12-02-2014 05:07 PM - edited 03-11-2019 10:10 PM
Hello all,
I'm not understanding why my initial NAT configuration does not work. Here's the goal: we have a site with only one external IP address. At the site we have two web servers that do not have a default gateway. We access other servers at the site that do have a default gateway.
So the idea was to PAT both server's port 80 to 2 external ports 801 and 802 on the only external IP address. Then translate the source IP address of traffic going only to these two servers to a local NAT'ed IP.
Here was the initial config:
object network SITE_NAT
host 10.10.10.99
object network Server1
host 10.10.10.10
object network Server2
host 10.10.10.20
! SITE_SRVRS is an object group including both Server1 and Server2 objects
nat (outside,SITE_NET) source dynamic any SITE_NAT destination static SITE_SRVRS SITE_SRVRS
!
object network Server1
nat (SITE_NET,outside) static interface service tcp 80 801
object network Server2
nat (SITE_NET,outside) static interface service tcp 80 802
!
nat (any,outside) after-auto source dynamic any interface
!! show nat details
1 (outside) to (SITE_NET) source dynamic any SITE_NAT destination static SITE_SRVRS SITE_SRVRS
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 10.10.10.99/32
Destination - Origin: 10.10.10.10/32, 10.10.10.20/32, Translated: 10.10.10.10/32, 10.10.10.20/32
Auto NAT Policies (Section 2)
1 (SITE_NET) to (outside) source static Server1 interface service tcp 80 801
translate_hits = 0, untranslate_hits = 28
Source - Origin: 10.10.10.10/32, Translated: 12.12.12.12/24
Service - Protocol: tcp Real: 80 Mapped: 801
2 (SITE_NET) to (outside) source static Server2 interface service tcp 80 802
translate_hits = 0, untranslate_hits = 16
Source - Origin: 10.10.10.20/32, Translated: 12.12.12.12/24
Service - Protocol: tcp Real: 80 Mapped: 802
Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 12.12.12.12/24
!! Packet Tracer From outside to inside accessing server1 port 80 (I removed the Phases that are the same on both config)
packet-tracer input outside tcp 4.2.2.2 33322 12.12.12.12 801
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Server1
nat (SITE_NET,outside) static interface service tcp 80 801
Additional Information:
NAT divert to egress interface SITE_NET
Untranslate 12.12.12.12/801 to 10.10.10.10/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_ACL in interface outside
access-list Outside_ACL extended permit tcp any object-group SITE_SRVRS eq 80
object-group network SITE_SRVRS
network-object object Server1
network-object object Server2
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) after-auto source dynamic any interface
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,SITE_NET) source dynamic any SITE_NAT destination static SITE_SRVRS SITE_SRVRS
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: SITE_NET
output-status: up
output-line-status: up
Action: allow
Even though the packet tracer is successful, the translations fail and we cannot gain access. To fix the problem we remove the original NAT statement that is supposed to translate source traffic to the local IP (10.10.10.99).
The config that works:
object network NoGateway
subnet 0.0.0.0 0.0.0.0
!! show run nat (NAT configuration)
object network Server1
nat (SITE_NET,outside) static interface service tcp 80 801
object network Server2
nat (SITE_NET,outside) static interface service tcp 80 802
object network NoGateway
nat (outside,SITE_NET) dynamic SITE_NAT
!
nat (any,outside) after-auto source dynamic any interface
!! show nat details
Auto NAT Policies (Section 2)
1 (SITE_NET) to (outside) source static Server1 interface service tcp 80 801
translate_hits = 0, untranslate_hits = 30
Source - Origin: 10.10.10.10/32, Translated: 12.12.12.12/24
Service - Protocol: tcp Real: 80 Mapped: 801
2 (SITE_NET) to (outside) source static Server2 interface service tcp 80 802
translate_hits = 0, untranslate_hits = 17
Source - Origin: 10.10.10.20/32, Translated: 12.12.12.12/24
Service - Protocol: tcp Real: 80 Mapped: 802
3 (outside) to (SITE_NET) source dynamic NoGateway SITE_NAT
translate_hits = 2, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 10.10.10.99/32
Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 12.12.12.12/24
!! Packet Tracer (Again removing phase that are the same as above)
packet-tracer input outside tcp 4.2.2.2 33322 12.12.12.12 801
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Server1
nat (SITE_NET,outside) static interface service tcp 80 801
Additional Information:
NAT divert to egress interface SITE_NET
Untranslate 12.12.12.12/801 to 10.10.10.10/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_ACL in interface outside
access-list Outside_ACL extended permit tcp any object-group STER_SCD_SRVR eq 80
object-group network STER_SCD_SRVR
network-object object Server1
network-object object Server2
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network NoGateway
nat (outside,SITE_NET) dynamic SITE_NAT
Additional Information:
Dynamic translate 4.2.2.2/33322 to 10.10.10.99/33322
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Server1
nat (SITE_NET,outside) static interface service tcp 80 801
Additional Information:
Additional Information:
New flow created with id 207, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: SITE_NET
output-status: up
output-line-status: up
Action: allow
Now the problem is all traffic inbound is being translated to the local NAT IP.
First question is, why does the first config not work? From the NAT details it looks exactly like what we are trying to accomplish.
Second, how can we accomplish the original goal: PAT both servers' port 80 and translate the source IP address on traffic to ONLY these servers, and not all servers? I can't find the solution.
Looks like Phase 3 is the issue, but why? Also, why is the rpf-check different???
Thanks for your time and support,
Nick
12-03-2014 11:33 AM
Hi Nick,
Very interesting configuration :)
I believe it didn't work in the first case because of the order of NAT processing and the granular manual NAT statement used in the first case. As manual NAT is processed first, and according to your config the traffic flow is as below, and because you will always try to access your servers on external ip:801, it's not getting any hits, but that is not the case in the second one.
Real source : Any
Map source: 10.10.10.99
Real destination : 10.10.10.10/(20)
Map destination : 10.10.10.10/(20)
HTH
Murali
(Please mark this as a solution if it answered your query)
12-03-2014 11:49 AM
I think Murali is on the money here.
nat (outside,SITE_NET) source dynamic any SITE_NAT destination static SITE_SRVRS SITE_SRVRS
This statement translates any source address that is trying to reach either of the two servers regardless of which port they are trying to use. Is there any reason why you have this in your configuration? It is not common to use outside NAT in most setups unless there is a specific reason for it.
--
Please remember to select a correct answer and rate helpful posts
12-05-2014 05:45 PM
I really want to put a Correct Answer on this. But the correct reply is mine. :) I can't select Correct Answer on my posts.
12-06-2014 10:41 AM
That's cool :)
12-05-2014 05:36 PM
Hi Murali,
Your answer is very close, but not complete. I'm very familiar with the NAT Rule Order. I didn't think that was the problem. The actual problem is how Object NATs and Twice NATs are implemented. I didn't realize once a Twice NAT (manual nat) is matched no other rules are checked. Here is the information at this Link under How source and destination NAT is implemented. I was under the impression that Twice NAT were processed the same way Object NATs were.
So that was the problem, but what is the solution? That is for Cisco to allow parameters in nat statements. Otherwise we have to create 6 objects and two different nat statements in order to get this working. If they would allow parameters for port numbers, we would only use 3 objects (like I have) and two nat statements. The other reason why Cisco needs to allow this is because of how ugly a "working" statement looks.
How to Port Forward to Hosts without a return route:
nat (outside,inside) source dynamic any NATTED_IP_OBJECT destination static interface SERVER1_OBJ service TCP_801_OBJ TCP_80_OBJ
Real. Translated.
Confused?!? You should be... I know what I'm trying to do is a very rare objective. That is, get packets to a few hosts that do not have a return route (or default gateway). But I personally wrote this statement just 2 days ago and it still doesn't look right, but it works. :) And it works without translating all source IPs on traffic to hosts that do have a return route (aka NORMAL setup.. haha).
I hope someone finds this helpful. About 40 mins to find a working statement.
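A small Python model of the working statement Nick ends with, added here as an illustration (it is not ASA code and not from anyone in this thread): it shows that only traffic arriving for the interface IP on 801/802 gets its source rewritten to 10.10.10.99, and that the server's reply is reversed through the translation, so a host with no default gateway can still answer. The second rule for Server2 on port 802 and the port-preserving PAT are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (outside,inside) source dynamic any NATTED_IP_OBJECT destination
    static interface SERVERn_OBJ service TCP_80n_OBJ TCP_80_OBJ' rule."""
    real_src: str     # source network matched on outside ("0.0.0.0/0" = any)
    mapped_src: str   # on-link address the server sees (NATTED_IP_OBJECT)
    mapped_dst: str   # interface IP the client connects to
    real_dst: str     # SERVERn_OBJ
    mapped_port: int  # TCP_80n_OBJ
    real_port: int    # TCP_80_OBJ

    def matches(self, pkt):
        return (ip_address(pkt.src_ip) in ip_network(self.real_src)
                and (pkt.dst_ip, pkt.dst_port) == (self.mapped_dst, self.mapped_port))

    def forward(self, pkt):
        # Assumption: dynamic PAT keeps the client's source port when it is free.
        return Packet(self.mapped_src, pkt.src_port, self.real_dst, self.real_port)

class NatEngine:
    def __init__(self, rules):
        self.rules = rules
        self.xlate = {}  # translated reply 4-tuple -> original inbound packet

    def inbound(self, pkt):
        """First matching rule wins; anything else keeps its real source address."""
        for rule in self.rules:
            if rule.matches(pkt):
                out = rule.forward(pkt)
                self.xlate[(out.dst_ip, out.dst_port, out.src_ip, out.src_port)] = pkt
                return out
        return pkt

    def reply(self, pkt):
        """A server reply addressed to 10.10.10.99 is reversed via the xlate, else None."""
        orig = self.xlate.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return None if orig is None else Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)

def build_engine():
    # Addresses from the thread: interface 12.12.12.12, local NAT IP 10.10.10.99.
    return NatEngine([
        TwiceNat("0.0.0.0/0", "10.10.10.99", "12.12.12.12", "10.10.10.10", 801, 80),
        TwiceNat("0.0.0.0/0", "10.10.10.99", "12.12.12.12", "10.10.10.20", 802, 80),
    ])
```

Because every client now appears as 10.10.10.99 to the two servers, their own access logs no longer record the real client address; the firewall's connection table (the xlate here) is the only place that mapping exists.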