11-20-2012 01:01 PM - edited 03-11-2019 05:25 PM
I have a customer that sits behind an ASA on Int g0/1.143 (sec-level set to 100).
I have another customer that sits behind the same firewall on Int g0/1.156 (sec level = 100 as well).
The default gateway for each customer is the ip address on the above interfaces, 192.168.143.254 and 192.168.156.254 respectively.
The customer on 1.156 has a web server that's up and alive on the internet, natted to a public address of 72.46.x.x.
Customers on 192.168.143.0/24 cannot get to the website. When I tracert from 192.168.143.10 I can see the router that sits on the outside interface of the ASA, then it fails, so it's being sent out the default gateway of the ASA.
What am I missing here?
Thanks as always....
11-21-2012 01:28 PM
Hi,
If you can make the DNS change on the local LAN DNS server to point to the private IP address of the server instead of the public this should be almost enough.
Of course you need to allow the traffic on the access-list on the source interface (unless you have some wider rule already allowing that).
The NAT setup between the interfaces depends on your ASA software. In 8.3 and newer software you wouldn't need any NAT configurations for this traffic as you won't be doing any NAT and the traffic will be using the client/server actual IP addresses.
In software 8.2 and below there is a thing called "nat-control" which determines if a NAT is always required or never required. The default setting, if I remember right, is that "nat-control" is not enabled. (It's not visible in the configuration in this case.) Then again, if "nat-control" is enabled it will show in the configuration just above the "global" configuration lines. I haven't had to deal with this in ages so I might have gotten it completely the wrong way (which setting was default, that is).
If you want to capture traffic for a connection you are testing you can do it either at the test computer itself, on the server, in the switches you might have, or on the ASA (which I have used a lot in recent months to get familiar with using it for troubleshooting).
Now if we presume that you want to capture only HTTP connections towards the server (and the return traffic) using the ASA, you could do the following configurations. I also presume you are connecting using the local IP of the server (even though it should work if access rules are OK and there is not some other NAT configuration in the way).
access-list WEB-SERVER-CAPTURE permit tcp host
access-list WEB-SERVER-CAPTURE permit tcp host
capture WEB-SERVER-CAPTURE type raw-data packet-length 1522 access-list WEB-SERVER-CAPTURE interface Amherst buffer 33500000 circular-buffer
You can check the amount of data captured by the above configuration by using the command "show capture". The capture won't show in the "show run" output of the ASA, only with the "show capture" command. If the ASA happens to reboot the capture will be removed also.
The "buffer" parameter sets the amount of memory used for storing data. I'm using almost the maximum amount the ASA allows per capture.
"circular-buffer" tells the ASA to overwrite the old data if the memory amount set with "buffer" is exceeded. Otherwise the capture will stop when the buffer is full. The access-list and capture name don't have to match but I usually do it that way.
You can show the capture data with "show capture
Though I would suggest using the Wireshark software for opening the capture file. For this you need to copy the file from the ASA to your computer with TFTP:
copy /pcap capture:WEB-SERVER-CAPTURE tftp://x.x.x.x/filename.pcap
You can also use Wireshark for capturing traffic on the computer you install it on, of course (I guess you might be familiar with this already; personally I haven't used it for a long time even if it is a very basic tool for networking).
To remove the capture use the command "no capture
If you don't want to go quite so deep you can simply watch the ASA logs through ASDM, the ASA CLI or, better yet, a Syslog server. The logging level on the ASA would need to be at least "informational" so that you can see the messages related to connections forming and closing.
- Jouni
11-21-2012 02:49 PM
I was thinking Wireshark and packet captures would be a last resort; maybe I'm at that point then as nothing seems to be working. But I just got a little hope... by the way, I'm running asa804-k8.bin.
I've made no DNS changes locally yet, but when I'm on a server on the Amherst LAN, 192.168.143.10, and I try to ping the web server on the Franklin LAN, 192.168.156.10, the requests time out.
I added, based on your above:
Static NAT to outside
static (lan1,outside) 1.2.3.4 10.10.10.10 netmask 255.255.255.255 dns
static (Franklin,outside) 74.11.x.x 192.168.156.10 netmask 255.255.255.255 dns
Static NAT between LANs
static (lan1,lan2) 1.2.3.4 10.10.10.10 netmask 255.255.255.255
static (Franklin,amherst) 74.11.x.x 192.168.156.10 netmask 255.255.255.255
I have 2 constant pings running now and I see log file entries:
For the local addressing:
Nov 21 2012 17:30:18: %ASA-3-305006: portmap translation creation failed for icmp src amherst:192.168.143.10 dst Franklin:192.168.156.10 (type 8, code 0)
Likewise the ping to the Public url yields:
Nov 21 2012 17:31:34: %ASA-3-305006: portmap translation creation failed for icmp src amherst:192.168.143.10 dst Franklin:74.11.x.x (type 8, code 0)
I'm wondering if your lan1 and lan2 are matching up with my amherst and Franklin LANs, respectively. Or do I have things backwards?
11-21-2012 10:32 PM
Hi,
Seems to be some problem with NAT configurations then.
We still haven't seen your configurations though, so I can't say anything for sure.
What I would suggest would be to leave the server to outside Static NAT with the DNS parameter added and remove the Static NAT server to other lan to return to a normal situation.
I would first try the DNS changes before trying anything else. At the least use a test computer in the LAN where you need to connect from and use a public DNS server and see if you can connect then to the server by using DNS name.
You can also post the ASA configurations and remove the sensitive information if there is some.
Cisco explanation for your log message ID:
Error Message %ASA-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]
Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the ASA. The ASA does not allow packets through that are destined for network or broadcast addresses. The ASA provides this checking for addresses that are explicitly identified with static commands. For inbound traffic, the ASA denies translations for an IP address identified as a network or broadcast address.
The ASA does not apply PAT to all ICMP message types; it only applies PAT ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT translation. As a result, when the other ICMP messages types are dropped, this message is generated.
The ASA uses the global IP address and mask from configured static commands to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the ASA does not create a translation for network or broadcast IP addresses with inbound packets.
For example:
static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128
The ASA responds to global address 10.2.2.128 as a network address and to 10.2.2.255 as the broadcast address. Without an existing translation, the ASA denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this message.
When the suspected IP address is a host IP address, configure a separate static command with a host mask in front of the subnet static command (the first match rule for static commands). The following static commands cause the ASA to respond to 10.2.2.128 as a host address:
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128
The translation may be created by traffic started from the inside host with the IP address in question. Because the ASA views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static commands must be the same.
Recommended Action None required.
- Jouni
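As an added example (not code from this thread), here is a small Python parser for the %ASA-3-305006 format quoted above, run over constructed log lines modelled on the ones posted; counting the failures per interface pair shows which pair's NAT (static or nat/global) needs attention. The 203.0.113.45 address is a documentation address standing in for the redacted public server IP.

```python
import re
from collections import Counter

# Regex for the Cisco-documented %ASA-3-305006 layout quoted in the thread:
#   {outbound static|identity|portmap|regular} translation creation failed for
#   <protocol> src ifc:addr[/port] dst ifc:addr[/port]
# ICMP messages carry "(type N, code M)" instead of ports; an optional
# "(idfw_user)" after the source is accepted and ignored.
MSG_305006 = re.compile(
    r"%ASA-3-305006: (?P<kind>outbound static|identity|portmap|regular) "
    r"translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?"
    r"(?: \([^)]*\))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)

def parse_305006(line):
    """Return the fields of one 305006 message as a dict, or None for other lines."""
    m = MSG_305006.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("src_port", "dst_port", "icmp_type", "icmp_code"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields

def failing_interface_pairs(lines):
    """Count failed translations per (src_if, dst_if); the dominant pair is where to look."""
    pairs = Counter()
    for line in lines:
        fields = parse_305006(line)
        if fields:
            pairs[(fields["src_if"], fields["dst_if"])] += 1
    return pairs

# Constructed sample modelled on the thread's messages (not real log data);
# 203.0.113.45 stands in for the redacted public address of the web server.
SAMPLE_LOG = [
    "Nov 21 2012 17:30:18: %ASA-3-305006: portmap translation creation failed for icmp src amherst:192.168.143.10 dst Franklin:192.168.156.10 (type 8, code 0)",
    "Nov 21 2012 17:31:34: %ASA-3-305006: portmap translation creation failed for icmp src amherst:192.168.143.10 dst Franklin:203.0.113.45 (type 8, code 0)",
    "Nov 21 2012 17:31:40: %ASA-3-305006: regular translation creation failed for tcp src amherst:192.168.143.10/51234 dst Franklin:192.168.156.10/80",
    "Nov 21 2012 17:31:41: %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 (198.51.100.7/443) to amherst:192.168.143.10/51235 (203.0.113.9/51235)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_305006(line))
    print(failing_interface_pairs(SAMPLE_LOG))
```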
11-23-2012 07:43 AM
Ok, posting my config is going to take some work, it's 1900 lines long and there's a lot of stuff I can't post publicly, but I'm afraid to make changes since I may change something relevant. However I will work on that today.
But I had an interesting thing I just noticed. I got back on that server, having not changed anything since I left it Wednesday, and went to ping that website; it's coming back as the local private address. I can still get to the website externally so the web site is still up... meaning it's still using the public address elsewhere.
So something in this translation is working? The server points to 4.2.2.2 for DNS. And I have to say it's very odd to see a Windows server responding back from a public DNS server with a private address.
11-23-2012 08:41 AM
Ok, actually that wasn't so bad to go through. I removed all of my other customers' subinterfaces and access lists, as well as the crypto, and I think it's ok. Any questions on anything I changed, just let me know. Also note, I left the real VLAN and private subnet for Amherst and Franklin this time, so this is the actual config. I'm trying to get hosts on 192.168.133.0 to the webserver at 192.168.146.10. The webserver's public address is network-object host x.x.122.45
Thanks again for all the help.
11-26-2012 06:06 AM
WStoffel1,
Can you run the following packet-tracer.
packet-tracer input Amherst tcp 192.168.133.20 25354 192.168.146.10 80 detailed
and post the output.
thanks,
Nick
11-26-2012 06:14 AM
Ahh yes, I should have posted that already:
packet-tracer input Amherst tcp 192.168.133.20 25354 192.168.146.10 80 $
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb047cf70, priority=12, domain=capture, deny=false
hits=5947967, user_data=0xb1fda948, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac3d8348, priority=1, domain=permit, deny=false
hits=16069432, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.146.0 255.255.255.0 Franklin
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad5b5650, priority=2, domain=permit, deny=false
hits=103456, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad4fd1e0, priority=0, domain=permit-ip-option, deny=true
hits=391153, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac3d7df0, priority=21, domain=lu, deny=true
hits=127965, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Amherst,dmz) 192.168.133.0 192.168.133.0 netmask 255.255.255.0
match ip Amherst 192.168.133.0 255.255.255.0 dmz any
static translation to 192.168.133.0
translate_hits = 465, untranslate_hits = 3637
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac962570, priority=5, domain=host, deny=false
hits=475673, user_data=0xac453d20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.133.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype:
Result: DROP
Config:
nat (Amherst) 1 192.168.133.0 255.255.255.0
match ip Amherst 192.168.133.0 255.255.255.0 Franklin any
dynamic translation to pool 1 (No matching global)
translate_hits = 4, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac798bc0, priority=1, domain=nat, deny=false
hits=3, user_data=0xb0bbfe80, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.133.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Amherst
input-status: up
input-line-status: up
output-interface: Franklin
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
FYI, these are the current NATs I have based on the above:
static (Franklin,outside) 74.11.x.x 192.168.146.10 netmask 255.255.255.255 dns
static (Franklin,Amherst) 74.11.x.x 192.168.146.10 netmask 255.255.255.255
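Added example, not code from the thread: a Python parser for packet-tracer output that splits it into phases and picks out the one that dropped the flow, run over a constructed, abridged copy of the Phase 9 and summary lines above. On the real output it pulls out the matched nat rule and the "(No matching global)" line, which is the reason the Amherst-to-Franklin flow never got past the NAT phase.

```python
def parse_packet_tracer(text):
    """Split packet-tracer output into its phases plus the trailing summary block."""
    phases, summary, cur, section = [], {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":              # a bare 'Result:' opens the final summary
            cur, section = None, "summary"
        elif section == "summary":
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif cur is None:                    # echoed command line before Phase 1
            continue
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section in ("config", "info"):
            cur[section].append(line)        # e.g. the nat/static rule that matched
        else:                                # Type:, Subtype:, Result: ALLOW|DROP
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
    return phases, summary

def first_drop(phases):
    """The phase that killed the flow: the first one whose Result is DROP, else None."""
    return next((p for p in phases if p["result"] == "DROP"), None)

# Constructed, abridged copy of the thread's packet-tracer output (Phase 9 and summary).
SAMPLE = """packet-tracer input Amherst tcp 192.168.133.20 25354 192.168.146.10 80
Phase: 9
Type: NAT
Subtype:
Result: DROP
Config:
nat (Amherst) 1 192.168.133.0 255.255.255.0
match ip Amherst 192.168.133.0 255.255.255.0 Franklin any
dynamic translation to pool 1 (No matching global)
Result:
input-interface: Amherst
output-interface: Franklin
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE)
    drop = first_drop(phases)
    print(f"Phase {drop['phase']} {drop['type']} dropped it: {drop['config'][-1]}")
```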
11-28-2012 12:58 PM
Just to follow up, what I ended up doing to fix this issue was a combination of DNS server and ASA configs.
Increased the security level on the source interface relative to the destination where the web server resided.
Added static nat:
Static (amherst,Franklin) 192.168.133.0 192.168.133.0 netmask 255.255.255.255
This enabled me to ping across the interfaces, and logically all the traffic will be initiated outbound so I think it's set.
Then on the local source (Amherst) network I added a new zone for the domain of the website, ABCDE.com and added a single A record for WWW.
Problem solved....Thanks everyone for all the help!!!!!