ASA5512X NAT Problem

leeswc
Community Member

Greetings all. Having an issue setting up a new ASA5512X, 9.0. Outside interface is a /30 to the ISP. Inside is /30 to a Cat4500 switch. Have a few web servers inside that need to be accessible from outside. Attempting to static NAT the servers to public addresses in a /28 pool but keep getting denied by firewall seeing traffic as a spoof attack. Have tried addressing a sub-interface on the outside with a pool address, also the inside. I'm missing something basic, like where does the pool get defined? Thanks in advance for the help.

8 Replies

Jouni Forss
VIP Alumni

Hi,

So you have a /30 link network to ISP and they have also provided you with a /28 public IP address range for Static NAT use?

Please don't configure a subinterface, at least not towards the ISP/outside.

You could try enabling the following configuration (I think through 8.4 to 9.0 there have been changes regarding using a non-connected network as NAT addresses. It might have been changed at 8.4(3), and later a workaround was added which, to my understanding, was in 9.x).

Here's a quote from the Command Reference:

arp non-connected-subnet

To allow population of the ARP cache for non-connected subnets, use the arp non-connected-subnet command in global configuration mode. To restore the default setting, use the no form of this command.

arp non-connected-subnet [enable]

no arp non-connected-subnet [enable]

Should also confirm that the ISP has routed the network towards your ASA outside interface IP address and not just the interface that's pointing towards your device.

Here is one document about the issue you might be running into

https://supportforums.cisco.com/docs/DOC-24549

Static NAT should be configured in the following way, for example:

object network STATIC
 host 10.10.10.10
 nat (inside,outside) static x.x.x.x
access-list OUTSIDE-IN permit tcp any object STATIC eq 80
access-group OUTSIDE-IN in interface outside

Where

  • STATIC = object name where you define the local IP address and the NAT configuration
  • OUTSIDE-IN = ACL that is attached to the "outside" interface in direction "in"

Please rate if the information was helpful and/or ask more if needed.

- Jouni

ARP Non-connected subnets is enabled. The ISP is routing the traffic correctly as indicated by the requests hitting the outside interface of the ASA. Log indicates failure due to reverse path check. Not sure why the firewall thinks the address is being spoofed. Packet Tracer tool shows packet entering outside interface and ending up at outside interface. Odd, yes?

Might be some other issue regarding the firewall configurations.

I would imagine that there is some NAT configuration that's causing it.

Can you post your configurations (minus any sensitive information)?

- Jouni

Will post config when I get CLI access; only have ASDM from here.

leeswc
Community Member

Here goes. This should be all pertinent lines.

ASA Version 9.0(1)
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address x.x.167.242 255.255.255.252
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.18.1.1 255.255.255.252
boot system disk0:/asa901-smp-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network SSL_vCloudDirector_nat
 host 10.100.1.41
object network SSL_vCloudDirector_ext
 host y.y.9.195
object network NAT_Pool
 subnet y.y.9.192 255.255.255.240
 description NAT Pool
access-list Outside_access extended permit tcp any4 object SSL_vCloudDirector_nat eq https
access-list Outside_access extended permit tcp any4 object SSL_vCloudDirector_ext eq https
access-list DMZ_access extended permit tcp any4 object SSL_vCloudDirector_nat eq https
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
arp timeout 14400
arp permit-nonconnected
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.18.1.32_28 NETWORK_OBJ_172.18.1.32_28 no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic any interface
!
object network SSL_vCloudDirector_nat
 nat (Inside,Outside) static SSL_vCloudDirector_ext
!
nat (Inside,Outside) after-auto source dynamic any interface
access-group Outside_access in interface Outside
route Outside 0.0.0.0 0.0.0.0 209.234.167.241 1
route Inside 10.0.0.0 255.0.0.0 172.18.1.2 1

Hi,

You could try the packet-tracer command for the traffic attempt and see if there is anything special there. I don't see a problem on the basis of the above.

packet-tracer input Outside tcp 1.2.3.4 4056 y.y.9.195 443

Unless the format has changed in the 9.x software

- Jouni

I ran the Packet Tracer against it and the indication was that the traffic came in the outside interface and ended up at the outside interface. Watching the logs when attempting an actual connection yields "Deny TCP reverse path check". I think it may be time to admit defeat and open a TAC case.

Hi,

Can you see this NAT configuration line in the packet-tracer?

nat (Outside,Outside) source dynamic any interface

If yes could you alter this configuration in the following way

nat (Outside,Outside) after-auto source dynamic any interface

This would move the rule to the end of the NAT configurations (which shouldn't cause problems for what this NAT is used for, to my understanding at least). I guess this configuration is meant for VPN Client Internet usage through the ASA "outside".

The above configuration to my eye would be the only configuration affecting that the source and destination interface chosen would be "outside"

To my understanding this shouldn't really affect this problem either:

ip verify reverse-path interface Outside

- Jouni
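To make the ordering argument in the last reply concrete, here is an added simplified model of how the ASA picks a NAT rule (Section 1 manual NAT first, then Section 2 object NAT with static before dynamic, then Section 3 after-auto) and how the chosen rule decides the egress interface. This is example code written for this thread, not Cisco's implementation and not the poster's configuration; the rule names are constructed, and the public addresses are TEST-NET stand-ins for the masked y.y.9.195 / y.y.9.192/28 values above. It shows that with the hairpin rule in Section 1 an inbound packet to the mapped address is sent back out Outside, and that moving it to after-auto lets the static object NAT win and send the packet to Inside.

```python
"""Simplified model of ASA NAT rule ordering (illustration only, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-ins for the thread's masked addresses (TEST-NET ranges).
MAPPED_VCD = "203.0.113.195"   # stands in for y.y.9.195 (SSL_vCloudDirector_ext)
REAL_VCD = "10.100.1.41"       # SSL_vCloudDirector_nat, as posted
INTERNET_CLIENT = "192.0.2.10" # a constructed outside client address


@dataclass
class NatRule:
    name: str
    section: int                    # 1 = manual, 2 = object/auto, 3 = manual after-auto
    ingress: str                    # interface the packet arrives on
    egress: str                     # interface the matched rule sends the packet to
    static: bool = True             # static rules precede dynamic within a section
    src_match: str = "0.0.0.0/0"
    dst_match: str = "0.0.0.0/0"
    dst_xlate: Optional[str] = None  # translated destination, if the rule rewrites it

    def matches(self, ingress: str, src: str, dst: str) -> bool:
        return (self.ingress == ingress
                and ip_address(src) in ip_network(self.src_match)
                and ip_address(dst) in ip_network(self.dst_match))


def lookup(rules: List[NatRule], ingress: str, src: str, dst: str) -> Tuple[Optional[str], Optional[str], str]:
    """Return (rule name, egress interface, translated destination) for the first match.

    Rules are evaluated by section, then static before dynamic, then in
    configuration order; this is the simplified ordering the model assumes.
    """
    ordered = sorted(enumerate(rules), key=lambda p: (p[1].section, not p[1].static, p[0]))
    for _, rule in ordered:
        if rule.matches(ingress, src, dst):
            return rule.name, rule.egress, rule.dst_xlate or dst
    return None, None, dst


def build_rules(after_auto: bool) -> List[NatRule]:
    """Model the four NAT statements from the posted config.

    after_auto=False keeps 'nat (Outside,Outside) source dynamic any interface'
    in Section 1; after_auto=True moves it to Section 3 as the reply suggests.
    """
    return [
        # nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.18.1.32_28 ...
        NatRule("vpn-identity", 1, "Inside", "Outside", dst_match="172.18.1.32/28"),
        # nat (Outside,Outside) source dynamic any interface
        NatRule("outside-hairpin", 3 if after_auto else 1, "Outside", "Outside", static=False),
        # object network SSL_vCloudDirector_nat / nat (Inside,Outside) static SSL_vCloudDirector_ext
        # modelled in the inbound direction: mapped address -> real host, out Inside
        NatRule("vcd-static", 2, "Outside", "Inside",
                dst_match=MAPPED_VCD + "/32", dst_xlate=REAL_VCD),
        # nat (Inside,Outside) after-auto source dynamic any interface
        NatRule("inside-pat", 3, "Inside", "Outside", static=False),
    ]


def is_hairpin(ingress: str, egress: Optional[str]) -> bool:
    """True when the chosen egress is the same interface the packet arrived on."""
    return egress is not None and ingress == egress


if __name__ == "__main__":
    for after_auto in (False, True):
        name, egress, dst = lookup(build_rules(after_auto), "Outside", INTERNET_CLIENT, MAPPED_VCD)
        label = "after-auto" if after_auto else "section 1"
        print(f"hairpin rule in {label}: matched {name}, egress {egress}, "
              f"dst {dst}, hairpin={is_hairpin('Outside', egress)}")
```

Running it prints the two traces: with the hairpin rule in Section 1 the inbound HTTPS packet matches `outside-hairpin` and leaves via Outside (the "in Outside, out Outside" result the packet tracer reported), and with it moved to after-auto the packet matches `vcd-static`, is translated to 10.100.1.41 and goes to Inside. The model ignores source-port PAT and route lookup, so it only illustrates rule precedence, not every step of the real ASA pipeline.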
