01-05-2016 01:09 PM - edited 03-08-2019 03:18 AM
I am trying to configure my ASA firewall to allow connections between its interfaces on different security levels using NAT exemption. I am familiar how to accomplish this via pre-8.3 code but I am confused trying to get a new firewall working using Twice NAT. Here are the configured interfaces on the firewall:
cnFWHS01(config)# sh nameif
Interface Name Security
GigabitEthernet0/6 data-prod-ext 0
Management0/0 management 100
Port-channel15.2 nyc-admin-infra 100
Port-channel15.38 data-prod-sci 66
Port-channel15.42 seo-project-prod 65
Port-channel25.36 data-qa-sci 50
Port-channel25.40 data-dev-sci 51
Port-channel25.41 seo-project-beta 52
Port-channel35.425 cn-svi-HS 45
I would like to be able to exempt NAT translations between these interfaces except going to the external VLAN interface cn-svi-HS. I was able to get the external translations working by configuring specific object-groups for dynamic NAT and then configuring NAT as such:
object network obj-207.241.145.58
host 207.241.145.58
object network obj-data-dev-sci
nat (data-dev-sci,data-prod-ext) dynamic obj-207.241.145.58
Now the problem comes when I want to disable NAT between the interfaces. So for example, I would like to be able to connect 10.12.40.230 [data-dev-sci] to 10.12.38.230 [data-prod-sci] via SSH, but I keep getting this message on the firewall:
cnFWHS01(config)# Jan 05 2016 20:35:24: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:25: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:27: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
Jan 05 2016 20:35:31: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
I tried using this NAT configuration:
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network ID-data-prod-sci
subnet 10.12.38.0 255.255.254.0
cnFWHS01(config)# sh run nat
nat (data-prod-sci,data-dev-sci) source static any any destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
nat (data-prod-sci,data-dev-sci) source static ID-data-prod-sci2 ID-data-prod-sci2 destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
cnFWHS01(config)# sh nat
Manual NAT Policies (Section 1)
1 (data-prod-sci) to (data-dev-sci) source static any any destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
translate_hits = 0, untranslate_hits = 586
2 (data-prod-sci) to (data-dev-sci) source static ID-data-prod-sci2 ID-data-prod-sci2 destination static ID-obj-10.0.0.0 ID-obj-10.0.0.0 unidirectional
translate_hits = 0, untranslate_hits = 0
Please point me in the right direction thank you.
01-05-2016 01:30 PM
I have a similar setup where I route between interfaces and do not need NAT nor NAT0 (exemption) configured. Obviously I can configure it if needed, i.e. object NAT etc.
You are trying to parse traffic from a lower security level to a higher one.
Port-channel15.38 data-prod-sci 66
Port-channel25.40 data-dev-sci 51
If an ACL is not applied to permit traffic the default behaviour is to deny traffic from lower to higher security level interface.
Jan 05 2016 20:35:25: %ASA-2-106001: Inbound TCP connection denied from 10.12.40.230/42121 to 10.12.38.230/22 flags SYN on interface data-dev-sci
A useful tool is packet-tracer.
Joel.
01-05-2016 01:40 PM
Thanks for the quick response. I have ACLs that permit all tcp, udp, icmp traffic as follows:
cnFWHS01(config)# sh access-list 105
access-list 105; 5 elements; name hash: 0x37b7a201
access-list 105 line 1 extended permit icmp any any (hitcnt=217) 0xb03102d6
access-list 105 line 2 extended permit tcp any any (hitcnt=1657) 0xb3968379
access-list 105 line 3 extended permit udp any any (hitcnt=1198) 0xb2a1581f
access-list 105 line 4 extended permit gre any any (hitcnt=0) 0x551c4eb1
access-list 105 line 5 extended permit esp any any (hitcnt=0) 0x2dfe4840
cnFWHS01(config)# sh run | in access-group
access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext
Unfortunately I still cannot connect via SSH. I do not think I need to be more specific with the ACL.
01-05-2016 01:50 PM
Thanks for the packet-trace tip. The results say that the acl-drop is the reason, saying the flow is denied by a configured rule. Unfortunately I cannot figure out which rule is dropping it, since the logs do not state that the cause is an ACL drop. Here are the packet-trace results:
cnFWHS01(config)# packet-tracer input data-dev-sci tcp 10.12.38.230 ssh 10.12.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Jan 05 2016 21:51:21: %ASA-2-106001: Inbound TCP connection denied from 10.12.38.230/22 to 10.12.40.230/22 flags SYN on interface data-dev-sci
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f1cd490, priority=1, domain=permit, deny=false
hits=23106, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=data-dev-sci, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.12.40.0 255.255.255.0 data-dev-sci
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f893ce0, priority=111, domain=permit, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=data-dev-sci, output_ifc=data-dev-sci
Result:
input-interface: data-dev-sci
input-status: up
input-line-status: up
output-interface: data-dev-sci
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-05-2016 01:58 PM
Hi,
Access-group 105 is applied to two interfaces.
access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext
But I believe you wish to route from data-dev-sci ("I would like to be able to connect 10.12.40.230 [data-dev-sci] to 10.12.38.230 [data-prod-sci]"). What's applied to data-dev-sci? If nothing, the default behaviour of denying traffic from lower to higher security level will take effect.
Port-channel15.38 data-prod-sci 66
Port-channel25.40 data-dev-sci 51
Joel
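The check Joel applies by hand above (which interface is the ingress, what its security level is, and whether an inbound access-group is bound to it) is easy to get wrong on a box with nine nameifs. The following script is an added example, not code from the thread or from Cisco: it parses the `sh nameif` and `sh run | in access-group` output exactly as posted, classifies a flow by the ASA default policy (inbound ACL on the ingress interface decides; otherwise higher-to-lower is permitted, lower-to-higher is denied, equal levels are denied unless `same-security-traffic permit inter-interface` is configured, which is assumed absent here as on the poster's firewall), and pulls the dropping phase out of packet-tracer output so you do not have to read through every phase. The sample outputs are constructed from the thread; the function names are my own.

```python
import re

# Constructed sample input, copied from the outputs posted in the thread.
NAMEIF_OUTPUT = """\
cnFWHS01(config)# sh nameif
Interface Name Security
GigabitEthernet0/6 data-prod-ext 0
Management0/0 management 100
Port-channel15.2 nyc-admin-infra 100
Port-channel15.38 data-prod-sci 66
Port-channel15.42 seo-project-prod 65
Port-channel25.36 data-qa-sci 50
Port-channel25.40 data-dev-sci 51
Port-channel25.41 seo-project-beta 52
Port-channel35.425 cn-svi-HS 45
"""

ACCESS_GROUP_OUTPUT = """\
access-group 105 in interface data-prod-sci
access-group 105 in interface data-prod-ext
"""

# Trimmed packet-tracer output from the thread (constructed sample).
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_nameif(text):
    """Map interface name -> security level from 'show nameif' output."""
    levels = {}
    for line in text.splitlines():
        m = re.match(r"^\S+\s+(\S+)\s+(\d{1,3})$", line.strip())
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def parse_access_groups(text):
    """Map interface name -> {direction: acl} from 'show run | in access-group'."""
    bound = {}
    for m in re.finditer(r"access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", text):
        acl, direction, ifc = m.groups()
        bound.setdefault(ifc, {})[direction] = acl
    return bound


def flow_verdict(levels, bound, src_ifc, dst_ifc):
    """Classify a flow entering src_ifc and leaving dst_ifc.

    An inbound ACL on the ingress interface decides (its implicit deny
    replaces the security-level default). Without one, ASA permits
    higher->lower, denies lower->higher, and denies equal levels when
    'same-security-traffic permit inter-interface' is absent (assumed).
    """
    acl = bound.get(src_ifc, {}).get("in")
    if acl:
        return f"acl:{acl}"
    src, dst = levels[src_ifc], levels[dst_ifc]
    if src > dst:
        return "permitted-by-default"
    if src == dst:
        return "denied-same-security"
    return "denied-by-default"


def audit_lower_to_higher(levels, bound):
    """List (src, dst) pairs denied only because src has no inbound ACL."""
    return sorted((s, d) for s in levels for d in levels
                  if s != d and flow_verdict(levels, bound, s, d) == "denied-by-default")


def packet_tracer_drop(text):
    """Return (phase, type, reason) for the first DROP phase, or None."""
    phase = ptype = dropped = reason = None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            phase = int(line.split(":", 1)[1])
        elif line.startswith("Type:"):
            ptype = line.split(":", 1)[1].strip()
        elif line.strip() == "Result: DROP" and dropped is None:
            dropped = (phase, ptype)
        elif line.startswith("Drop-reason:"):
            reason = line.split(":", 1)[1].strip()
    return None if dropped is None else dropped + (reason,)


if __name__ == "__main__":
    levels = parse_nameif(NAMEIF_OUTPUT)
    bound = parse_access_groups(ACCESS_GROUP_OUTPUT)
    print("data-dev-sci -> data-prod-sci:", flow_verdict(levels, bound, "data-dev-sci", "data-prod-sci"))
    print("packet-tracer drop:", packet_tracer_drop(PACKET_TRACER_OUTPUT))
    for src, dst in audit_lower_to_higher(levels, bound):
        print(f"{src} -> {dst}: denied by default, no inbound ACL on {src}")
```

Run against the thread's outputs, the flow from data-dev-sci to data-prod-sci comes back `denied-by-default`, while the reverse direction is `acl:105` because access-group 105 is bound inbound on data-prod-sci. Feeding the script a third `access-group 105 in interface data-dev-sci` line, which is the fix the thread arrives at, flips the verdict to `acl:105`. The audit helper enumerates every other lower-to-higher pair in the same state, which is worth reviewing before binding a permit-any ACL to an interface, since that ACL then governs every flow entering it, not only the one being debugged.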
01-05-2016 02:05 PM
Crap you are correct! Thanks a lot I knew it had to be something simple I was overlooking. I appreciate the second pair of eyes. Happy New Year!
01-05-2016 02:24 PM
Happy New Year to you as well!