cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1327
Views
0
Helpful
8
Replies

NAT Problem

MrPrince1979
Level 1
Level 1

Hi,

I’m trying to ssh to a router through a ASA 5505 and have the router I’m reaching return the traffic on tcp port 22. I’ve attached a small network diagram which explains how it’s all connected.

The pertinent configuration on Router 2 is:

ip nat inside source list Permit-NAT interface FastEthernet4 overload
!
ip access-list extended Permit-NAT
permit ip any any
exit
!
interface FastEthernet4
description Connected to RT1

ip address 172.17.0.2 255.255.255.252
ip nat outside
speed auto
duplex auto
shutdown
exit

When I view the firewall logs the packets get dropped by the Inbound ACL with:

access-list Inbound denied tcp Outside/172.17.0.2(1) -> Inside/10.1.6.1(50154)

This, I think, is due to the PAT on fa4 from router 2. How can have return traffic from Router 2 use the correct port so that the firewalls SPI filter isn’t kicking off?

Thanks.

NAT.JPG

8 Replies 8

Hi Prince,

ip nat inside source list Permit-NAT interface FastEthernet4 overload
!
ip access-list extended Permit-NAT
permit ip any any
exit
!
interface FastEthernet4
description Connected to RT1

ip address 172.17.0.2 255.255.255.252
ip nat outside
speed auto
duplex auto
shutdown --> (Try to no shut that port & then check)
exit.

Sorry, that was a typo! the port is definitely up. Well spotted thou...

Hi,

access-list Inbound denied tcp Outside/172.17.0.2(1) -> Inside/10.1.6.1(50154)

can you do a sh access-list on your ASA

your ssh client will initiate connection with a random port > 1024 to port 22 on ssh server and PAT on the router won't be involved if you connect on the interface going to r1.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,


Here's the pertinent part of the ASA's Outbond ACL:

object network RT2
host 172.17.0.2
!
object network PP-WRK-1
host 10.1.6.1
!
object-group service Perimeter-MGMT-Protocols-Outbound
service-object tcp eq ssh
service-object tcp eq https
!
object-group network PP-MGMT-Workstations
network-object object PP-WRK-1
!
access-list Outbound remark Permit Perimeter Management
access-list Outbound extended permit object-group Perimeter-MGMT-Protocols-Outbound object-group PP-MGMT-Workstations object RT2

There is no specific ACE on the Inbound ACL as the return traffic should be automatically allowed via SPI. I think the problem isn't the outbound traffic, rather the return traffic as it's retuning on a random port.

Thanks for taking a look.

Hi,

Can you do a packet capture command on ASA simulating your ssh from LAN host to RTR2

access-list Inbound denied tcp Outside/172.17.0.2(1) -> Inside/10.1.6.1(50154)

it should come from port 22 it it was response traffic from ssh

Regards.

Alain.

Don't forget to rate helpful posts.

I'll try that tonight using:

http://analysisandreview.com/cisco/how-to-configure-a-packet-capture-in-the-cisco-asa/

and post back.

I did run the packet tracer on the packets going outbound which passed, and I can confirm the packets are arriving at the router, it's the router's returning traffic that gets stopped because of the random port it's using.

Thanks.

Here are the commands I used for the capture and the results.

access-list PktCapture extended permit ip host 10.1.6.1 host 172.17.0.2
access-list PktCapture extended permit ip host 172.17.0.2 host 10.1.6.1
!
capture captured access-list PktCapture interface Inside packet-length 1522
capture captured access-list PktCapture interface Outside packet-length 1522

Results:

3 packets captured

   1: 23:02:04.126198 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192
   2: 23:02:07.132500 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192
   3: 23:02:13.138649 802.1Q vlan#20 P0 10.1.6.1.49542 > 172.17.0.2.22: S 2641216073:2641216073(0) win 8192
3 packets shown

It only saw the outgoing packets. Seems the acl drops packets before the caputre sees them?

Hi,

Is your ASA pre 8.3?

access-list PktCapture extended permit ip host 172.17.0.2 host 10.1.6.1

if yes it can't work if you haven't got any static nat and your destination is public address because here it is not a reply to packet from inside to outside

In your previous post your log was mentioning this inside address, are you doing nat exemption?

Can you post config of ASA and router please.

Regards.

Alain.

Don't forget to rate helpful posts.
Review Cisco Networking for a $25 gift card