ASA5505 NAT behind provider router

Erik Boss
Level 1

Hi there,

I have a small problem, but I can't understand why it isn't working the way I wanted.

The situation in short:

I have a provider router

Public IP: 87.x.x.x

Internal IP: 192.168.1.1 /24

An ASA5505 connected to vlan1

Public IP: 192.168.1.254 /24

Inside: 10.0.0.138 /24

Before the ASA I had a Cisco 1811 router where I also NATted twice, and it worked perfectly. A one-on-one static NAT like

ip nat source static tcp 10.0.0.145 3389 192.168.1.254 3389.

From external resources I want to RDP, HTTP(S) & SSH and so on to ASA and my remote server on the inside.

At the provider router I could only add virtual servers with external and internal ports with the SERVER IP address.

The ports I mentioned above are open to 192.168.1.254.

On my ASA from the Inside I have an internet connection.

But from the internet I can't reach for example 10.0.0.138 with SSH.

When I tried to check my configuration packet tracer told me a deny ip any any was the issue.

Also trying it from another source no traffic enters my ASA.

To make things more useful I thought to make several static NAT from 192.168.1.x to 10.0.0.x. For example: 192.168.1.145 to 10.0.0.145.

So it looks like I have 255 "public" IP addresses. But even the most simple NAT I couldn't get right, this won't work either.

It seems like a small issue.

The configuration:

ASA Version 9.1(2)

!

hostname ASA-BOSS-01

domain-name xxx

enable password xxx encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd xxx encrypted

names

dns-guard

!

interface Ethernet0/0

description *** naar Tele2 router ***

!

interface Ethernet0/1

switchport access vlan 20

!

interface Ethernet0/2

description *** RECEIVER ***

switchport access vlan 20

!

interface Ethernet0/3

switchport access vlan 100

!

interface Ethernet0/4

switchport access vlan 20

!

interface Ethernet0/5

description *** SERVER ***

switchport access vlan 20

!

interface Ethernet0/6

switchport access vlan 20

!

interface Ethernet0/7

description *** WLC ***

switchport trunk allowed vlan 10-11,20,100

switchport mode trunk

!

interface Vlan1

nameif outside

security-level 0

ip address 192.168.1.254 255.255.255.0

dhcprelay server 10.0.0.146

!

interface Vlan10

nameif Legacy

security-level 97

ip address 10.0.10.254 255.255.255.0

!

interface Vlan11

nameif Wifi-nieuw

security-level 98

ip address 10.0.11.254 255.255.255.0

!

interface Vlan20

nameif Inside

security-level 100

ip address 10.0.0.138 255.255.255.0

!

interface Vlan100

nameif Wifi-MGMT

security-level 99

ip address 10.0.100.254 255.255.255.0

!

boot system disk0:/asa914-k8.bin

boot system disk0:/asa912-k8.bin

boot system disk0:/asa847-3-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup outside

dns domain-lookup Inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name boss.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_Inside

subnet 10.0.0.0 255.255.255.0

object network sbsserver

host 10.0.0.146

description DC / radius

object network obj_legacy

subnet 10.0.10.0 255.255.255.0

object network Logserver

host 10.0.0.148

object network WLC-MGMT

host 10.0.100.250

object network ASA

host 10.0.0.138

object network auth1.xs4all.nl

host 194.109.22.18

object network obj_wifi-nieuw

subnet 10.0.11.0 255.255.255.0

object network Google

host 8.8.8.8

object network obj_server

host 10.0.0.145

object network obj_asa_ssh

host 10.0.0.138

object network obj_server_outside

host 192.168.1.145

object-group service SNMP udp

port-object eq snmp

port-object eq snmptrap

access-list outside_access_in extended permit ip any any

access-list Inside_access_in extended permit tcp object ASA any eq ssh log debugging

access-list Inside_access_in extended permit tcp object obj_server any eq 3389 log debugging

access-list Inside_access_in remark NTP

access-list Inside_access_in extended permit udp object ASA object auth1.xs4all.nl eq ntp inactive

access-list Inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 any

access-list Inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any

access-list Inside_access_in extended deny ip any any

access-list global_access extended permit tcp any object ASA eq ssh log debugging inactive

access-list Legacy_access_in extended permit tcp 10.0.10.0 255.255.255.0 object Google eq www

access-list Legacy_access_in extended permit ip 10.0.10.0 255.255.255.0 any

access-list Legacy_access_in extended permit icmp 10.0.10.0 255.255.255.0 any

access-list Legacy_access_in extended deny ip any any

access-list Wifi-nieuw_access_in extended permit ip any any

access-list Wifi-nieuw_access_in extended permit icmp 10.0.11.0 255.255.255.0 any

access-list Wifi-nieuw_access_in extended deny ip any any

access-list Wifi-MGMT_access_in extended permit udp object WLC-MGMT object Logserver object-group SNMP

access-list Wifi-MGMT_access_in extended permit ip any any

access-list Wifi-MGMT_access_in extended deny ip any any

access-list outside_access_in_1 extended permit tcp any object ASA eq ssh log debugging

access-list outside_access_in_1 extended permit tcp any object obj_server eq 3389 log debugging

access-list outside_access_in_1 extended permit ip any interface outside inactive

access-list outside_access_in_1 extended permit ip any any

access-list outside_access_in_1 remark Implicit rule

access-list outside_access_in_1 extended deny ip any any

pager lines 24

logging enable

logging timestamp

logging console warnings

logging buffered notifications

logging asdm debugging

mtu outside 1500

mtu Legacy 1500

mtu Wifi-nieuw 1500

mtu Inside 1500

mtu Wifi-MGMT 1500

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any Legacy

icmp permit any Wifi-nieuw

icmp permit any Inside

icmp permit any Wifi-MGMT

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (Inside,outside) source dynamic obj_Inside interface

nat (Legacy,outside) source dynamic obj_legacy interface

nat (Wifi-nieuw,outside) source dynamic obj_wifi-nieuw interface

!

object network obj_asa_ssh

nat (Inside,outside) static 192.168.1.138

access-group outside_access_in_1 in interface outside

access-group Legacy_access_in in interface Legacy

access-group Wifi-nieuw_access_in in interface Wifi-nieuw

access-group Inside_access_in in interface Inside

access-group Wifi-MGMT_access_in in interface Wifi-MGMT

access-group global_access global

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Radius protocol radius

aaa-server Radius (Inside) host 10.0.0.146

key *****

authentication-port 1812

accounting-port 1813

radius-common-pw *****

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.255.255.0 Inside

snmp-server host Inside 10.0.0.148 community ***** version 2c udp-port 161

snmp-server location Huiskamer

snmp-server contact Erik

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps connection-limit-reached

sysopt noproxyarp outside

sysopt noproxyarp Legacy

sysopt noproxyarp Wifi-nieuw

sysopt noproxyarp Inside

sysopt noproxyarp Wifi-MGMT

auth-prompt prompt Hier kende oe eiges aanmelde

auth-prompt accept Ge kent noar binnuh!

auth-prompt reject Typ toch gvd t goeie in man!

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto ca trustpool policy

crypto ca certificate map DefaultCertificateMap 10

subject-name attr cn eq bla

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 10.0.0.0 255.255.255.0 Inside

ssh timeout 30

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 10

vpn-addr-assign local reuse-delay 10

vpn-sessiondb max-other-vpn-limit 25

dhcprelay server 10.0.0.146 outside

dhcprelay enable Legacy

dhcprelay enable Wifi-nieuw

dhcprelay enable Inside

dhcprelay enable Wifi-MGMT

dhcprelay setroute Legacy

dhcprelay setroute Wifi-nieuw

dhcprelay setroute Inside

dhcprelay setroute Wifi-MGMT

dhcprelay timeout 60

dhcprelay information trust-all

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 194.109.22.18 source outside prefer

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect snmp

  inspect dns

  inspect http

  inspect icmp

  inspect icmp error

class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:4655a1c79b2965bad861199cf29b21d0

: end

ASA-BOSS-01# 

Tnx.

Regards,

Erik

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

So do you have Static PAT (Port Forward) configured on the provider router that all point to the ASA external IP address?

On the ASA you seem to have only 3 Dynamic PAT configurations and a single Static NAT

I am not sure what your exact aim is here. It seems that you have done the Static NAT for your ASA's "inside" interface IP address 10.0.0.138? To my understanding this will never work. You won't be able to connect to an interface from behind another ASA interface unless the connection is coming through a VPN connection and you have an additional configuration command also present.

So now we would need to clarify what is the actual host to which you want to connect since naturally the ASA doesn't provide any service for port TCP/3389

I would also suggest changing your Dynamic PAT configuration. It will override the current Static NAT configuration at least because the Dynamic PAT have been configured with Manual NAT (Section 1) and the Static NAT with Auto NAT (Section 2)

You could do these changes

object-group network PAT-SOURCE

network-object 10.0.10.0 255.255.255.0

network-object 10.0.11.0 255.255.255.0

network-object 10.0.0.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

Then remove the old ones

no nat (Inside,outside) source dynamic obj_Inside interface

no nat (Legacy,outside) source dynamic obj_legacy interface

no nat (Wifi-nieuw,outside) source dynamic obj_wifi-nieuw interface

Then if you for example wish to connect with SSH to the ASA then you would point the Static PAT for SSH on the provider router to the IP address of the ASA itself and simply connect to the ASA with the public IP address that your provider router provides.

If you have not used SSH before to this ASA then you would have to remember this command also

crypto key generate rsa modulus 1024

You also seem to have this command enabled

sysopt noproxyarp outside

This essentially means that the ASA won't reply to any ARP request other than for the "outside" interface's IP address. So any additional Static NAT you might configure using some other IP address from the network between the ASA and the provider router would not work since ASA would not reply to the ARP.

You would have to negate the above command with

no sysopt noproxyarp outside

If you want to connect with HTTPS and RDP to an internal host then you would need these configurations for both of the ports

object network

  host

  nat (inside,outside) static interface service tcp

And make the necessary rules to allow the traffic

Or alternatively if you have a single internal host you need to connect to then you could configure Static NAT for that host using some IP address from the link network between ASA and the provider router.

object network

host

nat (inside,outside) static 192.168.1.x

I presume the HTTPS and RDP are meant to be forwarded to some internal hosts and SSH for the ASA management. This is because you have not enabled SSL VPN or ASDM (HTTPS for both) from behind the "outside" interface and since RDP is not something that could be used with ASA.

Can you clarify the situation if I have understood something wrong?

- Jouni
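
An added example, not part of the original thread and not Cisco tooling: a small offline audit of the three points raised in the reply above (Section 1 dynamic PAT evaluated before an Auto NAT static, a static NAT aimed at the ASA's own interface address, and `sysopt noproxyarp` on the mapped interface). The function names and both sample configurations are constructed for illustration; the parser assumes only the `nat` forms quoted in the thread and a mapped address that is either a literal IP or `interface`.

```python
import ipaddress
import re

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (after-auto )?(source )?(static|dynamic) (\S+)")

# Constructed samples built from lines quoted in the thread (interfaces shared by both).
IFACES = """interface Vlan1
 nameif outside
 ip address 192.168.1.254 255.255.255.0
interface Vlan20
 nameif Inside
 ip address 10.0.0.138 255.255.255.0
"""
POSTED = IFACES + """object network obj_Inside
 subnet 10.0.0.0 255.255.255.0
object network obj_asa_ssh
 host 10.0.0.138
nat (Inside,outside) source dynamic obj_Inside interface
object network obj_asa_ssh
 nat (Inside,outside) static 192.168.1.138
sysopt noproxyarp outside
"""
SUGGESTED = IFACES + """object-group network PAT-SOURCE
 network-object 10.0.0.0 255.255.255.0
object network obj_server
 host 10.0.0.145
 nat (Inside,outside) static 192.168.1.145
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
"""

def parse(config):
    """Return (interface IPs, object -> networks, NAT rules, noproxyarp interfaces)."""
    if_ip, nets, rules, quiet, nameif, obj = {}, {}, [], set(), None, None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            if_ip[nameif] = ipaddress.ip_address(w[2])
        elif w[0] in ("object", "object-group") and w[1] == "network":
            obj = w[2]
        elif w[0] in ("host", "subnet", "network-object") and obj:
            nets.setdefault(obj, []).append(ipaddress.ip_network("/".join(w[1:3])))
        elif w[:2] == ["sysopt", "noproxyarp"]:
            quiet.add(w[2])
        elif w[0] == "nat" and (m := NAT_RE.match(" ".join(w))):
            real_if, map_if, after, manual, kind, arg = m.groups()
            section = 3 if after else 1 if manual else 2  # evaluated in order 1, 2, 3
            # Manual NAT names its real source inline; Auto NAT lives inside the object.
            rules.append((section, kind, real_if, map_if, arg if manual else obj,
                          None if manual else arg))
    return if_ip, nets, rules, quiet

def audit(config):
    """Return findings for every Auto NAT (Section 2) static rule in the config."""
    if_ip, nets, rules, quiet = parse(config)
    found = []
    for sec, kind, real_if, map_if, real_obj, mapped in rules:
        if sec != 2 or kind != "static":
            continue
        host = nets[real_obj][0]
        for s, k, r_if, m_if, r_obj, _ in rules:
            if (s == 1 and k == "dynamic" and m_if == map_if and r_if in (real_if, "any")
                    and any(host.subnet_of(n) for n in nets.get(r_obj, []))):
                found.append(f"{real_obj}: Section 1 dynamic PAT for {r_obj} is evaluated first")
        if host.network_address in if_ip.values():
            found.append(f"{real_obj}: real address is an ASA interface, not a host behind it")
        if mapped != "interface" and map_if in quiet and ipaddress.ip_address(mapped) != if_ip[map_if]:
            found.append(f"{real_obj}: no ARP reply for {mapped} (sysopt noproxyarp {map_if})")
    return found
```
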

Hi Jouni,

thanks for your reply. Your understanding was right. I want to RDP to my server and SSH / HTTPS to my ASA

Internally I can do all.

I added the new lines you mentioned and deleted the old ones.

A packet trace entry leads to this output:

ASA-BOSS-01# packet-tracer input outside tcp 4.2.2.2 1065 192.168.1.138 22

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network ASA

nat (Inside,outside) static 192.168.1.138

Additional Information:

NAT divert to egress interface Inside

Untranslate 192.168.1.138/22 to 10.0.0.138/22

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in_1 in interface outside

access-list outside_access_in_1 extended permit tcp any object ASA eq ssh log debugging

Additional Information:

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network ASA

nat (Inside,outside) static 192.168.1.138

Additional Information:

Phase: 7

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: Inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Having the same rules for my server 10.0.0.138 natted to 192.168.1.138 no packet dropped by an access-list

I also deleted my NAT entry in my provider router.

After this I added one by one. It doesn't work.

Maybe the issue is on the server side... reason 516 error.

But before using the ASA, I had a Cisco 1811 router, almost same configuration, same IP-addresses connection from everywhere.

Maybe adding a service policy entry.

Now going to capture traffic from inside and outside.

Tnx in advance.

Erik

Hi,

As I said, the ASA won't allow you to connect from "outside" to the "inside" IP address.

Just make sure that you have the SSH forward from the ISP Router public to the ASA External 192.168.1.254. No NAT configurations for SSH are needed on the ASA as you need your connection to go to the "outside" interface and not the "inside" interface.

Naturally you could post the HTTPS and RDP "packet-tracer" unless they are working from the ASA's perspective already?

Notice that the ASA and the Cisco Routers are 2 completely different kinds of devices. The ASA has many differences in the way it behaves compared to a conventional router.

- Jouni

Great, SSH works, also HTTPS

RDP should be the same way?

Tnx Erik

Hi,

If HTTPS and RDP are to the same server then I would say the ASA should probably be fine provided that the ASA "packet-tracer" doesn't show anything wrong.

Naturally confirm that the RDP connection attempts are showing up on the ASA.

Please do remember to mark a reply as the correct answer if it answered your question.

Naturally we can have a look at the RDP issue still but provided that the IP addresses, ACLs and ports in the ISP and ASA are fine then it's likely to be a problem with the actual host.

- Jouni
