NAT with multiple external IPs and multiple internal IPs sharing public specific IPs

shell_uk_
Level 1

Hi all

I can't quite hit the nail on the head with this one. Any help would be very much appreciated please :)

Cisco ASA 5505
Running 8.4(1)

Example of what I am trying to do (I've basically run out of public IPs and need to direct access to certain hosts and services inside, but for complicated reasons I won't go into, as it won't help here and would just complicate it more for no reason, they can't be on the 'general usage' IP, so I need to share some of these other public IPs).

Public IP range: 12.34.56.1 - 12.34.56.5

Internal IP range: 192.168.1.1 - 192.168.1.254

12.34.56.5:
'General usage' IP. So by default everything goes in and out on this IP.

12.34.56.1:
Port 443 goes to 192.168.1.2
Port 80 goes to 192.168.1.3
Traffic from 192.168.1.2 and 192.168.1.3 to the internet comes from 12.34.56.1

12.34.56.2/.3/.4:
These are all dedicated to certain servers and work fine.

Bits of the config I think are relevant (please say if I've missed something):

interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.5 255.255.255.248

object network LAN
 subnet 192.168.1.0 255.255.255.0
object network NAT-IP-1
 host 12.34.56.1
object network server-2
 host 192.168.1.2
object network server-3
 host 192.168.1.3
object-group network SOURCE-ADDRESSES-2
 network-object host 192.168.1.2
 network-object host 192.168.1.3

access-list outside_access extended permit tcp any object server-2 eq https
access-list outside_access extended permit tcp any object server-3 eq www

nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

object network LAN
 nat (inside,outside) dynamic interface
object network server-2
 nat (inside,outside) static NAT-IP-1 service tcp https https

Traffic for server-2 and server-3 goes out on 12.34.56.1 instead of 12.34.56.5, that's fine. The port forwarding isn't happening though.

This results in this in the log:

4 Mar 19 2015 15:00:45 106023 5.6.7.8 53966 12.34.56.1 443 Deny tcp src outside:5.6.7.8/53966 dst outside:5.6.7.8/443 by access-group "outside_access" [0x0, 0x0]

If I do a packet trace it's just not showing the NAT entries expected (and the log above doesn't show the destination as the LAN IP either as expected):

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   12.34.56.1    255.255.255.248 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

What am I messing up with the NATing/port forwarding please?

Thank you!

Edit: Sorry John. Typo - corrected!

47 Replies

Hello,

Remove all current NAT statements and try the following.

object network server-2
 host 192.168.1.2
 nat (inside,outside) static 12.34.56.1 service tcp 443 443

object network server-3
 host 192.168.1.3
 nat (inside,outside) static 12.34.56.1 service tcp 80 80

object network server-4
 host 192.168.1.4
 nat (inside,outside) static 12.34.56.2

object network server-10
 host 192.168.1.10
 nat (inside,outside) static 12.34.56.3

object network server-50
 host 192.168.1.5
 nat (inside,outside) static 12.34.56.4

object network LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) 5 source dynamic any interface

access-list outside_access extended permit tcp any object server-2 eq https
access-list outside_access extended permit tcp any object server-3 eq www
access-list outside_access extended permit ip any object server-4
access-list outside_access extended permit ip any object server-10
access-list outside_access extended permit ip any object server-50

access-group outside_access in interface outside

Jeevak,

John is right, all your traffic matches in section 2.

Jeevak,

Jeevak

That's not what he wants though.

He doesn't want server-2 and server-3 to use the outside interface IP when they access the internet.

So you need dynamic NAT for those two servers and this is where the problem is.

Jon

As per the configuration he provided, the outside interface IP is 12.34.56.5, whereas I used 12.34.56.1.

interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.5 255.255.255.248

object network LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) 5 source dynamic any interface

The above will translate server-2 and server-3 to the interface IP address when they make connections to the internet on ports other than http or https.

Your static statements for those two servers are only for those ports but he also wants any other traffic from those servers ie. not for those ports, to be translated to a different IP.

See the original post for details.

Jon

That is why I put that at the end of section 2 with line number 5.

Perhaps I am misunderstanding or not explaining myself very well.

Firstly I don't think you can order lines in section 2.

But that's not the issue. It doesn't matter where you put it in section 2.

You have two rules for server-2 and server-3 for http and https.

So using your rules what IP does either of those servers get translated to if they used ssh for example to connect to a server on the internet ?

I think with your rules it would use the interface IP because there is no other rule to catch it.

But he doesn't want those servers to use the interface IP for any connections.

Jon

1. Yes, we can change order numbers in section 2.

2. For ssh, you are right, it will use the IP 12.34.56.5. I configured it as per what he needs:

12.34.56.5: any 192.168.1.* IP not mentioned above. The mentioned IP is the IP of the outside interface Vlan2.

interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.5 255.255.255.248

Jeevak,

Jeevak

My apologies for continually spelling your name incorrectly.

I should have been more careful.

I will edit my other replies.

Jon

Jeevak

1) not according to the documentation -

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#pgfId-1118157

section 2 rules are automatically ordered, doesn't matter what line number you have given it.

2) he doesn't want to have to setup statics for every outgoing port from those servers that is why he used a dynamic NAT which is a perfectly reasonable thing to want to do, it's just in the wrong place.

Jon

Jon,

I was wrong about section 2; yes, we can't change the order number in section 2. Actually, during configuration it will allow you to set a line number, but after configuration that statement exits section 2 and is entered into section 1.

I just tried it in a test lab.

Thanks,

Jon,

He must confirm his requirement again before any suggestion. If it is what he replied to my post, then I have to alter the last NAT statement as follows, because in section 2 static NAT is ordered first and then dynamic.

object network LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

Please suggest,

Jeevak

The original problem is because of this statement in section 1 -

nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

which is where he is doing dynamic NAT for server-2 and server-3 and that meant his static PAT statements in section 2 were never getting hit.

I think we'll wait on his reply but basically you can't manually reorder section 2 and even if he moved the above statement to section 2 your dynamic NAT statement would take precedence because it has more IPs.

So I made a couple of suggestions as to how he could reorder the NAT to try and make it work which are in a previous post above.

Jon

Yes, I made the 'nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1' static instead (I made a reply above to my original post) as an experiment and this got it working as far as this:

Out bound IP: Correct

Inbound port mappings: It tries to send both to server-2/192.168.1.2, so port 443 works! - it ignores that the port 80 one is for server-3/192.168.1.3 for some reason though and directs port 80 to server-2/192.168.1.2 also.

nat (inside,outside) source static SOURCE-ADDRESSES-2 NAT-IP-1

object network server-2
 nat (inside,outside) static NAT-IP-1 service tcp https https
object network server-3
 nat (inside,outside) static NAT-IP-1 service tcp www www

Logs..

So 443->192.168.1.2 works

Built inbound TCP connection 394317674 for outside:5.6.7.8/50162 (5.6.7.8/50162) to inside:192.168.1.2/443 (12.34.56.1/443)
Teardown TCP connection 394317674 for outside:5.6.7.8/50162 to inside:192.168.1.2/443 duration 0:00:01 bytes 4539 TCP FINs

But then port 80->192.168.1.3 is denied because it's trying to send it to 192.168.1.2 also?

Deny tcp src outside:5.6.7.8/59385 dst inside:192.168.1.2/80 by access-group "outside_access" [0x0, 0x0]

nat (inside,outside) source static SOURCE-ADDRESSES-2 NAT-IP-1

To be honest I didn't think you could do this because you are mapping one public IP to two private IPs so how does the ASA know which IP to send it to ?

I think what might be happening is with the above statement it is matching traffic inbound before getting to your section 2 statements.

What does "sh nat" show in terms of hits ?

Edit - sorry didn't explain the above very well so I changed it.

Jon
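The configuration below is an added example and not something posted in this thread. It shows one way to get the ordering Jon describes on ASA 8.4: every translation for the two servers lives in section 1 (manual/twice NAT) in explicit order, static PATs first and the dynamic rule after them, and only the general LAN rule stays in section 2. It also avoids the one-to-many `source static SOURCE-ADDRESSES-2 NAT-IP-1` that Jon questions above, since each static rule maps exactly one real host, so the untranslate of an inbound packet is never ambiguous. The objects NAT-IP-1, server-2, server-3, SOURCE-ADDRESSES-2 and LAN and all addresses are taken from the original post; the service object names TCP-443 and TCP-80 are my own choice.

```cisco
! Added example, not from the thread. Assumes the objects NAT-IP-1,
! server-2, server-3, SOURCE-ADDRESSES-2 and LAN already exist as in
! the original post. TCP-443 and TCP-80 are new names chosen here.

! In twice NAT the service object names the port on the real (inside)
! host, which is why the port is written as "source" rather than
! "destination".
object service TCP-443
 service tcp source eq https
object service TCP-80
 service tcp source eq www

! Section 1 is evaluated top to bottom and the first match wins, so the
! order of these three lines is what fixes the problem: the static PATs
! must come before the dynamic rule that covers the same two hosts.
! 1) 12.34.56.1:443 <-> 192.168.1.2:443
nat (inside,outside) 1 source static server-2 NAT-IP-1 service TCP-443 TCP-443
! 2) 12.34.56.1:80  <-> 192.168.1.3:80
nat (inside,outside) 2 source static server-3 NAT-IP-1 service TCP-80 TCP-80
! 3) any other flow from the two servers (ssh, dns, ...) leaves as 12.34.56.1
nat (inside,outside) 3 source dynamic SOURCE-ADDRESSES-2 NAT-IP-1

! Section 2 (object NAT) is only consulted for flows that matched nothing
! in section 1, so the rest of the LAN still uses the interface address.
object network LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Remove the section 2 static PATs that were configured under
! "object network server-2" and "object network server-3" in the
! original post; they were shadowed by the section 1 dynamic rule.
! The outside_access ACL is unchanged: post-8.3 it matches the real
! (inside) addresses, which is what it already does.
```

After applying the change, run `clear xlate` so no stale translations from the old dynamic rule survive, then confirm the ordering with `packet-tracer input outside tcp 5.6.7.8 53966 12.34.56.1 443` and the same trace for port 80: the NAT phase should now show the static line for the matching server as the untranslate rule, and `show nat detail` should show hit counts climbing on lines 1 and 2 rather than on line 3. An outbound trace from 192.168.1.2 on a port other than 443 (for example `packet-tracer input inside tcp 192.168.1.2 40000 8.8.8.8 22`) should pick line 3 and translate the source to 12.34.56.1.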
