static NAT problem with ASA using policy routing

tato386
Level 6

I added a second ISP and public IP block to my ASA that is running 9.5.2.  I use a route-map and ACL to match internal private IPs that are then sent to the Internet via the second ISP.  This seems to work fine for PAT.

Since it was working well, I decided to use the second ISP for static NAT also.  Unfortunately, this is not working so well.  I can ping the public IP of static NAT internal hosts but inbound TCP based services like RDP do not work.  It doesn't seem to be an ACL issue as the packet trace utility tells me that the packets are allowed and sent to the correct interface.

On a related note, I cannot ping out or reply to pings on the ASA interface for the second ISP. This happens even though the IP of that interface has been added to the ACL of the route-map that sends packets out the second ISP.

So it seems like certain operations, like ping sourced from the ASA interface and static NAT, are not being correctly policy routed. Below are some relevant config snippets.

Any ideas?

Thanks,
Diego

ASA Version 9.5(2)

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inf_ISPA
 security-level 0
 ip address 1.1.1.2 255.255.255.224

interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inf_Inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
 policy-route route-map ALT-GATEWAY

interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif inf_ISPB
 security-level 0
 ip address 2.2.2.209 255.255.255.248

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
!
object network SRV1
 host 192.168.1.9
object network SRV1_ISPB
 host 2.2.2.212
object network host1_ISPA
 host 192.168.1.15
object network host2_ISPA
 host 192.168.1.16

object network net_1
 subnet 192.168.10.0 255.255.255.0
object network net_2
 subnet 192.168.11.0 255.255.255.0

object-group network grp_remote_networks
 network-object object net_1
 network-object object net_2

object-group network grp_NoCXScan
 network-object object CX_Module
 network-object object rtr-1
 network-object object rtr-2

object-group network PAT_Networks
 network-object object net_data
 network-object object net_voice
 network-object object net_wireless

access-list inf_ISPB_access_in extended permit icmp any4 any4
access-list inf_ISPB_access_in extended permit object RDP any object SRV1

access-list acl_ISPB_Gateway extended deny ip object host1_ISPA any
access-list acl_ISPB_Gateway extended deny ip object host2_ISPA any
access-list acl_ISPB_Gateway extended permit ip object inf_ISPB any
access-list acl_ISPB_Gateway extended permit ip object SRV1 any
access-list acl_ISPB_Gateway extended permit ip any any

icmp permit any inf_ISPA
icmp permit any inf_Inside
icmp permit any inf_ISPB

arp timeout 14400
no arp permit-nonconnected

nat (inf_Inside,inf_ISPA) source static PAT_Networks PAT_Networks destination static grp_remote_networks grp_remote_networks no-proxy-arp
!
object network SRV1
 nat (inf_Inside,inf_ISPB) static SRV1_ISPB

!
nat (inf_Inside,inf_ISPA) after-auto source dynamic PAT_Networks interface
nat (inf_Inside,inf_ISPB) after-auto source dynamic PAT_Networks interface


access-group inf_ISPB_access_in in interface inf_ISPB


!
route-map ALT-GATEWAY permit 10
 match ip address acl_ISPB_Gateway
 set ip default next-hop 2.2.2.214

!
route inf_ISPA 0.0.0.0 0.0.0.0 1.1.1.1 1


sysopt noproxyarp inf_Inside

!
class-map CX_Traffic
 match access-list acl_CXTraffic
class-map tcp_bypass
 description TCP traffic that bypasses stateful firewall
 match access-list acl_TCPbypass
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map policy1
 class tcp_bypass
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
policy-map global_policy
 description ASA CX Policy
 class CX_Traffic
  cxsc fail-open
  set connection random-sequence-number disable
 class class-default
  user-statistics accounting
  set connection random-sequence-number disable
!
service-policy global_policy global
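
The following is an added example, not part of the original post or of any Cisco tooling: a small first-match evaluator for the policy-based-routing pieces in the config above (the `policy-route route-map` binding on inf_Inside, the ALT-GATEWAY clause, and the acl_ISPB_Gateway match ACL). It shows, for a given ingress interface and source/destination, whether the packet would be handed to 2.2.2.214 or left to the routing table, and which ACE decided that. It assumes one thing the posted snippets do not show: an `object network inf_ISPB` holding the inf_ISPB interface address 2.2.2.209 (the post says that IP was added to the ACL). The destination 203.0.113.10 is a constructed Internet address. The script models only route-map and ACL semantics (interface binding, top-down first match, deny or no match meaning "not matched by this clause"); it does not model NAT or connection state, so it does not explain the ICMP-versus-TCP difference the poster describes.

```python
"""Added example: first-match evaluation of an ASA route-map bound with
`policy-route route-map` to an interface.  Semantics modelled:
  * the route-map is consulted only for packets entering the interface it
    is bound to;
  * the match ACL is evaluated top-down and the first matching ACE wins;
  * a permit ACE applies the clause's `set ip default next-hop`; a deny ACE
    or no match means "not matched by this clause", so the next clause is
    tried and, with none left, the packet is routed by the routing table.
Route-map `deny` clauses are not modelled (the post only has a permit clause).
"""
import ipaddress

# Constructed config text copied from the post above.  `object network
# inf_ISPB` is NOT in the posted snippets; defining it as the inf_ISPB
# interface address is an ASSUMPTION based on the poster's description.
ASA_CONFIG = """\
interface GigabitEthernet0/1
 nameif inf_Inside
 policy-route route-map ALT-GATEWAY
interface GigabitEthernet0/2
 nameif inf_ISPB
object network SRV1
 host 192.168.1.9
object network host1_ISPA
 host 192.168.1.15
object network host2_ISPA
 host 192.168.1.16
object network inf_ISPB
 host 2.2.2.209
access-list acl_ISPB_Gateway extended deny ip object host1_ISPA any
access-list acl_ISPB_Gateway extended deny ip object host2_ISPA any
access-list acl_ISPB_Gateway extended permit ip object inf_ISPB any
access-list acl_ISPB_Gateway extended permit ip object SRV1 any
access-list acl_ISPB_Gateway extended permit ip any any
route-map ALT-GATEWAY permit 10
 match ip address acl_ISPB_Gateway
 set ip default next-hop 2.2.2.214
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(t, i, objects):
    """Consume one ACE address spec starting at t[i]; return (network, next index)."""
    if t[i] in ("any", "any4"):
        return ANY, i + 1
    if t[i] == "object":
        if t[i + 1] not in objects:
            raise KeyError(f"ACE references undefined object {t[i + 1]}")
        return objects[t[i + 1]], i + 2
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(cfg):
    """Return (objects, acls, route_maps, bindings).  Objects must precede the
    ACLs that reference them, as they do in a running ASA config."""
    objects, acls, route_maps, bindings = {}, {}, {}, {}
    ctx = None  # ("object", name) | ("interface", nameif) | ("route-map", name)
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):  # top-level command starts a new context
            ctx = None
            if t[:2] == ["object", "network"]:
                ctx = ("object", t[2])
            elif t[0] == "interface":
                ctx = ("interface", None)  # nameif comes later in the block
            elif t[0] == "route-map":
                ctx = ("route-map", t[1])
                route_maps.setdefault(t[1], []).append(
                    {"seq": int(t[3]), "acl": None, "next_hop": None})
            elif t[0] == "access-list" and t[2] == "extended":
                src, i = _addr(t, 5, objects)
                dst, _ = _addr(t, i, objects)
                acls.setdefault(t[1], []).append((t[3], src, dst, line))
            continue
        # indented sub-command of the current context
        if ctx and ctx[0] == "object" and t[0] == "host":
            objects[ctx[1]] = ipaddress.ip_network(t[1] + "/32")
        elif ctx and ctx[0] == "object" and t[0] == "subnet":
            objects[ctx[1]] = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
        elif ctx and ctx[0] == "interface" and t[0] == "nameif":
            ctx = ("interface", t[1])
        elif ctx and ctx[0] == "interface" and t[:2] == ["policy-route", "route-map"]:
            bindings[ctx[1]] = t[2]
        elif ctx and ctx[0] == "route-map" and t[:3] == ["match", "ip", "address"]:
            route_maps[ctx[1]][-1]["acl"] = t[3]
        elif ctx and ctx[0] == "route-map" and t[:4] == ["set", "ip", "default", "next-hop"]:
            route_maps[ctx[1]][-1]["next_hop"] = t[4]
    return objects, acls, route_maps, bindings


def evaluate(cfg, ingress, src_ip, dst_ip):
    """Decide how a packet entering `ingress` from src_ip to dst_ip is forwarded.
    Returns (decision, ace_text): decision is the next-hop when policy-routed,
    "routing-table" when no clause matched, or "not-evaluated" when no
    route-map is bound to the ingress interface (e.g. ASA-sourced traffic)."""
    _, acls, route_maps, bindings = parse_config(cfg)
    if ingress not in bindings:
        return "not-evaluated", None
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    last = None
    for clause in sorted(route_maps[bindings[ingress]], key=lambda c: c["seq"]):
        for action, s, d, text in acls.get(clause["acl"], []):
            if src in s and dst in d:  # first matching ACE decides this clause
                last = text
                if action == "permit":
                    return clause["next_hop"], text
                break  # deny: clause not matched, fall through to next clause
    return "routing-table", last


if __name__ == "__main__":
    for ifc, s in [("inf_Inside", "192.168.1.9"), ("inf_Inside", "192.168.1.15"),
                   ("inf_Inside", "192.168.1.50"), ("inf_ISPB", "2.2.2.209")]:
        print(ifc, s, "->", evaluate(ASA_CONFIG, ifc, s, "203.0.113.10"))
```

Run as-is, it reports SRV1 and an ordinary PAT host being steered to 2.2.2.214, host1_ISPA falling back to the routing table because the deny ACE matches first, and anything not entering inf_Inside never being evaluated by this route-map at all. To try other sources, change the arguments to `evaluate`, or paste in further object and ACL lines; every `access-list` line must reference only objects already defined above it.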

3 Replies

Chris Izatt
Level 1

Have you done any packet tracers? If not, run some and post them up if you can.

Hello Chris,

I opened a TAC case and we confirmed that the configuration is correct, so we started looking at the possibility of a bug with the PBR feature. We did find a bug logged that matches my problem, but at the same time we realized we could get it working in the TAC agent's lab environment and also on a different system that I have access to. Going further, I tested on a fourth system and was able to reproduce the bug/problem.

The interesting thing is that the two systems that have the bug/problem use the same model Comcast modem for the PBR next-hop target. The two systems that work are a lab system and a live system that uses a Cisco router as the PBR next-hop target.

So my gut feeling now tells me that there is something odd about the way the Comcast modem is handling the ASA packets that causes this bug/problem.  It would be interesting to find out if the previous guys who logged the bug/problem were also using Comcast or similar cable modem devices but I don't know if that is possible.

In any case I am going to work with the TAC a bit more and see what we find.  I will update the post when we are done.

Thanks

I love code bugs. Good luck.