653 Views | 0 Helpful | 7 Replies

Weird NAT Address (or ASA NAT education)

nickhesson
Level 1

Hello all,

The more and more I deal with NAT rules, the more and more I feel like an idiot. This question has a long story behind it, but where does 172.181.159.95 come from?!? We have a 3560 switch behind an ASA 5510 at a site that we are trying to access via telnet over the internet, and we found out the switch does not have a default gateway configured. So I configure the following rule on the 5510:

object network ALLOFUS
 subnet 0.0.0.0 0.0.0.0
 nat (outside,inside) static 172.16.30.15

Try accessing the switch, and all is good. One of our change-control steps is to identify whether any others are connected to the device via:

show users

This is what I got: 

SITDWSS01#sh users
    Line       User            Host(s)              Idle            Location
   0 con 0                      idle                   15w2d
*  1 vty 0    PowsAdmin  idle                    00:00:00  172.181.159.95

  Interface    User               Mode         Idle     Peer Address

I was expecting to see 172.16.30.15 as the NAT rule states. So, stupid me, I just assumed this was another admin. So I try finding out who 172.181.159.95 is. Come to find out, in everything I'm finding we don't have an internal or external network with that range or anything close. So I jump back on the firewall to see all connections to the switch. And I see this:

TCP outside 172.181.159.95(12.118.135.29):57169 inside 172.16.30.33:23, idle 0:00:21, bytes 908, flags UIOB

Well, come to find out this is me connecting (12.118.135.29 is my external address).  How can this work?  How can 172.181.159.95 be able to connect to the switch which is at 172.16.30.33 that does not have a gateway configured?  Why does the ASA pick this address?  How does it work? 

Now if I configure the NAT rule like so:

object network JUSTME
 host 12.118.135.29
 nat (outside,inside) static 172.16.30.15

I see the connection and the show users command return 172.16.30.15, as expected.

Please, someone educate me; I'm feeling pretty useless. Very unexpected result, and it does not make any sense to me. How is it possible that that address can connect to that switch?

Thanks for your time and support,

Nick
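As an added check for the situation in the post above (example code written for this page, not Cisco's code or the poster's), the script below parses ASA `show conn` lines of the shape quoted in the post and flags connections into the switch whose peer address is not the one the static rule should present. Assumptions: the expected inside subnet 172.16.30.0/26 and the expected mapped address 172.16.30.15 are taken from the post; the reading that, on the outside side, the address in parentheses is the peer's real address and the address before it is what the inside host sees is the poster's own reading of his line (it matches his show users and ARP evidence), not a statement about ASA output semantics; the second and third sample lines are constructed for this example.

```python
import ipaddress
import re

# Constructed sample input. Line 1 is the one quoted in the original post; lines
# 2 and 3 are made up for this example: the shape the poster expected to see,
# and an untranslated connection from some other peer.
SAMPLE_CONNS = """\
TCP outside 172.181.159.95(12.118.135.29):57169 inside 172.16.30.33:23, idle 0:00:21, bytes 908, flags UIOB
TCP outside 172.16.30.15(12.118.135.29):57170 inside 172.16.30.33:23, idle 0:00:03, bytes 412, flags UIOB
TCP outside 198.51.100.7:40000 inside 172.16.30.33:23, idle 0:01:10, bytes 1200, flags UIOB
"""

# Shape of one line: PROTO IF ADDR[(ADDR)]:PORT IF ADDR[(ADDR)]:PORT, idle H:MM:SS, bytes N, flags XYZ
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    r"(?P<a_if>\S+)\s+(?P<a_ip>[\d.]+)(?:\((?P<a_paren>[\d.]+)\))?:(?P<a_port>\d+)\s+"
    r"(?P<b_if>\S+)\s+(?P<b_ip>[\d.]+)(?:\((?P<b_paren>[\d.]+)\))?:(?P<b_port>\d+),\s*"
    r"idle\s+(?P<idle>[\d:]+),\s*bytes\s+(?P<bytes>\d+)"
    r"(?:,\s*flags\s+(?P<flags>\S+))?\s*$"
)

# The connection flags present in the sample line, per the ASA show conn legend;
# any other letter is passed through unchanged.
FLAG_NAMES = {"U": "up", "I": "inbound data", "O": "outbound data",
              "B": "initial SYN from outside"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conn(line):
    """Parse one show conn line into a dict, or return None if it does not match.

    ASSUMPTION (the poster's reading of his own line, not ASA documentation):
    on the outside side the address in parentheses is the peer's real address
    and the address before it is what the inside host sees.
    """
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    for key in ("a_port", "b_port", "bytes"):
        c[key] = int(c[key])
    c["peer_seen_inside"] = c["a_ip"]
    c["peer_real"] = c["a_paren"] or c["a_ip"]
    c["flag_names"] = [FLAG_NAMES.get(f, f) for f in (c["flags"] or "")]
    return c


def audit_conn(conn, inside_net, expected_mapped, dst_port):
    """Return a list of findings for one connection that terminates on inside_net:dst_port."""
    findings = []
    inside_net = ipaddress.ip_network(inside_net)
    if conn["b_if"] != "inside" or conn["b_port"] != dst_port:
        return findings
    if ipaddress.ip_address(conn["b_ip"]) not in inside_net:
        return findings
    seen = ipaddress.ip_address(conn["peer_seen_inside"])
    if conn["a_paren"] is None:
        findings.append("no translation on the outside side")
    if str(seen) != expected_mapped:
        findings.append("inside host sees %s, static rule should present %s"
                        % (seen, expected_mapped))
    if seen not in inside_net:
        # Off-subnet peer: a host with no default gateway can only reach it by
        # ARPing for it directly, which is what the switch's ARP table showed.
        findings.append("%s is outside %s" % (seen, inside_net))
    if not any(seen in net for net in RFC1918):
        # A public, possibly third-party address presented to the inside host:
        # the host's own logs (show users) will attribute the session to a stranger.
        findings.append("%s is not RFC 1918 space" % seen)
    return findings


def audit_show_conn(text, inside_net="172.16.30.0/26",
                    expected_mapped="172.16.30.15", dst_port=23):
    """Audit every parseable line of show conn output; returns [(line, findings), ...]."""
    results = []
    for line in text.splitlines():
        conn = parse_conn(line)
        if conn is None:
            continue
        results.append((line, audit_conn(conn, inside_net, expected_mapped, dst_port)))
    return results


if __name__ == "__main__":
    for line, findings in audit_show_conn(SAMPLE_CONNS):
        print(line)
        for f in findings or ["ok"]:
            print("   ", f)
```

Run against real output by piping `show conn` into the script in place of SAMPLE_CONNS; the first sample line produces three findings (wrong mapped address, off-subnet, not RFC 1918), the second produces none, and the third is reported as untranslated.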

7 Replies

Julio Carvajal
VIP Alumni

Hello Nick,

So:

3560 switch behind a ASA 5510

trying to access via telnet over the internet,

Are those two commands the only NAT statements you have on your ASA at the time you saw the 172.181.159.95?

Regards,


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

There are other rules, but they have nothing to do with this connection. Again, if I change the object to my external address, everything looks normal. Only when I NAT 0.0.0.0 0.0.0.0 to 172.16.30.15 and then access the device does the ASA translate my external address to this random weird address.

My questions remain the same, the biggest being: how is it even possible? And that address is outside 172.16.30.0/26, with the switch not having a default gateway.

Thanks,
Nick

Sent from Cisco Technical Support iPad App

Hello Nick,

That does not make any sense, to be honest with you; I don't think the ASA is doing that.

Do:

packet-tracer input outside tcp 4.2.2.2 1025 switch_public_ip 23

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I completely agree. It does not make sense. But it is the ASA allowing the connection, and I'm 99% sure it is making the translation.

If I remove the gateway address on the switch and then recreate the NAT statement of:

object network ALLOFUS
 subnet 0.0.0.0 0.0.0.0
 nat (outside,inside) static 172.16.30.15

We get access to that switch from my office with the address 172.181.159.95. If I run packet-tracer on the firewall, everything looks normal; here is the NAT phase:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network ALLOFUS
 nat (outside,inside) static 172.16.30.15
Additional Information:
Static translate 4.2.2.2/1025 to 172.18.30.15/1025

If I look at the ARP table on the switch, I see the ASA's MAC address for 172.181.159.95. If I run show conn, I get the same line as above (in the original post). Here is some more information that does not line up. If I remove object network ALLOFUS, I lose access to the switch from my office. If I recreate the NAT rule and try to access it via a different location that is not my office, I can't access the switch, and I regain access from my office.

To your original question about other NAT rules: yes, I forgot the inbound NAT rule allowing telnet to the switch:

object network SPSRSWSS01
 nat (inside,outside) static interface service tcp telnet 2301

Completely unexplainable on my end, and I'm surprised it even works from my connection.

Hello Nick,

Okay, let's do a capture:

capture capout interface outside match tcp host your_public_ip host interface_ip eq 2301
capture capin interface inside match tcp host 172.16.30.15 host switch_private eq 23
capture capin interface inside match tcp host 172.181.159.95 host switch_private eq 23

Then connect and share:

show cap capin
show cap capout

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jennifer Halim
Cisco Employee

Based on NSLOOKUP, the IP address 172.181.159.95 is ACB59F5F.ipt.aol.com.

Do you or someone else happen to connect using AOL?

C:\Windows\System32>nslookup 172.181.159.95
Name:    ACB59F5F.ipt.aol.com
Address:  172.181.159.95

Thanks Jennifer,

But I don't think you're understanding: that address is the address the ASA is giving as an "outside local" address.

Sent from Cisco Technical Support iPad App
