Problem with order of NAT, not matching correct line. ASA 8.4

Alejandro Moran
Level 1

Hi

We are configuring a twice NAT to send traffic to ScanSafe; it is on an ASA 5505 running 8.4(3) at a remote location for the customer. The NAT redirection is working, but we also have a VPN tunnel to the corporate network. Through the tunnel we need to reach an HTTP server.

The problem we are having is that when we add the ScanSafe NAT, all HTTP traffic gets redirected to ScanSafe, including the traffic to the HTTP server on the corporate network.

10.2.1.0 ---<ASA5505> ---Internet,scansafe ---- <Corporate> --- 10.1.1.0

The HTTP server is 10.1.1.75.

The remote location network is 10.2.1.0/24.

This is the NAT and object configuration:

object network MTY_inside2
 subnet 10.2.1.0 255.255.255.0
object service www
 service tcp destination eq www
object network internet
 subnet 0.0.0.0 0.0.0.0
object network ScanSafe
 host 69.174.87.59
object service proxy8080
 service tcp destination eq 8080
object network bstl10.1.1.0
 subnet 10.1.1.0 255.255.255.0
object-group network BSTL_MX
 network-object 10.1.1.0 255.255.255.0
 network-object 10.5.1.0 255.255.255.0
 network-object 192.168.0.0 255.255.224.0
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.101.0 255.255.255.0

BSTL-MTY-ASA(config)# sh run nat
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
nat (LAN,outside) source static MTY_LAN MTY_LAN destination static BSTL_MX BSTL_MX
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static BSTL_MX BSTL_MX
nat (WLAN,outside) source static MTY_WLAN MTY_WLAN destination static BSTL_MX BSTL_MX
nat (LAN,outside) source dynamic MTY_LAN interface destination static internet ScanSafe service www proxy8080
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
nat (WLAN,outside) source dynamic MTY_WLAN interface destination static internet ScanSafe service www proxy8080
nat (LAN,outside) source dynamic MTY_LAN interface
nat (inside2,outside) source dynamic MTY_inside2 interface
nat (WLAN,outside) source dynamic MTY_WLAN interface

The identity NAT lines are on top, above the ScanSafe NAT lines; if I'm not wrong, they should match first. Here is the NAT detail:

Manual NAT Policies (Section 1)
1 (inside2) to (outside) source static MTY_inside2 MTY_inside2   destination static bstl10.1.1.0 bstl10.1.1.0
    translate_hits = 83, untranslate_hits = 253
    Source - Origin: 10.2.1.0/24, Translated: 10.2.1.0/24
    Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
2 (LAN) to (outside) source static MTY_LAN MTY_LAN   destination static BSTL_MX BSTL_MX
    translate_hits = 234, untranslate_hits = 43
    Source - Origin: 192.168.40.0/24, Translated: 192.168.40.0/24
    Destination - Origin: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
    192.168.101.0/24, Translated: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
    192.168.101.0/24
3 (inside2) to (outside) source static MTY_inside2 MTY_inside2   destination static BSTL_MX BSTL_MX
    translate_hits = 124, untranslate_hits = 72
    Source - Origin: 10.2.1.0/24, Translated: 10.2.1.0/24
    Destination - Origin: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
    192.168.101.0/24, Translated: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
    192.168.101.0/24
4 (WLAN) to (outside) source static MTY_WLAN MTY_WLAN   destination static BSTL_MX BSTL_MX
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.41.0/26, Translated: 192.168.41.0/26
    Destination - Origin: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
    192.168.101.0/24, Translated: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
    192.168.101.0/24
5 (LAN) to (outside) source dynamic MTY_LAN interface   destination static internet ScanSafe service www proxy8080
    translate_hits = 10, untranslate_hits = 10
    Source - Origin: 192.168.40.0/24, Translated: 200.66.94.66/29
    Destination - Origin: 0.0.0.0/0, Translated: 69.174.87.59/32
    Service - Origin: tcp destination eq www , Translated: tcp destination eq 8080
6 (inside2) to (outside) source dynamic MTY_inside2 interface   destination static internet ScanSafe service www proxy8080
    translate_hits = 148, untranslate_hits = 173
    Source - Origin: 10.2.1.0/24, Translated: 200.66.94.66/29
    Destination - Origin: 0.0.0.0/0, Translated: 69.174.87.59/32
    Service - Origin: tcp destination eq www , Translated: tcp destination eq 8080
7 (WLAN) to (outside) source dynamic MTY_WLAN interface   destination static internet ScanSafe service www proxy8080
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.41.0/26, Translated: 200.66.94.66/29
    Destination - Origin: 0.0.0.0/0, Translated: 69.174.87.59/32
    Service - Origin: tcp destination eq www , Translated: tcp destination eq 8080
8 (LAN) to (outside) source dynamic MTY_LAN interface
    translate_hits = 43, untranslate_hits = 18
    Source - Origin: 192.168.40.0/24, Translated: 200.66.94.66/29
9 (inside2) to (outside) source dynamic MTY_inside2 interface
    translate_hits = 27, untranslate_hits = 0

But every time a user tries to access 10.1.1.75, the ScanSafe NAT is matched. Here is a trace:

(I will skip steps to keep the post short.)

BSTL-MTY-ASA(config)# sh cap test trace
50 packets captured
   1: 21:59:39.905135 802.1Q vlan#1 P0 10.2.1.3.21867 > 10.1.1.75.80: S 2591301289:2591301289(0) win 8192 <mss 1460,nop,nop,sackOK>

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.75/80 to 69.174.87.59/8080

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside2,outside) source dynamic MTY_inside2 interface
Additional Information:
Dynamic translate 10.2.1.3/21867 to 200.66.94.66/21867

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
Additional Information:

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow

We also found bug CSCtt11890 "ASA: Manual NAT rules inserted above others may fail to match traffic"; the workaround was to clear the NAT configuration or reboot the device. We cleared the NAT configuration, added it back again, rebooted the device, and the behavior was the same.

If we take the ScanSafe NAT out, we can reach the corporate server using the corresponding NAT (I removed some steps to keep the post short):

   7: 22:11:22.543764 802.1Q vlan#1 P0 10.2.1.3.49389 > 10.1.1.75.80: S 3794798427:3794798427(0) win 8192 <mss 1460,nop,nop,sackOK>

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
Additional Information:
Static translate 10.2.1.3/49389 to 10.2.1.3/49389

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Am I missing something?

Thanks

Alejandro Moran
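The ordered, first-match evaluation that the question expects from Section 1 of the ASA NAT table, as an added example (this is editor-written code, not from the thread and not Cisco's implementation). It loads the objects and the `sh run nat` lines posted above (the MTY_LAN and MTY_WLAN prefixes are taken from the `show nat detail` output), works out which rule should match the traced flow 10.2.1.3 -> 10.1.1.75:80, lists every rule that would match that flow on its own, and flags identity rules that reuse one object name as both real and mapped object. The 203.0.113.10 internet destination is a constructed sample address; the parser only understands the `source static|dynamic ... [destination static ...] [service ...]` shape used on this page.

```python
"""Section-1 (manual / twice NAT) first-match evaluator for the rules posted in the thread.
Editor-added example; models documented first-match semantics, not the ASA's internals."""
import ipaddress
import re

# Network objects and groups as posted in the question. MTY_LAN / MTY_WLAN
# are not defined in the post; their prefixes come from 'show nat detail'.
OBJECTS = {
    "MTY_inside2": ["10.2.1.0/24"],
    "MTY_LAN": ["192.168.40.0/24"],
    "MTY_WLAN": ["192.168.41.0/26"],
    "internet": ["0.0.0.0/0"],
    "ScanSafe": ["69.174.87.59/32"],
    "bstl10.1.1.0": ["10.1.1.0/24"],
    "BSTL_MX": ["10.1.1.0/24", "10.5.1.0/24", "192.168.0.0/19",
                "192.168.100.0/24", "192.168.101.0/24"],
}
# Service objects as posted: name -> (protocol, destination port).
SERVICES = {"www": ("tcp", 80), "proxy8080": ("tcp", 8080)}

# 'sh run nat' exactly as posted in the question (configured order == Section 1 order).
SHOW_RUN_NAT = """\
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
nat (LAN,outside) source static MTY_LAN MTY_LAN destination static BSTL_MX BSTL_MX
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static BSTL_MX BSTL_MX
nat (WLAN,outside) source static MTY_WLAN MTY_WLAN destination static BSTL_MX BSTL_MX
nat (LAN,outside) source dynamic MTY_LAN interface destination static internet ScanSafe service www proxy8080
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
nat (WLAN,outside) source dynamic MTY_WLAN interface destination static internet ScanSafe service www proxy8080
nat (LAN,outside) source dynamic MTY_LAN interface
nat (inside2,outside) source dynamic MTY_inside2 interface
nat (WLAN,outside) source dynamic MTY_WLAN interface
"""

NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source (?P<stype>static|dynamic) (?P<src>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst>\S+) (?P<dst_mapped>\S+))?"
    r"(?: service (?P<svc>\S+) (?P<svc_mapped>\S+))?$"
)


def parse_nat(text):
    """Return the manual NAT rules as dicts, in configured (Section 1) order."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())   # optional groups come back as None
    return rules


def _in_object(name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])


def matches(rule, flow):
    """flow = (ingress_interface, src_ip, dst_ip, proto, dst_port).
    A rule matches when interface, real source, real destination (if any)
    and real service (if any) all match the packet."""
    ingress, src, dst, proto, dport = flow
    if rule["real_if"] != ingress or not _in_object(rule["src"], src):
        return False
    if rule["dst"] and not _in_object(rule["dst"], dst):
        return False
    if rule["svc"] and SERVICES[rule["svc"]] != (proto, dport):
        return False
    return True


def first_match(rules, flow):
    """1-based number of the first matching rule (first match wins), or None."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, flow):
            return i
    return None


def all_matches(rules, flow):
    """Every rule number that would match the flow if the rules above it were not honored."""
    return [i for i, rule in enumerate(rules, 1) if matches(rule, flow)]


def identity_rules_reusing_object(rules):
    """Static rules whose real and mapped object are the same name (source or
    destination): the pattern the thread ended up replacing with two objects."""
    flagged = []
    for i, rule in enumerate(rules, 1):
        same_src = rule["stype"] == "static" and rule["src"] == rule["src_mapped"]
        same_dst = rule["dst"] is not None and rule["dst"] == rule["dst_mapped"]
        if same_src or same_dst:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    rules = parse_nat(SHOW_RUN_NAT)
    tunnel = ("inside2", "10.2.1.3", "10.1.1.75", "tcp", 80)    # flow from the trace
    web = ("inside2", "10.2.1.3", "203.0.113.10", "tcp", 80)    # constructed internet flow
    print("tunnel flow: first match rule", first_match(rules, tunnel),
          "| all matching rules", all_matches(rules, tunnel))
    print("internet flow: first match rule", first_match(rules, web),
          "| all matching rules", all_matches(rules, web))
    print("identity rules reusing one object:", identity_rules_reusing_object(rules))
```

Run stand-alone, it reports the tunnel flow hitting rule 1 (the identity NAT to bstl10.1.1.0) with rules 1, 3, 6 and 9 all matching on their own, and the internet flow hitting rule 6 (the ScanSafe redirect). That overlap is the point: the ScanSafe line covers any destination on tcp/80, so rule order is the only thing keeping tunnel traffic out of the redirect, and a trace that shows rule 6 being used for 10.1.1.75 means the earlier identity rule was not honored. The last function flags rules 1 to 4 as reusing one object for real and mapped, which is the pattern changed in the resolution of this thread.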


Julio Carvajal
VIP Alumni

Hello Alejandro,

Please do the following:

Create a different object group for the same internal subnet.

Example:

object network inside2_subnet
 subnet 10.2.1.0 255.255.255.0

And then try to create a NAT with that object to the remote LAN:

no nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static bstl10.1.1.0 bstl10.1.1.0
nat (inside2,outside) 1 source static inside2_subnet inside2_subnet destination static bstl10.1.1.0 bstl10.1.1.0
clear xlate

Give it a try and let me know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio,

We tried that, unfortunately we got the same behavior.

BSTL-MTY-ASA(config)# sh cap test trace
20 packets captured
   1: 14:57:20.734718 802.1Q vlan#1 P0 10.2.1.3.61023 > 10.1.1.75.80: S 3180640583:3180640583(0) win 8192

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.75/80 to 69.174.87.59/8080

Here is the NAT we added:

object network mty10.2.1.0
 subnet 10.2.1.0 255.255.255.0
nat (inside2,outside) 1 source static mty10.2.1.0 mty10.2.1.0 destination static bstl10.1.1.0 bstl10.1.1.0

Manual NAT Policies (Section 1)
1 (inside2) to (outside) source static mty10.2.1.0 mty10.2.1.0   destination static bstl10.1.1.0 bstl10.1.1.0
    translate_hits = 12, untranslate_hits = 6
    Source - Origin: 10.2.1.0/24, Translated: 10.2.1.0/24
    Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
2 (LAN) to (outside) source static MTY_LAN MTY_LAN   destination static BSTL_MX BSTL_MX
    translate_hits = 35703, untranslate_hits = 8878
    Source - Origin: 192.168.40.0/24, Translated: 192.168.40.0/24
    Destination - Origin: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
    192.168.101.0/24, Translated: 10.1.1.0/24, 10.5.1.0/24, 192.168.0.0/19, 192.168.100.0/24
    192.168.101.0/24

Regards.

Hello Alejandro,

sh run nat, please.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Sure, here it is:

BSTL-MTY-ASA(config)# sh run nat
nat (inside2,outside) source static mty10.2.1.0 mty10.2.1.0 destination static bstl10.1.1.0 bstl10.1.1.0
nat (LAN,outside) source static MTY_LAN MTY_LAN destination static BSTL_MX BSTL_MX
nat (inside2,outside) source static MTY_inside2 MTY_inside2 destination static BSTL_MX BSTL_MX
nat (WLAN,outside) source static MTY_WLAN MTY_WLAN destination static BSTL_MX BSTL_MX
nat (inside2,outside) source dynamic MTY_inside2 interface destination static internet ScanSafe service www proxy8080
nat (WLAN,outside) source dynamic MTY_WLAN interface destination static internet ScanSafe service www proxy8080
nat (LAN,outside) source dynamic MTY_LAN interface
nat (inside2,outside) source dynamic MTY_inside2 interface
nat (WLAN,outside) source dynamic MTY_WLAN interface

Basically, I have the identity NATs on top, then the ScanSafe redirection NATs, and finally the dynamic PAT... Since the 10.1.1.75 server is important for the customer's operation, we had to remove the ScanSafe NATs after testing.

Regards

Hello Alejandro,

The problem is that the traffic is taking the destination/source-based rule first. After adding the new NAT entries, did you clear the xlate table?

If not, add it and give it a try.

Also check bug CSCtq47028, which I think is the one you are hitting.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio

Thanks, you are right, it looks like it's CSCtq47028, but the trick is to create 2 objects for the destination, not only for the source. I made an offline test and it seems to match the correct NAT line.

I'll test it with the customer on Monday.

Hello Alejandro,

Yes, I was doing some research on this and found that.

It seems like the bug was created for a scenario just like this (using the ScanSafe cloud).

Remember to rate all the helpful posts, my friends, and pleaseeeeeeee keep me updated.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Finally we got the maintenance window. I used 2 objects for the same subnet, and it took the order as it should...

From what I see, looking at the trace captures, the 3rd step is a route lookup or an UN-NAT before the NAT step; having a NAT from the same object to the same object throws a route lookup. Using different objects for the same network in the NAT throws the UN-NAT.

thanks for your help!

Hello Alejandro,

Great, thanks for the rating and the information.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC