NAT strange Issue

Dmitri Popkov
Level 1

Good day.

Today I've noticed a strange issue while configuring NAT on an ASA 8.4.

I have a local router (IP 10.0.102.2) which is connected to the ASA (inside_local: 10.0.102.1). The ASA is connected to the ISP (outside: 172.16.1.2).

interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/7
 switchport access vlan 10
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.248
!
interface Vlan10
 nameif inside_local
 security-level 100
 ip address 10.0.102.1 255.255.255.252
 ospf cost 100
 ospf priority 100
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
object network obj_any
 nat (inside_local,outside) dynamic interface
access-group ALLOW_LAN in interface outside

But translation didn't work.

Here are some show commands:

Auto NAT Policies (Section 2)
1 (inside_local) to (outside) source dynamic obj_any interface
    translate_hits = 3, untranslate_hits = 15
    Source - Origin: 0.0.0.0/0, Translated: 172.16.1.2/29

show xlate
1 in use, 207 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
       e - extended
ICMP PAT from inside_local:10.0.102.2/17 to outside:172.16.1.2/17 flags ri idle 0:00:00 timeout 0:00:30

On my local router I don't receive any of the ICMP packets.

Why does this happen? Can you tell me, please?

8 Replies

Dmitri Popkov
Level 1

Here is some debug nat output:

nat: translation - inside_local:10.0.102.2/19 to outside:172.16.1.2/19
nat: untranslation - outside:172.16.1.2/19 to inside_local:10.0.102.2/19
nat: untranslation - outside:172.16.1.2/19 to inside_local:10.0.102.2/19
nat: untranslation - outside:172.16.1.2/19 to inside_local:10.0.102.2/19
nat: untranslation - outside:172.16.1.2/19 to inside_local:10.0.102.2/19

Hey Dmitri,

Try this.

First remove the access list:

no access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any

Then replace it with:

access-list ALLOW_LAN extended permit ip any 10.0.0.0 255.0.0.0

Thanks,

vishaw

Hi,

The LAN interface ACL seems to be correct so no need to change it. You have subnets of 10.0.0.0/8 behind the "inside_local" interface, I presume.

Please issue the following command:

packet-tracer input inside_local tcp 10.0.102.2 12345 8.8.8.8 80

And copy/paste the complete output here.

As we can't see your whole configuration, we can't tell if there are perhaps some routing-related problems or other configurations causing the problem.

The above output should tell us more though.

If you are testing with ICMP, add the following:

fixup protocol icmp
fixup protocol icmp error

Or, put another way, if you have a pretty default config:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

- Jouni

Here is the packet-tracer output:

packet-tracer input inside_local tcp 10.0.102.2 12345 8.8.8.8 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ALLOW_LAN in interface inside_local
access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside_lan
 nat (inside_local,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.102.2/12345 to 37.203.241.10/12345

Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5131, packet dispatched to next module

Result:
input-interface: inside_local
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

It seems that NAT is OK... but I still can't send ICMP from the local router through the ASA (and I don't even have). Also I've done this:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

But it didn't help...
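A packet-tracer run with eight phases is easy to misread by eye, and the question a responder really wants answered is "which phase dropped it, and why". The Python script below is an added example, not part of the thread and not Cisco tooling: it splits a trace into its phases, reports the first phase whose verdict is DROP together with the Drop-reason line from the trailing summary block, and pulls the original/translated socket pair out of the NAT phase. The two traces embedded in it are constructed to follow the output format shown above (one allowed and PATed to the outside interface address, one stopped by the implicit deny); they are not captured from a live device.

```python
"""Parse ASA packet-tracer output into phases and report where a packet is dropped.
Added example, not from the thread or Cisco; both samples below are constructed
to follow the packet-tracer output format shown in the thread."""
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"

def parse_packet_tracer(text):
    """Return (phases, final): the numbered phases and the trailing 'Result:' summary."""
    phases, final = [], {}
    current = section = None                    # section: "config" | "info" | "final"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "Result" and not value:
            current, section = None, "final"    # a bare "Result:" opens the summary block
        elif section == "final":
            if sep:
                final[key] = value
        elif current is None:
            continue
        elif sep and key == "Type":
            current.type = value
        elif sep and key == "Result":
            current.result = value.upper()
        elif sep and key in ("Config", "Additional Information") and not value:
            section = "config" if key == "Config" else "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, final

def first_drop(phases):
    """First phase whose verdict is DROP, or None when every phase allowed the packet."""
    return next((p for p in phases if p.result == "DROP"), None)

def nat_translation(phases):
    """(original, translated) socket pair from the NAT phase, or None if nothing was translated."""
    for p in phases:
        if p.type == "NAT":
            for line in p.info:
                m = re.match(r"(?:Dynamic|Static) translate (\S+) to (\S+)", line)
                if m:
                    return m.group(1), m.group(2)
    return None

# Constructed sample: an inside-to-outside TCP trace that is allowed and PATed
ALLOW_SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group ALLOW_LAN in interface inside_local
access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
Additional Information:

Phase: 2
Type: NAT
Result: ALLOW
Config:
object network inside_lan
 nat (inside_local,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.102.2/12345 to 172.16.1.2/12345

Result:
input-interface: inside_local
Action: allow
"""

# Constructed sample: an outside-to-inside trace stopped by the implicit deny
DROP_SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Run parse_packet_tracer on pasted output, then first_drop and nat_translation on the returned phases; because the parser keys off the literal "Phase:", "Config:", "Additional Information:" and bare "Result:" markers, a trace pasted from a ticket with extra blank lines or indentation still parses.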

Hi,

Can you share the complete configuration (while removing any sensitive information)?

The above output tells us that the simulated packet would pass the ASA. That would possibly indicate a problem with some other device, or perhaps some problems with regard to return routing.

Though if you have generated traffic from the directly connected network behind the ASA (the link network), then there should not be a problem.

- Jouni

Here is my full config:

ASA Version 8.4(4)1
!
hostname GWD-FW-MAIN-2
domain-name GWD-FW-MAIN-2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 100
 shutdown
!
interface Ethernet0/2
 switchport access vlan 100
 shutdown
!
interface Ethernet0/3
 switchport access vlan 100
 shutdown
!
interface Ethernet0/4
 switchport access vlan 1000
!
interface Ethernet0/5
 switchport access vlan 100
 shutdown
!
interface Ethernet0/6
 switchport access vlan 100
 shutdown
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.248
!
interface Vlan10
 nameif inside_local
 security-level 100
 ip address 10.0.102.1 255.255.255.252
 ospf cost 100
 ospf priority 100
!
interface Vlan100
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan1000
 nameif TRUNK_TO_ASA
 security-level 100
 ip address 10.10.10.1 255.255.255.252
 ospf cost 1000
!
ftp mode passive
dns server-group DefaultDNS
 domain-name GWD-FW-MAIN-1
object network inside_lan
 subnet 10.0.0.0 255.0.0.0
access-list ALLOW_LAN extended permit icmp 192.168.0.0 255.255.0.0 any
access-list ALLOW_LAN extended permit icmp 10.0.0.0 255.0.0.0 any
access-list ALLOW_LAN extended permit icmp 172.16.0.0 255.255.0.0 any
access-list ALLOW_LAN extended permit ip 192.168.0.0 255.255.0.0 any
access-list ALLOW_LAN extended permit ip 172.16.0.0 255.255.255.0 any
access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
logging recipient-address popkov@gwd.ru level errors
mtu outside 1500
mtu inside_local 1500
mtu TRUNK_TO_ASA 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm.bin
no asdm history enable
arp timeout 14400
!
object network inside_lan
 nat (inside_local,outside) dynamic interface
access-group ALLOW_LAN in interface outside
!
router ospf 1
 router-id 172.30.0.2
 network 10.0.102.0 255.255.255.252 area 2.2.2.2
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside_local
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside_local
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.245 prefer
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
 anyconnect-essentials
username DarK_ password CofDAesx0m/lvYOZ encrypted privilege 15
!
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect icmp error
  inspect icmp
policy-map global-policy
 class class-default
  user-statistics accounting
!
service-policy global-policy global
smtp-server 192.168.1.224
prompt hostname context
no call-home reporting anonymous
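Several of the things a reviewer would flag in a configuration like the one above can be checked mechanically before anyone starts debugging NAT. The Python script below is an added example, not the poster's configuration and not Cisco tooling. It parses a running config in the form shown above (it assumes sub-commands are indented with a space, as show running-config prints them) and reports four patterns: an ACL bound inbound on a security-level-0 interface that permits RFC 1918 source ranges, SSH or HTTP management open to 0.0.0.0/0 on that interface, the "ssh key-exchange group dh-group1-sha1" setting, and a policy-map that carries inspect lines but is not referenced by any service-policy. SAMPLE_CONFIG is a constructed condensation of the posted lines; HARDENED_CONFIG is a constructed variant with each of those items corrected, against which the audit reports nothing. The names parse_config and audit, and the replacement addresses in the hardened variant, are assumptions of this example.

```python
"""Audit an ASA 8.4-style running config for the exposure patterns visible in the
posted configuration. Added example, not Cisco's or the poster's code; the sample
configs below are constructed from lines in the thread."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def _ace_source(t):
    """Source network of an extended ACE from its tokens; None for object references."""
    if t[5] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t[5] == "host":
        return ipaddress.ip_network(t[6] + "/32")
    if IPV4.match(t[5]) and IPV4.match(t[6]):
        return ipaddress.ip_network(f"{t[5]}/{t[6]}", strict=False)
    return None

def parse_config(text):
    """Collect the interface, ACL, management-plane and service-policy lines the audit needs.
    Assumes sub-commands are indented with a space, as 'show running-config' prints them."""
    cfg = {"acl": {}, "bind": {}, "seclevel": {}, "mgmt": [], "inspect": {}, "applied": set(), "kex": None}
    nameif = pm = None
    for raw in text.splitlines():
        line = raw.rstrip()
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):             # a top-level line ends the current block
            nameif = pm = None
        if t[0] == "nameif":
            nameif = t[1]
        elif t[0] == "security-level" and nameif:
            cfg["seclevel"][nameif] = int(t[1])
        elif t[0] == "access-list" and len(t) > 6 and t[2] == "extended":
            cfg["acl"].setdefault(t[1], []).append((t[3], _ace_source(t), line.strip()))
        elif t[0] == "access-group" and len(t) == 5:
            cfg["bind"][t[4]] = (t[1], t[2])     # interface -> (ACL name, direction)
        elif t[0] == "ssh" and t[1:3] == ["key-exchange", "group"]:
            cfg["kex"] = t[3]
        elif t[0] in ("ssh", "http") and len(t) == 4 and IPV4.match(t[1]) and IPV4.match(t[2]):
            cfg["mgmt"].append((t[0], ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False), t[3]))
        elif t[0] == "policy-map":
            pm = t[1]
        elif t[0] == "inspect" and pm:
            cfg["inspect"].setdefault(pm, []).append(" ".join(t[1:]))
        elif t[0] == "service-policy":
            cfg["applied"].add(t[1])
    return cfg

def audit(cfg):
    """Return a list of findings; an empty list means none of the audited patterns is present."""
    findings = []
    outside = {n for n, lvl in cfg["seclevel"].items() if lvl == 0}
    for ifname, (acl, direction) in cfg["bind"].items():
        if direction == "in" and ifname in outside:
            for action, src, text in cfg["acl"].get(acl, []):
                # RFC 1918 sources should not arrive from the ISP side; permitting them weakens anti-spoofing
                if action == "permit" and src is not None and any(src.subnet_of(r) for r in RFC1918):
                    findings.append(f"{ifname}: ACL {acl} inbound permits private source {src} ({text})")
    for proto, net, ifname in cfg["mgmt"]:
        if ifname in outside and net.prefixlen == 0:
            findings.append(f"{ifname}: {proto} management reachable from any address")
    if cfg["kex"] == "dh-group1-sha1":
        findings.append("ssh: key-exchange dh-group1-sha1 is weak (1024-bit DH); prefer dh-group14-sha1 or stronger")
    for pm, inspects in cfg["inspect"].items():
        if pm not in cfg["applied"]:
            findings.append(f"policy-map {pm} carries 'inspect {inspects[0]}' but no service-policy applies it")
    return findings

# Constructed sample: the relevant lines of the posted config, condensed
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
access-list ALLOW_LAN extended permit icmp 192.168.0.0 255.255.0.0 any
access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
access-group ALLOW_LAN in interface outside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh key-exchange group dh-group1-sha1
policy-map global_policy
 class inspection_default
  inspect icmp
policy-map global-policy
 class class-default
  user-statistics accounting
service-policy global-policy global
"""

# Constructed hardened variant: the same config with each finding corrected
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("in interface outside", "in interface inside_local")
                   .replace("http 0.0.0.0 0.0.0.0 outside", "http 10.0.102.0 255.255.255.252 inside_local")
                   .replace("ssh 0.0.0.0 0.0.0.0 outside", "ssh 10.0.102.0 255.255.255.252 inside_local")
                   .replace("dh-group1-sha1", "dh-group14-sha1")
                   .replace("service-policy global-policy", "service-policy global_policy"))
```

Feed audit(parse_config(text)) the output of show running-config; the first two checks are worth keeping in any pre-change review because an ACL with private source ranges bound inbound on the outside interface and management listeners open to any address are both silent in packet-tracer output, which only exercises the flow you ask about.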

Hi,

What does the output of

show route

show for the ASA?

- Jouni

turbo_engine26
Level 4

Hi,

Why are you pinging from the local router to the ASA's outside interface? ... The packet tracer shows that your router can reach outside hosts successfully. If you want to ping the ASA itself, whether from inside or outside, you have to use the icmp command.

icmp permit 10.0.102.2 255.255.255.252 outside

But this command assumes that you are an outside host trying to ping the outside interface directly.

My question is, what exactly do you want to achieve here? Is it an internet access problem? .. If you want to test address translations, the most obvious way is to surf the internet. Also, I can see translation hits; this means that NAT is working and it is an access control issue. Try to ping from the local router to a known outside host instead.

Regards,

AM
