Packet Redirection and NAT order of Operations (ASA)

zafar_118
Level 1

Hello,

I know that Cisco ASA won't allow packet redirection on the same interface, i.e. let's assume that I have a web server sitting internally with IP address 192.168.1.100. There is a static NAT entry defined in the ASA so that public IP address 172.16.15.100 gets translated to 192.168.1.100. External clients can reach the web server, but internally if someone on subnet 192.168.1.x tries to reach the web server (by FQDN name) it will fail (because of packet redirection on the same interface). I have the following Cisco links explaining the Cisco ASA order of operations:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml

My question is: when a packet arrives at the inside interface, what will cause it to be dropped, i.e. ACL, policy routing, routing, etc. (from the section "NAT overview Inside-to-Outside" in the first link above)?

Thanks

4 Replies

Jouni Forss
VIP Alumni

Hi,

A host connecting from behind an interface to an IP address that is configured on another interface (or in your case configured as a NAT IP address) is simply not allowed by the ASA.

The first document you linked seems to me to have to do with Cisco routers and doesn't apply to ASA firewalls.

In case you are using an external DNS server, then you can add a "dns" parameter to your web server's Static NAT configuration.

Software 8.2 and below:

static (inside,outside) netmask 255.255.255.255 dns

Software 8.3 and above:

object network STATIC
host
nat (inside,outside) static dns

In both of the above cases the ASA uses the "dns" parameter. What the "dns" parameter does is look for DNS query and reply messages and determine if a DNS reply from an external DNS server contains some NAT IP address configured for a host behind the ASA (like the above examples).

If the DNS reply shows a public IP address that matches some Static NAT configuration then the ASA will modify the DNS reply to point to the local IP address and the host will connect to that instead of the public IP address.

If you are using an internal DNS server (which means the ASA won't possibly see the DNS messages) or you just want to keep connecting to the public IP address, then you have to also configure NAT configurations which enable your users to connect to the public IP address from your internal network.

To give you an example I would really need to know your setup better and the software level you are using.

- Jouni
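The following is an added illustration of the DNS rewrite behaviour Jouni describes above; it is not ASA code and not part of this thread. It parses a DNS reply, and whenever an IN A answer carries an address that appears as the mapped (public) side of a static NAT entry, it swaps in the real inside address, exactly as the "dns" keyword would do for a reply the ASA actually sees. The NAT table uses the addresses from the original question (172.16.15.100 mapped to 192.168.1.100); `build_reply` only constructs sample packets for testing, and all function names are my own.

```python
import socket
import struct

# Constructed static NAT table: mapped (public) IP -> real (inside) IP.
# The single entry reproduces the thread's example; it is illustrative only.
STATIC_NAT = {"172.16.15.100": "192.168.1.100"}


def _skip_name(buf, off):
    """Return the offset just past a DNS name at `off` (labels or a compression pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _answer_offsets(buf):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer RR in a DNS reply."""
    flags, qdcount, ancount = struct.unpack("!HHH", buf[2:8])
    if not flags & 0x8000:                 # QR=0: this is a query, nothing to rewrite
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4     # skip QNAME, then QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_reply(packet, nat_table=STATIC_NAT):
    """Rewrite IN A answers whose address is a mapped NAT IP to the real inside IP.
    Returns (possibly rewritten packet, number of records changed)."""
    if len(packet) < 12:                   # shorter than a DNS header: leave untouched
        return packet, 0
    out = bytearray(packet)
    changed = 0
    for off, rtype, rclass, rdlen in _answer_offsets(out):
        if rtype == 1 and rclass == 1 and rdlen == 4:      # IN A record, 4-byte rdata
            mapped = socket.inet_ntoa(bytes(out[off:off + 4]))
            real = nat_table.get(mapped)
            if real:
                out[off:off + 4] = socket.inet_aton(real)  # same length, so no offsets move
                changed += 1
    return bytes(out), changed


def answer_addresses(packet):
    """List the IPv4 addresses carried in a reply's IN A answers (for inspecting results)."""
    return [socket.inet_ntoa(bytes(packet[off:off + 4]))
            for off, rtype, rclass, rdlen in _answer_offsets(packet)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def build_reply(name, ips, txid=0x1234, ttl=300):
    """Build a minimal DNS response with one IN A answer per IP (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)   # QR=1, RD=1, RA=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)                        # QTYPE=A, QCLASS=IN
    answers = b"".join(b"\xc0\x0c"                                     # pointer to the QNAME
                       + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    reply = build_reply("www.example.com", ["172.16.15.100"])
    fixed, n = doctor_dns_reply(reply)
    print(n, answer_addresses(fixed))      # 1 ['192.168.1.100']
```

Two points this makes concrete: the rewrite only ever changes a reply that passes through the ASA, so an internal DNS server answering inside clients directly is never doctored (Jouni's second case), and it is a pure byte-for-byte substitution, which is why it is harmless to a reply whose answer does not match any static entry.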

Jouni,

Also recall that we must enable DNS inspect in the global (or interface) service-policy for the DNS rewrite to work.

Zafar,

In addition to heeding Jouni's good suggestion, you can always check the validity of a flow through an ASA using the packet-tracer command. It will walk you through all the logic steps and tell you if the packet will pass or, if denied, where it stops. More info is here:

https://supportforums.cisco.com/docs/DOC-5796

...and of course in the command reference.

Hi,

Most of the time that is enabled, but it can naturally be the case here that it isn't; I was really waiting for more specific follow-up information from the poster before writing more.

There are so many occasions where I might take a long time to reply to someone only to find that the original poster never replies.

- Jouni

Very true, Jouni. This is quite often the case when the OP only has a small handful of posts.

I was just reminded of it since I am studying for my CCNP firewall test and that detail was in a practice question.

BR,

- Marvin
