11-19-2008 01:57 AM - edited 03-11-2019 07:15 AM
Hello,
I'm quite new to these boards, so I'll try to explain my problem as best as I can.
If something is missing or incorrect, please inform me so I can update.
I want to do a local NAT before a VPN IPsec because my internal range is already known at the customer's site. I've set up the static NAT rules and access policy.
Here you have the config as it is on the ASA right now.
Local server IP: 10.0.74.5
Required NAT address: 192.168.222.1
Customer range: 10.10.10.0/24
VPN Config:
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 200.200.200.200
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key "key"
access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0
static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255 -> 1-on-1 NAT
I'm allowing this first before I start narrowing it down to only ftp!
access-list outside_access_in extended permit tcp any host 192.168.222.1
access-list outside_access_in extended permit ip any host 192.168.222.1
access-list outboundnat2 permit ip host 10.0.74.5 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list outboundnat2
nat (inside) 1 0.0.0.0 0.0.0.0
Any help would be greatly appreciated!
Kind regards,
Eleander
11-21-2008 03:01 AM
Jon,
Sorry for my late response but had to go to customers.
Thx a lot for this info.
Changing the config again so it becomes easier to read and understand.
I'm going to simplify and repost.
Thx a lot, really thx a lot!
11-21-2008 03:53 AM
Eleander
No problem. I will be in and out today but I'll keep checking whenever I can.
Jon
11-21-2008 04:38 AM
Jon,
I've changed the config accordingly.
Also changed the existing ACLs for the "Statoil" network so the object group is being used.
This shortened my config significantly and made it easier to troubleshoot.
I do keep getting SYN errors, though.
Config in attachment.
Kind regards,
Eleander
11-21-2008 04:53 AM
Eleander
Yes, looks a lot clearer now. One final change if you want but it's not critical - you have these 2 access-lists
inside_nat0_outbound
inside_nat0_outbound_1
only inside_nat0_outbound_1 is being used as far as I can see, so you could remove the other one, i.e.
no access-list inside_nat0_outbound
Okay couple of things to check
1) The ftp server 10.0.74.5 - is this used by the other working site or not ?
If it isn't can you try ftping to that server from another address internally just to check that it is all working okay
2) If it is working okay, does this FTP server have its default gateway set to the ASA inside interface? If not, what is it set to?
Jon
11-21-2008 06:21 AM
Jon,
Removed the entries.
1) Ftp can be reached from other working site.
H:\>ftp 10.0.74.5 (from my pc)
Connected to 10.0.74.5.
220-QTCP at custserver.cust.local.
220 Connection will close if idle more than 5 minutes.
User (10.0.74.5:(none)): "admin"
331 Enter password.
Password:
230 "admin"logged on.
ftp> quit
221 QUIT subcommand received.
2) server has by default at this moment an ISDN router and these are the routes active:
dftroute: 10.0.74.253
On this router following routes are active:
ip route 0.0.0.0 0.0.0.0 10.0.74.252 (ASA)
ip route 10.32.141.0 255.255.255.0 Dialer1 (remote station)
ip route 10.32.143.0 255.255.255.0 Dialer1 (remote station)
ip route 10.10.0.0 255.255.0.0 10.0.74.252 (ip range Statoil)
ip route 194.78.124.0 255.255.255.0 (our site) 10.0.74.252
-> yeah I know it's a public range and I'm dying to get it out, but supporting over 60 site-to-site takes a while to plan and implement working NAT! :d :)
Hope this gets you any further.
Kind regards,
Eleander
11-21-2008 06:33 AM
Eleander
Can you confirm
1) Which Statoil IP address ie. 10.10.?.? the connection to your FTP server is being made from.
2) Can you post output of a "sh running-config xlate"
3) Can you post log from ASA of latest attempt to connect
4) The FTP server does not have any access restrictions itself does it in terms of which remote IP addresses can connect ?
We may have to do a packet capture next :-)
Jon
11-21-2008 07:00 AM
Jon,
1) 10.10.10.87 (others can be done too if this server isn't active)
2) asacust# sh xlate
10 in use, 142 most used
Global 192.168.222.1 Local 10.0.74.5
PAT Global 81.81.81.81(25) Local 10.0.74.1(25)
PAT Global 81.81.81.81(110) Local 10.0.74.1(110)
PAT Global 81.81.81.81(1723) Local 10.0.74.1(1723)
PAT Global 81.81.81.81(47) Local 10.0.74.1(47)
PAT Global 81.81.81.81(3206) Local 10.0.74.15(3548)
PAT Global 81.81.81.81(3205) Local 10.0.74.15(3547)
PAT Global 81.81.81.81(1084) Local 10.0.74.16(4352)
PAT Global 81.81.81.81(3155) Local 10.0.74.6(3671)
PAT Global 81.81.81.81(3152) Local 10.0.74.6(3668)
Note that I entered a random external IP! :)
3)
2008-11-21 13:09:46 Local4.Info 10.0.74.252 Nov 21 2008 13:09:25: %ASA-6-302014: Teardown TCP connection 1037 for outside:10.10.10.87/9408 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout
4) no restrictions are being made from the FTP server itself. It's an AS/400 which has full network access through default routing!
Awaiting further logs for test!
Kind regards,
Eleander
11-21-2008 07:00 AM
Eleander
Sincere apologies. I have been so wrapped up in tidying up the config I overlooked a very basic setting.
When you ftp from your site you ftp to 10.0.74.5.
When you ftp from Statoil you want them to ftp to 192.168.222.1.
But you can't do this unless of course the ftp service is on different ports for each remote client.
So either
1) You will need to ftp from your site and Statoil to 192.168.222.1
Or
2) the NAT could be done at the Statoil site before it gets to your firewall and before it goes into the VPN tunnel.
The only other option i can think of is that some servers such as apache allow multiple IP addresses to be associated with the same server and users can connect on different IP's to get an http service.
I don't know what the capabilities of the ftp server you are using are, but if you had a spare 10.0.74.x address from the range and it could support additional IPs, this would be another way to do it.
Once again sincere apologies, I should have spotted this from the start. Sometimes you can't see the wood for the trees!
Jon
11-21-2008 07:12 AM
Jon,
When ftp is initiated it will be done from the Statoil site using the 192.168.222.1 address. Of that I'm sure.
When I try to do this from our site I need to reconfigure the router, so I need to add the 192.168.222.1 address within my router and ASA.
2) incoming NAT from their site won't be done, so that's not an option! (they are quite strict about their policy, which is understandable!)
I do have free IPs and I can even hang my server in other ranges without problems. (it's an AS/400 -> the green mean machine ! :d))
No problem Jon, but I've had the same thing; you have seen what you've done to my config, so help was needed, a big oak tree stood in the way! :)
11-21-2008 07:20 AM
Eleander
Thanks for that. I'm usually a bit better than this, I promise :-)
Okay if Statoil won't NAT then either you will have to connect to that FTP server as 192.168.222.1 from your site and your config would need a bit of updating
OR
You could try and use a different IP address that is not in use and configure another NIC or use a secondary address on AS400 NIC and then run ftp service on this.
One very last thing -
access-list outside_access_in extended deny ip object-group Statoil_server any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0
You need to modify the top line from
access-list outside_access_in extended deny ip object-group Statoil_server any
to
access-list outside_access_in extended deny ip 10.10.0.0 255.255.0.0 any
because if you just include the object-group then because of the following 2 lines in that acl any clients not in the object-group would be given access to your 10.0.74.0 network.
Jon
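To make the ordering point above concrete, here is an added example (not code from the thread or from Cisco) that evaluates the three quoted `outside_access_in` lines the way an ASA interface ACL does: first match wins, with an implicit deny at the end. The contents of `object-group Statoil_server` are never shown in the thread, so a single hypothetical member (10.10.10.87) is assumed, and 10.10.20.5 is a constructed Statoil-range client that is not in the group.

```python
import ipaddress

# Hypothetical contents of object-group Statoil_server: the thread never lists its
# members, so one Statoil client host is assumed here purely for illustration.
OBJECT_GROUPS = {"Statoil_server": ["10.10.10.87/32"]}


def _take_spec(toks, i):
    """Consume one ASA address spec starting at toks[i]; return (networks, next_index)."""
    tok = toks[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(toks[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[toks[i + 1]]], i + 2
    # "A.B.C.D M.M.M.M": ASA access-lists use a real netmask here, not a wildcard mask
    return [ipaddress.ip_network(f"{tok}/{toks[i + 1]}")], i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' (no port keywords)."""
    toks = line.split()
    assert toks[0] == "access-list" and toks[2] == "extended", line
    action, proto = toks[3], toks[4]
    src, i = _take_spec(toks, 5)
    dst, _ = _take_spec(toks, i)
    return {"name": toks[1], "action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl_lines, proto, src_ip, dst_ip):
    """First-match evaluation like an ASA interface ACL, implicit deny at the end.
    Returns (action, line_number); line_number is None for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(map(parse_ace, acl_lines), start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if any(src in net for net in ace["src"]) and any(dst in net for net in ace["dst"]):
            return ace["action"], n
    return "deny", None


# The three lines quoted in the thread, exactly as posted.
ORIGINAL = [
    "access-list outside_access_in extended deny ip object-group Statoil_server any",
    "access-list outside_access_in extended permit icmp any any",
    "access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0",
]
# The same ACL with the first line replaced as suggested in the reply.
FIXED = ["access-list outside_access_in extended deny ip 10.10.0.0 255.255.0.0 any"] + ORIGINAL[1:]


def compare(src_ip, dst_ip, proto="tcp"):
    """Evaluate one flow against both versions of the ACL."""
    return {"original": evaluate(ORIGINAL, proto, src_ip, dst_ip),
            "fixed": evaluate(FIXED, proto, src_ip, dst_ip)}


if __name__ == "__main__":
    # 10.10.20.5 is a constructed Statoil-range address that is NOT in the object group.
    for src in ("10.10.10.87", "10.10.20.5"):
        print(f"{src} -> 10.0.74.5/tcp: {compare(src, '10.0.74.5')}")
```

Running it shows the gap the reply describes: the in-group host is denied on line 1 under both versions, but the out-of-group Statoil client is permitted by line 3 under the original ACL and only denied once the first line covers the whole 10.10.0.0/16 range.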
11-21-2008 07:26 AM
From all the answers you gave me and seeing your rating I'm sure you will Jon. :)
I can add a second IP address on the ftp server. But doesn't my NAT problem persist when I'm still using a 10.0.74.x IP?
Eleander
11-21-2008 07:34 AM
Eleander
I don't think it will but only if this address is never accessed from your site ie. 194.78.124.0/24.
Remember your nat exemption line is
access-list inside_nat0_outbound_1 extended permit ip 10.0.74.0 255.255.255.0 194.78.124.0 255.255.255.0
nat exemption lines with access-lists take precedence over all other forms of NAT including statics. However if your site never accesses this address via the VPN tunnel then it will never get matched against your "inside_nat0_outbound_1" access-list so it can then get matched by the static translation.
If you wanted to be ultra safe you could exclude the unused IP from the inside_nat0_outbound_1 access-list although obviously that would mean more entries for this access-list.
Alternatively, depending on your internal topology, you could use an altogether different subnet address and have a secondary IP address on the ISDN router. Think this is a bit more complicated than it needs to be.
Jon
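The precedence described above (NAT exemption first, then statics, then policy and dynamic NAT on a pre-8.3 ASA) is easy to reason about with a small model. The following added example, written for this thread and not taken from it or from Cisco, encodes the poster's `inside_nat0_outbound_1` exemption, the static for 192.168.222.1 (using 10.0.74.4, the local address shown in the later xlate output), and a dynamic PAT to 81.81.81.81 (the global address visible in that same xlate; the matching `global` command itself is not quoted in the thread, so it is an assumption). It also models the "ultra safe" variant, a deny entry in the exemption ACL for the new address, to show which rule then catches the traffic. 194.78.124.10 and 198.51.100.10 are constructed destination addresses.

```python
import ipaddress


def N(cidr):
    """Shorthand: CIDR string -> ip_network."""
    return ipaddress.ip_network(cidr)


# Pre-8.3 ASA NAT from the thread, as Python data (CIDR instead of netmask form):
#   access-list inside_nat0_outbound_1 extended permit ip 10.0.74.0 255.255.255.0 194.78.124.0 255.255.255.0
#   nat (inside) 0 access-list inside_nat0_outbound_1
#   static (inside,outside) 192.168.222.1 10.0.74.4 netmask 255.255.255.255
#   nat (inside) 1 0.0.0.0 0.0.0.0   + an assumed  global (outside) 1 81.81.81.81
CONFIG = {
    "nat0_acl": [("permit", N("10.0.74.0/24"), N("194.78.124.0/24"))],
    "statics": [("192.168.222.1", "10.0.74.4")],   # (global, local)
    "dynamic_pat": "81.81.81.81",
}


def translate(config, src_ip, dst_ip):
    """Return (translated source, rule that matched) for an inside->outside flow.
    Order of operations on a pre-8.3 ASA: nat 0 access-list (exemption), then static,
    then policy NAT, then regular dynamic NAT/PAT."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption: first matching ACE decides. A deny ACE means "not exempt",
    #    so the flow falls through to the later NAT types.
    for action, s, d in config["nat0_acl"]:
        if src in s and dst in d:
            if action == "permit":
                return str(src), "nat 0 (exempt)"
            break
    # 2. Static NAT (one-to-one)
    for global_ip, local_ip in config["statics"]:
        if str(src) == local_ip:
            return global_ip, "static"
    # 3. Policy NAT would be checked here (none modelled).
    # 4. Regular dynamic NAT/PAT: nat (inside) 1 0.0.0.0 0.0.0.0
    return config["dynamic_pat"], "nat 1 (PAT)"


def exclude_from_exemption(config, local_ip):
    """The 'ultra safe' variant: prepend a deny ACE for one host to the nat 0 ACL,
    which is the same effect as leaving that host out of the exemption entirely."""
    new = dict(config)
    new["nat0_acl"] = [("deny", N(local_ip + "/32"), N("0.0.0.0/0"))] + config["nat0_acl"]
    return new


if __name__ == "__main__":
    flows = [
        ("10.0.74.4", "10.10.10.87"),    # towards Statoil: should hit the static
        ("10.0.74.4", "194.78.124.10"),  # towards the poster's own site: exemption wins
        ("10.0.74.15", "198.51.100.10"), # ordinary internet traffic: dynamic PAT
    ]
    for src, dst in flows:
        print(f"{src:>11} -> {dst:<14} {translate(CONFIG, src, dst)}")
    safe = exclude_from_exemption(CONFIG, "10.0.74.4")
    print("with deny ACE:", translate(safe, "10.0.74.4", "194.78.124.10"))
```

The second flow is the case the reply is warning about: because the exemption ACL is consulted before the static, 10.0.74.4 leaves untranslated towards 194.78.124.0/24 even though a static exists for it, and only the Statoil-bound flow is translated to 192.168.222.1. With the deny ACE in place the same flow falls through to the static instead.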
11-21-2008 07:38 AM
Jon,
As I've learned more from you helping me out in this topic I'm going for the first solution.
As long as my internal users don't know the IP they won't access it.
Best is also we deny access from it.
In this way the easiest solution can be implemented, and a great plus is that I can use this to clean up some other things too in other networks. So it will be an all-round solution. :d
Eleander
11-21-2008 07:40 AM
Eleander
Good luck and let me know how it goes.
Jon
11-21-2008 07:51 AM
Jon,
Now I have this in my xlate:
asacust# sh xlate
12 in use, 170 most used
PAT Global 81.81.81.81(25) Local 10.0.74.1(25)
PAT Global 81.81.81.81(110) Local 10.0.74.1(110)
PAT Global 81.81.81.81(1723) Local 10.0.74.1(1723)
PAT Global 81.81.81.81(47) Local 10.0.74.1(47)
Global 192.168.222.1 Local 10.0.74.4
PAT Global 81.81.81.81(3891) Local 10.0.74.15(3984)
PAT Global 81.81.81.81(3890) Local 10.0.74.15(3983)
PAT Global 81.81.81.81(3889) Local 10.0.74.15(3978)
PAT Global 81.81.81.81(3892) Local 10.0.74.16(1183)
PAT Global 81.81.81.81(1) Local 10.0.74.5 ICMP id 3411
PAT Global 81.81.81.81(1667) Local 10.0.74.1(39002)
PAT Global 81.81.81.81(1666) Local 10.0.74.6(1057)
So the NAT statement will be ok.
Hope they can test soon!