11-02-2012 05:03 PM - edited 03-11-2019 05:18 PM
Hello all,
The more and more I deal with NAT rules, the more and more I feel like an idiot. This question has a long story behind it, but where does 172.181.159.95 come from?!? We have a 3560 switch behind an ASA 5510 at a site that we are trying to access via telnet over the internet; we found out the switch does not have a default gateway configured. So I configure the following rule on the 5510:
object network ALLOFUS
subnet 0.0.0.0 0.0.0.0
nat (outside,inside) static 172.16.30.15
I try accessing the switch, and all is good. One of our change control steps is to identify whether any others are connected to the device via:
show users
This is what I got:
SITDWSS01#sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 15w2d
*  1 vty 0     PowsAdmin  idle                 00:00:00   172.181.159.95

  Interface    User               Mode         Idle     Peer Address
I was expecting to see 172.16.30.15, as the NAT rule states. Stupid me, I just assumed this was another admin, so I tried finding out who 172.181.159.95 is. Come to find out, in everything I'm finding we don't have an internal or external network with that range, or anything close. So I jumped back on the firewall to see all connections to the switch, and I see this:
TCP outside 172.181.159.95(12.118.135.29):57169 inside 172.16.30.33:23, idle 0:00:21, bytes 908, flags UIOB
Well, come to find out, this is me connecting (12.118.135.29 is my external address). How can this work? How can 172.181.159.95 connect to the switch, which is at 172.16.30.33 and does not have a gateway configured? Why does the ASA pick this address? How does it work?
Now, if I configure the NAT rule like so:
object network JUSTME
host 12.118.135.29
nat (outside,inside) static 172.16.30.15
I see the connection, and the show users command returns 172.16.30.15, as expected.
Please, someone educate me; I'm feeling pretty useless. This is a very unexpected result that does not make any sense to me. How is it possible that that address can connect to that switch?
Thanks for your time and support,
Nick
11-02-2012 05:14 PM
Hello Nick,
So:
3560 switch behind a ASA 5510
trying to access via telnet over the internet,
Are those two commands the only NAT statements you had on your ASA at the time you saw 172.181.159.95?
Regards,
11-03-2012 11:40 PM
There are other rules, but they have nothing to do with this connection. Again, if I change the object to my external address, everything looks normal. Only when I NAT 0.0.0.0 0.0.0.0 to 172.16.30.15 and then access the device does the ASA translate my external address to this random weird address.
My questions remain the same, the biggest being: how is it even possible? That address is even outside 172.16.30.0/26, with the switch not having a default gateway.
Thanks,
Nick
Sent from Cisco Technical Support iPad App
11-04-2012 11:05 AM
Hello Nick,
That does not make any sense, to be honest with you; I don't think the ASA is doing that.
Do:
packet-tracer input outside tcp 4.2.2.2 1025 switch_public_ip 23
Regards
11-05-2012 03:58 PM
I completely agree; it does not make sense. But it is the ASA allowing the connection, and I'm 99% sure it is making the translation.
If I remove the gateway address on the switch and then recreate the NAT statement of:
object network ALLOFUS
subnet 0.0.0.0 0.0.0.0
nat (outside,inside) static 172.16.30.15
We get access to that switch from my office with the address 172.181.159.95. If I run packet-tracer on the firewall, everything looks normal; here is the NAT phase:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network ALLOFUS
nat (outside,inside) static 172.16.30.15
Additional Information:
Static translate 4.2.2.2/1025 to 172.18.30.15/1025
If I look at the ARP table on the switch, I see the ASA's MAC address for 172.181.159.95. If I run show conn, I get the same line as above (in the original post). Here is some more information that does not line up: if I remove object network ALLOFUS, I lose access to the switch from my office. If I recreate the NAT rule and try access via a different location that is not my office, I can't access the switch, and I regain access from my office.
To your original question about other NAT rules: yes, I forgot the inbound NAT rule allowing telnet to the switch:
object network SPSRSWSS01
nat (inside,outside) static interface service tcp telnet 2301
Completely unexplainable on my end, and I'm surprised it even works from my connection.
11-05-2012 04:42 PM
Hello Nick,
Okay, let's do a capture (one capture per inside address, so the second does not overwrite the first):
capture capout interface outside match tcp host your_public_ip host interface_ip eq 2301
capture capin interface inside match tcp host 172.16.30.15 host switch_private eq 23
capture capin2 interface inside match tcp host 172.181.159.95 host switch_private eq 23
Then connect and share:
show cap capin
show cap capin2
show cap capout
11-02-2012 06:02 PM
Based on nslookup, the IP address 172.181.159.95 is ACB59F5F.ipt.aol.com.
Do you or someone else happen to connect using AOL?
C:\Windows\System32>nslookup 172.181.159.95
Name: ACB59F5F.ipt.aol.com
Address: 172.181.159.95
11-04-2012 12:10 AM
Thanks Jennifer,
But I don't think you're understanding; that address is the address the ASA is giving as an "outside local" address.
Sent from Cisco Technical Support iPad App