12-07-2017 01:58 PM - edited 02-21-2020 06:55 AM
We are using a Cisco ASA and the following started yesterday:
One of our users was locked out of our retirement plan admin site. When we called, we were told they blocked our access because the IP we were coming from was in Japan.
After some investigation, we found quite a few (not all) of our systems on the internal network are coming up with strange addresses (using the WHATS MY IP tools available online).
Some sites report the correct address; other sites report addresses we don't recognize. The systems in question have been checked for proxy settings and viruses, and nothing was found. Everyone uses the same default gateway and the same firewall.
Has anyone ever heard of or seen this? What can we test on the firewall (if anything) to make sure the issue is not on the appliance?
Thanks.
12-08-2017 03:47 AM
You can check your NAT config with show runn nat.
If you want to verify how a specific IP is being NATed, you can use packet-tracer; the translation will show up in the Additional Information at the NAT stage.
However, I think that this is not a NAT problem on the ASA, because you can only NAT to public IPs that have been routed by your service provider.
Is there any proxy or VPN client used on the computers reporting strange IPs?
12-08-2017 09:44 AM
Thanks for the reply!
To answer your question: No VPN or proxy in play.
Is it possible there is a router somewhere (beyond my control), routing traffic through a proxy of some sort?
12-09-2017 02:46 PM
It is possible, but unlikely.
You could check the MAC address learned for the default gateway IP, to make sure it's not ARP poisoning.
You could also check traceroute.
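The gateway MAC check suggested in the last reply can be scripted on an affected client. The following is an added example, not part of the original thread: it assumes a Linux client whose neighbor table is dumped with `ip neigh show`, and a known-good MAC taken from the firewall's inside interface. The function names, addresses and MACs are constructed for illustration.

```python
import re

# Matches lines in the format printed by Linux `ip neigh show`, e.g.
# "192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17})\b"
)

def parse_neighbors(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def check_gateway(text, gateway_ip, expected_mac):
    """Compare the learned gateway MAC with a known-good value."""
    table = parse_neighbors(text)
    seen = table.get(gateway_ip)
    if seen is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    findings = []
    if seen != expected_mac.lower():
        findings.append(
            f"gateway {gateway_ip} resolves to {seen}, expected {expected_mac.lower()}")
    # Another IP answering with the gateway's MAC is worth investigating:
    # it is typical of ARP spoofing, though a router with several
    # addresses on the segment can produce it legitimately.
    for ip in sorted(i for i, mac in table.items() if mac == seen and i != gateway_ip):
        findings.append(f"{ip} shares MAC {seen} with gateway {gateway_ip}")
    return findings

# Constructed sample data (documentation addresses, made-up MACs)
CLEAN = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 STALE
"""
SUSPECT = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:66 REACHABLE
192.0.2.66 dev eth0 lladdr 00:00:5e:00:53:66 REACHABLE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 STALE
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, check_gateway(sample, "192.0.2.1", "00:00:5E:00:53:01"))
```

An empty result means the client has learned the expected MAC for its gateway, which points the investigation past the local segment, where the traceroute from the same reply takes over.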