NAT Outside to Internal VLAN

ztiram
Level 1

Overview:

I'm working with a Cisco ASA firewall to allow external traffic from a public IP Y.Y.Y.Y to reach an internal Flask server at 172.16.10.250 on port 8000. My ASA has an external interface (outside) with the public IP X.X.X.X and an internal interface (vlan10) with the subnet 172.16.10.0/24. Despite setting up the necessary NAT and ACL rules, the traffic is not reaching the Flask server.

Relevant ASA Configuration:

  1. Interfaces:

    • Outside Interface (Port-channel2):
      • IP Address: X.X.X.X/27
      • Security Level: 0
    • vlan10 Interface (Port-channel1.10):
      • IP Address: 172.16.10.1/24
      • Security Level: 50
  2. NAT Rules:

    Rule 2 (vlan10 to outside):

      • Translates outgoing traffic from vlan10 to outside for traffic on port 8000.
      • translate_hits = 0, untranslate_hits = 61
      • object network obj_flask_server
        nat (vlan10,outside) static interface service tcp 8000 8000

  3. ACLs:

    • outside_access_in:
      • Applied to the outside interface, allowing specific IPs and services, including ICMP and TCP on port 8000.
      • Example rules:
        • access-list outside_access_in extended permit tcp any host X.X.X.X eq 8000
        • access-list outside_access_in extended permit icmp any any
    • vlan10_access_in:
      • Applied to vlan10, permitting traffic from any source to any destination, including specific rules for ICMP and TCP on port 8000.
      • Example rules:
        • access-list vlan10_access_in extended permit ip any any
        • access-list vlan10_access_in extended permit tcp host 172.16.10.250 eq 8000 host Y.Y.Y.Y
  4. Testing Connectivity:

    • Ping:
      • Attempts to ping from the outside interface to vlan10 (and vice versa) fail.
    • Curl:
      • Sending a curl request from an external IP (Y.Y.Y.Y) to https://X.X.X.X:8000 is captured by the ASA but is not translated and forwarded to 172.16.10.250.
  5. Routing:

    • DHCP relay is enabled on vlan10 and vlan20.
    • A default route is set for outside pointing to the gateway of my DC X.X.X.225.
  6. Proxy Consideration:

    • The Flask server is behind a proxy, but the proxy does not perform any specific filtering that should affect the traffic.

Main Problem:

Even though the traffic from Y.Y.Y.Y to X.X.X.X:8000 is captured on the ASA's outside interface, it is not being translated or forwarded to the Flask server on vlan10. The current NAT and ACL configurations appear to be correct, but the traffic is not reaching its destination.

Key Questions:

  1. Why is the traffic not hitting the NAT rule that translates X.X.X.X:8000 to 172.16.10.250:8000?
  2. Could the failure to ping between outside and vlan10 be related to the routing or NAT setup?
  3. Are there any additional ASA settings or security policies that might be blocking or dropping the traffic after it reaches the outside interface?

Can anyone guide me?

Best regards.

27 Replies

Share the NAT config and ACL.

MHM

ztiram
Level 1

object network obj_flask_server
host 172.16.10.250
nat (vlan10,outside) static interface service tcp 8000 8000

    access-list outside_access_in extended permit tcp host Y.Y.Y.Y host X.X.X.X eq 8000
    access-list outside_access_in extended permit tcp any host X.X.X.X eq 8000
    access-list outside_access_in extended permit tcp host X.X.X.X eq 8000 host Y.Y.Y.Y

    access-list vlan10_access_in extended permit ip any any
    access-list vlan10_access_in extended permit tcp host 172.16.10.250 eq 8000 host Y.Y.Y.Y

object network obj_flask_server
host 172.16.10.250
nat (vlan10,outside) static interface service tcp 8000 8000

Instead use this:

nat (vlan10,outside) static object <object of real server IP> interface service tcp 8000 8000

And delete the old one.

MHM

ztiram
Level 1

It would be something like this?
object network obj_flask_server
host 172.16.10.250
nat (vlan10,outside) static object obj_flask_server interface service tcp 8000 8000

Because when I do that I get a syntax error on an ASA 5515-X.

Don't configure it under any object.

Configure the NAT directly in config mode:

nat (vlan10,outside) static object obj_flask_server interface service tcp 8000 8000

Remember to disable or remove the old NAT when adding the new one.

MHM

ztiram
Level 1

Same result when I do it only in configuration mode.

This lab is for you.
I configured NAT by:
A- configuring a network object for the real server IP
B- configuring a service object for tcp source telnet (in your case use eq 8000)
C- using
nat (IN,OUT) source static <object of real server IP> interface service <object of tcp port> <object of tcp port>

NOTE: the NAT does not work if you use a different nameif than the one used under the interface.

Lastly, I used an ACL to access the real server IP and applied this ACL on the OUT interface with direction IN.

Try the same steps as above and check the result.

MHM

[Attachment: Screenshot (672).png]

ztiram
Level 1

Hello, thanks for your answer.

I've done what you wrote:
object network obj_flask_server
host 172.16.10.250
object service HTTP_8000
service tcp source eq 8000
nat (vlan10,outside) source static obj_flask_server interface service HTTP_8000 HTTP_8000

curl -X POST https://OUTSIDE_INTERFACE_IP:8000/webhook -H "Content-Type: application/json" -d '{ "test": "data"}'
from my computer on the outside

and I get this:
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (vlan10) to (outside) source static obj_flask_server interface service HTTP_8000 HTTP_8000
translate_hits = 0, untranslate_hits = 5

That's good, the NAT is correct and there are untranslate hits.

Now, to see what makes the packet drop, run

packet-tracer input outside tcp 1.1.1.1 1234 <mapped server IP> 8000 detailed

and share the output here.

MHM

jilse-iph
Level 1

Try using "access-list outside_access_in extended permit tcp any object obj_flask_server eq 8000" instead of "access-list outside_access_in extended permit tcp any host X.X.X.X eq 8000". I think you have to use the "real destination" in your access-list on the outside interface. This is different from the requirement on the old "PIX" firewalls with firmware older than 7.0. You do not need any access-list on the vlan10 interface. The implicit rule based on security levels (which is used until an "in" ACL is applied to that interface and allows all traffic from that interface to all interfaces with a lower security level) should be enough for your configuration.

OOPS! I think the firmware change that requires using the "real destination" in access-lists when using NAT in combination with access-lists was between firmware 7.x and firmwares 8.x and newer. I think it was changed when the NAT configuration was changed from "global (interface) n" and "nat (interface) n" to the current NAT syntax. In ASA firmware 7.x, the IP address in an "in" ACL on the outside interface had to match the destination interface of the received packet from the outside interface; since 8.x firmwares, it has to match the "real destination", i.e. the inside IP address of the server. So ztiram has to use either the IP address of the server in network 172.16.10/24 or "object obj_flask_server" in the access-list outside_access_in.
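
The point made in the reply above (since ASA 8.3, an inbound interface ACL is evaluated after UN-NAT and must reference the real host, not the mapped public address) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses a small constructed config excerpt modelled on the one posted here and flags outside-interface ACL entries that match the mapped address of a static NAT instead of the real host. The address 203.0.113.10 is a documentation address standing in for X.X.X.X and is an assumption; the audit compares addresses only and does not check ports.

```python
"""Check that ASA inbound ACLs reference the real (pre-NAT) address.
Added example modelled on the thread, not code from it or from Cisco.
203.0.113.10 is a documentation address standing in for X.X.X.X (assumption)."""
import re

# Constructed config excerpt mirroring the thread (wrong ACL line first, correct one second).
SAMPLE_CONFIG = """
interface Port-channel2
 nameif outside
 ip address 203.0.113.10 255.255.255.224
interface Port-channel1.10
 nameif vlan10
 ip address 172.16.10.1 255.255.255.0
object network obj_flask_server
 host 172.16.10.250
 nat (vlan10,outside) static interface service tcp 8000 8000
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 8000
access-list outside_access_in extended permit tcp any object obj_flask_server eq 8000
access-group outside_access_in in interface outside
"""
OBJ_NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)")
MANUAL_NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+)")


def parse_interfaces(cfg):
    """Map nameif -> interface IP by walking the 'interface' blocks."""
    ifaces, nameif = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ifaces[nameif] = line.split()[2]
    return ifaces


def parse_static_nats(cfg, ifaces):
    """Return (object, real_ip, real_if, mapped_if, mapped_ip) for object NAT and manual NAT rules."""
    hosts, nats, obj = {}, [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("object network "):
            obj = line.split()[2]
        elif line.startswith("host ") and obj:
            hosts[obj] = line.split()[1]
        elif line.startswith("nat "):
            m = MANUAL_NAT_RE.match(line)
            if m:
                real_if, mapped_if, real_obj, mapped = m.groups()
            elif OBJ_NAT_RE.match(line) and obj:
                (real_if, mapped_if, mapped), real_obj = OBJ_NAT_RE.match(line).groups(), obj
            else:
                continue
            if real_obj in hosts:  # 'interface' means the mapped interface's own address
                mapped_ip = ifaces.get(mapped_if, "?") if mapped == "interface" else mapped
                nats.append((real_obj, hosts[real_obj], real_if, mapped_if, mapped_ip))
    return nats


def _addr(t, i):
    """One ACL address spec at t[i]: any | host IP | object NAME | object-group NAME | IP MASK."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] in ("host", "object", "object-group"):
        return (t[i], t[i + 1]), i + 2
    return ("subnet", t[i] + " " + t[i + 1]), i + 2


def parse_acl(line):
    """access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P] -> (name, dst_spec, dport)."""
    t = line.split()
    src, i = _addr(t, 5)
    if i < len(t) and t[i] == "eq":  # source-port qualifier, as in the vlan10 ACL above
        i += 2
    dst, i = _addr(t, i)
    dport = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return t[1], dst, dport


def audit_config(cfg):
    """Return (status, acl_line, detail); status is 'mapped-address' or 'ok'."""
    nats = parse_static_nats(cfg, parse_interfaces(cfg))
    applied = {}  # ACL name -> interface it is bound to inbound
    for t in (l.split() for l in cfg.splitlines()):
        if t[:1] == ["access-group"] and t[2] == "in":
            applied[t[1]] = t[4]
    findings = []
    for line in (l.strip() for l in cfg.splitlines()):
        if not line.startswith("access-list "):
            continue
        name, (kind, val), _ = parse_acl(line)
        for obj, real_ip, _, mapped_if, mapped_ip in nats:
            if applied.get(name) != mapped_if:
                continue  # only ACLs on the NAT's mapped interface are affected
            if kind == "host" and val == mapped_ip:
                findings.append(("mapped-address", line,
                                 f"matches mapped {mapped_ip}; the ACL is evaluated after "
                                 f"UN-NAT, use 'host {real_ip}' or 'object {obj}'"))
            elif (kind == "host" and val == real_ip) or (kind == "object" and val == obj):
                findings.append(("ok", line, f"matches real host {real_ip}"))
    return findings


if __name__ == "__main__":
    for status, line, detail in audit_config(SAMPLE_CONFIG):
        print(f"[{status}] {line}\n    {detail}")
```

Run against the constructed excerpt it reports the `host 203.0.113.10` line as `mapped-address` and the `object obj_flask_server` line as `ok`. Feed it `show running-config` output from a real box to get the same verdict for every static NAT whose mapped interface has an inbound ACL.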

ztiram
Level 1

Hello guys, thanks for your answers

So I put "access-list outside_access_in extended permit tcp any object obj_flask_server eq 8000" and it got me to phase 5; before this it was stuck at phase 2.

ciscoasa(config)# packet-tracer input outside tcp 1.1.1.1 1234 172.16.10.250 8$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.10.0 255.255.255.0 vlan10

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object obj_flask_server eq 8000
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c1de430, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fff2375dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=172.16.10.250, mask=255.255.255.255, port=8000, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29b7dbb0, priority=0, domain=nat-per-session, deny=false
hits=8288420, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a7e1580, priority=0, domain=inspect-ip-options, deny=true
hits=25373417, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b307560, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=8111, user_data=0x0, cs_id=0x7fff2b2fe4e0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: vlan10
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I don't really understand why it is routed to VPN traffic.
I have a proxy that doesn't filter anything on the other side of my VPN S2S tunnel, so maybe that's because of this.

172.16.10.250 <<- this is the real IP, not the mapped IP.

packet-tracer input outside tcp 1.1.1.1 1234 <mapped server IP / outside ASA interface IP> 8000 detailed

ztiram
Level 1

ciscoasa# packet-tracer input outside tcp 1.1.1.1 1234 X.X.X.228 8000 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (vlan10,outside) source static obj_flask_server interface service HTTP_8000 HTTP_8000
Additional Information:
NAT divert to egress interface vlan10
Untranslate X.X.X.228/8000 to 172.16.10.250/8000

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object obj_flask_server eq 8000
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c1de430, priority=13, domain=permit, deny=false
hits=10, user_data=0x7fff2375dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=172.16.10.250, mask=255.255.255.255, port=8000, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (vlan10,outside) source static obj_flask_server interface service HTTP_8000 HTTP_8000
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234
Forward Flow based lookup yields rule:
in id=0x7fff2b74ebf0, priority=6, domain=nat, deny=false
hits=8, user_data=0x7fff2a78f570, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=X.X.X.228, mask=255.255.255.255, port=8000, tag=0, dscp=0x0
input_ifc=outside, output_ifc=vlan10

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29b7dbb0, priority=0, domain=nat-per-session, deny=false
hits=8312888, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a7e1580, priority=0, domain=inspect-ip-options, deny=true
hits=25451520, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b307560, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=8125, user_data=0x0, cs_id=0x7fff2b2fe4e0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: vlan10
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

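The two packet-tracer runs above show why the command has to be given the mapped address: with the real IP the UN-NAT phase never appears, while with the mapped IP the flow is untranslated, passes the ACL, and is only dropped in the VPN ipsec-tunnel-flow phase. Reading that off a long trace by hand is error-prone, so the following added example (not code from the thread or from Cisco) parses `packet-tracer ... detailed` and `show nat` output and reports the phase that dropped the flow together with the drop reason. The trace and `show nat` text are constructed and abbreviated copies of the ones posted here, with 203.0.113.10 standing in for X.X.X.228; the `HINTS` text for each drop phase is this example's own heuristic reading, not Cisco's wording.

```python
"""Triage ASA 'packet-tracer ... detailed' and 'show nat' output.
Added example modelled on the thread, not code from it or from Cisco. The trace
below is constructed and abbreviated; 203.0.113.10 stands in for X.X.X.228."""
import re

SAMPLE_TRACE = """\
ciscoasa# packet-tracer input outside tcp 1.1.1.1 1234 203.0.113.10 8000 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (vlan10,outside) source static obj_flask_server interface service HTTP_8000 HTTP_8000
Additional Information:
Untranslate 203.0.113.10/8000 to 172.16.10.250/8000

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object obj_flask_server eq 8000
Additional Information:
in id=0x7fff2c1de430, priority=13, domain=permit, deny=false

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
in id=0x7fff2b307560, priority=70, domain=ipsec-tunnel-flow, deny=false

Result:
input-interface: outside
output-interface: vlan10
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (vlan10) to (outside) source static obj_flask_server interface service HTTP_8000 HTTP_8000
    translate_hits = 0, untranslate_hits = 5
"""
# This example's own heuristics for what a DROP in a given "Type/Subtype" usually means.
HINTS = {
    "ACCESS-LIST/log": "inbound ACL denied the flow; since ASA 8.3 it must match the real "
                       "(post-UN-NAT) address such as 'object obj_flask_server', not the mapped IP",
    "VPN/ipsec-tunnel-flow": "the flow hit the IPsec tunnel-flow check on the input interface; "
                             "review the crypto map and crypto ACLs bound there for an entry "
                             "covering this source or destination",
}


def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final Result block."""
    phases, summary, cur, section, in_summary = [], {}, None, None, False
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Phase:\s*(\d+)$", line)
        if not line:
            continue
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare 'Result:' opens the final summary, not a phase result
            in_summary, cur = True, None
        elif in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif cur is None:
            continue  # the echoed command line before Phase 1
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            cur[section].append(line)
    return phases, summary


def parse_show_nat(text):
    """Return [(id, real_if, mapped_if, rule, translate_hits, untranslate_hits)]."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"(\d+) \((\S+)\) to \((\S+)\) (.+)$", line)
        if m:
            rules.append([int(m.group(1)), m.group(2), m.group(3), m.group(4), 0, 0])
        h = re.search(r"translate_hits = (\d+), untranslate_hits = (\d+)", line)
        if h and rules:
            rules[-1][4:] = [int(h.group(1)), int(h.group(2))]
    return [tuple(r) for r in rules]


def diagnose(trace_text, nat_text):
    """Tie the drop reason to the phase that produced it; confirm UN-NAT matched the rule."""
    phases, summary = parse_trace(trace_text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    key = f"{drop['type']}/{drop['subtype']}" if drop else None
    return {
        "nat_rule_hit": any(r[5] > 0 for r in parse_show_nat(nat_text)),
        "un_nat_in_trace": any(p["type"] == "UN-NAT" and any(i.startswith("Untranslate")
                               for i in p["info"]) for p in phases),
        "allowed_phases": [p["phase"] for p in phases if p["result"] == "ALLOW"],
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": key,
        "drop_reason": summary.get("Drop-reason"),
        "egress": summary.get("output-interface"),
        "hint": HINTS.get(key, "no hint for this phase; read its Config and Additional Information"),
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_TRACE, SAMPLE_SHOW_NAT).items():
        print(f"{k}: {v}")
```

On the constructed trace the result is `drop_phase: 3`, `drop_type: VPN/ipsec-tunnel-flow` and `un_nat_in_trace: True`, which is the same picture the second trace above shows: NAT and ACL are no longer the problem, the VPN phase is. Paste a real trace and `show nat` into the two strings, or read them from files, to triage the next change the same way.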