NAT Outside to Internal VLAN

ztiram
Level 1

Overview:

I'm working with a Cisco ASA firewall to allow external traffic from a public IP Y.Y.Y.Y to reach an internal Flask server at 172.16.10.250 on port 8000. My ASA has an external interface (outside) with the public IP X.X.X.X and an internal interface (vlan10) with the subnet 172.16.10.0/24. Despite setting up the necessary NAT and ACL rules, the traffic is not reaching the Flask server.

Relevant ASA Configuration:

  1. Interfaces:

    • Outside Interface (Port-channel2):
      • IP Address: X.X.X.X/27
      • Security Level: 0
    • vlan10 Interface (Port-channel1.10):
      • IP Address: 172.16.10.1/24
      • Security Level: 50
  2. NAT Rules:

    Rule 2 (vlan10 to outside):

      • Translates outgoing traffic from vlan10 to outside for traffic on port 8000.
      • translate_hits = 0, untranslate_hits = 61
      • object network obj_flask_server
        nat (vlan10,outside) static interface service tcp 8000 8000


  3. ACLs:

    • outside_access_in:
      • Applied to the outside interface, allowing specific IPs and services, including ICMP and TCP on port 8000.
      • Example rules:
        • access-list outside_access_in extended permit tcp any host X.X.X.X eq 8000
        • access-list outside_access_in extended permit icmp any any
    • vlan10_access_in:
      • Applied to vlan10, permitting traffic from any source to any destination, including specific rules for ICMP and TCP on port 8000.
      • Example rules:
        • access-list vlan10_access_in extended permit ip any any
        • access-list vlan10_access_in extended permit tcp host 172.16.10.250 eq 8000 host Y.Y.Y.Y
  4. Testing Connectivity:

    • Ping:
      • Attempts to ping from the outside interface to vlan10 (and vice versa) fail.
    • Curl:
      • Sending a curl request from an external IP (Y.Y.Y.Y) to https://X.X.X.X:8000 is captured by the ASA but is not translated and forwarded to 172.16.10.250.
  5. Routing:

    • DHCP relay is enabled on vlan10 and vlan20.
    • A default route is set for outside pointing to the gateway of my DC X.X.X.225.
  6. Proxy Consideration:

    • The Flask server is behind a proxy, but the proxy does not perform any specific filtering that should affect the traffic.

Main Problem:

Even though the traffic from Y.Y.Y.Y to X.X.X.X:8000 is captured on the ASA's outside interface, it is not being translated or forwarded to the Flask server on vlan10. The current NAT and ACL configurations appear to be correct, but the traffic is not reaching its destination.

Key Questions:

  1. Why is the traffic not hitting the NAT rule that translates X.X.X.X:8000 to 172.16.10.250:8000?
  2. Could the failure to ping between outside and vlan10 be related to the routing or NAT setup?
  3. Are there any additional ASA settings or security policies that might be blocking or dropping the traffic after it reaches the outside interface?

Can anyone guide me?

Best regards.


Now this is correct.
The only remaining question here: are you using an IPsec ACL and specifying ANY in that ACL?
Can I see the ACL of the IPsec policy?

MHM


@ztiram wrote:

ciscoasa# packet-tracer input outside tcp 1.1.1.1 1234 X.X.X.228 8000 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (vlan10,outside) source static obj_flask_server interface service HTTP_8000 HTTP_8000
Additional Information:
NAT divert to egress interface vlan10
Untranslate X.X.X.228/8000 to 172.16.10.250/8000

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object obj_flask_server eq 8000
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c1de430, priority=13, domain=permit, deny=false
hits=10, user_data=0x7fff2375dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=172.16.10.250, mask=255.255.255.255, port=8000, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (vlan10,outside) source static obj_flask_server interface service HTTP_8000 HTTP_8000
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234
Forward Flow based lookup yields rule:
in id=0x7fff2b74ebf0, priority=6, domain=nat, deny=false
hits=8, user_data=0x7fff2a78f570, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=45.141.173.228, mask=255.255.255.255, port=8000, tag=0, dscp=0x0
input_ifc=outside, output_ifc=vlan10

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29b7dbb0, priority=0, domain=nat-per-session, deny=false
hits=8312888, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a7e1580, priority=0, domain=inspect-ip-options, deny=true
hits=25451520, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b307560, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=8125, user_data=0x0, cs_id=0x7fff2b2fe4e0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: vlan10
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


The ACL used in the "match address" statement in the crypto map should match all outgoing traffic on the outside interface that should be sent through the VPN tunnel. Usually that is not "any to any". So there may be an issue in your VPN configuration. And you may want to configure a NAT exemption for your VPN traffic (in most cases, a VPN is used to connect local and remote networks without doing NAT between those networks).

ztiram
Level 1

access-list acl-amzn line 1 extended permit ip any4 10.0.0.0 255.0.0.0 (hitcnt=21970) 0x873edccf
access-list acl-amzn line 2 extended permit ip any4 any4 (hitcnt=13984) 0xf6a0df5b
access-list acl-amzn line 3 extended permit ip 172.16.4.0 255.255.254.0 any (hitcnt=0) 0x00b65006
access-list acl-amzn line 4 extended permit ip 172.16.20.0 255.255.254.0 any (hitcnt=0) 0xeae15225
access-list acl-amzn line 5 extended permit ip 172.16.10.0 255.255.255.0 any (hitcnt=0) 0x29b9d317
access-list acl-amzn line 6 extended permit ip 172.16.99.0 255.255.255.0 any (hitcnt=0) 0xfe602352
access-list acl-amzn line 7 extended permit icmp 172.16.99.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x2c28a2a1
access-list acl-amzn line 8 extended permit ip any any (hitcnt=0) 0x836ef7df
access-list acl-amzn line 9 extended permit icmp 172.16.4.0 255.255.254.0 host 10.0.0.101 echo (hitcnt=0) 0x1c6617f2


access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.4.0 255.255.254.0
access-list amzn-filter extended permit ip any4 any4
access-list amzn-filter extended permit icmp any4 any4
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.99.0 255.255.255.0
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.20.0 255.255.254.0
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.150.0 255.255.255.0
access-list amzn-filter extended permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0

Thanks for sharing, but which one of these ACLs is used for IPsec?

MHM

ztiram
Level 1

Actually my vpn configuration is this one.

crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside
crypto ca trustpool policy
vpn-filter value amzn-filter

172.16.10.250 <<- this server's real IP matches:
access-list acl-amzn line 5 extended permit ip 172.16.10.0 255.255.255.0 any (hitcnt=0) 0x29b9d317
access-list acl-amzn line 2 extended permit ip any4 any4 (hitcnt=13984) 0xf6a0df5b
access-list acl-amzn line 8 extended permit ip any any (hitcnt=0) 0x836ef7df

So, friend, your IPsec ACL is dropping access to the internal server.
You must reconfigure your IPsec ACL.
MHM

Your ACL acl-amzn is wrong. It should match all outgoing traffic running through your IPsec tunnel and nothing else. So maybe it should be something like:

access-list amzn-filter extended permit ip 172.16.4.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list amzn-filter extended permit ip 172.16.99.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list amzn-filter extended permit ip 172.16.20.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list amzn-filter extended permit ip 172.16.150.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list amzn-filter extended permit ip 172.16.10.0 255.255.255.0 10.0.0.0 255.0.0.0

The line "access-list amzn-filter extended permit ip any4 any4" leads to something like "send all traffic through the IPsec tunnel and accept incoming traffic only if it is IPsec encrypted", and I think that was not what you want ...
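To make the mirrored crypto-ACL behaviour concrete, here is an added Python example (not from this thread or from Cisco) that parses the acl-amzn lines quoted above and lists which permit entries claim the outbound mirror of the test flow 1.1.1.1 -> 172.16.10.250, before and after the tightening suggested in this reply. It lists every matching line rather than stopping at the first match, and it deliberately does not model how the ASA treats deny ACEs in a crypto ACL.

```python
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed sample: lines from the acl-amzn output quoted in the thread plus the
# deny the poster added later; 'show access-list' form with hitcnt fields.
ACL_AMZN = """
access-list acl-amzn line 1 extended deny ip host 172.16.10.250 any (hitcnt=0) 0x61ad46b6
access-list acl-amzn line 2 extended permit ip any4 any4 (hitcnt=13984) 0xf6a0df5b
access-list acl-amzn line 5 extended permit ip 172.16.10.0 255.255.255.0 any (hitcnt=0) 0x29b9d317
access-list acl-amzn line 8 extended permit ip any any (hitcnt=0) 0x836ef7df
"""
# Two of the tightened crypto-ACL lines proposed above, in plain config form.
ACL_FIXED = """
access-list amzn-filter extended permit ip 172.16.4.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list amzn-filter extended permit ip 172.16.10.0 255.255.255.0 10.0.0.0 255.0.0.0
"""

def _net(tokens):
    """Consume one ASA address spec: any/any4, 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")

def parse_acl(text):
    """Parse extended ACEs (show output or config form) into dicts."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if "extended" not in tokens:
            continue
        line_no = int(tokens[tokens.index("line") + 1]) if "line" in tokens else len(entries) + 1
        rest = tokens[tokens.index("extended") + 1:]
        action, proto, rest = rest[0], rest[1], rest[2:]
        src, dst = _net(rest), _net(rest)  # _net pops tokens; src is consumed first
        entries.append({"line": line_no, "action": action, "proto": proto, "src": src, "dst": dst})
    return entries

def tunnel_matches(entries, inside_ip, peer_ip, proto="tcp"):
    """Permit ACE lines covering the outbound flow inside_ip -> peer_ip. The ASA applies
    the crypto-map ACL mirrored to inbound traffic, so a clear-text packet peer_ip ->
    inside_ip whose mirror matches is expected inside the tunnel and gets dropped."""
    s, d = ipaddress.ip_address(inside_ip), ipaddress.ip_address(peer_ip)
    return [e["line"] for e in entries if e["action"] == "permit"
            and e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]]

def overly_broad(entries):
    """Permit ACEs with 'any' on both ends: they pull every flow into the crypto map."""
    return [e["line"] for e in entries if e["action"] == "permit" and e["src"] == ANY and e["dst"] == ANY]
```

With the quoted acl-amzn the flow is claimed by lines 2, 5 and 8, which is why the packet-tracer run ends in the ipsec-tunnel-flow drop; with the tightened list it is claimed by none of them.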

ztiram
Level 1

If I put a deny first for 172.16.10.250, will it be OK?

This will make the server unable to access any remote LAN over the IPsec VPN.

But for checking, you can add it and test access to the server.

MHM

ztiram
Level 1

Do I have any other solution?
In fact, my Flask server just needs to receive webhook messages from my Jira Cloud server on port 8000, so I think it doesn't need access to the remote networks.

ztiram
Level 1

Even though I added
access-list acl-amzn line 1 extended deny ip host 172.16.10.250 any (hitcnt=0) 0x61ad46b6

I still get the same result with
packet-tracer input outside tcp 1.1.1.1 1234 X.X.X.228 8000 detailed

I don't think the deny works with the VPN ACL.

You need to reconfigure the VPN ACL.
Sorry, there is no other solution.

MHM

ztiram
Level 1

Thanks for your answer. So if I make a DMZ network outside of the VPN policy, it should work?
