ASK THE EXPERTS : Configuring and Troubleshooting NAT and Failover on ASA Firewall

ciscomoderator
Community Manager

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn expert tips on how to configure and troubleshoot Network Address Translation (NAT) and Failover on Cisco ASA Firewalls with Cisco Expert Amitashwa Agarwal. Amitashwa is a senior customer support engineer and technical lead at the Cisco Technical Assistance Center in Bangalore, India. He works with the Security Firewall team, where his areas of expertise include configuring and troubleshooting issues related to firewall, VPN, and AAA technology. He holds a bachelor's degree in computer science from the University of Pune, India, and holds CCSP and CCIE Security (#22164) certifications.

Remember to use the rating system to let Amitashwa know if you have received an adequate response.

Amitashwa might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through July 1st, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


Hi!

We are having trouble with NAT on 8.4.

Packets are not matching NAT rules (and we think they should); at least the source address and destination address are correct.

we've opened a new post here:

https://supportforums.cisco.com/message/3385463#3385463

We really need help.

Thanks

Hi Jose,

I have gone through the previous post and would like you to provide me the following information to help you further:

1] Object definition of the following objects:

POLCIA-remote-net-1

POLCIA-remote-net-2

EXT_CORP-remote-nets-group

EXT_CORP-Local-networks-group

2] With the following configuration on the ASA:

nat (any,PublicBT) source static  EXTERNAL_COMPANY_NAME-Local-networks-group  EXTERNAL_COMPANY_NAME-Local-networks-group destination static  EXTERNAL_COMPANY_NAME-remote-nets-group  EXTERNAL_COMPANY_NAME-remote-nets-group

nat (any,PublicTESA) source dynamic any interface description Nat to internet On PublicTESA interface

If you sent a packet from interface Users using 172.16.30.41 to 172.21.250.206, it got sent to PublicTESA doing NAT with PUBLIC_IP1. However, after adding the following command everything started to work as expected:

nat (PublicBT,any) source static EXT_CORP-remote-nets-group  EXT_CORP-remote-nets-group destination static  EXT_CORP-Local-networks-group EXT_CORP-Local-networks-group inactive

So, it seems that this NAT rule was already configured on the firewall and you disabled it? Is this understanding correct?

3] Output of the packet-tracer command from the CLI for both the working and the non-working scenario:

packet-tracer input Users tcp 172.16.30.41 2020 172.21.250.206 80 det

Regards,

Amit
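One ordering check worth doing while waiting on the outputs above, as an added example that is not part of the original thread: on 8.4, section 1 (manual, "twice") NAT is evaluated top-down with first match winning, so a catch-all dynamic PAT rule listed above an identity rule will swallow the identity rule's traffic. The object names are the ones Jose quoted; the interface names, addresses and the packet-tracer call are also taken from the thread, and the rule positions are assumed.

```text
! Added example, not from the original thread. Section 1 (manual NAT) is
! first-match top-down; confirm the identity rule sits ABOVE the broad PAT rule.
show nat detail
!   Rules are numbered in evaluation order. The "source static ... destination
!   static ..." identity rule must appear before "source dynamic any interface",
!   and its translate_hits should grow when the test packet is replayed.

! If the identity rule is below the PAT rule, re-add it with an explicit line
! number so it is inserted at position 1 of section 1:
no nat (any,PublicBT) source static EXT_CORP-Local-networks-group EXT_CORP-Local-networks-group destination static EXT_CORP-remote-nets-group EXT_CORP-remote-nets-group
nat (any,PublicBT) 1 source static EXT_CORP-Local-networks-group EXT_CORP-Local-networks-group destination static EXT_CORP-remote-nets-group EXT_CORP-remote-nets-group

! Alternatively keep the catch-all PAT out of section 1 altogether by placing
! it after the object (auto) NAT rules, i.e. in section 3:
no nat (any,PublicTESA) source dynamic any interface
nat (any,PublicTESA) after-auto source dynamic any interface description Nat to internet on PublicTESA interface

! Retest with the same packet-tracer Amit asked for:
packet-tracer input Users tcp 172.16.30.41 2020 172.21.250.206 80 det
!   The NAT phase should now quote the identity rule and the source should
!   no longer be translated to PUBLIC_IP1.
```

Removing and re-adding a manual NAT rule tears down the xlates built from it, so do this in a maintenance window if the EXT_CORP flows are in use.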

Carlos Bergia
Level 1

Hi Amitashwa,

I have the following rule on my ASA (5520 - 8.2(2))

static (inside,outside) tcp 190.1.1.1 192.168.1.1 netmask 255.255.255.255

and I want to change inside IP, so I execute the following commands:

no static (inside,outside) tcp 190.1.1.1 192.168.1.1 netmask 255.255.255.255

static (inside,outside) tcp 190.1.1.1 192.168.1.2 netmask 255.255.255.255

clear xlate

clear local-host

But after doing that, I still see that the firewall keeps trying to send traffic to 192.168.1.1.

Am I forgetting any other clear command?

Thanks a lot!

Carlos

Hi Carlos,

In order to remove static xlates from the firewall, we must remove the "static" command from the configuration. The "clear xlate" command does not remove the static translation rule. If we remove a static command from the configuration, then preexisting connections that use the static rule can still forward traffic. In order to deactivate these connections we need to use the "clear local-host" command.

So, you are not missing any clear command here. Run the "clear local-host 192.168.1.1" command a few times after putting in the new static and then try to access it again, and see if that helps. If the issue persists, please send me the following outputs from the firewall:

sh run static | in 192.168.1

sh conn | in 192.168.1

sh xlate | in 192.168.1

packet-tracer input outside tcp 4.2.2.2 4020 190.1.1.1 80 det

Regards,

Amit

Amit, the complete scenario is this:

I have 2 static nat rules:

static (inside,outside) 190.1.1.1 192.168.1.1 netmask 255.255.255.255

static (inside,outside) 190.1.1.2 192.168.1.2 netmask 255.255.255.255

what I want to do is change that nat to have this (192.168.1.2 <--> 190.1.1.1):

so I execute the following commands:

no static (inside,outside) 190.1.1.1 192.168.1.1 netmask 255.255.255.255 (remove old line)

no static (inside,outside) 190.1.1.2 192.168.1.2 netmask 255.255.255.255 (remove old line)

static (inside,outside) 190.1.1.1 192.168.1.2 netmask 255.255.255.255 (add new line)

clear xlate

clear local-host 192.168.1.1

clear local-host 192.168.1.2

The output for the show commands are:

show xlate

     Global 190.1.1.1 Local 192.168.1.2

show conn | inc 192.168.1.1

    

show local-host 192.168.1.1

    

show run static | inc 192.168.1.1

    

If I verify with packet tracer (in ASDM) all seems to be configured correctly.

BUT, if I capture traffic with Wireshark outside the network, internal IP 192.168.1.2 goes out with 190.1.1.2. And that is very weird, because I don't have any static NAT rule for that, but Wireshark doesn't lie hehe.

I don't know if I was clear.

Thanks, Carlos

PS:

Packet tracer output (filtered)

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,outside) 190.1.1.1 192.168.1.2 netmask 255.255.255.255

nat-control

  match ip inside host 192.168.1.2 outside any

    static translation to 190.1.1.1

    translate_hits = 6, untranslate_hits = 210

Additional Information:

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) 190.1.1.1 192.168.1.2 netmask 255.255.255.255

nat-control

  match ip inside host 192.168.1.2 outside any

    static translation to 190.1.1.1

    translate_hits = 6, untranslate_hits = 210

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Hi Carlos,

Thanks for the detailed explanation.

Everything looks good on the firewall, and as per the packet tracer output it seems to be translating host 192.168.1.2 to 190.1.1.1 correctly while it is going out via its outside interface.

However, to confirm it further, apply a capture on the outside interface of the ASA as follows:

access-list capout permit ip host 190.1.1.1 host 4.2.2.2

capture capo access-list capout interface outside

Generate a ping from host 192.168.1.2 for 4.2.2.2

Check the capture on the outside interface of the ASA "show cap capo"

If the capture on the firewall shows that the source is getting translated to 190.1.1.1 (which I think it will), then you need to see where exactly you are capturing this traffic on the outside. Maybe there is another device outside the firewall (like a router) which is further translating the source to 190.1.1.2.

Regards,

Amit

MSAD_ADMIN
Level 1

Hi Amitashwa,

In a failover configuration, can I configure a unique IP to be the virtual IP, other than the physical devices' IPs? For example, if ASA1 mgmt0/0 IP is 10.10.10.1 and ASA2 mgmt0/0 IP is 10.10.10.2, can the failover IP be 10.10.10.3?

Hi Mohamed,

When we configure failover on ASA we do not assign IP addresses separately to the interfaces and then configure a virtual IP for the interfaces. It is not like an HSRP configuration on routers. When we set up failover on ASA we just assign active and standby IP addresses on all the interfaces.

For Example: In case of Active/Standby failover when the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Please refer to the link given below to check a configuration example on failover:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas

Hope this helps.

Regards,

Amit
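The addressing described above in configuration form, as an added example that is not part of the original answer. It uses the management addresses Mohamed quoted (10.10.10.1 and 10.10.10.2); the other interface names, addresses and the failover link are assumptions. The point it shows is that there is no third "virtual" address: each interface carries one active address and one standby address, and the unit that is currently active owns the active address.

```text
! Added example (not from the original thread): Active/Standby failover
! addressing on the primary unit. Addresses other than 10.10.10.1/.2 are assumed.
! Every interface gets "ip address <active> <mask> standby <standby>"; the
! active unit always answers on <active>, the standby unit on <standby>.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
 management-only
!
! Dedicated failover LAN link (no nameif on this interface); the same link
! is also used as the stateful link here, which is allowed.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover link FOLINK GigabitEthernet0/3
failover
!
! On the secondary unit only the failover link has to be configured by hand;
! everything else replicates from the primary once failover comes up:
!   failover lan unit secondary
!   failover lan interface FOLINK GigabitEthernet0/3
!   failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
!   failover
!
! Verify on either unit:
!   show failover
!     -> "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
!        and each monitored interface listed as "Normal (Monitored)"
```

If a standby address is left off an interface, the standby unit cannot be monitored or managed on that interface, which is the usual cause of "I can only reach the active ASA" reports.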

panjala_p
Level 1

Hi Amit,

We have an issue with our ASA 5510 firewall in the HO and a 5505 in the BO. We are facing the problem at both ends in phase 2. Head office end:

#pkts encaps: 1113, #pkts encrypt: 1113, #pkts digest: 1113
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Branch office end:

#pkts encaps: 0, #pkts encrypt: 1113, #pkts digest: 0
      #pkts decaps: 1113, #pkts decrypt: 0, #pkts verify: 1113

So far I have checked the ACL policy, no issue found; I checked the routes, no issues found. I need your suggestion on how to dig further to close the issue.

Best Regards
PRASAD


Hi Shiva,

Looks like the problem is at the branch office end. Please make sure that you have a NAT exempt rule configured at the branch office side to exempt the VPN traffic from getting NATed on the branch office firewall. If a NAT exempt rule is in place, then apply a capture on the inside interface of this firewall to capture the decrypted traffic and see if it is able to leave the firewall and is able to make its way back to it.

Eg:

A ----- ASA-HO ----- Internet ----- ASA-BR -----(inside)----- B

ASA-BR:

access-list capin permit ip host A1 host B1

access-list capin permit ip host B1 host A1

capture capi access-list capin interface inside

show cap capi

Regards,

Amit
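The NAT exempt rule Amit refers to, written out for ASA 8.2 as an added example that is not part of the original answer. The subnets are assumed placeholders (HO LAN 10.10.0.0/24 behind ASA-HO, branch LAN 192.168.50.0/24 behind ASA-BR), as are the object-group and ACL names; the checks at the end are what to look at after the rule is in.

```text
! Added example (not from the original thread): NAT exemption on ASA-BR,
! 8.2 syntax. All subnets and names below are assumed.
object-group network HO-LAN
 network-object 10.10.0.0 255.255.255.0
object-group network BR-LAN
 network-object 192.168.50.0 255.255.255.0
!
! "nat 0 access-list" = NAT exemption: traffic matching NONAT is never
! translated, so the tunnel sees the real branch addresses.
access-list NONAT extended permit ip object-group BR-LAN object-group HO-LAN
nat (inside) 0 access-list NONAT
!
! The crypto ACL should match the NONAT ACL and be the mirror image of the
! one on ASA-HO; a mismatch leaves one side encrypting while the other
! drops what it decrypts, which is what the one-sided counters suggest.
access-list L2L-HO extended permit ip object-group BR-LAN object-group HO-LAN
!
! Checks on ASA-BR while B (192.168.50.10) pings A (10.10.0.10):
!   packet-tracer input inside icmp 192.168.50.10 8 0 10.10.0.10 det
!     -> the NAT phase should quote "nat (inside) 0 access-list NONAT"
!        rather than a dynamic or PAT rule
!   show nat
!     -> the NONAT entry's hit counters should increase with each ping
!   show crypto ipsec sa peer <ASA-HO public IP>
!     -> #pkts encaps/encrypt and #pkts decaps/decrypt should now move
!        together instead of one direction staying at 0
!   show cap capi
!     -> the inside capture above should show both the request from B
!        and the reply from A
```

If the NONAT rule already exists and hits are still zero, the usual culprit is an earlier, more specific nat/static rule that matches first, so check "show nat" order before touching the crypto configuration.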

AliAhmad12
Level 1

Hi Amitashwa ,

I have two ASA 5550 ASAs operating in Active/Standby mode. I want to remotely manage both of these ASAs (i.e. telnet, ssh and ASDM), but at present I am only able to manage the active one. Please specify what can be done to manage the secondary ASA. I need your response on an urgent basis.

It will be highly appreciated if you answer this reservation with some configuration/scenario.

Thanks

Ali Ahmad

Hi Ali,

If you have assigned active and standby IP addresses to all the interfaces of the firewalls in failover, then you should be able to manage the standby firewall using the standby IPs.

For Eg:

          ------------ Switch2 ------------
          |                               |
        ASA 1 --------------------------- ASA 2
          | 10.1.1.1                      | 10.1.1.2
          |                               |
          ------------ Switch1 ------------
                         |
                   PC (10.1.1.10)

ASA 1 and ASA 2 are in Active/Standby failover. ASA 1 is the primary-active unit and ASA 2 is the secondary-standby unit. So, the primary active unit has 10.1.1.1 assigned to its inside interface and the secondary standby unit has 10.1.1.2 assigned to its inside interface.

Now, in order to manage both the firewalls using telnet/ssh/https from a PC on the internal network I will need the following commands on the active unit (since the firewalls are in failover these commands will get replicated over to the standby unit):

telnet 10.1.1.0 255.255.255.0 inside

ssh 10.1.1.0 255.255.255.0 inside

http server enable

http 10.1.1.0 255.255.255.0 inside

From the PC, if I telnet to 10.1.1.1 then I should be able to telnet into the primary-active firewall. Similarly, from this PC, if I telnet to 10.1.1.2 then I should be able to telnet into the secondary-standby unit.

Regards,

Amit

johnny.loh
Level 1

Hi Amitashwa,

I have newly installed an ASA 5505 (ver 8.2) in my branch office, but I am having a problem when using the Cisco VPN Client on my PC and trying to access a remote host located in my HQ.

Branch PC with Cisco VPN Client (192.168.1.x) -> ASA 5505 -> Internet -> HQ VPN (Public IP) -> Host (10.10.1.x)

The VPN connection is established, but I can't access any web server or shared folder in HQ. This wouldn't happen with the earlier cheap D-Link router.

I believe I must be missing something and would appreciate it if you could assist me by providing some guidelines on it. I'm new to Cisco.

Regards,

Johnny

Hi Johnny,

It seems that the PC with the VPN client installed on it is getting PATed on the ASA 5505 before it connects to the VPN headend device. Therefore, please enable the following command on the headend device to allow it to negotiate NAT-T (NAT traversal) with the client, which will in turn allow the ESP packets to pass through the PATing device:

crypto isakmp nat-t

Here is more information about this command:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1052476

If you don't have access to the headend device, then another workaround for the issue could be to use a static 1-1 mapping for the PC on the ASA 5505.

Regards,

Amit
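Both workarounds in configuration form, as an added example that is not part of the original answer. The addresses are assumed placeholders: the VPN client PC at 192.168.1.20 (in Johnny's 192.168.1.x range), a spare public address 198.51.100.6 routed to the branch ASA's outside interface, and the HQ headend at 203.0.113.10.

```text
! Added example (not from the original thread). All addresses are assumed.
!
! --- Option 1, on the HQ headend: let IKE negotiate NAT-T, so ESP is
! wrapped in UDP/4500, which a PAT device can track per client.
crypto isakmp nat-t
!
! --- Option 2, on the branch ASA 5505 (8.2 syntax), when the headend
! cannot be changed: give the PC its own public address. ESP (IP protocol
! 50) has no ports, so plain PAT cannot map it back to one inside host,
! but a 1-1 static mapping can.
static (inside,outside) 198.51.100.6 192.168.1.20 netmask 255.255.255.255
!
! Checks on the 5505 while the client connects:
!   show xlate | include 192.168.1.20
!     -> option 2 should show "Global 198.51.100.6 Local 192.168.1.20"
!   show conn | include 192.168.1.20
!     -> with NAT-T (option 1) expect UDP 500 and UDP 4500 flows;
!        with the static (option 2) expect UDP 500 plus an ESP flow
!   packet-tracer input inside udp 192.168.1.20 500 203.0.113.10 500 det
!     -> the NAT phase shows which rule (PAT or the static) the IKE
!        traffic actually hits
```

Option 1 is the one to prefer when it is available: it needs no public address per client and also covers users behind any other PAT device on the Internet, not just this branch.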

pemasirid
Level 1

Hi Amitashwa,

We have the scenario attached in this post, where we have the same subnet (172.21.0.0/16) behind our DMZ and our management interfaces on our Cisco ASA.

Supposing we can't modify our subnets, we want to use source routing on the ASA as below:

1) All traffic arriving from outside with source IP address 10.1.163.0/24 and destination 172.21.0.0/16 should be routed to the DMZ (10.46.254.19).

2) Any other traffic with destination IP address 172.21.0.0/16 should be routed to management (172.21.3.65).

We know that this scenario is possible on a router if you use route maps to route based on the source IP address.

However, we have noticed that route maps can't be associated with route statements on the ASA.

Can you please propose a solution to this problem on the ASA (any workaround, any possible alternative configuration)?

Thanks
