Re: NAT Hairpinning on ASA 5505 [9.1(2)]

bill · ‎12-06-2013

I can't seem to get nat hairpinning to work... Most instructions on the internet indicate how to do this with commands available prior to 8.3.

I've tried the following:

same-security-traffic permit intra-interface

asa-box(config-network-object)# object network my-inside-address-obj
asa-box(config-network-object)# nat (inside,inside) static my-outside-address-obj

which didn't work.

Then I added:

access-list hairpin_allow extended permit tcp object Internal_NAT_Range object External_NAT_Range

with

access-group hairpin_allow in interface inside

which also didn't work (trying to show due dilligence here...).

Then I tried:

nat (inside,inside) source static Internal_NAT_Range Internal_NAT_Range destination static External_NAT_Range External_NAT_Range

Still a no go.

Finally, I added:

"9. To avoid packet-drops due to the asymmetric nature of routing that's occuring internally, we need the ASA to bypass stateful inspection for this particular traffic. For this, we need to configure the following:

ASA(config)#access-list tcp_bypass extended permit tcp object Internal_NAT_Range object External_NAT_Range

!--- Configure the access list to specify the TCP traffic

!--- that needs to by-pass inspection to improve the performance.

!--- Configure the class map and specify the match parameter for the

!--- class map to match the interesting traffic.

ASA(config)#class-map tcp_bypass

ASA(config-cmap)#description "TCP traffic that bypasses stateful firewall"

ASA(config-cmap)#match access-list tcp_bypass

!--- Configure the policy map and specify the class map

!--- inside this policy map for the class map.

ASA(config-cmap)#policy-map tcp_bypass_policy

ASA(config-pmap)#class tcp_bypass

!--- Use the set connection advanced-options tcp-state-bypass

!--- command in order to enable TCP state bypass feature.

ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass

!--- Use the service-policy policymap_name [ global | interface intf ]

!--- command in global configuration mode in order to activate a policy map

!--- globally on all interfaces or on a targeted interface.

ASA(config-pmap-c)#service-policy tcp_bypass_policy inside"

Again, nothing...

My config (clean/before any of the above) is as follows...

...

object network External_NAT_Range

range x.x.56.3 x.x.59.255

object network Internal_NAT_Range

range 172.17.56.3 172.17.59.255

object network InternalIPs

subnet 172.17.56.0 255.255.248.0

object network VpnIPs

subnet 172.17.63.0 255.255.255.0

object network InternalIPs_OutOnly

range 172.17.60.1 172.17.62.254

...

nat (inside,outside) source static InternalIPs InternalIPs destination static VpnIPs VpnIPs no-proxy-arp route-lookup description Un-Nats VPN IPs

nat (inside,outside) source dynamic InternalIPs_OutOnly interface description Allows remaining interior network to access the Internet

!

object network Internal_NAT_Range

nat (inside,outside) static External_NAT_Range net-to-net

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.56.1 1

...

---------------------------------

I just want to be able to access an external resource, say, http://x.x.56.5 from an internal IP, say, 172.17.56.8

I tried to use DNS doctoring. The configuration was much simpler, and worked, but when PTR requests came in from the internet, DNS Doctoring seemed to also translate the outbound responses to reflect my internal IP's which was obviously quite wrong...

Any help from you Cisco pros would be appreciated!

Thanks!

Julio Carvajal · ‎12-06-2013

Hello,

So on 8.3 NAT you must do it on one line

You should take into consideration both source and destination.

So you want the internal users to access a website located on the inside network by it's Private IP address???

object network internal

subnet 192.168.1.0 255.255.255.0

objet network Public_server

host 4.2.2.2

object network Private_Server 192.168.1.10

host 192.168.1.10

nat (inside,inside) 1 source dynamic internal interface destination static Public_Server Private_Server

and ofcourse the same-security

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

bill · ‎12-06-2013

"So you want the internal users to access a website located on the inside network by it's Private IP address???"

Eh, I want internal users to access a website located on the inside network by its Public IP address...

(more specifically, I have internal processes which need to access external facing websites from their public IP address. Does your solution do the same thing? (It's a live firewall, so I can't do too much fiddling around.)

Thanks!

Carlomd · ‎12-06-2013

Hi guys, sorry for the hijack, I got the same issue where my inside users need to access an outside OWA address, and seems like there's no current articles that pertains to v9 onwards. Let me know if you find a succesful way of doing this in ASA 9.1

Jouni Forss · ‎12-06-2013

Hi,

If you want to NAT a Internal server to a public IP address for the Internal users you would be configuring Dynamic PAT for the source address and Static NAT for the destination address.

Something along these lines

object network LAN

subnet 192.168.1.0 255.255.255.0

object network PUBLIC

host 1.1.1.1

object network LOCAL

host 192.168.1.10

nat (inside,inside) source dynamic LAN interface destination static PUBLIC LOCAL

There are variations of this command if you want to enable this only for certain services.

- Jouni

bill · ‎12-06-2013

I have existing nat's, net-to-net, so I'm wondering if dynamic pat will work for me (still haven't had time to try it yet). Can you do dynamic pat WITH static nat?

Also, your solution doesn't have access lists, I don't care about access lists, I just want any traffic from an internal source IP:

object network Internal_NAT_Range

range 172.17.56.3 172.17.59.255

to an external destination IP:

object network External_NAT_Range

range x.x.56.3 x.x.59.255

(they are statically net-to-net natted, with what I believe is called a "network object" nat?):

object network Internal_NAT_Range
nat (inside,outside) static External_NAT_Range net-to-net

You seem to be indicating a global nat, in position 1, is what's needed. Also, do I need to worry about policies because of the asymmetric routing and "tcp-state-bypas" (as indicated in another post)

Thanks!

Julio Carvajal · ‎12-06-2013

Hello,

NO need for tcp bypass if the hosts are on the same subnet as traffic will always flow through the firewall.

Now, regarding the nat.. It will not make it.. You need a twice NAT for this kind of setup.

Ours is the one u need

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

bill · ‎12-06-2013

ok, no tcp bypass... I'm getting a little confused though with all the posts and "Ours is the one u need"... which example should I use for twice natting?

Julio Carvajal · ‎12-06-2013

My example and Jouniss do the same so any of those hehe just remember to use your IP addresses

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

bill · ‎12-09-2013

Both of your examples refer to a single IP as in the following:

Julio, you have:

object network Private_Server 192.168.1.10

host 192.168.1.10

And Jouni, you have:

object network LOCAL

host 192.168.1.10

But I need any of my internal IP's to be able to access any of my other (or even same) internal IP's by their external IP's...

i.e.

1.) Internet IP x.x.56.7 is static net-to-net nat'd to 172.17.56.7 (an internal IP)

... for the whole range x.x.56.3 x.x.59.255

2.) My workstation has IP 172.17.56.18. (or any IP in the range 172.17.56.3-172.17.59.254)

3.) I want to browse to http://x.x.56.7 (or x.x.56.8, or x.x.56.9...) and I want it to act AS-IF I were browsing to http://172.17.56.7

(or 172.17.56.8, or 172.17.56.9...)

4.) I want it to work this way for my whole range of internal IP's 1:1 nat'd to my whole range of external IP's.

Is this not possible? Or must I setup a nat (inside,inside) for all IP's in my range? Or is there a simpler solution?

It should seem to act almost identical to DNS doctoring.

Thanks.

Julio Carvajal · ‎12-06-2013

Hello,

I am sorry, yeah I mean public

It should do it buddy.

Test with the config shown and let us know

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Carlomd · ‎12-06-2013

Thanks for the replies Jouni and Julio, I tried it, same thing it just hangs and times out with page can't be displayed, here's the seperate code lines

object network mb1.cirexx.com

host 12.x.x.35

object network cirexxintldc

host 208.x.x.12

object network LAN

subnet 208.x.x.0 255.255.255.0

nat (inside,inside) source dynamic LAN interface destination static mb1.cirexx.com cirexxintldc

but I have this other nat statement for my lan I setup early on to get internet access to internal users, could this be causing it to not work

object network obj-LAN

nat (inside,outside) dynamic interface

Julio Carvajal · ‎12-06-2013

Hello,

The second nat it's a object nat which takes the second position on the priority order.

The first one would takes place at the order (twice nat).

The NAT is fine, what about the same-security do you have it?

do packet-tracer input inside tcp 208.1.1.15 1025 12.1.135 80

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss · ‎12-06-2013

Hi,

You can always confirm with the "packet-tracer" that you dont have any other NAT rule that might be messing with this configuration

packet-tracer input tcp 12345

- Jouni

Carlomd · ‎12-06-2013

here's the results -

crxasa# packet-tracer input inside tcp 208.x.x.12 smtp 12.x.x.35 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source dynamic LAN interface destination static mb1.cirexx.com cirexxintldc
Additional Information:
NAT divert to egress interface inside
Untranslate 12.x.x.35/80 to 208.x.x.12/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,inside) source dynamic LAN interface destination static mb1.cirexx.com cirexxintldc
Additional Information:
Dynamic translate 208.x.x.12/25 to 208.x.x.1/25

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,inside) source dynamic LAN interface destination static mb1.cirexx.com cirexxintldc
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1944870, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow