Solved: Asymmetric NAT issue

Thomas-Nicholson · ‎04-30-2013

Here we go,

I have been asked by my company to replace an aging firewall, to allow VPN connections to teleworkers and 
Azure. We have a small(ish) office and a handful of servers so we should only need the ASA5505. Our ISP gives
us an IP range ***.***.240.64 - ***.***.240.79. The ASA should pass certain packets coming to these certain 
IPs to different servers.

This is roughly what our network looks like:
ISP---internet router---ASA5505---switch---users and servers

I have spent a week or so reading up on it and I thought I had a grasp on how to configure one. As I'm a 
newcomer to the Cisco ASA I have been using the ASDM to configure the device, however I'm not affraid of a 
console cable. After a few tests I can have been able to establish internet connects (initiated from inside) 
and can toggle on and off ICMP in/out through ACL use. However trying to access the servers from outside the 
network is blocked by the ASA. The logs say the connection is blocked because of Asymmetric NAT entry. Having 
these servers accessible by, in one case a specific host and in the other casen any host, is a must. Once that
is configured then I can work on getting the VPN set up.

I have included my VERY sloppy conf (due to trying to rectify issues on-the-fly during testing).

Any and all help would be very much appreciated.


Thomas 

------------------------------------------

: Saved
:
ASA Version 8.4(4)1 
!
hostname ASA5505
domain-name **********
enable password ************ encrypted
passwd *********** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.251 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ***.***.***.69 255.255.255.0 
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name *************
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Enterprise
 host 10.10.10.4
object network odin
 host 10.10.10.105
 description Primary Domain Controller
object network gateway
 host 213.1.240.69
object service LyncAV
 service tcp source range 50000 59999 destination range 50000 59999 
object service LyncMobilePush
 service tcp source eq 5223 destination eq 5223 
object service NormalSQLServer
 service tcp source eq 1433 destination eq 1433 
object service RDESKTOP
 service tcp source eq 3389 destination eq 3389 
object service SQLEnterprise
 service tcp source eq 1440 destination eq 1440 
object service SQLServer
 service tcp source eq 1439 destination eq 1439 
object service STUN-TCP
 service tcp source eq https destination eq https 
object service STUN-UDP
 service udp source eq 3478 destination eq 3478 
object service SVN
 service tcp source eq 82 destination eq 82 
object service SourceOffsite
 service tcp source eq 8081 destination eq 8081 
object service WebServices
 service tcp source range 1 65335 destination eq 8080 
object network AVserver
 host 10.10.10.6
object network VIP1
 host ***.***.240.66
object network VIP2
 host ***.***.240.70
object service MAIL
 service tcp source eq smtp destination eq smtp 
object network Megabert
 host 10.10.10.197
object network SBS
 host 10.10.10.1
object service Http
 service tcp source eq www destination eq www 
object network Webserver
 host ***.***.36.106
object service SQL
 service tcp source eq 1433 destination eq 1433 
object-group service DM_INLINE_SERVICE_1
 service-object object LyncAV 
 service-object object LyncMobilePush 
 service-object object NormalSQLServer 
 service-object object SQLEnterprise 
 service-object object SQLServer 
 service-object object STUN-TCP 
 service-object object SVN 
 service-object object SourceOffsite 
 service-object object WebServices 
 service-object object RDESKTOP 
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network MOCOGROUP-vn1
 network-object 10.11.0.0 255.255.0.0
object-group network mocogroup
 network-object 10.10.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
 network-object object VIP2
 network-object object Webserver
object-group service DM_INLINE_SERVICE_2
 service-object object Http 
 service-object object SQL 
object-group network DM_INLINE_NETWORK_2
 network-object object VIP2
 network-object object Webserver
object-group service DM_INLINE_SERVICE_3
 service-object object Http 
 service-object object SQL 
object-group service DM_INLINE_SERVICE_4
 service-object object LyncAV 
 service-object object LyncMobilePush 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object Enterprise 
access-list outside_access_in extended permit object SQLServer any object Megabert 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 interface outside any 
access-list outside_access_in extended permit object STUN-UDP interface outside any 
access-list outside_access_in extended permit icmp any any 
access-list global_access extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_2 object Enterprise 
access-list global_access extended permit ip interface outside object Megabert 
access-list global_access extended permit ip object Megabert any 
access-list global_access extended permit ip object VIP2 any 
access-list global_access extended permit object SQLServer any object Megabert 
access-list global_access extended permit ip 10.10.0.0 255.255.0.0 any 
access-list global_access extended permit icmp 10.10.0.0 255.255.0.0 any 
access-list global_access extended permit object-group DM_INLINE_SERVICE_4 any any 
access-list global_access extended permit ip any object VIP2 
access-list AZURE extended permit ip object-group mocogroup object-group MOCOGROUP-vn1 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,any) source static any any destination static VIP2 Megabert service SQLServer SQLServer
nat (any,outside) source dynamic Webserver Webserver destination static VIP2 Enterprise service Http Http
nat (any,any) source dynamic Webserver Webserver destination static VIP2 Enterprise service SQL SQL
nat (any,any) source dynamic Webserver Webserver destination static VIP2 Enterprise
nat (any,outside) source dynamic any VIP1 destination static VIP1 SBS service MAIL MAIL
nat (any,outside) source dynamic any VIP1 destination static VIP1 AVserver service RDESKTOP RDESKTOP
nat (any,outside) source dynamic any VIP2 destination static VIP2 SBS service STUN-TCP STUN-TCP
nat (any,outside) source dynamic any VIP2 destination static VIP2 Enterprise service RDESKTOP RDESKTOP
nat (any,outside) source dynamic any VIP2 destination static VIP2 Megabert service SQLServer SQLServer
nat (any,outside) source dynamic any VIP2 destination static VIP2 Megabert service SVN SVN
nat (any,outside) source dynamic any VIP2 destination static VIP2 Megabert service SourceOffsite SourceOffsite
nat (any,any) source dynamic any VIP2 destination static VIP2 Enterprise service SQLEnterprise SQLEnterprise
nat (inside,outside) source static mocogroup mocogroup destination static MOCOGROUP-vn1 MOCOGROUP-vn1
!
object network obj_any
 nat (any,outside) static interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 213.1.240.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
crypto ipsec ikev1 transform-set AZURE_IPSecTransformSet esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map AZURE_IPSecCryptoMap 10 match address AZURE
crypto map AZURE_IPSecCryptoMap 10 set peer ***.***.195.143 
crypto map AZURE_IPSecCryptoMap 10 set ikev1 transform-set AZURE_IPSecTransformSet
crypto map AZURE_IPSecCryptoMap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password: ************* encrypted privilege 15
tunnel-group ***.***.195.143 type ipsec-l2l
tunnel-group ***.***.195.143 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:********************
: end

Jouni Forss · ‎04-30-2013

Hi,

Ok, so you are using Static PAT (Port Forward) rather than Static NAT (1:1 NAT between IP addresses)

The configuration format for that is not that different from the above.

object network

host

nat (inside,outside) static service tcp

For example

object network STATIC-TCP80

host 10.10.10.100

nat (inside,outside) static 1.1.1.2 service tcp 80 80

access-list outside_access_in permit tcp any object STATIC-TCP80 eq 80

Naturally you will have to make several "object" configuratins along with the required host/nat configurations to accomplish all that you need.

- Jouni

View solution in original post

Jouni Forss · ‎04-30-2013

Hi,

The NAT configurations do seem pretty messed up

If you are simply configuring Static NAT for different servers and a Default PAT rule then I would suggest the following configurations.

Default PAT

This will let you configure the source networks for the Default PAT under the "object-group". For example if in the future you configured VPN Client and the Internet traffic of the VPN Clients would go through the ASA, you would need to only add the VPN Pool to the "object-group". Might need some other configurations too naturally.

object-group network DEFAULT-PAT-SOURCE

network-object 10.10.0.0 255.255.0.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Static NAT

If you have a public IP address reserver for each server then you simply configure a single Static NAT configuration for that server and open all the services/ports you need on the ACL attached to the "outside" interface.

For example to configure a Static NAT and open TCP/80 from anywhere to that server

object network STATIC

host

nat (inside,outside) static

access-list outside_access_in permit tcp any object STATIC eq 80

Where

STATIC = Is the name of the object we created. Both the source address for the NAT and the actual NAT configuration are contained under this object we create. We can also use it on the ACLs
local IP = Is the LAN IP address of the server behind the ASA
public IP = Is the public NAT IP address for the server

Check out this document I made for examples of the new configuration format

https://supportforums.cisco.com/docs/DOC-31116

Naturally ask more if needed

Hope this helps

- Jouni

Thomas-Nicholson · ‎04-30-2013

Firstly, thank you, however I'm not sure that'll do the trick.

I wish it was as simple as a public IP address reserver for each server

x.x.x.66 must send one port to one server and another port to another server (both from one known external host)

x.x.x.70 must send 4 ports to one server, 5 ports to another, and 1 to yet another.

-Thomas

Jouni Forss · ‎04-30-2013

Hi,

Ok, so you are using Static PAT (Port Forward) rather than Static NAT (1:1 NAT between IP addresses)

The configuration format for that is not that different from the above.

object network

host

nat (inside,outside) static service tcp

For example

object network STATIC-TCP80

host 10.10.10.100

nat (inside,outside) static 1.1.1.2 service tcp 80 80

access-list outside_access_in permit tcp any object STATIC-TCP80 eq 80

Naturally you will have to make several "object" configuratins along with the required host/nat configurations to accomplish all that you need.

- Jouni

Thomas-Nicholson · ‎04-30-2013

I have my device configured. I will try tomorrow and let you know how it goes.

Thomas-Nicholson · ‎05-01-2013

Works like a dream!

Thank you

Jouni Forss · ‎05-01-2013

Hi,

Glad to hear its working

- Jouni

Asymmetric NAT issue

NAT Box to Box High Availabitliy Asymmetric Routing 機能動作概要

Memory issue summary

【TAC分享】Troubleshooing E1 no calling number issue.

Asymmetric NAT rules

Asymmetric NAT issue with ASA 8.3