Re: Problem with public server nat ASA Cisco

Echedey99 · ‎07-13-2018

Good morning,

I'm trying to configure an ASA cisco in my network.

I have a Juniper SRX100 router, configured as a bridge, then, directly connected I have the Cisco ASA and connected to the inside interface my switch Catalyst.

Connected to the catalyst I have three different servers and one laptop.

I have configured a dynamic NAT (PAT) to allow the traffic from 10.10.0.0/24 and it is working right.

My problem is with my two public servers sigma, delta, theta and with beta (with is my switch and I want to allow the ssh with the public IP 37.209.210.71).

I have configured in ASDM four public servers which are created an access-list and an automatic nat.

I am not sure what it is not working but I have tried a lot of things and I can't discover what is the problem...

This is the code:

object network obj-beta-private

host 10.10.0.10

object network obj-beta-public

host 37.209.210.71

object network obj-delta-private

host 10.10.0.220

object network obj-delta-public

host 37.209.210.70

object network obj-sigma-private

host 10.10.0.250

object network obj-sigma-public

host 37.209.210.68

object network obj-theta-private

host 10.10.0.210

object network obj-theta-public

host 37.209.210.69

object network obj-range-private

subnet 10.10.0.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit tcp any object obj-theta-private

access-list outside_access_in extended permit tcp any object obj-sigma-private

access-list outside_access_in extended permit tcp any object obj-delta-private

access-list outside_access_in extended permit tcp any object obj-beta-private

access-list outside_access_in extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

nat (any,outside) source dynamic obj-range-private interface

!

object network obj-beta-private

nat (inside,outside) static obj-beta-public

object network obj-delta-private

nat (inside,outside) static obj-delta-public

object network obj-sigma-private

nat (inside,outside) static obj-sigma-public

object network obj-theta-private

nat (inside,outside) static obj-theta-public

access-group outside_access_in in interface outside

F1S-Mu# show nat detail

Manual NAT Policies (Section 1)

1 (any) to (outside) source dynamic obj-range-private interface translate_hits = 33, untranslate_hits = 9 Source - Origin: 10.10.0.0/24, Translated: 37.209.210.75/28

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static obj-beta-private obj-beta-public

translate_hits = 2, untranslate_hits = 3

Source - Origin: 10.10.0.10/32, Translated: 37.209.210.71/32

2 (inside) to (outside) source static obj-theta-private obj-theta-public

translate_hits = 271, untranslate_hits = 7

Source - Origin: 10.10.0.210/32, Translated: 37.209.210.69/32

3 (inside) to (outside) source static obj-delta-private obj-delta-public

translate_hits = 293, untranslate_hits = 0

Source - Origin: 10.10.0.220/32, Translated: 37.209.210.70/32

4 (inside) to (outside) source static obj-sigma-private obj-sigma-public

translate_hits = 0, untranslate_hits = 3

Source - Origin: 10.10.0.250/32, Translated: 37.209.210.68/32

Thanks for your help!!

Eche

Georg Pauwen · ‎07-13-2018

Hello,

if your public servers have public IP addresses, you don't have to NAT. Where are the servers located, in a DMZ ? Post a schematic drawing of your setup...

Echedey99 · ‎07-13-2018

Hi Georg,

I don't have DMZ, I am just trying to configure a NAT to translate the servers public IPs to the private IPs in my LAN.

I attach a drawing of my topology.

Thanks!

Georg Pauwen · ‎07-13-2018

Hello,

sorry for the confusion: your Juniper is in bridge mode, in your drawing it looks like it is getting a public IP address ?

The servers are on the inside and have private IP addresses, but also public IP addresses ? What is the purpose of giving them public IP addresses when you have to go through the inside (private) and then through the outside (public) again ?

Wouldn't it be easier to just create static NAT entries on the ASA for each server, allowing SSH ?

Echedey99 · ‎07-13-2018

Hi,

It is because I must be able to access to them from different locations (I have a NAS, a Remote Control server...) so it is very important to have a specific public IP in order to be able to connect to each server.

Thanks,

Georg Pauwen · ‎07-13-2018

Hello,

I set this up in GNS3, and the below works. Do you actually have the inside to outside access list configured ?

For the sake of simplicity, I have configured the access lists to allow any/any.

Also, in order to test ICMP, make sure you add it to the inspection_default class

object network obj-beta-private
host 10.10.0.10
nat (inside,outside) static 37.209.210.71
!
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any

!
access-group outside_access_in in interface outside

access-group inside_access_out out interface inside
!
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp

Echedey99 · ‎07-17-2018

Good morning Georg,

Thanks for your answer, I have the access rules configured and I think the problem is in the nat because if I do:

F1S-Mu# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-beta obj-beta-ext
translate_hits = 6, untranslate_hits = 4
2 (inside) to (outside) source static obj-theta obj-theta-ext
translate_hits = 233, untranslate_hits = 11
3 (inside) to (outside) source static obj-delta obj-delta-ext
translate_hits = 417, untranslate_hits = 0
4 (inside) to (outside) source static obj-sigma obj-sigma-ext
translate_hits = 0, untranslate_hits = 1
5 (inside) to (outside) source dynamic obj-10.10.0.0 interface
translate_hits = 4, untranslate_hits = 5

You can see that there are a lot of translates inside ---> outside but only a few outside ----> inside (with is the direction that I use in order to access to this servers).

I am not sure if I need to configure a new manual nat outside --> inside or with my actual NATs is enought...

Thanks!

Georg Pauwen · ‎07-17-2018

Hello,

can you post the full config of your ASA ? I want to compare it to what I have configured...

Echedey99 · ‎07-17-2018

Hi Georg,

I have attached the config, the device is a Cisco ASA 5515.

It is pretty simple but I think that something is failing...

Thanks!

Georg Pauwen · ‎07-17-2018

Hello,

thanks, I'll have a look...

Georg Pauwen · ‎07-18-2018

Hello,

try to configure the NAT as in my example. Manual NAT is preferred...

object network obj-beta-private
host 10.10.0.10
nat (inside,outside) static 37.209.210.71

Echedey99 · ‎07-18-2018

Good afternoon Georg,

I have tried with that but still is not working.

If I do "show nat" I can see that there are only translates in one direction (inside ---> outside):

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-beta-private 37.209.210.71
translate_hits = 2, untranslate_hits = 2
2 (inside) to (outside) source static obj-theta-private 37.209.210.69
translate_hits = 176, untranslate_hits = 2
3 (inside) to (outside) source static obj-delta-private 37.209.210.70
translate_hits = 217, untranslate_hits = 2
4 (inside) to (outside) source static obj-sigma-private 37.209.210.68
translate_hits = 1, untranslate_hits = 1
5 (inside) to (outside) source dynamic obj-10.10.0.0 interface
translate_hits = 4, untranslate_hits = 6

I attach my new configuration.

Thanks,