Cisco RVS4000 NAT to my Cisco ASA 5505 Firewall

CyberWolves_2
Level 1

I’ve been using a Cisco ASA 5505 Security Plus bundle for two years now without any problems. My previous Internet Service Provider was routing the external IP I was leasing directly through to my internal network without NAT, which my ASA 5505 was working well with. Thus, I had configured my 5505 to provide NAT to my inside network, which includes two subnets: one for my workstations and internal "private" resources, and a DMZ to provide access to my web server, email server and two domain name servers but restrict access to my internal resources.



I recently changed my ISP to Verizon FiOS (which is providing me with 25 Mb bandwidth at a fraction of the cost of my old T1), which is set up to provide 5 static externally facing IP numbers for my email, web server and name servers. The problem is the Verizon router doesn’t support my use of the ASA appliance (at least not the way it is currently configured). Verizon recommended I purchase a business class router and use it in place of the one they provided with my installation. With this in mind, I bought a Cisco RVS4000. I have configured it to use the primary external IP number and have internet access; however, the new router is providing NAT addressing which the ASA is in conflict with (they are both using the same NAT IP range). I'm assuming the ASA 5505 is expecting to have access to the external IP addresses (since that is what it was getting before) and NOT NAT addresses. I have to admit I don’t know a lot about networking and am hoping someone can tell me how to configure the new router to provide access to the five static external “real world” IPs to my Cisco ASA Firewall. However, the Cisco Router forum suggested I should reach out to the ASA 5505 forum to seek assistance here. I'm open to other options and suggestions.

I just need to get my ASA 5505 back in the loop and would prefer to do this rather than go back to the Verizon router combined with a low-end firewall. So, my questions are: Does the ASA 5505 expect real-world external IP numbers? Or can it work with NAT addresses being fed to it from the router? And, if so, how do I configure the access rules and other items which are currently mapping to external numbers?

Sorry if I'm a bit lost here, but I'm a small business owner and struggling with some of the router networking issues and concepts. Any suggestions or tips will be greatly appreciated.



27 Replies

Jennifer Halim
Cisco Employee

Can you advise what type of interface the Verizon router is connected to on your device at the moment?

What external IP address does Verizon provide you? Are they static external IP addresses that you assign to your router, or are they DHCP or PPPoE addresses assigned to your router?

If Verizon is connected to your router via Ethernet, and it provides an external IP address either via static IP, DHCP or PPPoE, you can connect the Verizon router directly to the ASA. There is no requirement for another router (RVS4000).

However, if Verizon is providing any other connection not stated above, please kindly advise what the connection is and how they are assigning the external IP address, plus how your ASA and RVS4000 router are connected at the moment. A copy of the configuration from both will help, or even just a topology diagram with the IP addressing on all the interfaces.

I just spoke with Verizon and they verified these are static IPs. My problem is that I tried connecting the Ethernet cable directly to the ASA, and while it could access the internet and see the primary (first) IP, it didn't appear to be able to obtain traffic from any of my other IP numbers. For example, I set the firewall with a static map between one of the other IPs I've been assigned and my web server, but I couldn't access the website via my smartphone or work network. I made the assumption this was because it wasn't being routed to the ASA, but perhaps there is another problem altogether?

I will try to download the configuration from both the router and firewall and post them later this evening.



Perfect, so if it's static IP, then all you need to do is to connect Verizon directly to the ASA outside interface.

Configure the static IP assigned by Verizon on the ASA outside interface, and a default route on the ASA pointing to the Verizon router IP address.

These extra public IP addresses, are they Verizon-assigned, or do you own those public IP addresses?

Either way, if it's a completely different subnet from the one that Verizon has assigned to you, then Verizon needs to route those towards your ASA outside interface address. If they are in the same subnet as the ASA outside interface, then it's just static NAT translation that you need to configure on the ASA.


Please share a copy of your current ASA configuration. I can check if there is any missing config, etc. Please also advise the public IP and its corresponding internal IP that you would like to NAT that traffic to, and what access you would like for inbound connections (please advise the TCP/UDP port number for each application).

Jennifer,

Thank you for the offer of assistance! I have attached the current configuration for my ASA to this post. This is going to look a bit confusing since I am still in the process of transitioning off of my old public-facing IP numbers (67.101.20.XXX) to my new public-facing numbers (96.241.175.98 through 96.241.175.102). You will notice that I'm running 3 VLANs:

Inside    192.168.1.1
Outside   96.241.175.98
DMZ       192.168.2.1

The IPs and ports I would like to provide access to are all in my DMZ and are as follows (I tried this with two mappings and stopped when it wasn't working).

External access for:

96.241.175.99    Ports 80 and 443 TCP only (these are for my web server)
96.241.175.100   Ports 80, 443, 143, 389, 110 and 25 TCP only for my mail server
96.241.175.101   Port 53 BOTH UDP and TCP (this is for my primary DNS server)
96.241.175.102   Port 53 BOTH UDP and TCP (this is for my secondary DNS server)

Static mappings (DMZ host to public IP):

192.168.2.189 to 96.241.175.99
192.168.2.160 to 96.241.175.100
192.168.2.132 to 96.241.175.101
192.168.2.139 to 96.241.175.102

Again, I really appreciate any help you can provide.  Thanks!

Static NAT translation and access-list applied to the outside interface are spot on (absolutely correct).

The following route statements are not required and can be removed:

route outside 96.241.175.99 255.255.255.255 96.241.175.1 1

route dmz 192.168.2.5 255.255.255.255 192.168.2.1 1
route dmz 192.168.2.189 255.255.255.255 192.168.2.1 1

route inside 192.168.1.139 255.255.255.255 192.168.1.1 1
route inside 192.168.1.132 255.255.255.255 192.168.1.1 1
route inside 192.168.1.160 255.255.255.255 192.168.1.1 1
route outside 67.101.20.139 255.255.255.255 67.101.20.129 1
route outside 67.101.20.132 255.255.255.255 67.101.20.129 1

The configuration looks absolutely correct, and I don't think it is a configuration issue at this stage. Please "clear xlate" and "clear arp" after the above changes, and also reload the Verizon router to clear its arp cache. That might resolve your issue.


I think we are getting closer. I have made all the changes you suggested, including issuing the clear xlate and clear arp commands. I got really excited for a moment when I entered my website URL (http://www.cyberwolf.us) and the page came right up. So, I take this to indicate that the outside IP of 96.241.175.99 is resolving to my DMZ NAT address of 192.168.2.160 and the firewall is correctly remapping the DNS request accordingly so I can access the site internally. Unfortunately, when I try to use my work network or my smartphone to access the page from outside my internal network I still get nothing (eventually I get a server timed out error or an error saying "A communications failure occurred. The server may be busy. Please try again later"). I must be missing something, but I can't figure out why this is not working.



OK, I've performed an nslookup for www.cyberwolf.us, and it resolves to 2 DNS entries:

nslookup www.cyberwolf.us

Non-authoritative answer:
Name:    www.cyberwolf.us
Addresses:  96.241.175.99
          209.62.20.200

I tried to HTTP to both IP addresses, and both fail. Then I tried www.cyberwolf.us; can you please advise what the website looks like, as it gets redirected to "http://www2.searchresultsdirect.com/parking.php4?domain=cyberwolf.us&registrar=238091&keyword=VIRUS&eq=f48b77d963b6b4c21976efd59f4ff89e0931232450bdeef3687cc7abde331e110b6f9650d88ce5913260b5480038dfe0&ac300=2" when I tried that.

Also, check if you have any hit count on the outside_access_in ACL; this will ensure whether the traffic is actually coming in towards the ASA:

show access-list outside_access_in

Try to access the URL, and check if the hitcount increases.

Thanks for the quick responses to all my posts. The redirect page you got from www.CyberWolf.US is the standard "Parking" page Network Solutions provides whenever there is a problem resolving a request (I believe it is their version of a server timed out message). I have been temporarily using Network Solutions' Advanced DNS Hosting until I can get the firewall issues resolved.


I tried what you suggested and the hit counters on ALL of my ACLs are showing ZERO hits even after repeated attempts to access the webpage via both URL and IP address from my DROID.

However, when I attempt to ping my primary IP (96.241.175.98) my syslog on the firewall immediately shows the following:

3 Mar 21 2011 15:52:52 710003 174.252.113.82 96.241.175.98 TCP access denied by ACL from 174.252.113.82/38249 to outside: 96.241.175.98/80

(which is what I would expect). So, at least I know the firewall is "seeing" traffic to this IP number, just none of the others.



I really appreciate your trying to help with this and am standing by for any other suggestions.
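The observation above (ACL counters at zero, but a 710003 deny logged for the primary address only) is exactly the kind of thing worth checking mechanically. The following script is an added example for this thread, not Cisco code: it parses the tail of the ASA 710003 "access denied by ACL" message quoted in the post, plus the 302013 "Built inbound ... connection" message that permitted flows produce, and reports which of the expected public addresses have never been seen on the outside interface. Apart from the one line quoted from the thread, the sample log lines are constructed.

```python
"""Report which public addresses an ASA outside interface has actually received
traffic for, based on syslog.  Added example for this thread, not Cisco code."""
import re
from collections import Counter
from typing import Iterable, List

# %ASA-3-710003 message body, in the wording the thread quotes.  Log viewers prefix
# the line with severity/date/message-id columns, so only the body is matched.
ACL_DENY_RE = re.compile(
    r"access denied by ACL from (?P<src>\d+\.\d+\.\d+\.\d+)/\d+ "
    r"to (?P<ifc>[\w-]+):\s*(?P<dst>\d+\.\d+\.\d+\.\d+)/[\w-]+"
)
# %ASA-6-302013 for permitted inbound flows: the mapped (public) destination is the
# address in the second pair of parentheses.
BUILT_IN_RE = re.compile(
    r"Built inbound (?:TCP|UDP) connection \d+ for (?P<ifc>[\w-]+):\S+ \(\S+\) "
    r"to [\w-]+:\S+ \((?P<dst>\d+\.\d+\.\d+\.\d+)/[\w-]+\)"
)

# Constructed sample log.  The first line is the one quoted in the thread; the
# others are made up to exercise a second deny, a permitted flow and an unrelated
# message that must be ignored.
SAMPLE_LOG = [
    "3 Mar 21 2011 15:52:52 710003 174.252.113.82 96.241.175.98 TCP access denied by ACL "
    "from 174.252.113.82/38249 to outside: 96.241.175.98/80",
    "3 Mar 21 2011 15:53:10 710003 174.252.113.82 96.241.175.98 TCP access denied by ACL "
    "from 174.252.113.82/38250 to outside: 96.241.175.98/443",
    "6 Mar 21 2011 15:53:41 302013 Built inbound TCP connection 52690 for "
    "outside:174.252.113.82/38251 (174.252.113.82/38251) to dmz:192.168.2.189/80 (96.241.175.99/80)",
    "6 Mar 21 2011 15:53:44 302014 Teardown TCP connection 52690 for "
    "outside:174.252.113.82/38251 to dmz:192.168.2.189/80 duration 0:00:03 bytes 1534 TCP FINs",
]

# Public addresses that should be receiving traffic, as listed in the thread.
EXPECTED_PUBLIC = ["96.241.175.98", "96.241.175.99", "96.241.175.100",
                   "96.241.175.101", "96.241.175.102"]


def observed_destinations(lines: Iterable[str], interface: str = "outside") -> Counter:
    """Count packets (denied or permitted) per public destination on one interface."""
    seen: Counter = Counter()
    for line in lines:
        for rx in (ACL_DENY_RE, BUILT_IN_RE):
            m = rx.search(line)
            if m and m.group("ifc") == interface:
                seen[m.group("dst")] += 1
                break
    return seen


def silent_addresses(lines: Iterable[str], expected: Iterable[str],
                     interface: str = "outside") -> List[str]:
    """Expected addresses with neither a deny nor a built connection: packets for
    them are not reaching the ASA at all, which is the thread's situation."""
    seen = observed_destinations(lines, interface)
    return sorted(a for a in expected if a not in seen)


if __name__ == "__main__":
    print("seen:", dict(observed_destinations(SAMPLE_LOG)))
    print("never seen on outside:", silent_addresses(SAMPLE_LOG, EXPECTED_PUBLIC))
```

Feed it the output of `show logging` (or a syslog export) and, if an address never appears in either message type while the others do, the problem is upstream of the ASA rather than in its NAT or ACL configuration.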



Could you please post the output of the following command?:

packet-tracer input outside tcp 4.2.2.2 44444 96.241.175.99 80 detailed

It might help determine if and why the packets are being dropped.

Here you go....

Result of the command: "packet-tracer input outside tcp 4.2.2.2 44444 96.241.175.99 80 detailed"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,outside) 96.241.175.99 192.168.2.189 netmask 255.255.255.255 dns
match ip dmz host 192.168.2.189 outside any
static translation to 96.241.175.99
translate_hits = 0, untranslate_hits = 8
Additional Information:
NAT divert to egress interface dmz
Untranslate 96.241.175.99/0 to 192.168.2.189/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 96.241.175.99 object-group Web
object-group service Web tcp
description: Ports Unique to wEB Servers
port-object eq ftp
port-object eq www
port-object eq https
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3c54db0, priority=12, domain=permit, deny=false
hits=0, user_data=0x3d121f8, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=96.241.175.99, mask=255.255.255.255, port=80, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3ca4a20, priority=0, domain=permit-ip-option, deny=true
hits=49006, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (dmz,outside) 96.241.175.99 192.168.2.189 netmask 255.255.255.255 dns
match ip dmz host 192.168.2.189 outside any
static translation to 96.241.175.99
translate_hits = 0, untranslate_hits = 8
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3d1a608, priority=5, domain=nat-reverse, deny=false
hits=0, user_data=0x3cb6480, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.2.189, mask=255.255.255.255, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) 96.241.175.99 192.168.2.189 netmask 255.255.255.255 dns
match ip dmz host 192.168.2.189 outside any
static translation to 96.241.175.99
translate_hits = 0, untranslate_hits = 8
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3d1a678, priority=5, domain=host, deny=false
hits=62, user_data=0x3cb6480, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.2.189, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3cd5b40, priority=0, domain=permit-ip-option, deny=true
hits=6560, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 52686, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.2.189 using egress ifc dmz
adjacency Active
next-hop mac address 0011.4335.1460 hits 0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
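The trace above is long, and on a busy box you rarely want to read all nine phases by eye. The following script is an added example, not part of the thread or of Cisco's tooling: it parses `packet-tracer ... detailed` output into phases, reports the final action, and names the first phase whose result is not ALLOW together with the drop reason the ASA prints. The first sample is abridged from the trace in this post; the second is a constructed trace of an ACL drop so the failure path is exercised too.

```python
"""Summarise Cisco ASA packet-tracer output.  Added example, not Cisco code."""
import re
from typing import Dict, List, Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")

# Abridged from the thread's trace (phases 1-3 and the final result block).
THREAD_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,outside) 96.241.175.99 192.168.2.189 netmask 255.255.255.255 dns

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside

Result:
input-interface: outside
output-interface: dmz
Action: allow
"""

# Constructed trace of a packet denied by the interface ACL (not from the thread).
CONSTRUCTED_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> Dict[str, object]:
    """Split the output into a list of phase dicts and the final summary dict."""
    phases: List[Dict[str, str]] = []
    summary: Dict[str, str] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": m.group(1), "type": "", "subtype": "", "result": ""}
            phases.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "result" and value == "":
            current = None          # bare "Result:" opens the final summary block
            continue
        (current if current is not None else summary)[key] = value
    return {"phases": phases, "summary": summary}


def first_drop(parsed: Dict[str, object]) -> Optional[Dict[str, str]]:
    """The first phase whose result is not ALLOW, or None."""
    for ph in parsed["phases"]:
        if ph["result"].upper() != "ALLOW":
            return ph
    return None


def verdict(text: str) -> str:
    parsed = parse_packet_tracer(text)
    summary = parsed["summary"]
    dropped = first_drop(parsed)
    if summary.get("action", "").lower() == "allow" and dropped is None:
        return f"allow ({len(parsed['phases'])} phases passed)"
    where = f"phase {dropped['phase']} {dropped['type']}" if dropped else "final result"
    return f"drop at {where}: {summary.get('drop-reason', 'no drop-reason given')}"


if __name__ == "__main__":
    print(verdict(THREAD_TRACE))
    print(verdict(CONSTRUCTED_DROP))
```

A trace that ends in `Action: allow`, as here, rules out NAT, ACL and routing on the ASA for that flow; it says nothing about whether the packet ever arrives, which is why the zero hit counts are the more telling symptom.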

Based on the output of the packet tracer, there is nothing incorrect in the ASA configuration.

And based on your advice that there is no hit count when you try to access those public IP addresses, that means the traffic is not even hitting the ASA.

You don't have your RVS4000 connected anymore, right? If you do, then I would suggest that you disconnect it from the network, then perform "clear arp" on the ASA, reload the Verizon router and test again.

If the above still fails, it is time to check with Verizon, as the traffic is not even hitting the ASA outside interface since we see no hit count at all.

This is ironic, as I have now come full circle with this issue and Cisco Technical Support. It was Verizon that suggested I get a "business class router" and use it to replace my Verizon-provided router (that was limited to providing only NAT addresses) to route my five external IPs to my internal firewall. So, I bought the Cisco RVS 4000, but found that by default it ONLY allows me to route with NAT addressing turned on for the internal network. So I posted to the Cisco Router support forum and asked how to get the router to route my external IPs so my ASA could access them. The Cisco Router people insisted I "would never want to route real world IP" and told me to instead post to this forum to "solve my issues".

Can you folks perhaps explain to the router group why I want the router to route my external IPs "AS IS" and thus NOT use the RVS 4000 to provide NAT addressing? While you all on the firewall side have been incredibly helpful and I really do appreciate it, this is nonetheless getting a bit frustrating at this point.


My bad, I didn't realise that you actually replaced the Verizon router with the Cisco RVS4000 router.

OK, let's start again, because something does not add up with the subnet mask.

On the ASA outside interface, you have configured 96.241.175.98 (mask: 255.255.255.0), so this is a public class C (/24). Do you own this range? Because you mention that you are only assigned 5 public IP addresses.

So this does not add up: your default gateway is 96.241.175.1, and you mention that you only have the following:

96.241.175.99
96.241.175.100
96.241.175.101
96.241.175.102

With that, I assume they have allocated 96.241.175.96/29 for you, but your configuration seems to imply that it's 96.241.175.0/24.

I guess once we confirm the topology, the configuration part will not be so difficult.

Questions to you:

1) Are you routing a range of public IP addresses on top of the one that Verizon has provided to you? If you are, what public IP did Verizon assign to you, and what is the extra public IP subnet that is meant to be routed via Verizon?

2) Otherwise, let us know the exact subnet that Verizon has allocated to you, and what Verizon has provided as its default gateway.

3) Is the Verizon router configured with 2 routed interfaces (a public subnet on each interface), or is it in bridge mode? If it's 2 routed interfaces, please advise the IP address and subnet on each interface, and if it's bridge mode, please advise the IP address and subnet on the interface too.
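The mask question above can be checked mechanically. The script below is an added example for this thread, not Cisco code and not something the ASA does itself: it takes the outside interface address and mask, the default gateway and the public addresses from the thread, computes the smallest CIDR block that covers the assigned addresses, and flags the two things that matter here, whether each NAT'd address and the gateway are on-link for the configured mask, and whether the gateway even fits inside the block the ISP appears to have allocated. The address values are the ones quoted in the thread; the "minimal block" is just the arithmetic behind the /29 guess.

```python
"""Sanity-check an ASA outside-interface address/mask against the ISP-assigned
public addresses and gateway.  Added example for this thread, not Cisco code."""
import ipaddress
from typing import Dict, List

# Values quoted in the thread.
OUTSIDE_IFACE = "96.241.175.98/255.255.255.0"
DEFAULT_GW = "96.241.175.1"
PUBLIC_NAT_ADDRS = ["96.241.175.99", "96.241.175.100", "96.241.175.101", "96.241.175.102"]


def smallest_covering_block(addresses: List[str]) -> ipaddress.IPv4Network:
    """Smallest CIDR block containing every address given (each treated as a /32)."""
    hosts = [ipaddress.ip_network(a) for a in addresses]
    block = hosts[0]
    while not all(h.subnet_of(block) for h in hosts):
        block = block.supernet()
    return block


def check_outside(interface: str, gateway: str, public_addrs: List[str]) -> Dict[str, object]:
    # ip_interface accepts both "a.b.c.d/24" and "a.b.c.d/255.255.255.0".
    iface = ipaddress.ip_interface(interface)
    gw = ipaddress.ip_address(gateway)
    block = smallest_covering_block([str(iface.ip)] + public_addrs)
    findings: List[str] = []

    # 1. A static-NAT public address must either be on the outside subnet (so the ASA
    #    can proxy-ARP for it) or be explicitly routed to the ASA by the ISP.
    for a in public_addrs:
        if ipaddress.ip_address(a) not in iface.network:
            findings.append(f"{a} is off-subnet for {iface.network}; ISP must route it to the ASA")

    # 2. The default gateway has to be reachable on-link from the outside interface.
    gw_on_link = gw in iface.network
    if not gw_on_link:
        findings.append(f"gateway {gw} is not on-link for {iface.network}")

    # 3. If the gateway lies outside the tightest block around the assigned addresses,
    #    the ISP is either sharing a larger on-link subnet than the customer owns or
    #    routing the block behind a separate WAN address; only the ISP can say which.
    gw_in_block = gw in block
    if not gw_in_block:
        findings.append(
            f"gateway {gw} lies outside {block}, the tightest block around the assigned "
            f"addresses; confirm with the ISP whether the on-link subnet is really {iface.network}"
        )

    return {
        "configured_subnet": str(iface.network),
        "minimal_block": str(block),
        "gateway_on_link": gw_on_link,
        "gateway_in_minimal_block": gw_in_block,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in check_outside(OUTSIDE_IFACE, DEFAULT_GW, PUBLIC_NAT_ADDRS)["findings"]:
        print("-", line)
```

With the thread's values the configured /24 is internally consistent (gateway and all four NAT addresses are on-link), but the assigned addresses only span 96.241.175.96/29 and the gateway .1 is outside it; re-running with `96.241.175.98/29` shows the gateway would no longer be on-link, which is why the mask has to be settled with the ISP before anything else is changed.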



This is the setup information from the router that Verizon installed:

Physical Connection Type: Ethernet
Broadband Connection Type: Static
Broadband Connection Status: Connected
Broadband IP Address: 96.241.175.98
Subnet Mask: 255.255.255.0
Broadband MAC Address: 00:1F:90:27:45:2F
Default Gateway: 96.241.175.1
DNS Server: 68.237.161.12 and 71.252.0.12

I have a call in to Verizon to answer the other questions (especially with regard to the subnet mask, which now that you mention it does seem pretty odd).


