03-19-2015 08:14 AM - edited 03-11-2019 10:39 PM
Hi all
I can't quite hit the nail on the head with this one. Any help would be very much appreciated please :)
Cisco ASA 5505
Running 8.4(1)
Example of what I am trying to do (I've basically run out of public IPs and need to direct access to certain hosts and services inside, but for complicated reasons I won't go into, as it won't help here and would just complicate it more for no reason, they can't be on the 'general usage' IP, so I need to share some of these other public IPs).
Public IP range: 12.34.56.1 - 12.34.56.5
Internal IP range: 192.168.1.1 - 192.168.1.254
12.34.56.5:
'General usage' IP. So by default everything goes in and out on this IP.
12.34.56.1:
Port 443 goes to 192.168.1.2
Port 80 goes to 192.168.1.3
Traffic from 192.168.1.2 and 192.168.1.3 to the internet comes from 12.34.56.1
12.34.56.2/.3/.4:
These are all dedicated to certain servers and work fine.
Bits of the config I think are relevant (please say if I've missed something):
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.5 255.255.255.248
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network NAT-IP-1
 host 12.34.56.1
object network server-2
 host 192.168.1.2
object network server-3
 host 192.168.1.3
object-group network SOURCE-ADDRESSES-2
 network-object host 192.168.1.2
 network-object host 192.168.1.3
access-list outside_access extended permit tcp any object server-2 eq https
access-list outside_access extended permit tcp any object server-3 eq www
nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
object network LAN
 nat (inside,outside) dynamic interface
object network server-2
 nat (inside,outside) static NAT-IP-1 service tcp https https
Traffic for server-2 and server-3 goes out on 12.34.56.1 instead of 12.34.56.5, that's fine. The port forwarding isn't happening though.
This results in this in the log:
4 Mar 19 2015 15:00:45 106023 5.6.7.8 53966 12.34.56.1 443 Deny tcp src outside:5.6.7.8/53966 dst outside:5.6.7.8/443 by access-group "outside_access" [0x0, 0x0]
If I do a packet trace it's just not showing the NAT entries expected (and the log above doesn't show the destination as the LAN IP either, as expected):
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 12.34.56.1 255.255.255.248 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
What am I messing up with the NATing/port forwarding please?
Thank you!
Edit: Sorry John. Typo - corrected!
03-20-2015 05:21 AM
Hi Jon
No I don't understand why it works. I've even gone as far as visiting a site like ipchicken.com from that machine and it definitely shows 12.34.56.1. Hmm. Reading the docs you link to atm.
Thanks
03-20-2015 05:26 AM
Sorry, I made a real hash of explaining in the last post.
nat (inside,outside) source static SOURCE-ADDRESSES-2 NAT-IP-1
what is happening is that server-2 works because it is mapped to the public IP in the above. So it works but it isn't using your section 2 static statement.
But server-3 doesn't work because inbound traffic is to port 80 to the public IP but the above statement also catches that traffic so again it doesn't get to your section 2 statement.
What your above statement does is map all ports for server-2 to that public IP.
When you connect from outside you are connecting to that public IP on a specific port and the ASA simply matches it to server-2 ie. it has no way of knowing it is for server-3
Remember nothing is getting to section 2.
Jon
03-20-2015 05:32 AM
You need to use one of the solutions I provided earlier.
Jon
03-20-2015 05:51 AM
The recommendation in that doc I linked to is to have static PAT statements in section 2 and general dynamic NAT in section 3.
So as per solution I mentioned -
1) go back to your dynamic NAT for the two servers and put it in section 2
2) leave your static PAT statements in section 2.
static takes precedence over dynamic so it should work.
3) move your dynamic NAT statement for the whole LAN to section 3 otherwise it would take precedence over the dynamic NAT for your two servers.
See previous post for more details.
Jon
03-20-2015 05:58 AM
Thanks again Jon :-)
In between your posts (so before seeing this one) I've done this and it appears to work. I've basically stuck it all in section one at the end of it... Am I missing something that will have broken here? I've done various checks and can't find something.
<section 1, everything else before it>
nat (inside,outside) source static server-2 NAT-IP-1 service HTTPS HTTPS
nat (inside,outside) source static server-3 NAT-IP-1 service HTTP HTTP
nat (inside,outside) source static server-2 NAT-IP-1
nat (inside,outside) source static server-3 NAT-IP-1
So if it's for those ports it matches it; if it isn't for any port specifically it still catches it at the next rules and does its thing for outbound NAT too. If it isn't for server-2/server-3 it doesn't match anyway and moves on to section 2 with the host-specific public IP NAT rules, then finally, at the end of section 2, the 'catch all'.
03-20-2015 06:09 AM
Am I missing something that will have broken here?
As long as your specific port translations are higher up in the order you should be okay.
The only thing I would say, and it is just a suggestion, is that with your static statements for the whole IPs ie. the last two you are in effect opening up every port to server-2 (but not server-3 because of what I explained earlier).
Obviously you have an acl to control access but you could if you wanted remove the last two statements and replace it with your original dynamic NAT statement.
As long as it still came after the more specific static port translations in the same section then it should work fine.
That way you are not opening up any ports that may accidentally be allowed in your acl.
So it would basically be the first option I suggested in a previous post.
But it is entirely up to you.
Jon
03-20-2015 06:13 AM
Hi Jon
Change made. Makes sense to be doubly safe.
Are there any downsides of this over what you then said about basically doing this in section 2 (because static wins over dynamic there, with no ordering) but moving the general LAN NAT to section 3 (to make sure it's last)?
Thank you!
03-20-2015 07:34 AM
The only downside is that you may further down the line face issues again because of your NAT ordering.
The Cisco docs recommend doing most NAT in section 2 and then using sections 1 and 3 for the exceptions.
The doc I linked to by Jouni (which is one of the best docs I have seen on this site) recommends doing all the general NAT in section 3 because it is checked last and so all your more specific rules are matched first.
To me that makes a lot of sense because it then gives you more flexibility in what you can put in other sections without having to fit it all into one section.
And Jouni spends most of his time working with these firewalls for an ISP supporting customer environments so he has a lot of experience with them.
So that doc is well worth a couple of reads and I still refer to it all the time.
But it is really up to you as to how you want to do it in the end.
Glad to hear you got it working.
Jon
03-20-2015 09:11 AM
All making a lot more sense now. That article is very good.
I think I'm going to have to leave this in section one though, because SOURCE-ADDRESSES-2 is an object-group so I can't apply NAT to it (can't put it in section 2). I can't make it with a range/subnet under an object either, as the actual 2 LAN IP addresses I'm dealing with aren't next to each other like in the example (sorry - should have made the IPs more in line with what I actually have here).
For some reason when I put it in section 3 though then follow it with the general NAT at the end, it gets ignored and just general NAT applied.
03-20-2015 09:34 AM
Right, that ignoring thing was a bug. I found it on this (looks handy to go through too in full). http://www.slideshare.net/CiscoRu/understanding-andtroubleshootingasanat11finalapproved
Slides 38/39. So there's a bug in my version so they don't get applied in that order (confirmed with the show asp .... command). Removed both and re-added. All good :-)
03-19-2015 02:47 PM
but he also wants any other traffic from those servers ie. not for those ports, to be translated to a different IP.
Jon, you are right, but this is what he needs:
Public IP     LAN IP
12.34.56.1    192.168.1.2 (port 443) and 192.168.1.3 (port 80)
12.34.56.2    192.168.1.4 (various ports)
12.34.56.3    192.168.1.10 (various ports)
12.34.56.4    192.168.1.50 (various ports)
12.34.56.5    Any 192.168.1.* IP not mentioned above (interface IP)
03-19-2015 02:55 PM
Jeevak
I think that's where the confusion has come in.
The requirements he gave you are different from the ones he has talked about in other responses.
So yes your configuration meets those requirements but if you read the original post the whole reason the NAT isn't working is because he has a dynamic NAT statement for server-2 and server-3 which is being matched before the static PAT statements.
Jon
03-19-2015 02:55 PM
Exactly, Jon, that is where I was also having some confusion, so I first took confirmation from him before making any suggestion.
03-19-2015 11:46 AM
# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24_DIALINVPN NETWORK_OBJ_10.10.10.0_24_DIALINVPN
    translate_hits = 16375, untranslate_hits = 1081417
2 (inside) to (outside) source static LAN LAN destination static RemoteLANVPN RemoteLANVPN
    translate_hits = 90500794, untranslate_hits = 123604551
3 (inside) to (outside) source static internalhost1 interface service INTERNAL_PORT1 EXTERNAL_PORT1   (this happens on the general use ip)
    translate_hits = 4145, untranslate_hits = 27308
4 (inside) to (outside) source static internalhost2 interface service INTERNAL_PORT1 EXTERNAL_PORT2   (this happens on the general use ip)
    translate_hits = 0, untranslate_hits = 657
5 (outside) to (inside) source static any any destination static interface internalhost7 service 8080 8080   (this happens on the general use ip)
    translate_hits = 7724, untranslate_hits = 14632
6 (inside) to (outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
    translate_hits = 16449, untranslate_hits = 14853

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static server-4 12.34.56.2
    translate_hits = 11406622, untranslate_hits = 576964
2 (inside) to (outside) source static server-2 NAT-IP-1 service tcp https https
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static server-3 NAT-IP-1 service tcp http http
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static server-5 12.34.56.3
    translate_hits = 97036, untranslate_hits = 1149482
5 (inside) to (outside) source static server-6 12.34.56.4
    translate_hits = 65, untranslate_hits = 174
6 (inside) to (outside) source dynamic NETWORK_OBJ_10.10.10.0_24_DIALINVPN interface
    translate_hits = 0, untranslate_hits = 0
7 (inside) to (outside) source dynamic LAN interface
    translate_hits = 63479715, untranslate_hits = 53493227
Number 5 in the "manual NAT" section is odd. It works, but it's basically doing the same as 3 and 4, so I'm not sure why it is that way round (outside,inside vs inside,outside).
03-19-2015 12:03 PM
Okay, it's the problem I described before ie. you are not getting to your static statements because the earlier NAT rule is matching.
So you have two choices -
1) you could move your section 2 static statement for those servers to section 1 and make sure they appear before the dynamic statements. You can choose the order in sections 1 and 3
2) or you can move the section 1 dynamic statement for those servers to section 2 where static takes precedence over static.
The only problem here is you cannot order the rules and from what I understand if you have multiple dynamic rules the larger number of IPs takes precedence and you have -
(inside) to (outside) source dynamic LAN interface
which would override your dynamic translation for just the two servers.
So you would need to move the above rule to section 3 eg.
nat (inside,outside) after-auto dynamic LAN interface
Whichever you choose you are going to have to move some NAT rules around I'm afraid.
Jon
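Added example (not part of the thread): the two layouts Jon describes, written out as ASA 8.4 config against the object names from the original post. The service objects HTTPS and HTTP, and the second host objects server-2-dyn and server-3-dyn, are assumed names; the rest is the poster's own objects.

```cisco
! Option 1: everything for the two servers in section 1 (manual NAT), ordered explicitly.
! Manual static PAT takes service objects that define the *source* port being translated.
object service HTTPS
 service tcp source eq https
object service HTTP
 service tcp source eq www
!
! The port-specific rules must sit ABOVE the dynamic rule or the dynamic rule shadows them.
nat (inside,outside) source static server-2 NAT-IP-1 service HTTPS HTTPS
nat (inside,outside) source static server-3 NAT-IP-1 service HTTP HTTP
! Outbound catch-all for the two hosts. "source dynamic" does not open inbound ports,
! unlike the whole-host "source static" lines the poster first used.
nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
! The LAN catch-all stays in section 2 (auto NAT) and is only reached for other hosts.
object network LAN
 nat (inside,outside) dynamic interface

! Option 2: put the server rules in section 2 and push the LAN catch-all to section 3.
! Auto NAT allows one rule per network object and does not accept object-groups, so the
! "everything else" dynamic rule for each server needs a second object with the same host.
no nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
object network server-2
 nat (inside,outside) static NAT-IP-1 service tcp https https
object network server-3
 nat (inside,outside) static NAT-IP-1 service tcp www www
object network server-2-dyn
 host 192.168.1.2
 nat (inside,outside) dynamic NAT-IP-1
object network server-3-dyn
 host 192.168.1.3
 nat (inside,outside) dynamic NAT-IP-1
! after-auto places the LAN rule in section 3, so it is evaluated after every section 2 rule.
object network LAN
 no nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic LAN interface

! Check the resulting order, then replay the inbound flow from the original log entry.
show nat
packet-tracer input outside tcp 5.6.7.8 53966 12.34.56.1 443
```

With either layout, the trace should show an UN-NAT phase to 192.168.1.2 before the access-list phase, instead of the acl-drop seen in the original post.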