248 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.188 192.168.20.249 netmask 255.255.255.255

I've not done much on the ASA devices. Is that all I have to do?

Presumably I would need to include the new IP subnet in any ACLs, etc?

23 Replies

Jon Marshall
Hall of Fame

Yes, you do need to include them in your ACLs, and with version 8.2 or lower you use the NAT IP address, not the real IP.

If this is a new block and your outside interface is in another subnet, then as I understand it this is not proxy ARP, because the ISP will simply route that block to your ASA.

It does depend on how the ISP has got their router configured, though.

Where it definitely would be proxy ARP is if the static NAT statements were using IPs from the same subnet as the IP on the outside interface of the ASA, because the ISP router thinks all those IPs are on the local subnet.

Jon

Yes, the outside interface is on a separate IP subnet from the new IP range.

Basically, all I need is for the firewall to NAT the addresses in my DMZ to the new IP range and to respond to requests on those new IPs.

I've been trying to test in GNS3 but getting nowhere, as I was using ping to test (not ideal on a firewall).

The static statements and allowing the traffic in your outside ACL should be all you need to get it working.

If you use ping and are initiating the connection from the outside, then as long as you allow that in the ACL it should work.

If you are pinging from a server to the outside, you either need to allow the return packets back in your ACL or enable ICMP inspection.

Jon

Routes are set up on either side, and I have an ACL applied to both the outside and DMZ interfaces in both directions (overkill, but just trying to get it working) to allow ICMP, and nothing

access-list inbound extended permit icmp any 192.168.20.0 255.255.255.0

access-group inbound in interface outside
access-group inbound out interface outside
access-group inbound in interface DMZ
access-group inbound out interface DMZ

If it helps I configured a loopback on my upstream router as 8.8.8.8 and the ASA can ping outbound to that OK.

The ASA can't ping 192.168.20.248, which is connected to the DMZ interface 192.168.20.254 (/24). The downstream router (192.168.20.248) can't ping the ASA 192.168.20.254.
From your NAT statements I'm assuming your software version is 8.2 or lower.

If so, your ACLs are wrong, and you can't use the same ACL for both interfaces.

Your outside ACL needs to reference the 10.16.11.x IPs, not the real IPs.

And the ACL applied to the DMZ interface won't work, because the source is 192.168.20.x, not the destination.

As long as the DMZ interface is a higher security level than the outside interface, traffic will be allowed, so just remove the ACL there.

You still need the outside ACL.

Jon

Jon

Thanks for your patience. You're right, I'm using 8.0(2). Here's the full config. I've made the changes and still nothing. My DMZ host (actually a router in GNS3) still can't ping its default GW or 8.8.8.8, and I'm getting nothing back in response from 10.6.11.187.

!
hostname SITE-A-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.9.100.253 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit intra-interface
access-list VPN-INTERESTING-TRAFFIC extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list PING_INBOUND extended permit icmp any 10.6.11.184 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT-TRAFFIC
static (DMZ,outside) 10.16.11.186 192.168.20.247 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.187 192.168.20.248 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.188 192.168.20.249 netmask 255.255.255.255
access-group PING_INBOUND in interface outside
access-group PING_INBOUND out interface outside
route outside 0.0.0.0 0.0.0.0 10.9.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.9.200.253 10.9.100.253
crypto map outside_map 1 set transform-set ESP-DES-SHA ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
tunnel-group 10.9.200.253 type ipsec-l2l
tunnel-group 10.9.200.253 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:e48689449ebb9d177dc19becec6cee0e
: end
Remove this from your config, i.e.

no access-group PING_INBOUND out interface outside

You won't be able to ping the DMZ interface from your client unless you add something to your config, but that's not the problem.

Are you trying to ping 10.16.11.x from an outside device?

Jon

Jon

I'm trying to do two things.

From my DMZ host router I'm trying to ping out past the firewall, but it can't even ping its default gateway (although this is just to prove connectivity).

From outside the firewall, I'm trying to get the firewall to respond to a ping to 10.16.11.187, which should NAT to my DMZ host router.

Problem is I'm at home with no other means to test.

It's the same thing, i.e. pinging from your host to the outside and from outside to your host.

If you want to check connectivity to the DMZ interface add this -

icmp permit any DMZ

You do not need an ACL applied outbound anywhere, because traffic is allowed by default from the DMZ to outside because of your security levels.

All you need are the statics and the inbound ACL on your outside interface allowing ICMP to the 10.16.11.x IP.

When you ping from outside, you ping that IP and the ASA will translate it to the 192.168.20.x IP.

When you ping from the DMZ, your ASA will translate the 192.168.20.x IP to the 10.16.11.x IP.

So it should work, providing your routing is set up correctly.

Jon

OK, this is interesting. I just ran a packet-tracer on the ASA and it said this:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

That's a ping from 10.9.100.254 (outside router) to the new IP range that NATs through to my DMZ host.

Thing is, when I actually do a ping, I get nothing back on the router.
Can you post your ASA configuration again plus a "sh ip route" from your outside router.

Jon

Jon

Here's the sh ip route (FYI, the router and the ASA are directly connected on 10.9.100.0):

Gateway of last resort is 172.16.250.101 to network 0.0.0.0

     194.168.11.0/29 is subnetted, 1 subnets
S       194.168.11.184 [1/0] via 10.9.100.253
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.250.100 is directly connected, FastEthernet0/0
     8.0.0.0/32 is subnetted, 1 subnets
C       8.8.8.8 is directly connected, Loopback88
     10.0.0.0/24 is subnetted, 1 subnets
C       10.9.100.0 is directly connected, FastEthernet1/0
S    192.168.100.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 172.16.250.101

And here's the config of the ASA:

!
hostname SITE-A-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.9.100.253 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit intra-interface
access-list VPN-INTERESTING-TRAFFIC extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list PING_INBOUND extended permit icmp any 10.16.11.184 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT-TRAFFIC
static (DMZ,outside) 10.16.11.186 192.168.20.247 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.187 192.168.20.248 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.188 192.168.20.249 netmask 255.255.255.255
access-group PING_INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.9.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.9.200.253 10.9.100.253
crypto map outside_map 1 set transform-set ESP-DES-SHA ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
!
service-policy global_policy global
tunnel-group 10.9.200.253 type ipsec-l2l
tunnel-group 10.9.200.253 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:e48689449ebb9d177dc19becec6cee0e
: end
Your router does not know how to get to the 10.16.11.184/29 subnet.

Add this to your router:

ip route 10.16.11.184 255.255.255.248 10.9.100.253

Jon

No joy. Still the same.
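As an added example (not from this thread, and not Cisco code), here is a small Python checker for the two classes of mistake the thread turns on: pre-8.3 ACL semantics on the outside interface (the ACL must name the mapped/NAT IP, not the real DMZ IP, and no outbound ACL is needed there), and the upstream router not routing the off-subnet mapped block to the ASA, which is exactly the case where nobody proxy-ARPs for it. It parses the `static`, `access-list` and `access-group` syntax of the posted 8.0(2) config and the IOS `show ip route` output. The sample config and route table embedded below are constructed from the thread; note that the posted route table carries a static for `194.168.11.184`, while the NAT block is `10.16.11.184/29`, and the checker reports that. Function names (`parse_asa`, `parse_ios_routes`, `lint`) and the message wording are my own.

```python
"""Added checker: pre-8.3 ASA static NAT + outside ACL vs. the upstream IOS route table."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}   # ASA port operators to skip
ROUTE_RE = re.compile(
    r"^[A-Z]\*?\s+(\S+?)(?:/(\d+))?\s+(?:\[\d+/\d+\]\s+)?(?:via (\S+)|is directly connected)")

# Constructed from the thread's posted 8.0(2) config; the real-IP ACE and the outbound
# access-group from the first exchange are kept in so the checker has something to flag.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 10.9.100.253 255.255.255.0
access-list PING_INBOUND extended permit icmp any 192.168.20.0 255.255.255.0
access-list PING_INBOUND extended permit icmp any 10.16.11.184 255.255.255.248
static (DMZ,outside) 10.16.11.186 192.168.20.247 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.187 192.168.20.248 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.188 192.168.20.249 netmask 255.255.255.255
access-group PING_INBOUND in interface outside
access-group PING_INBOUND out interface outside
"""

# Constructed from the posted "sh ip route" of the upstream router (note 194.168.11.x).
ROUTER_ROUTES = """\
     194.168.11.0/29 is subnetted, 1 subnets
S       194.168.11.184 [1/0] via 10.9.100.253
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.250.100 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.9.100.0 is directly connected, FastEthernet1/0
S    192.168.100.0/24 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 172.16.250.101
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addr_specs(tokens):
    """Consume two ASA address specs (any | host X | X MASK), skipping port operators."""
    nets, i = [], 0
    while i < len(tokens) and len(nets) < 2:
        t = tokens[i]
        if t in PORT_OPS:
            i += 1 + PORT_OPS[t]
        elif t == "any":
            nets.append(ANY); i += 1
        elif t == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1])); i += 2
        else:
            nets.append(_net(t, tokens[i + 1])); i += 2
    return nets


def parse_asa(config):
    """Return (interfaces, statics, acls, access_groups) from pre-8.3 ASA config text."""
    ifaces, statics, acls, groups, cur = {}, [], {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = {}
        elif line.startswith("nameif ") and cur is not None:
            ifaces[line.split()[1]] = cur
        elif line.startswith("ip address ") and cur is not None:
            cur["ip"] = ipaddress.ip_address(line.split()[2])
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if, _net(mapped, mask), _net(real, mask)))
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line):
            name, action, proto, rest = m.groups()
            src, dst = _addr_specs(rest.split())
            acls.setdefault(name, []).append((action, proto, src, dst))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            groups.append(m.groups())
    return ifaces, statics, acls, groups


def parse_ios_routes(text):
    """Parse IOS 'show ip route' into [(network, next_hop|None)]; honours 'is subnetted' headers."""
    routes, hdr_len = [], None
    for line in text.splitlines():
        if m := re.match(r"\s+\S+/(\d+) is subnetted", line):
            hdr_len = int(m.group(1))
        elif m := ROUTE_RE.match(line):
            net, plen, nh = m.groups()
            plen = int(plen) if plen else hdr_len
            if plen is not None:
                routes.append((_net(net, plen), ipaddress.ip_address(nh) if nh else None))
    return routes


def lint(asa_config, router_routes):
    """Return a list of findings; empty means NAT, ACL and upstream routing line up."""
    ifaces, statics, acls, groups = parse_asa(asa_config)
    routes = parse_ios_routes(router_routes)
    findings = []
    for name, direction, ifname in groups:
        if direction == "out":
            findings.append(f"access-group {name} out interface {ifname}: outbound ACL not needed, "
                            "higher-to-lower security-level traffic is allowed by default")
            continue
        local = [s for s in statics if s[1] == ifname]        # statics whose mapped side is ifname
        for _action, proto, _src, dst in acls.get(name, []):
            if dst == ANY:
                continue
            # Pre-8.3: an ACL on the mapped-side interface must name the mapped (NAT) IP.
            if any(dst.overlaps(real) for _, _, _, real in local):
                findings.append(f"ACL {name} on {ifname}: {proto} to {dst} is a REAL address; "
                                "pre-8.3 ASA needs the mapped (NAT) address here")
            elif not any(dst.overlaps(mapped) for _, _, mapped, _ in local):
                findings.append(f"ACL {name} on {ifname}: {proto} to {dst} matches no static "
                                "on this interface (typo in the mapped block?)")
    # Off-subnet mapped block: nothing proxy-ARPs for it, so the upstream router must route it to the ASA.
    for real_if, mapped_if, mapped, real in statics:
        asa_ip = ifaces.get(mapped_if, {}).get("ip")
        best = max((r for r in routes if mapped.subnet_of(r[0])), key=lambda r: r[0].prefixlen, default=None)
        if best is None or best[1] != asa_ip:
            via = f"{best[0]} via {best[1]}" if best else "no route"
            findings.append(f"router: {mapped} ({real} on {real_if}) is not routed to ASA {mapped_if} "
                            f"{asa_ip}; longest match is {via}")
    return findings


if __name__ == "__main__":
    for finding in lint(ASA_CONFIG, ROUTER_ROUTES):
        print(finding)
```

Run against the constructed inputs it reports the real-IP ACE, the outbound access-group, and that each mapped host falls through to the default route via 172.16.250.101 rather than to the ASA's outside address. With the real-IP ACE and the outbound access-group removed and the router's static pointed at 10.16.11.184/29 via 10.9.100.253 (the route suggested above) it reports nothing, and the 10.6.11.184 typo from the first posted config is caught as a destination that matches no static. The parsing covers only the constructs used on this page, not the full ASA or IOS grammar.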
