disabling NAT between internal interfaces on ASA 9.2

ajamua
Level 1

I am trying to configure my ASA firewall to allow connections between its interfaces on different security levels using NAT exemption. I am familiar with how to accomplish this via pre-8.3 code, but I am confused trying to get a new firewall working using Twice NAT. Here are the configured interfaces on the firewall:

cnFWHS01(config)# sh nameif

Interface                Name                     Security

GigabitEthernet0/6       data-prod-ext              0
Management0/0            management               100
Port-channel15.2         nyc-admin-infra          100
Port-channel15.38        data-prod-sci             66
Port-channel15.42        seo-project-prod          65
Port-channel25.36        data-qa-sci               50
Port-channel25.40        data-dev-sci              51
Port-channel25.41        seo-project-beta          52
Port-channel35.425       cn-svi-HS                 45

I would like to be able to exempt NAT translations between these interfaces, except going to the external VLAN interface cn-svi-HS. I was able to get the external translations working by configuring specific object-groups for dynamic NAT and then configuring NAT as such:

object network obj-207.241.145.58
host 207.241.145.58

object network obj-data-dev-sci
nat (data-dev-sci,data-prod-ext) dynamic obj-207.241.145.58

Now the problem comes when I want to disable NAT between the interfaces. So, for example, when I try to connect 10.12.40.230 [data-dev-sci] to 10.12.38.230 [data-prod-sci] via SSH, I keep getting this message on the firewall:

cnFWHS01(config)# Jan 05 2016 20:35:24: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:25: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:27: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:31: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci

I tried using this NAT configuration:

object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0

object network ID-data-prod-sci
subnet 10.12.38.0 255.255.254.0

cnFWHS01(config)# sh run nat
nat (data-prod-sci,data-dev-sci) source static any any destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
nat (data-prod-sci,data-dev-sci) source static ID-data-prod-sci2 ID-data-prod-sci2 destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional

cnFWHS01(config)# sh nat
Manual NAT Policies (Section 1)
1 (data-prod-sci) to (data-dev-sci) source static any any destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
translate_hits = 0, untranslate_hits = 586
2 (data-prod-sci) to (data-dev-sci) source static ID-data-prod-sci2 ID-data-prod-sci2 destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
translate_hits = 0, untranslate_hits = 0

Please point me in the right direction thank you.

7 Replies 7

Joel
Level 1

I have a similar setup where I route between interfaces and do not need NAT nor NAT0 (exemption) configured. Obviously I can configure it if needed, i.e. object NAT etc.

You are trying to parse traffic from a lower security level to a higher one.
Port-channel15.38        data-prod-sci             66
Port-channel25.40        data-dev-sci              51

If an ACL is not applied to permit traffic the default behaviour is to deny traffic from lower to higher security level interface.

Jan 05 2016 20:35:25: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci

A useful tool is packet-tracer.

Joel.

Thanks for the quick response. I have ACLs that permit all tcp, udp, icmp traffic as follows:

cnFWHS01(config)# sh access-list 105
access-list 105; 5 elements; name hash: 0x37b7a201
access-list 105 line 1 extended permit icmp any any (hitcnt=217) 0xb03102d6
access-list 105 line 2 extended permit tcp any any (hitcnt=1657) 0xb3968379
access-list 105 line 3 extended permit udp any any (hitcnt=1198) 0xb2a1581f
access-list 105 line 4 extended permit gre any any (hitcnt=0) 0x551c4eb1
access-list 105 line 5 extended permit esp any any (hitcnt=0) 0x2dfe4840
cnFWHS01(config)# sh run | in access-group
cnFWHS01(config)# sh run | in access-group
access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext

Unfortunately I still cannot connect via SSH. I do not think I need to be more specific with the ACL. 

Thanks for the packet-trace tip. The results say that the acl-drop is the reason, saying the flow is denied by a configured rule. Unfortunately I cannot figure out which rule is dropping it, since the logs do not state that the cause is an ACL drop. Here are the packet-trace results:

cnFWHS01(config)# packet-tracer input data-dev-sci tcp 10.12.38.230 ssh 10.12.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Jan 05 2016 21:51:21: %ASA-2-106001: Inbound TCP connection denied from 10.12.38.230/22 to 10.12.40.230/22 flags SYN on interface data-dev-sci
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f1cd490, priority=1, domain=permit, deny=false
hits=23106, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=data-dev-sci, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.12.40.0 255.255.255.0 data-dev-sci

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f893ce0, priority=111, domain=permit, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=data-dev-sci, output_ifc=data-dev-sci

Result:
input-interface: data-dev-sci
input-status: up
input-line-status: up
output-interface: data-dev-sci
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Access-group 105 is applied to two interfaces.

access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext

But I believe you wish to route from data-dev-sci: "I would like to be able to connect 10.12.40.230 [data-dev-sci] to 10.12.38.230 [data-prod-sci]". What's applied to data-dev-sci? If nothing, the default behaviour of denying traffic from a lower to a higher security level will take effect.

Port-channel15.38        data-prod-sci             66
Port-channel25.40        data-dev-sci              51

Joel
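The check Joel applies by eye above (is an inbound access-group bound to the ingress interface, and if not, does the security-level default allow or deny the flow?) can be automated. The following is an added audit script, not code from the thread or from Cisco; the sample output is constructed to mirror the "sh nameif" and "sh run | in access-group" listings in the question, and the predicted verdict only covers the implicit rule, not the contents of a bound ACL.

```python
import re

# Constructed sample output modelled on the thread's listings; not captured
# from the poster's firewall.
SHOW_NAMEIF = """\
Interface                Name                     Security
GigabitEthernet0/6       data-prod-ext              0
Management0/0            management               100
Port-channel15.38        data-prod-sci             66
Port-channel25.40        data-dev-sci              51
"""

SHOW_ACCESS_GROUP = """\
access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext
"""

NAMEIF_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*$")
AG_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")

def parse_nameif(text):
    """Map nameif -> security level from 'show nameif' output."""
    levels = {}
    for line in text.splitlines():
        m = NAMEIF_RE.match(line.strip())
        if m and m.group(2) != "Name":   # skip the header row
            levels[m.group(2)] = int(m.group(3))
    return levels

def parse_access_groups(text):
    """Map (nameif, direction) -> ACL name from access-group lines."""
    groups = {}
    for line in text.splitlines():
        m = AG_RE.match(line.strip())
        if m:
            groups[(m.group(3), m.group(2))] = m.group(1)
    return groups

def implicit_verdict(levels, groups, src_ifc, dst_ifc):
    """Predict the ASA default for a flow entering src_ifc and leaving dst_ifc.
    'acl:<name>' when an inbound ACL is bound (its lines decide), 'allow' for
    higher->lower, 'deny' for lower->higher or equal levels (no inter-interface
    same-security permit assumed)."""
    acl = groups.get((src_ifc, "in"))
    if acl:
        return f"acl:{acl}"
    return "allow" if levels[src_ifc] > levels[dst_ifc] else "deny"

def interfaces_missing_inbound_acl(levels, groups):
    """Interfaces below the top security level with no inbound access-group:
    lower->higher flows from them hit the implicit deny seen in Phase 3."""
    top = max(levels.values())
    return sorted(n for n, lvl in levels.items()
                  if lvl < top and (n, "in") not in groups)
```

Running it against the sample reports data-dev-sci as the only interface with no inbound ACL, which is exactly the gap that produced the 106001 denials and the packet-tracer acl-drop.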

Crap you are correct! Thanks a lot I knew it had to be something simple I was overlooking. I appreciate the second pair of eyes. Happy New Year!

Happy New Year to you as well!

