NAT rule on cisco ASA

23nick
Level 1

Hello Experts,

 

I am new to security, please bear with me. I am practising NAT on Cisco ASA and referring to the link below.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/nat-reference.html

1) NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)

The following example configures dynamic NAT for dmz users on a private network when they access the outside. Also, when dmz users connect to an outside web server, that web server address is translated to an address that appears to be on the dmz network.

diag.JPG

 


asanat.JPG

 

 

ASA-A(config)# sh run object
object network nat-pool
range 12.0.0.50 12.0.0.60
object network dmz-subnet
subnet 172.16.10.0 255.255.255.0
object network obj-r5
host 5.5.5.5
object network obj-r2
host 12.0.0.2

 

When I tried telnet 5.5.5.5 (R5 loopback) from R4, I am getting the error "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src dmz:172.16.10.4/28454 dst outside:5.5.5.5/23 denied due to NAT reverse path failure" followed by "%ASA-7-609002: Teardown local-host outside:5.5.5.5 duration 0:00:00". When the packet going from R4 with src 172.16.10.4 is translated to a random IP from the NAT pool, e.g. 12.0.0.56, as there is a NAT statement configured. But when the ASA receives the packet from R5, src is 5.5.5.5 and dest is 12.0.0.56. So does the ASA untranslate 12.0.0.56 to 172.16.10.4, or does it match the NAT rule below first?

object network obj-r5
nat (outside,dmz) static 172.16.10.50

 

When I try to telnet 172.16.10.50 from R4, I can telnet to R5.

 

I am not able to understand this flow. Could someone please help here?

 

Many thanks,

Nick

 

 


6 Replies

Cristian Matei
VIP Alumni

Hi,

 

   Post your full NAT and object/object group configurations.

 

Regards,

Cristian Matei.

Hi Cristian,

Please find the snaps below.

 

natconfig.JPG

object.JPG

 

Thanks

Hi,

 

   Per your NAT configuration, specifically "nat (outside,dmz) source static 5.5.5.5 172.16.10.50", it means that the Loopback of R5 (5.5.5.5) is visible on the DMZ side of the ASA as 172.16.10.50. So when you initiate traffic from R4 towards the Loopback of R5, you should initiate it towards 172.16.10.50, not towards 5.5.5.5.

 

Regards,

Cristian Matei.

OK, but if I telnet 5.5.5.5 from R4:

The ASA checks the nat (dmz,outside) dynamic nat-pool statement and, for example, translates 172.16.10.4 to 12.0.0.56.

 

1) But what happens when the ASA receives the reply from R5? src is 5.5.5.5, destination is e.g. 12.0.0.56. Does the ASA translate 12.0.0.56 to 172.16.10.4?

OR

2) Does it consider checking nat (outside,dmz) static 172.16.10.50?

How are the checks performed here? Will it check the connection table first or the NAT statement?

 

Thanks

Hi,

   

    The ASA does not allow the session from R4 to R5 (5.5.5.5) to flow, because it knows by parsing the config, that when the reply comes to the ASA, with a source of 5.5.5.5 and destination of R4, the 5.5.5.5 gets NAT'ed into 172.16.10.50, and this is a broken session from the initiator's perspective (it sends packets with source R4 and destination 5.5.5.5, the reply should be with source of 5.5.5.5 and destination of R4, which is not the case as the ASA NAT's 5.5.5.5).

  As said, per your config and desired outcome, you need to initiate traffic from R4 towards the NAT'ed/mapped address of R5, not towards the real one.

 

Regards,

Cristian Matei.
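Cristian's explanation above, modelled as a small Python check (an added example, not Cisco's implementation and not code from this thread): the forward flow is translated, the reply is run through the same NAT lookup on the egress interface, and the connection is allowed only if the translated reply lands back on the original endpoints. The rules and addresses are the ones posted above; the pool address 12.0.0.56 is a constructed stand-in for the dynamic pick, and the `xlate` dict stands in for the ASA's translation table.

```python
"""Toy model of the ASA NAT reverse-path check from this thread (added example,
not Cisco code). Rules come from the posts above; POOL_PICK is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    real_if: str     # interface where the real (untranslated) address lives
    mapped_if: str   # interface on which the mapped address is seen
    real: str        # real network, e.g. "172.16.10.0/24"
    mapped: tuple    # mapped addresses: a pool range or a single host


RULES = (
    # nat (dmz,outside) dynamic nat-pool: dmz-subnet appears outside as 12.0.0.50-60
    NatRule("dmz", "outside", "172.16.10.0/24",
            tuple(f"12.0.0.{h}" for h in range(50, 61))),
    # nat (outside,dmz) static 172.16.10.50: R5 loopback appears on dmz as 172.16.10.50
    NatRule("outside", "dmz", "5.5.5.5/32", ("172.16.10.50",)),
)
POOL_PICK = "12.0.0.56"  # constructed: the pool address the dynamic rule hands out


def translate(ingress, src, dst, xlate=None):
    """Source-NAT on the ingress side and un-NAT the destination toward egress.
    `xlate` holds dynamic translations already built (mapped -> real).
    Returns (egress_if, new_src, new_dst)."""
    xlate = xlate or {}
    egress, new_src, new_dst = None, src, dst
    for r in RULES:  # source translation: real -> mapped
        if r.real_if == ingress and ip_address(src) in ip_network(r.real):
            new_src = POOL_PICK if len(r.mapped) > 1 else r.mapped[0]
            egress = r.mapped_if
    if dst in xlate:  # reply to a dynamic xlate: go back to the recorded real host
        new_dst = xlate[dst]
    else:
        for r in RULES:  # static rules are bidirectional: mapped -> real
            if r.mapped_if == ingress and len(r.mapped) == 1 and dst in r.mapped:
                new_dst, egress = str(ip_network(r.real)[0]), r.real_if
    return egress, new_src, new_dst


def reverse_path_ok(ingress, src, dst):
    """The check behind 'Asymmetric NAT rules matched for forward and reverse
    flows': the reply, after NAT, must land back on the original endpoints."""
    egress, fwd_src, fwd_dst = translate(ingress, src, dst)
    if egress is None:
        return False, "no NAT rule matched the forward flow"
    xlate = {fwd_src: src} if fwd_src != src else {}
    _, rev_src, rev_dst = translate(egress, fwd_dst, fwd_src, xlate)  # the reply
    ok = (rev_src, rev_dst) == (dst, src)
    return ok, f"{src}->{dst} leaves as {fwd_src}->{fwd_dst}; reply arrives as {rev_src}->{rev_dst}"
```

Running `reverse_path_ok("dmz", "172.16.10.4", "5.5.5.5")` reproduces the failure (the reply comes back as 172.16.10.50 -> 172.16.10.4, not from 5.5.5.5), while `reverse_path_ok("dmz", "172.16.10.4", "172.16.10.50")` passes, matching what the OP observed with telnet.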

Thank you very much Cristian for your valuable comment.

 
