disabling NAT between internal interfaces on ASA 9.2

ajamua
Level 1

I am trying to configure my ASA firewall to allow connections between its interfaces on different security levels using NAT exemption. I am familiar with how to accomplish this via pre-8.3 code, but I am confused trying to get a new firewall working using Twice NAT. Here are the configured interfaces on the firewall:

cnFWHS01(config)# sh nameif

Interface                Name                     Security

GigabitEthernet0/6       data-prod-ext              0
Management0/0            management               100
Port-channel15.2         nyc-admin-infra          100
Port-channel15.38        data-prod-sci             66
Port-channel15.42        seo-project-prod          65
Port-channel25.36        data-qa-sci               50
Port-channel25.40        data-dev-sci              51
Port-channel25.41        seo-project-beta          52
Port-channel35.425       cn-svi-HS                 45

I would like to be able to exempt NAT translations between these interfaces except going to the external VLAN interface cn-svi-HS. I was able to get the external translations working by configuring specific object-groups for dynamic NAT and then configuring NAT as such:

object network obj-207.241.145.58
host 207.241.145.58

object network obj-data-dev-sci
nat (data-dev-sci,data-prod-ext) dynamic obj-207.241.145.58

Now the problem comes when I want to disable NAT between the interfaces. So, for example, when I try to connect from 10.12.40.230 [data-dev-sci] to 10.12.38.230 [data-prod-sci] via SSH, I keep getting this message on the firewall:

cnFWHS01(config)# Jan 05 2016 20:35:24: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:25: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:27: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:31: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci

I tried using this NAT configuration:

object network ID-obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0

object network ID-data-prod-sci2
subnet 10.12.38.0 255.255.254.0

cnFWHS01(config)# sh run nat
nat (data-prod-sci,data-dev-sci) source static any any destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
nat (data-prod-sci,data-dev-sci) source static ID-data-prod-sci2 ID-data-prod-sci2 destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional

cnFWHS01(config)# sh nat
Manual NAT Policies (Section 1)
1 (data-prod-sci) to (data-dev-sci) source static any any destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
translate_hits = 0, untranslate_hits = 586
2 (data-prod-sci) to (data-dev-sci) source static ID-data-prod-sci2 ID-data-prod-sci2 destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
translate_hits = 0, untranslate_hits = 0

Please point me in the right direction thank you.

7 Replies

Joel
Level 1

I have a similar setup where I route between interfaces and do not need NAT nor NAT0 (exemption) configured. Obviously you can configure it if needed, i.e. object NAT, etc.

You are trying to pass traffic from a lower security level to a higher one.
Port-channel15.38        data-prod-sci             66


Port-channel25.40        data-dev-sci              51

If an ACL is not applied to permit traffic the default behaviour is to deny traffic from lower to higher security level interface.

Jan 05 2016 20:35:25: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci

A useful tool is packet-tracer.

Joel.

Thanks for the quick response. I have ACLs that permit all tcp, udp, icmp traffic as follows:

cnFWHS01(config)# sh access-list 105
access-list 105; 5 elements; name hash: 0x37b7a201
access-list 105 line 1 extended permit icmp any any (hitcnt=217) 0xb03102d6
access-list 105 line 2 extended permit tcp any any (hitcnt=1657) 0xb3968379
access-list 105 line 3 extended permit udp any any (hitcnt=1198) 0xb2a1581f
access-list 105 line 4 extended permit gre any any (hitcnt=0) 0x551c4eb1
access-list 105 line 5 extended permit esp any any (hitcnt=0) 0x2dfe4840
cnFWHS01(config)# sh run | in access-group
access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext

Unfortunately I still cannot connect via SSH. I do not think I need to be more specific with the ACL. 

Thanks for the packet-tracer tip. The results say that acl-drop is the reason, saying the flow is denied by a configured rule. Unfortunately I cannot figure out which rule is dropping it, since the logs do not state that the cause is an ACL drop. Here are the packet-tracer results:

cnFWHS01(config)# packet-tracer input data-dev-sci tcp 10.12.38.230 ssh 10.12.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Jan 05 2016 21:51:21: %ASA-2-106001: Inbound TCP connection denied from 10.12.38.230/22 to 10.12.40.230/22 flags SYN on interface data-dev-sci
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f1cd490, priority=1, domain=permit, deny=false
hits=23106, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=data-dev-sci, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.12.40.0 255.255.255.0 data-dev-sci

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f893ce0, priority=111, domain=permit, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=data-dev-sci, output_ifc=data-dev-sci

Result:
input-interface: data-dev-sci
input-status: up
input-line-status: up
output-interface: data-dev-sci
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Access-group 105 is applied to two interfaces.

access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext

But I believe you wish to route from data-dev-sci: "I would like to be able to connect 10.12.40.230 [data-dev-sci] to 10.12.38.230 [data-prod-sci]". What's applied to data-dev-sci? If not, the default behaviour of denying traffic from a lower to a higher security level will take effect.

Port-channel15.38        data-prod-sci             66


Port-channel25.40        data-dev-sci              51

Joel
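As an added example (not part of the thread and not the poster's configuration), here is the fix Joel's two replies point at, written out against the interface names and addresses the poster showed. The access-group lines the poster pasted bind ACL 105 only to data-prod-sci and data-prod-ext, so data-dev-sci (level 51) falls back to the security-level default and is denied toward data-prod-sci (level 66). The ACL below is an assumed, narrower alternative to "permit tcp any any" that opens only what the poster said he needed (SSH from 10.12.40.230 to 10.12.38.230); the object and ACL names are made up for the illustration. The packet-tracer line uses the real flow direction (source on data-dev-sci, destination on data-prod-sci); the poster's trace fed a 10.12.38.x source into data-dev-sci toward a 10.12.40.x destination, which is why the route lookup resolved the egress to data-dev-sci itself and the implicit rule dropped it. No NAT exemption is needed on this path: the object NAT rule the poster showed is scoped to the (data-dev-sci,data-prod-ext) interface pair, and on 8.3+ code traffic that matches no NAT rule is forwarded untranslated, which is the point of Joel's first reply.

```cisco
! From the thread: ACL 105 is bound to only two interfaces, so traffic entering
! data-dev-sci (level 51) bound for data-prod-sci (level 66) hits the default
! deny for lower-to-higher security levels.
access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext

! Added example: a scoped ingress ACL for data-dev-sci. Object and ACL names
! (DEV-SSH-CLIENT, PROD-SSH-HOST, DEV-SCI-IN) are assumptions for illustration.
object network DEV-SSH-CLIENT
 host 10.12.40.230
object network PROD-SSH-HOST
 host 10.12.38.230

access-list DEV-SCI-IN extended permit tcp object DEV-SSH-CLIENT object PROD-SSH-HOST eq 22
! Once an ACL is bound, the security-level default no longer applies on that
! interface; the explicit logged deny makes the fall-through visible in syslog.
access-list DEV-SCI-IN extended deny ip any any log

! Bind it inbound on the lower-security interface. This is the line the
! poster's configuration was missing.
access-group DEV-SCI-IN in interface data-dev-sci

! No identity (NAT0) rule is required for data-dev-sci -> data-prod-sci: the
! only NAT rule touching data-dev-sci is "nat (data-dev-sci,data-prod-ext)
! dynamic ...", which matches the data-prod-ext pair only.

! Verify with the actual flow: source on data-dev-sci, destination on
! data-prod-sci. The ROUTE-LOOKUP phase should now resolve the egress to
! data-prod-sci, and the ACCESS-LIST phase should cite DEV-SCI-IN rather than
! the implicit rule.
packet-tracer input data-dev-sci tcp 10.12.40.230 42121 10.12.38.230 22
```

Because the ASA is stateful, the SSH replies from 10.12.38.230 back to 10.12.40.230 ride the existing connection and need no permit in the ACL applied to data-prod-sci. After the change, "show access-list DEV-SCI-IN" should show hit counts on the permit line for the SSH flow, and the 106001 messages on data-dev-sci should stop.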

Crap, you are correct! Thanks a lot. I knew it had to be something simple I was overlooking. I appreciate the second pair of eyes. Happy New Year!

Happy New Year to you as well!

