outside,inside NAT not working

I'm trying to port-map access to several inside servers by mapping an outside IP/port to an inside IP/port.  On a Cisco ASA 5520 I overloaded to get to the Internet and tried to NAT (outside,inside) to get to a web server from the outside.  I'm simulating this on my local network by overloading 192.168.168.233 from 192.168.171.0/24 to the internet router at 192.168.168.1.  The overload is working but the (outside,inside) is not.  My first attempt is to map an outside HTTP request to 192.168.168.233:8080 that should map to inside 192.168.171.66:80 (where I have Apache running).

 

See the following comment for config or the attached txt file.


12 Replies

PAT
!
object network HTTP_ALLAN_OBJ
host 192.168.168.233
nat (outside,inside) static 192.168.171.66 service tcp 8080 80

SH RUN
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.168.233 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.171.1 255.255.255.0
!
access-list OUTSIDE-IN extended permit ip any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any
access-list OUTSIDE-IN extended permit tcp any any eq www
access-list OUTSIDE-OUT extended permit ip any any
access-list OUTSIDE-OUT extended permit icmp any any
access-list OUTSIDE-OUT extended permit tcp any any
access-list INSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit icmp any any
access-list INSIDE-IN extended permit tcp any any
access-list INSIDE-OUT extended permit ip any any
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit tcp any any
!
nat (inside,outside) source dynamic any interface
!
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-OUT out interface outside
access-group INSIDE-IN in interface inside
access-group INSIDE-OUT out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.168.1 5

dhcpd option 3 ip 192.168.171.1
dhcpd address 192.168.171.3-192.168.171.63 inside

object network HTTP_ALLAN_OBJ
host 192.168.168.233
object network HTTP_ALLAN_OBJ
nat (outside,inside) static 192.168.171.66 service tcp 8080 www

DEBUG
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 18965, untranslate_hits = 6

Auto NAT Policies (Section 2)
1 (outside) to (inside) source static HTTP_ALLAN_OBJ 192.168.171.66 service tcp 8080 www
translate_hits = 0, untranslate_hits = 0
ciscoasa#



ciscoasa# packet-tracer input outside tcp 192.168.171.66 8080 192.168.168.233 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.168.233 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x741e62b8, priority=0, domain=nat-per-session, deny=false
hits=15379, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74830f08, priority=0, domain=permit, deny=true
hits=1798, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#

Hi,
You are pretty much there; you just need to flip everything around. See below:

object network HTTP_ALLAN_OBJ
host 192.168.171.66
nat (inside,outside) static 192.168.168.233 service tcp 80 8080

A more specific ACL would be this; notice it references the real IP address and real port, not the NATted address/port.

access-list OUTSIDE-IN extended permit tcp any host 192.168.171.66 eq 80

HTH

RJI, thanks for your help.  Here is what happened... Do I have to put the IP address on the outside interface in a different way?  Something like a VLAN or loopback?

 

ciscoasa(config)# no object network HTTP_ALLAN_OBJ
ciscoasa(config)# object network HTTP_ALLAN_OBJ
ciscoasa(config-network-object)#  host 192.168.171.66
ciscoasa(config-network-object)#  nat (inside,outside) static 192.168.168.233 service tcp 80 8080
ERROR: Address 192.168.168.233 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Replace the IP address with "interface":

nat (INSIDE,OUTSIDE) static interface service tcp www 8080

Hi RJI, I'm finding the ASA syntax to be very confusing....  The "nat (inside,outside) static interface service tcp www 8080" went in OK but I still can't get to the web server.  I don't see any hits on the new NAT....

 


 

Somehow the comments got truncated??? So I'm repeating the results from changing the IP address to "nat (inside,outside) static interface service tcp www 8080".

ciscoasa(config)# no object network HTTP_ALLAN_OBJ
ciscoasa(config)# object network HTTP_ALLAN_OBJ
ciscoasa(config-network-object)#  host 192.168.171.66
ciscoasa(config-network-object)#  nat (inside,outside) static interface service tcp www 8080
ciscoasa(config-network-object)#
ciscoasa(config-network-object)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 19595, untranslate_hits = 8

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HTTP_ALLAN_OBJ interface   service tcp www 8080
    translate_hits = 0, untranslate_hits = 0
ciscoasa(config-network-object)#


--------------from outside network------------------------
allan@allandesk ~ $ ping 192.168.168.233
PING 192.168.168.233 (192.168.168.233) 56(84) bytes of data.
64 bytes from 192.168.168.233: icmp_seq=1 ttl=255 time=0.470 ms
64 bytes from 192.168.168.233: icmp_seq=2 ttl=255 time=0.435 ms
64 bytes from 192.168.168.233: icmp_seq=3 ttl=255 time=0.455 ms
64 bytes from 192.168.168.233: icmp_seq=4 ttl=255 time=0.420 ms

allan@allandesk ~ $ telnet 192.168.168.233 8080
Trying 192.168.168.233...
^C
allan@allandesk ~ $ telnet 192.168.168.233 8080
Trying 192.168.168.233...
^C
allan@allandesk ~ $ telnet 192.168.168.233 8080
Trying 192.168.168.233...
^C
allan@allandesk ~ $ telnet 192.168.168.233 8080
Trying 192.168.168.233...
telnet: Unable to connect to remote host: Connection timed out

-------------------no hits in Section 2--------------------
ciscoasa(config-network-object)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 19602, untranslate_hits = 8

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HTTP_ALLAN_OBJ interface   service tcp www 8080
    translate_hits = 0, untranslate_hits = 0
ciscoasa(config-network-object)#

----------------from within the inside network-----------------
$ ip addr | grep 192
    inet 192.168.171.9/24 brd 192.168.171.255 scope global dynamic noprefixroute enp0s31f6
$ telnet 192.168.171.66 80
Trying 192.168.171.66...
Connected to 192.168.171.66.
Escape character is '^]'.
Connection closed by foreign host.
$
--------------- if this packet tracer is right????--------------------

ciscoasa# packet-tracer input outside tcp 192.168.171.66 8080 192.168.168.233 80 detailed 
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.168.233 255.255.255.255 identity
 
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x741e62b8, priority=0, domain=nat-per-session, deny=false
        hits=16414, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any
 
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x74830f08, priority=0, domain=permit, deny=true
        hits=2039, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
ciscoasa#
 

 

I imagine the "Manual NAT Policies (Section 1)" rule is causing the issue here.

Try this: "nat (INSIDE,OUTSIDE) after-auto source dynamic any interface". after-auto is the keyword here; it will move this rule to "Section 3" so it is processed after the "Section 2" NAT rule.

Like this?

no object network HTTP_ALLAN_OBJ
object network HTTP_ALLAN_OBJ
 host 192.168.171.66 
 nat (inside,outside) static interface service tcp www 8080
exit
 nat (inside,outside) after-auto source dynamic any interface 
 

You shouldn't need to remove the object, just modify the dynamic NAT rule by adding after-auto. If you then run "show nat" you will see "Section 3" with the dynamic NAT rule.

Any new object NATs you create will always be added to "Section 2"; your dynamic NAT rule will now (once added after-auto) be applied if no more specific NAT rule exists in Section 1 or 2.

HTH
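To make the Section 1 / Section 2 / Section 3 ordering concrete, and RJI's earlier point that the inbound ACL must name the real address rather than the mapped one, here is an added Python model of the ASA 8.3+ inbound NAT lookup. It is not Cisco code and not from anyone in this thread; it simplifies the lookup to "first matching rule in show nat order wins" and treats a dynamic PAT rule as unable to create a translation for a new inbound connection. The ASA addresses are the thread's; the outside client 198.51.100.7 is a constructed example.

```python
"""Added illustration (not Cisco code) of the ASA 8.3+ NAT lookup order:
Section 1 (manual NAT), Section 2 (Auto/object NAT), Section 3 (manual NAT
with after-auto). First match wins. A dynamic PAT rule only builds xlates
for outbound connections, so an inbound connection to the interface address
whose first match is dynamic PAT has nothing to untranslate to and is treated
as traffic to the ASA itself (to-the-box). Client 198.51.100.7 is constructed."""
from dataclasses import dataclass, replace
from typing import Optional

OUTSIDE_IF_IP = "192.168.168.233"  # ASA outside interface address from the thread


@dataclass(frozen=True)
class NatRule:
    section: int              # 1 manual, 2 auto (object NAT), 3 manual after-auto
    kind: str                 # "static" or "dynamic"
    real_ip: str              # "any" or a host address
    real_port: Optional[int]
    mapped_ip: str            # "interface" = egress interface address
    mapped_port: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    proto: str                # "ip", "tcp", ...
    dst_ip: str               # "any" or a host address
    dst_port: Optional[int]   # None = any port


def _mapped_ip(rule: NatRule) -> str:
    return OUTSIDE_IF_IP if rule.mapped_ip == "interface" else rule.mapped_ip


def untranslate(flow: Flow, rules: list[NatRule]) -> tuple[Optional[Flow], str]:
    """Inbound lookup: first rule (in show nat order) whose mapped address, and
    mapped port if it has one, equals the packet's destination."""
    for rule in sorted(rules, key=lambda r: r.section):  # stable sort keeps config order
        if _mapped_ip(rule) != flow.dst_ip:
            continue
        if rule.mapped_port is not None and rule.mapped_port != flow.dst_port:
            continue
        if rule.kind == "dynamic":
            return None, (f"first match is dynamic PAT in Section {rule.section}: "
                          "no xlate for a new inbound connection")
        real_port = flow.dst_port if rule.real_port is None else rule.real_port
        return (replace(flow, dst_ip=rule.real_ip, dst_port=real_port),
                f"static rule in Section {rule.section}")
    return None, "no NAT rule matched the destination"


def acl_permits(flow: Flow, acl: list[Ace]) -> bool:
    """Interface ACLs on 8.3+ are evaluated against the real (untranslated) flow."""
    for ace in acl:
        if (ace.proto in ("ip", flow.proto) and ace.dst_ip in ("any", flow.dst_ip)
                and (ace.dst_port is None or ace.dst_port == flow.dst_port)):
            return True
    return False  # implicit deny at the end of every ACL


def inbound(flow: Flow, rules: list[NatRule], acl: list[Ace]) -> str:
    real, why = untranslate(flow, rules)
    if real is None:
        where = "; handled as to-the-box" if flow.dst_ip == OUTSIDE_IF_IP else ""
        return f"DROP ({why}{where})"
    if not acl_permits(real, acl):
        return f"DROP (ACL denies real address {real.dst_ip}:{real.dst_port}; {why})"
    return f"FORWARD to {real.dst_ip}:{real.dst_port} ({why})"


def thread_scenarios() -> dict[str, str]:
    """The states discussed in the thread, for one constructed outside client."""
    client = Flow("tcp", "198.51.100.7", 40000, OUTSIDE_IF_IP, 8080)
    port_forward = NatRule(2, "static", "192.168.171.66", 80, "interface", 8080)
    pat_section1 = NatRule(1, "dynamic", "any", None, "interface", None)
    pat_section3 = NatRule(3, "dynamic", "any", None, "interface", None)
    real_acl = [Ace("tcp", "192.168.171.66", 80)]   # RJI's ACL, real address and port
    mapped_acl = [Ace("tcp", OUTSIDE_IF_IP, 8080)]  # common mistake: mapped address
    return {
        "pat in section 1": inbound(client, [pat_section1, port_forward], real_acl),
        "pat after-auto": inbound(client, [port_forward, pat_section3], real_acl),
        "acl on mapped addr": inbound(client, [port_forward, pat_section3], mapped_acl),
    }


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:20} {outcome}")
```

The model also explains why the earlier packet-tracer runs in this thread showed "NP Identity Ifc" and an implicit deny: with no static rule untranslating the destination, a packet addressed to the interface IP is treated as traffic to the ASA itself, so the interface ACL never applies. To test the port forward on the real box, use an outside client as the source and the mapped port as the destination (the client address here is a constructed example): packet-tracer input outside tcp 198.51.100.7 40000 192.168.168.233 8080. Once after-auto is in place the NAT phase should show the translation to 192.168.171.66/80 and untranslate_hits on the Section 2 rule should increment in show nat.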

You did it RJI, you're the best :-)   Thank you.

 

ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 20690, untranslate_hits = 8
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HTTP_ALLAN_OBJ interface   service tcp www 8080
    translate_hits = 0, untranslate_hits = 0
ciscoasa(config)#
 
ciscoasa(config)# sh run | i nat
nat (inside,outside) source dynamic any interface
 nat (inside,outside) static interface service tcp www 8080
ciscoasa(config)# no nat (inside,outside) source dynamic any interface
ciscoasa(config)# nat (inside,outside) after-auto source dynamic any interface
 
ciscoasa(config)# sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HTTP_ALLAN_OBJ interface   service tcp www 8080
    translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
ciscoasa(config)#
 
---------------from the outside network--------------
allan@allandesk ~ $ telnet 192.168.168.233 8080
Trying 192.168.168.233...
Connected to 192.168.168.233.
Escape character is '^]'.
^]
HTTP/1.1 400 Bad Request
Date: Fri, 16 Nov 2018 16:15:56 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
Connection closed by foreign host.
allan@allandesk ~ $

Thanks RJI, I don't know if my comment got to you, but thanks again for taking the time to look at my problem. You're the best :-)

Glad to hear it's working for you