Thank you for the response!
The reason for NAT was just a security decision, and the choice of ip4-vs-ip6 is really of little difference in reference to the proxy-port problem I suppose.
Understanding that I am trying to get server engineers to think like network engineers, and they just are not getting my multiple ways of solving this issue (i.e. multiple IPs on a WIC) and then proxy-routing users to internally/externally distributed servers providing 'service-ABC'.
In this case, the service I'm referring to is office-365/Onprem-Exch, which....yes, in a single-IP location, would easily overwhelm ports attaching that many users, but there is no way there should be that many users at a single-ip based site (imho). Even still, just VIP or multi-IP the WIC routes and reverse proxy the users to different servers.
I'm just curious if anyone has hit this port-limit issue even AFTER doing as I suggest?
PROBLEM: Proxy port exhaustion occurs when a high number of users are using multiple devices and cloud services.
There are some limitations when using Office 365...~the number of ports allocated by the average user, which is about 4 or 5 depending on device accesses. If the organization has 5000 users, and each takes 5 ports, we have a problem.
So, I have been looking at alternative ways to solve this problem, and one such idea that came to mind was the ability to assign multiple addresses on an interface using IPv6.
The idea is to "NAT by vlan and then proxy out the WAN" based on multi-IPv6 assignments limiting the number of nodes NAT'd per-IP gateway, thus freeing up the port exhaustion limitation. Make sense?
QUESTION(s): Has anyone done this? What were your results? How well did it perform? Which platforms did you test this on? Were there any LAN side (Eth-port, trunking) challenges that came up?
NOTE: I'd gladly try to do an IPv4 reverse-VIP style solution if someone has that suggestion too!
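A quick way to reason about the "NAT by VLAN, one mapped address per group of nodes" idea in the post above is to size the PAT pool per VLAN and pack VLANs onto mapped addresses. The following is an added example and not code from the thread; the per-address port range (1024-65535), the 25 % headroom and the VLAN user counts are constructed assumptions, while the 5-ports-per-user figure is the one the post quotes. It works for IPv4 and IPv6 pools alike.

```python
import ipaddress
from dataclasses import dataclass

# Sizing assumptions (constructed, not from the post): one mapped address can
# hand out the 1024-65535 source-port range per transport protocol, and a
# fraction of it is kept free so a burst does not exhaust the address.
PORTS_PER_PAT_ADDRESS = 65535 - 1024 + 1   # 64512 source ports per address
DEFAULT_HEADROOM = 0.25                     # keep 25 % of each address free


@dataclass
class Vlan:
    name: str
    users: int
    ports_per_user: int = 5   # the per-user figure quoted in the post

    def ports_needed(self) -> int:
        return self.users * self.ports_per_user


def usable_ports(headroom: float = DEFAULT_HEADROOM) -> int:
    """Ports one mapped address may hand out once headroom is reserved."""
    return int(PORTS_PER_PAT_ADDRESS * (1 - headroom))


def plan_pat_pool(vlans, pool_cidr: str, headroom: float = DEFAULT_HEADROOM):
    """First-fit-decreasing assignment of VLANs to mapped addresses drawn
    from pool_cidr (IPv4 or IPv6).  Returns {mapped_address: [vlan names]}.
    Raises ValueError when one VLAN alone exceeds an address's capacity or
    when the pool runs out of addresses."""
    capacity = usable_ports(headroom)
    pool = ipaddress.ip_network(pool_cidr).hosts()
    free = {}   # mapped address -> ports still free (insertion ordered)
    plan = {}
    for vlan in sorted(vlans, key=Vlan.ports_needed, reverse=True):
        need = vlan.ports_needed()
        if need > capacity:
            raise ValueError(
                f"{vlan.name} needs {need} ports, more than one address "
                f"can give ({capacity}); split it across VLANs")
        for addr, left in free.items():
            if left >= need:          # first address with enough room
                free[addr] -= need
                plan[addr].append(vlan.name)
                break
        else:                          # no room anywhere: open a new address
            try:
                addr = str(next(pool))
            except StopIteration:
                raise ValueError(f"pool {pool_cidr} exhausted at {vlan.name}")
            free[addr] = capacity - need
            plan[addr] = [vlan.name]
    return plan


if __name__ == "__main__":
    # Constructed user counts per VLAN, in the spirit of the 5000-user figure.
    vlans = [Vlan("v10", 5000), Vlan("v20", 8000), Vlan("v30", 3000)]
    for addr, names in plan_pat_pool(vlans, "203.0.113.0/29").items():
        print(addr, names)
```

The sort puts the biggest VLAN first so that a large VLAN never ends up wedged behind small ones; the result tells you how many mapped addresses the outside interface actually needs before port exhaustion becomes a concern.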
Sandy, I have ASA with ip 172.16.0.1/24 on DMZ vlan...so Ubuntu IP config is as follows:
--------------
/etc/network/interfaces
auto eth0
iface eth0 inet static
    address 172.16.0.101
    netmask 255.255.255.0
    network 172.16.0.0
    broadcast 172.16.0.255
    gateway 172.16.0.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 18.104.22.168
--------------
Cisco arp is as follows:
sh arp
inside 10.0.1.2 0014.c11d.dc33 18
outside X.X.X.X nnnn.nnnn.nnnn 0 <public wan info intentionally omitted>
DMZ 172.16.0.3 0024.81c0.0ff7 94
DMZ 172.16.0.2 0016.e6d3.97fd 224
DMZ 172.16.0.101 0013.20bd.1462 6145
--------------
Output monitoring:
6 Jun 23 2014 14:53:39 172.16.0.101 44807 22.214.171.124 53 Built outbound UDP connection 30895 for outside:126.96.36.199/53 (188.8.131.52/53) to DMZ:172.16.0.101/44807 (172.16.0.101/44807)
6 Jun 23 2014 14:53:50 184.108.40.206 53 10.0.1.2 3072 Teardown UDP connection 32268 for outside:220.127.116.11/53 to inside:10.0.1.2/3072 duration 0:00:00 bytes 190
--------------
ALL OTHER DMZ servers ping out fine.
Hi, I have three interfaces: Inside, DMZ, Outside. Inside has a wireless router (using 10.0.0.2) to connect to ASA (10.0.0.1) - using vlan 1. DMZ (vlan12) is set up with 172.16.0.1/24 ~ I have 3 servers (.2, .3, and .101....the .101 is an ubuntu (12.04) server (fresh install, static ip) set up on the DMZ, and when I ping out to 18.104.22.168 the return packets are being sent to my inside interface (the wireless router on vlan 1). I have verified that the ASA interface that this Ubuntu machine is plugged in to is in the correct vlan. (0 is outside, 1-6 is DMZ, and 7 is inside). I cannot figure out WHY the icmp returns are going to the inside interface instead of returning to the source from which it's NAT'ed in the DMZ (just like the other servers properly do)...? I have two other servers on the DMZ and they are pinging out/back fine. Those are windows servers. I cannot figure out why this simple ping is being re-directed back to my inside wireless router.
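When a DMZ host's replies land on the wrong interface, the ASA's own "Built"/"Teardown" connection messages (the ones pasted in the follow-up above) are the first thing to read systematically: which interface each leg of the flow sits on, whether the real and mapped addresses differ, and whether every Built has a matching Teardown. The following parser and audit is an added example, not code from the thread; the first two sample lines are the ones quoted in the follow-up post, the last two are a constructed Built/Teardown pair for a translated DMZ host (198.51.100.10 is a documentation-range placeholder for a mapped address).

```python
import re

# Constructed sample log: lines 1-2 are quoted from the post, lines 3-4 are
# made up to show what a translated, cleanly torn-down flow looks like.
SAMPLE_LOG = """\
6 Jun 23 2014 14:53:39 172.16.0.101 44807 22.214.171.124 53 Built outbound UDP connection 30895 for outside:126.96.36.199/53 (188.8.131.52/53) to DMZ:172.16.0.101/44807 (172.16.0.101/44807)
6 Jun 23 2014 14:53:50 184.108.40.206 53 10.0.1.2 3072 Teardown UDP connection 32268 for outside:220.127.116.11/53 to inside:10.0.1.2/3072 duration 0:00:00 bytes 190
6 Jun 23 2014 14:54:01 172.16.0.2 51000 203.0.113.53 53 Built outbound UDP connection 30900 for outside:203.0.113.53/53 (203.0.113.53/53) to DMZ:172.16.0.2/51000 (198.51.100.10/51000)
6 Jun 23 2014 14:54:02 203.0.113.53 53 172.16.0.2 51000 Teardown UDP connection 30900 for outside:203.0.113.53/53 to DMZ:172.16.0.2/51000 duration 0:00:01 bytes 212
"""

EP = r"(\w+):([\w.:]+)/(\d+)"        # interface:real-address/real-port
MAPPED = r" \(([\w.:]+)/(\d+)\)"     # (mapped-address/mapped-port)
BUILT = re.compile(
    rf"Built (inbound|outbound) (\w+) connection (\d+) for {EP}{MAPPED} to {EP}{MAPPED}")
TEARDOWN = re.compile(
    rf"Teardown (\w+) connection (\d+) for {EP} to {EP} duration (\S+) bytes (\d+)")


def parse_line(line):
    """Return a dict for a Built or Teardown message, or None for anything else.
    The ASDM timestamp/address prefix before the message text is ignored."""
    m = BUILT.search(line)
    if m:
        (direction, proto, cid,
         if1, ip1, p1, mip1, mp1, if2, ip2, p2, mip2, mp2) = m.groups()
        return {"event": "built", "id": int(cid), "proto": proto,
                "direction": direction,
                "endpoints": [
                    {"iface": if1, "real": (ip1, int(p1)), "mapped": (mip1, int(mp1))},
                    {"iface": if2, "real": (ip2, int(p2)), "mapped": (mip2, int(mp2))}]}
    m = TEARDOWN.search(line)
    if m:
        proto, cid, if1, ip1, p1, if2, ip2, p2, duration, nbytes = m.groups()
        return {"event": "teardown", "id": int(cid), "proto": proto,
                "endpoints": [{"iface": if1, "real": (ip1, int(p1))},
                              {"iface": if2, "real": (ip2, int(p2))}],
                "duration": duration, "bytes": int(nbytes)}
    return None


def audit(log_text, outside_iface="outside"):
    """Three findings worth checking when replies go astray:
    - an inside-side endpoint whose mapped address equals its real address
      (the flow left without translation),
    - connections built but never torn down in the captured window,
    - teardowns for connections whose Built is not in the window."""
    built, torn, untranslated = {}, {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "built":
            built[ev["id"]] = ev
            for ep in ev["endpoints"]:
                if ep["iface"] != outside_iface and ep["real"] == ep["mapped"]:
                    untranslated.append((ev["id"], ep["iface"], ep["real"][0]))
        else:
            torn[ev["id"]] = ev
    return {"untranslated": untranslated,
            "built_without_teardown": sorted(set(built) - set(torn)),
            "teardown_without_built": sorted(set(torn) - set(built))}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_LOG).items():
        print(finding, items)
```

On the sample, connection 30895 is reported in both the "untranslated" and the "built without teardown" lists, which is exactly the kind of discrepancy between the Ubuntu host and the two Windows hosts that the question is about; the audit only surfaces it, the cause still has to be confirmed against the NAT configuration.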
Marvin, Thank you for getting back to me on this - you were 100% correct!! I added the following "nat exemption" rules, totally resolved my issues!...
nat (DMZ,outside) source static DMZ_Net DMZ_Net destination static vpnhosts vpnhosts
nat (inside,outside) source static insidenetwork insidenetwork destination static vpnhosts vpnhosts
oh, and as you also noted, I re-ran the packet tracer using "inside" instead of "outside" (from original posting) and verified also the "DROP" before I applied the fix noted here above; you were correct that that was what misguided me in the first place. It works (ALLOWED) after the fix (of course).
[...small reminder for others reading this: if you have a base license you cannot attach to both VLANs (inside and DMZ)...you have to choose which network you intend to attach resources to, or buy a license..so don't be confused if you apply these fixes and can't reach one of them (i.e. INSIDE)...]
THANK YOU Marvin !!!!
I have an ASA5505 (base license, ASDM 7.1(3), ASA 9.(2)) and am confused about the "denied due to NAT reverse path failure". My IP schema is as follows:
INSIDE = 10.0.1.0/24
DMZ = 172.16.0.0/24
VPN_Pool = 172.16.20.0/24
PROBLEM: Vpn users can connect to ASA but cannot reach anything on DMZ or LAN.
TRIAGE: I have run the packet tracer with the following output:
ALB-ASA# packet-tracer input inside tcp 172.16.20.2 1234 172.16.0.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.255.0 DMZ

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6415, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
---------------------
QUESTION ?
The error received is "...Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:172.16.20.1/52036(LOCAL\user) dst DMZ:172.16.0.2/3389 denied due to NAT reverse path failure."
What NAT rule(s) must I apply to allow users to access resources on LAN/DMZ?
Current NAT is as follows:
1 (DMZ) to (outside) source dynamic DMZ_NET interface
    translate_hits = 1623, untranslate_hits = 34
    Source - Origin: 172.16.0.0/27, Translated: (MY-real-IP-DELETED)/21
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 2851, untranslate_hits = 121
    Source - Origin: 0.0.0.0/0, Translated: (MY-real-IP-DELETED)/21
THANKS IN ADVANCE FOR HELP!!!
Jouni, Wow! That was FAST and TOTALLY CORRECT!! - OUTSTANDING!!! I did also change my ASDM port just to be sure of that issue you noted. I can't say "Thank You!" enough! Jason (aka) Robert, axetone, et al.
SETUP
ASA 5505
ASA Version 9.1(2)
ASDM Version 7.1(3)
I have basic license, using only three vlans (outside, inside, DMZ).
QUESTION: I want to find a way (if possible) to use the single DYNAMIC IP (dhcp'd from ISP) on the "outside" interface, as a means to set up a web-server on the DMZ? I just want to allow my WHS-2011 (server) to talk to microsoft's free DDNS service where my domain name is hosted (ports 80,443,4125). So far, every setup option I have tried does not make it past the implicit deny acl's (on the outside interface) to the web-server (DMZ). I understand that the VLAN1 (inside) had to be disabled. I understand that objects now replace some of the older NAT'd components.
CONFIG:
object network webserver-external-ip
 host <X.X.X.X>
! I had set this to match my ISP DHCP address
object network webserver
 host 172.16.0.2
 nat (DMZ,outside) static webserver-external-ip service tcp www www
 nat (DMZ,outside) static webserver-external-ip service tcp 443 443
 nat (DMZ,outside) static webserver-external-ip service tcp 4125 4125
access-list outside_acl extended permit tcp any object webserver eq www
access-list outside_acl_https extended permit tcp any object webserver eq 443
access-list outside_acl_rww extended permit tcp any object webserver eq 4125
access-group outside_acl in interface outside
access-group outside_acl_https in interface outside
access-group outside_acl_rww in interface outside
! added the dns statements below because the cisco doc (below) says it's required or dmz traffic can't get out despite default rule allowing it to do so.
! (ctrl-F) ... "all traffic would be blocked from the dmz to hosts on the internet"
! http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml
object network dns-server
 host 22.214.171.124
 exit
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended permit ip any any
access-group dmz_acl in interface DMZ
SUMMARY: I just want to allow my WHS-2011 (server) to talk to microsoft's free DDNS service where my domain name is hosted (ports 80,443,4125). I want to find a way (if possible) to use the single DYNAMIC IP (dhcp'd from ISP) on the "outside" interface, as a means to set up a web-server on the DMZ?
Other: As an interim alternative, I have been able to set up & connect to the ASA using clientless vpn (web-ssl), and from there getting over to my WHS2011 server...-but the problem is, I have no way of knowing, or updating my DDNS once that IP changes since the ASA keeps blocking the return traffic to the outside interface. My only assumption is that because I am using a single dynamic IP (outside interface) that it has nothing to re-direct the traffic to....???
Thank You for any help you can provide!! k/r