NAT Issues continue with ASA 5510

I am still having access issues when using NAT on my ASA 5510. I think it is due to the way I have my ASA setup and the usage of PAT and NAT. I am not sure of the differences in them as of yet, but because I have routers behind my ASA, it seems to me that the issues might relate to the PAT, NAT and the Routers.

You can refer to this link to see my network diagram.

https://supportforums.cisco.com/message/4145313#4145313

The problem is, I cannot seem to access any devices behind the routers.

My initial thought when I started this learning process was to use the ASA as the one point of access to the internet as a firewall. Then behind that I would have my routers and the subnets behind them, including switches and all that stuff. But there are apparently different ways of doing this and the information I get doesn't seem to be consistent, or I should say it is consistent, but doesn't work.

For some reason, I cannot seem to forward packets from the external interface (internet) on the ASA, to resources behind the routers.

I create a network object. Assign it a host. Create the NAT statement. Create the access list, and yet the packets still get denied. The error I see on the ASDM is basically always the same.

Severity  Date         Time      Source         Src Port  Destination  Dst Port  Description
6         Jan 27 2014  10:36:46  98.22.xxx.xxx  14979     192.168.1.2  3389      Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/14979 to Inside:192.168.1.2/3389

One thing I noticed is that no matter what I specify as the port leaving my network here at work, the ASA doesn't see it as that port. RDP, for example, is supposed to use 3389. But as you see from this capture of my ASA log, I initiated an RDP connection from my work computer and when it hit the ASA it is on port 14979, which if I read this correctly is 98.22.xxx.xxx 14979 then converted to 192.168.1.2 port 3389.

I created an Object Network Group:

object network RDP-DC1
 host 192.168.1.2

Set NAT within the group:

object network RDP-DC1
 nat (Inside,Outside) static interface service tcp 3389 3389

Then created an Access-List:

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389

But the result is the same as I get when I created the one to allow http traffic on port 8080 to hit an internal address on port 80.

I don't know where my NAT issue is, but I am beginning to think it is in the PAT. Maybe I should create only static routes from the ASA to the routers and then setup the routers to allow access as needed? Right now, I believe the routers are allowing any traffic, since I have the access-list permit any any statement. That does mean allow any traffic to any location, including from the 'Outside' source?

Is the PAT trying to bypass the routers?

Here are some outputs:

ASA5510(config)# sh run nat
!
object network ROUTER-2811
 nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
 nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
 nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
 nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
 nat (Inside,Outside) static interface service tcp 3389 3389
!
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

ASA5510(config)# sh run access-list
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA5510(config)# sh run object-group
object-group network PAT-SOURCE
 network-object 10.10.1.0 255.255.255.252
 network-object 10.10.0.0 255.255.255.252
 network-object 10.10.2.0 255.255.255.252
 network-object 192.168.0.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 128.162.1.0 255.255.255.0
 network-object 128.162.10.0 255.255.255.0
 network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object host 98.22.xxx.xxx
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object gre


I seem to be missing something in my config preventing NAT from working as it should, and the workarounds that I do seem to not work properly.

The only statements that do work are the ones that allow me to SSH into the routers that are on each interface of the ASA. So I can SSH into the 2811 and 2821 fine, but nothing behind them.


OK, I removed the statement under the network object for the NAT for ssh, no change.

object network ROUTER-2811
 no nat (Inside,Outside) static interface service tcp ssh 222

I assume that was the NAT you were talking about?

Here is the route table as well.

ASA5510# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 199.195.xxx.xxx to network 0.0.0.0

S    172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S    172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S    128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, Inside
S    128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, Inside
S    128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, Inside
C    199.195.xxx.xxx 255.255.255.240 is directly connected, Outside
C    10.10.0.0 255.255.255.252 is directly connected, DMZ
C    10.10.1.0 255.255.255.252 is directly connected, Inside
C    10.10.2.0 255.255.255.252 is directly connected, VOIP
S    192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 199.195.xxx.xxx, Outside
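As an added example (not code from the thread or from Cisco), here is a small Python sanity pass over the kind of `sh run` and `sh route` output posted above. It reads the interface subnets, the network objects with their static NAT real interface, and the static routes, then reports two things a "Routing failed to locate next hop" message makes worth checking: a static route whose next hop is not on the subnet of the interface the route names, and a static NAT whose real interface disagrees with what a route lookup for the host returns. The embedded sample is a constructed excerpt of the posted config; on it the check flags the `route Inside 128.162.1.0 ... 10.10.0.2` line, since 10.10.0.0/30 is the DMZ subnet, not Inside.

```python
import ipaddress
import re

# Constructed excerpt of the ASA "sh run" / "sh route" output posted in this thread.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif Inside
 ip address 10.10.1.1 255.255.255.252
interface Ethernet0/2
 nameif DMZ
 ip address 10.10.0.1 255.255.255.252
object network RDP-DC1
 host 192.168.1.2
object network RDP-DC1
 nat (Inside,Outside) static interface service tcp 3389 3389
route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
"""

def parse_config(cfg):
    """Collect interface subnets, object hosts with their NAT real interface, and static routes."""
    ifaces, objects, routes = {}, {}, []
    nameif = obj = None
    for line in cfg.splitlines():
        t = line.strip()
        if t.startswith("nameif "):
            nameif = t.split()[1]
        elif t.startswith("ip address ") and nameif:
            _, _, ip, mask = t.split()
            ifaces[nameif] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif t.startswith("object network "):
            obj = objects.setdefault(t.split()[2], {})
        elif t.startswith("host ") and obj is not None:
            obj["host"] = ipaddress.ip_address(t.split()[1])
        elif (m := re.match(r"nat \((\w+),(\w+)\) static", t)) and obj is not None:
            obj["real_if"] = m.group(1)        # interface the real host is expected behind
        elif t.startswith("route "):
            _, iface, net, mask, nh, *_ = t.split()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(nh)))
    return ifaces, objects, routes

def egress_interface(addr, ifaces, routes):
    """Longest-prefix match over connected subnets and static routes."""
    best = None
    for name, intf in ifaces.items():
        if addr in intf.network and (best is None or intf.network.prefixlen > best[1]):
            best = (name, intf.network.prefixlen)
    for iface, net, _ in routes:
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (iface, net.prefixlen)
    return best[0] if best else None

def audit(cfg):
    """Flag off-subnet next hops and static NATs whose real interface disagrees with routing."""
    ifaces, objects, routes = parse_config(cfg)
    findings = []
    for iface, net, nh in routes:
        if iface not in ifaces or nh not in ifaces[iface].network:
            findings.append(f"route {net} via {nh}: next hop is not on {iface}'s subnet")
    for name, o in objects.items():
        if "host" in o and "real_if" in o:
            via = egress_interface(o["host"], ifaces, routes)
            if via != o["real_if"]:
                findings.append(f"nat {name} ({o['host']}): real interface {o['real_if']} but routing gives {via}")
    return findings
```

The RDP-DC1 rule passes both checks on this excerpt, so this pass narrows the search rather than closing it; feeding it the full running config reports every route and static NAT the same way.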

Mitchell

Did you clear the xlate table for that NAT statement when you removed it ?

Can you post full config of ASA ?

Jon

Shoot, no I didn't, and I thought about it, but didn't.

ASA5510# sh running-config
: Saved
:
ASA Version 9.1(4)
!
hostname ASA5510
domain-name maladomini.int
enable password liSfzvir2g encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd fzvir2g encrypted
names
dns-guard
!
interface Ethernet0/0
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.10.1.1 255.255.255.252
!
interface Ethernet0/1
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 199.195.xxx.xxx 255.255.255.240
!
interface Ethernet0/2
 description DMZ
 nameif DMZ
 security-level 100
 ip address 10.10.0.1 255.255.255.252
!
interface Ethernet0/3
 description VOIP
 nameif VOIP
 security-level 100
 ip address 10.10.2.1 255.255.255.252
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 0
 no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 199.195.xxx.xxx
 name-server 205.171.2.65
 name-server 205.171.3.65
 domain-name maladomini.int
same-security-traffic permit inter-interface
object network ROUTER-2811
 host 10.10.1.2
object network ROUTER-2821
 host 10.10.0.2
object network WEBCAM-01
 host 192.168.1.5
object network DNS-SERVER
 host 192.168.1.2
object network ROUTER-3745
 host 10.10.2.2
object network RDP-DC1
 host 192.168.1.2
object-group network PAT-SOURCE
 network-object 10.10.1.0 255.255.255.252
 network-object 10.10.0.0 255.255.255.252
 network-object 10.10.2.0 255.255.255.252
 network-object 192.168.0.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 128.162.1.0 255.255.255.0
 network-object 128.162.10.0 255.255.255.0
 network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object host 98.22.xxx.xxx
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
mtu DMZ 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network ROUTER-2811
 nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
 nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
 nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
 nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
 nat (Inside,Outside) static interface service tcp 3389 3389
!
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
!
router rip
 network 10.0.0.0
 version 2
 no auto-summary
!
route Outside 0.0.0.0 0.0.0.0 199.195.xxx.xxx 1
route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 98.22.xxx.xxx 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.xxx.xxx 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username  encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:95cd1440463ac3f
: end

Hi,

Can you please put the "ip subnet-zero" command and then try.

Regards,

Naisam

I am sorry, I can't seem to find that command to run.

Closest I found was:

ASA5510# sh ip address inside
System IP Address:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              Inside                 10.10.1.1       255.255.255.252 CONFIG
Current IP Address:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              Inside                 10.10.1.1       255.255.255.252 CONFIG

ASA5510# sh ip address outside
System IP Address:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/1              Outside                199.195.xxx.xxx 255.255.255.240 CONFIG
Current IP Address:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/1              Outside                199.195.xxx.xxx 255.255.255.240 CONFIG

ASA5510# sh ip address DMZ
System IP Address:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/2              DMZ                    10.10.0.1       255.255.255.252 manual
Current IP Address:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/2              DMZ                    10.10.0.1       255.255.255.252 manual

Naisamuddin pk wrote:

Hi,

Can you please put the "ip subnet-zero" command and then try.

Regards,

Naisam

Jon,

I just tried removing the NAT again and this time I cleared the xlate and still no go.

Thanks for trying to help, all. I dunno what's going on. I guess I just won't be able to access internal assets unless they are directly off a port on the ASA. I can't think of anything else to change.

jon.marshall wrote:

Mitchell

Did you clear the xlate table for that NAT statement when you removed it ?

Can you post full config of ASA ?

Jon

Is it possible it is a setting on my router that is preventing access to resources behind it? I can't see anything that stands out but I am just learning this.

It seems to me the ASA is working because it allows me to SSH to the routers, I just can't access resources on the other side of the routers.

Here is the config:

CISCO-2811#sh run
Building configuration...

Current configuration : 4779 bytes
!
! Last configuration change at 04:01:02 UTC Tue Jan 28 2014 by mtuckness
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO-2811
!
boot-start-marker
boot system flash
boot-end-marker
!
!
enable secret 4 DWJfYBf6KhkIRmhhIhVGQWjwfuyzfaX4Im8M
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 172.16.20.1 172.16.20.49
!
ip dhcp pool Mitchs_Network
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.1.2 199.195.x.x 205.171.2.65 205.171.3.65 8.8.8.8
 default-router 192.168.1.1
!
ip dhcp pool VLAN10
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 199.195.x.x 205.171.2.65 205.171.3.65 8.8.8.8
!
ip dhcp pool VLAN20
 network 172.16.20.0 255.255.255.0
 dns-server 199.195.x.x 205.171.2.65 205.171.3.65 8.8.8.8
 default-router 172.16.20.1
!
!
!
ip domain name maladomini.int
ip name-server 192.168.1.2
ip name-server 199.195.xxx.x
ip name-server 205.171.2.65
ip name-server 205.171.3.65
ip name-server 8.8.8.8
no vlan accounting input
!
multilink bundle-name authenticated
!
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1290569776
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1290569776
 revocation-check none
 rsakeypair TP-self-signed-1290569776
!
!
crypto pki certificate chain TP-self-signed-1290569776
 certificate self-signed 01


!
!
license udi pid CISCO2811 sn FTX1041A07T
username secret 5 $18dqYMcpTex8gtUfannzox.
username  privilege 15 secret 4 DWJfYBf6KhhIhx8ibAAXVGQWjwfuyzfaX4Im8M
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0/0
 description CONNECTION TO INSIDE INT. OF ASA
 ip address 10.10.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 description VLAN 10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.2
 description VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.3
 description Trunk Interface VLAN 1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 no ip address
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.1.0
 network 199.195.xxx.0
 no auto-summary
!
ip default-gateway 10.10.1.1
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ospf name-lookup
!
access-list 1 permit any
dialer-list 1 protocol ip permit
!
!
!
!
tftp-server system:running-config 1
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 password 7 101D58606050A147A
line aux 0
line vty 0 4
 access-class 20 in
 exec-timeout 0 0
 password 7 115A485010D241575
 transport input ssh
!
scheduler allocate 20000 1000
end
