Packets got dropped due to NAT rules

c.tabassum
Level 1

Hi,

I need help to resolve this issue. I am trying to ping from the 172.16.0.196 address (coming in via the "acc-network" interface) to 10.10.40.20. My packets are getting dropped because of the Global NAT rules.

What should I do to resolve the issue? I need the Global NAT rule to reach the 155.10.10.0/24 network via 60.160.160.28 from both the "acc-network" and "production" interfaces too.

Here are my config and show details.

asa-01#sh run
name 10.10.40.20 pro-pre-server
name 60.160.160.1 pro-pre-server-nat
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 60.160.160.2 255.255.255.0
!
interface Ethernet0/1
nameif acc-network
security-level 95
ip address 10.10.95.253 255.255.255.0
!
interface Ethernet0/2
nameif production
ip address 10.10.40.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.99.22 255.255.255.0
management-only
!
boot system disk0:/asa725-k8.bin
no ftp mode passive
dns server-group DefaultDNS
domain-name tmi-cms.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list production_access_in extended permit icmp any any traceroute
access-list production_access_in extended permit tcp any any eq https
access-list production_access_in extended permit icmp any any
access-list production_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any any eq www
access-list acc-network_access_in extended permit icmp any any traceroute
access-list acc-network_access_in extended permit tcp any any eq https
access-list acc-network_access_in extended permit icmp any any
access-list acc-network_access_in extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu production 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-525.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (acc-network) 1 0.0.0.0 0.0.0.0
nat (production) 1 0.0.0.0 0.0.0.0
no threat-detection statistics tcp-intercept
access-group outside_access_in in interface outside
access-group acc-network_access_in in interface acc-network
access-group production_access_in in interface production
route outside 0.0.0.0 0.0.0.0 60.160.160.28 1
route acc-network 172.16.0.0 255.255.255.0 10.10.95.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 10.10.99.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.10.99.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 30
management-access management
tftp-server management 10.10.99.100 tftp://10.10.99.100/
username manager password w8DyJk5xISyQAabZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:024140360614187f8ad66a344cd2704b
: end

asa-01# packet-tracer input acc-network icmp 172.16.0.196 8 0 10.10.40.20
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.40.0      255.255.255.0   production
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acc-network_access_in in interface acc-network
access-list acc-network_access_in extended permit icmp any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (acc-network) 1 0.0.0.0 0.0.0.0
  match ip acc-network any production any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 176, untranslate_hits = 0

asa-01# sh nat
NAT policies on Interface acc-network:
  match ip acc-network any outside any
    dynamic translation to pool 1 (60.160.160.2 [Interface PAT])
    translate_hits = 51, untranslate_hits = 0
  match ip acc-network any acc-network any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip acc-network any production any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 131, untranslate_hits = 0
NAT policies on Interface production:
  match ip production any outside any
    dynamic translation to pool 1 (60.160.160.2 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip production any acc-network any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 8, untranslate_hits = 0
  match ip production any production any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0


7 Replies

Anu M Chacko
Cisco Employee

Hi Chamon,

You have to first assign a security level to the "production" interface. Depending on the security level you assign, you can configure the NAT rule.

For the second question, where you want to reach the 155.10.10.0/24 network via 60.160.160.28 from acc-network, you have the needed nat in place. Please configure inspect icmp under the global policy map to allow the replies through.

policy-map global_policy
class inspection_default
inspect icmp

Let me know.

Regards,

Anu

Hi Anu,

It does have the correct sec-level. I did not copy the config file properly.

interface Ethernet0/2
nameif production
security-level 95
ip address 10.10.40.2 255.255.255.0

I can reach the 155.10.10.0/24 network via 60.160.160.28 from acc-network using the existing Global NAT without any issues.

My concern is that I cannot connect anything coming from the acc-network interface and trying to reach the production network. My https request is also dropping here.

I have set up only one NAT rule to go outside, but I believe I don't have any NAT rule to allow internal traffic. I need to know what I am missing here.

I also set the "acc-network" and "production" networks on the same sec-level. Should I do that, or can I give the "production" interface a lower sec-level of 80, since I have set up an access list to allow traffic from the "acc-network" to the "production" interface?

asa-01# packet-tracer input acc-network tcp 172.16.0.196 https 10.10.40.20 https
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.40.0      255.255.255.0   production
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acc-network_access_in in interface acc-network
access-list acc-network_access_in extended permit tcp any any eq https
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (pri-network) 1 0.0.0.0 0.0.0.0
  match ip acc-network any production any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 501, untranslate_hits = 0
Additional Information:
Result:
input-interface: pri-network
input-status: up
input-line-status: up
output-interface: production
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

I think I found a technique. I need to keep the traffic coming from the "acc-network" interface to the "production" interface out of NATing, OR should I use a static NAT for it?

Can someone post the command for me to do either of those?

Thanks.

Hi,

Add the following:

static (production,acc-network) 10.10.40.20 10.10.40.20

Let me know.

Regards,

Anu

Hi Anu,

It could not fix the problem, because both the "acc-network" and "production" interfaces are NATed to the "outside" interface address 60.160.160.2.

So when the traffic is coming from "acc-network" to "production", it might be seen as NATed to the "outside" interface address 60.160.160.2.

We need to source NAT the "acc-network" to some address. The whole "acc-network" interface is behind the 172.16.0.0/24 network.

asa-01# packet-tracer input acc-network tcp 172.16.0.196 https 10.10.40.20 https
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (production,acc-network) pro-pre-server pro-pre-server netmask 255.255.255.255
  match ip production host pro-pre-server acc-network any
    static translation to pro-pre-server
    translate_hits = 0, untranslate_hits = 13
Additional Information:
NAT divert to egress interface production
Untranslate pro-pre-server/0 to pro-pre-server/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Config:
access-group acc-network_access_in in interface acc-network
access-list acc-network_access_in extended permit tcp any any eq https
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (acc-network) 1 0.0.0.0 0.0.0.0
  match ip acc-network any production any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 19, untranslate_hits = 0
Additional Information:
Result:
input-interface: acc-network
input-status: up
input-line-status: up
output-interface: production
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Chamon,

Can you lower the security-level of the production interface and then apply that static? Or add:

nat (acc-network) 5 0 0
global (production) 5 interface

Regards,

Anu

Hi Anu,

I made it today.

I lowered the sec-level of acc-network to 90 and put the static route. Many thanks for your continuous support.

static (production,acc-network) 10.10.40.20 10.10.40.20

I do appreciate it.

Thanks.
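The thread's three outcomes (the "No matching global" drop at the same security level, Anu's second nat/global pair on production, and the final fix of lowering acc-network to 90) follow from how a pre-8.3 ASA pairs a dynamic nat id with a global on the egress interface. The model below is an added illustration, not Cisco code or anything from this thread; it assumes nat-control is off (it is absent from the config), ignores statics and the nat "outside" keyword, and uses the production security level of 95 given in the follow-up post.

```python
def nat_phase(asa, ingress, egress):
    """packet-tracer style NAT-phase verdict for a flow ingress -> egress.

    asa = {"levels": {nameif: security-level},
           "nat": [(nameif, id)],            # nat (nameif) id 0.0.0.0 0.0.0.0
           "global": {(nameif, id): pool}}   # global (nameif) id interface
    """
    lvl = asa["levels"]
    # A dynamic nat rule without the 'outside' keyword only applies to traffic
    # leaving towards an interface of equal or lower security level.
    candidates = [nid for ifc, nid in asa["nat"]
                  if ifc == ingress and lvl[egress] <= lvl[ingress]]
    if not candidates:
        # nat-control is absent from the config, so untranslated traffic passes
        return "ALLOW (no dynamic nat rule applies, traffic not translated)"
    # The ASA pairs the nat id with a global of the same id on the egress
    # interface; the first id that has one is used.
    for nid in candidates:
        pool = asa["global"].get((egress, nid))
        if pool:
            return f"ALLOW dynamic translation to pool {nid} ({pool})"
    return f"DROP dynamic translation to pool {candidates[0]} (No matching global)"

def original():
    """The config from the question (production at level 95, per the reply)."""
    return {"levels": {"outside": 0, "acc-network": 95, "production": 95},
            "nat": [("acc-network", 1), ("production", 1)],
            "global": {("outside", 1): "60.160.160.2 [Interface PAT]"}}

def with_global_on_production():
    """Anu's alternative: nat (acc-network) 5 0 0 + global (production) 5 interface."""
    asa = original()
    asa["nat"].append(("acc-network", 5))
    asa["global"][("production", 5)] = "10.10.40.2 [Interface PAT]"
    return asa

def with_lowered_acc_network():
    """The final fix: security-level of acc-network lowered to 90."""
    asa = original()
    asa["levels"]["acc-network"] = 90
    return asa

if __name__ == "__main__":
    for name, asa in [("original", original()),
                      ("global on production", with_global_on_production()),
                      ("acc-network at 90", with_lowered_acc_network())]:
        print(f"{name}: {nat_phase(asa, 'acc-network', 'production')}")
    print("outbound:", nat_phase(original(), "acc-network", "outside"))
```

Note that in the lowered-level case the model still drops production-to-acc-network traffic under nat (production) 1, which is why the static for the server remains useful in that direction.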
