Trying to get my IDS to talk to my server through the ASA

Thompso7540_2 · ‎08-27-2010

Can someone take a look at my asa config?

I'm trying to get my IDS box to talk to my syslog server through the asa

IDS box is off the DMZ interface with IP 10.231.30.254 - it initiates a connection to my syslog server off MPLS interface with ip 10.24.0.46

it talks udp 514 (syslog) - one way, the server doesn't talk back

i have an acl on the DMZ interface to allow it, i also have identity nat from DMZ to MPLS.

should the config work if it's initiated from DMZ to MPLS?

is that NAT correct? And would return traffic get back if it needed to, since it's a /24 static nat and not a /32?

i think the dmz acl isn't need since it's higher to lower correct? But since it's there it would still get processed correct?

i did a packet tracer and it allowed

XXX-FW1-2-254# packet-tracer input DMZ udp 10.231.30.254 3000 10.24.0.46 syslog detail

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc8952040, priority=12, domain=capture, deny=false

hits=4967, user_data=0xc9326ab8, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc8818ca8, priority=1, domain=permit, deny=false

hits=5540888, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.0.0 255.0.0.0 MPLS

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group acl_DMZ_in in interface DMZ

access-list acl_DMZ_in extended permit udp host 10.231.30.254 host 10.24.0.46 eq syslog

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc8a6f628, priority=12, domain=permit, deny=false

hits=3, user_data=0xc8a6f5e8, cs_id=0x0, flags=0x0, protocol=17

src ip=10.231.30.254, mask=255.255.255.255, port=0

dst ip=10.24.0.46, mask=255.255.255.255, port=514

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc881c100, priority=0, domain=permit-ip-option, deny=true

hits=1417, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc950fa80, priority=12, domain=capture, deny=false

hits=721, user_data=0xc9326ab8, cs_id=0xc96e75e0, reverse, flags=0x0, protocol=0

src ip=10.231.30.254, mask=255.255.255.255, port=0

dst ip=10.24.0.46, mask=255.255.255.255, port=0

Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

static (DMZ,MPLS) 10.231.30.0 10.231.30.0 netmask 255.255.255.0

match ip DMZ 10.231.30.0 255.255.255.0 MPLS any

static translation to 10.231.30.0

translate_hits = 6, untranslate_hits = 1411

Additional Information:

Static translate 10.231.30.0/0 to 10.231.30.0/0 using netmask 255.255.255.0

Forward Flow based lookup yields rule:

in id=0xc953f918, priority=5, domain=nat, deny=false

hits=5, user_data=0xc8957670, cs_id=0x0, flags=0x0, protocol=0

src ip=10.231.30.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (DMZ,MPLS) 10.231.30.0 10.231.30.0 netmask 255.255.255.0

match ip DMZ 10.231.30.0 255.255.255.0 MPLS any

static translation to 10.231.30.0

translate_hits = 6, untranslate_hits = 1411

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc87daad0, priority=5, domain=host, deny=false

hits=2776, user_data=0xc8957670, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.231.30.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xc87ee108, priority=0, domain=permit-ip-option, deny=true

hits=170122184, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 11

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

out id=0xca79d8e8, priority=12, domain=capture, deny=false

hits=0, user_data=0xc9326ab8, cs_id=0xc96e75e0, reverse, flags=0x0, protocol=0

src ip=10.24.0.46, mask=255.255.255.255, port=0

dst ip=10.231.30.254, mask=255.255.255.255, port=0

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 288342322, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Module information for reverse flow ...

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Phase: 13

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 172.16.3.14 using egress ifc MPLS

adjacency Active

next-hop mac address 0017.5acc.cbcd hits 2710501

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: MPLS

output-status: up

output-line-status: up

Action: allow

Thanks!!

bryan

Thompso7540_2 · ‎08-27-2010

also i see a connection open - but it has no flags....weird

UDP out 10.24.0.46:514 in 10.231.30.254:514 idle 0:02:41 flags -

praprama · ‎08-27-2010

Hi Bryan,

You do not see flags as the connection is a UDP connection which is stateless. Also, looking at your packet tracer and the configuration, everything seems alright?

Are you not seeing logs on the syslog server? If not, please apply captures on the DMZ and MPLS interface between the IDS and the SYSLOGS server's IP address and vice versa. We can see what's going on then and if any packets are being dropped by the ASA.

Regards,

Prapanch

Thompso7540_2 · ‎08-27-2010

hey Prapanch,

Good catch on the udp. I did perform a capture on teh dmz interface and i can see the ids sending data

iPX-FW1-2-254# show capture
capture ids_test type raw-data access-list ids trace interface DMZ [Capturing - 72957 bytes]

AiPX-FW1-2-254# show access-list ids
access-list ids; 2 elements
access-list ids line 1 extended permit ip host 10.231.30.254 host 10.24.0.46 (hitcnt=344) 0xa7239793
access-list ids line 2 extended permit ip host 10.24.0.46 host 10.231.30.254 (hitcnt=0) 0xba1b07b3

i also performed the same on the MPLS interface and got some data - can you tell me what the UDP numbers at the end of the packets mean? Are they just sequence numbers?

AiPX-FW1-2-254# show capture

capture ids_test type raw-data access-list ids trace interface MPLS

AiPX-FW1-2-254# show capture ids_test decode
72 packets captured
   1: 08:43:49.028593 10.231.30.254.514 > 10.24.0.46.514: udp 180
   2: 08:45:02.592117 10.231.30.254.514 > 10.24.0.46.514: udp 35
   3: 08:45:02.592132 10.231.30.254.514 > 10.24.0.46.514: udp 56
   4: 08:45:02.593734 10.231.30.254.514 > 10.24.0.46.514: udp 55
   5: 08:45:02.600463 10.231.30.254.514 > 10.24.0.46.514: udp 79
   6: 08:45:02.602568 10.231.30.254.514 > 10.24.0.46.514: udp 70
   7: 08:45:02.612715 10.231.30.254.514 > 10.24.0.46.514: udp 81
   8: 08:45:02.617170 10.231.30.254.514 > 10.24.0.46.514: udp 72
   9: 08:49:59.341824 10.231.30.254.514 > 10.24.0.46.514: udp 180
10: 08:50:02.381968 10.231.30.254.514 > 10.24.0.46.514: udp 181
11: 08:50:02.662166 10.231.30.254.514 > 10.24.0.46.514: udp 56
12: 08:50:02.668239 10.231.30.254.514 > 10.24.0.46.514: udp 55
13: 08:50:02.669444 10.231.30.254.514 > 10.24.0.46.514: udp 51
14: 08:50:02.670741 10.231.30.254.514 > 10.24.0.46.514: udp 70
15: 08:50:02.672847 10.231.30.254.514 > 10.24.0.46.514: udp 79
16: 08:50:02.684718 10.231.30.254.514 > 10.24.0.46.514: udp 81
17: 08:50:02.686121 10.231.30.254.514 > 10.24.0.46.514: udp 72
18: 08:50:08.396723 10.231.30.254.514 > 10.24.0.46.514: udp 181
19: 08:55:01.727119 10.231.30.254.514 > 10.24.0.46.514: udp 55
20: 08:55:01.728752 10.231.30.254.514 > 10.24.0.46.514: udp 56
21: 08:55:01.737175 10.231.30.254.514 > 10.24.0.46.514: udp 70
22: 08:55:01.738044 10.231.30.254.514 > 10.24.0.46.514: udp 79
23: 08:55:01.747992 10.231.30.254.514 > 10.24.0.46.514: udp 81
24: 08:55:01.751792 10.231.30.254.514 > 10.24.0.46.514: udp 72
25: 08:59:27.413735 10.231.30.254.514 > 10.24.0.46.514: udp 180
26: 09:00:01.793141 10.231.30.254.514 > 10.24.0.46.514: udp 56
27: 09:00:01.821887 10.231.30.254.514 > 10.24.0.46.514: udp 51
28: 09:00:01.823062 10.231.30.254.514 > 10.24.0.46.514: udp 55
29: 09:00:01.824267 10.231.30.254.514 > 10.24.0.46.514: udp 70
30: 09:00:01.824862 10.231.30.254.514 > 10.24.0.46.514: udp 79
31: 09:00:01.825488 10.231.30.254.514 > 10.24.0.46.514: udp 81
32: 09:00:01.826892 10.231.30.254.514 > 10.24.0.46.514: udp 72
33: 09:01:01.829043 10.231.30.254.514 > 10.24.0.46.514: udp 58
34: 09:05:01.864869 10.231.30.254.514 > 10.24.0.46.514: udp 55

also - is teh below nat going to work for traffic to go from dmz to mpls? does it matter that it's a /24?

static (DMZ,MPLS) 10.231.30.0 10.231.30.0 netmask 255.255.255.0

praprama · ‎08-27-2010

Hey,

If i am not mistaken, they are actually sizes of each of the UDP packets in "bytes". Try gettting the captures from the ASA in a .pcap format and open it using wireshark to confirm the same. They can not be sequence numbers as first UDP is connectionless and second we don't see any particular sequence being followed.

Regarding the captures, it will be helpfule if you apply separate captures on the DMZ and the MPLS interfaces (each capture should have a different name). then we can see separate captures on the DMZ and the MPLS interfaces and compare those much better. But looking at the capture output attached, does not look like anything wrong that the ASA is doing.

> also - is teh below nat going to work for traffic to go from dmz to mpls? does it matter that it's a /24?

The NAT is ok. A /24 is going to translate the entire subnet, that is, 10.231.30.x to 10.231.30.x.

Regards,

Prapanch

Thompso7540_2 · ‎08-27-2010

thanks

Here is my capture - i put it on DMZ and MPLS interface - it's the same on both captures, so i guess the traffic i definitly making it out the MPLS interface

AiPX-FW1-2-254# show access-list ids_acl
access-list ids_acl; 2 elements
access-list ids_acl line 1 extended permit ip host 10.231.30.254 host 10.24.0.46 (hitcnt=30) 0x435208d5
access-list ids_acl line 2 extended permit ip host 10.24.0.46 host 10.231.30.254 (hitcnt=0) 0x081d9389
AiPX-FW1-2-254# show capture
capture ids_dmz type raw-data access-list ids_acl trace interface DMZ [Capturing - 2850 bytes]
capture ids_mpls type raw-data access-list ids_acl trace interface MPLS [Capturing - 2850 bytes]

another question - i currently see a connection is made, but i don't see it's being translated...shouldn't i see it hit my /24 identity nat when i do a show xlate? But i also did a show xlate pipe include the /24 and it shows it in there

AiPX-FW1-2-254# show conn | i 10.231.30.254
UDP out 10.24.0.46:514 in 10.231.30.254:514 idle 0:00:29 flags -
TCP out 43.98.184.136:443 in 10.231.30.254:35826 idle 0:00:58 bytes 20662198 flags UIO

AiPX-FW1-2-254# show xlate | i 10.231.30.254
PAT Global 47.148.97.62(20925) Local 10.231.30.254(35826)

AiPX-FW1-2-254# show xlate | i 10.231.30.0
Global 10.231.30.0 Local 10.231.30.0

Also another little question:

I heard somewhere at Cisco Live this year that nat statements actually are what makes the ASA choose the egress interface for a destination, rather than the route. Is that true or am i mistaken?

praprama · ‎08-27-2010

Hi,

The captures indeed seem to show that traffic is passing just fine through the ASA.

> i currently see a connection is made, but i don't see it's being translated...shouldn't i see it hit my /24 identity nat when i do a show xlate? But i also did a show xlate pipe include the /24 and it shows it in there

As attached and as seen from the packet-tracer, the traffic is indeed hitting the identity NAT. The output that you are seeing is the way it is.

> I heard somewhere at Cisco Live this year that nat statements actually are what makes the ASA choose the egress interface for a destination, rather than the route. Is that true or am i mistaken?

Well, yes. Part of it is true. The ASA first tries to decide the egress interface (or routing) using a NAT rule for the destination IP address of the packet.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html#wp1095480

It looks for an existing translation entry first, then a Static translation (using the Static command) and the using the routing table. Let's take our example.

static (DMZ,MPLS) 10.231.30.0 10.231.30.0 netmask 255.255.255.0

How this is read (with respect to destination translation) is when a request comes in on the MPLS interface for an IP in the subnet 10.231.30.0/24, translate (better said as "untranslat" or UN-NAT) the destination IP address of the packet to 10.231.30.0/24 and send it out the DMZ interface. Of course, this is done following an access-list lookup, that is, if we do not have an access-list permitting ttraffic to 10.231.30.0/24, then the apcket will be dropped. Similar is the case in case of an existing translation, for example, the one you have attached:

AiPX-FW1-2-254# show xlate | i 10.231.30.254
PAT Global 47.148.97.62(20925) Local 10.231.30.254(35826)

So in this case, when the ASA sees a request coming on the outside interface with the destrination IP:PORT combination as 47.148.97.62:20925, it will UN-NAT the destination IP:PORT to 10.231.30.254:35826 and send it out the DMZ interface. Let me know if this is clear enough.

Regards,

Prapanch