Solved

Cisco ASA 5510 NAT HELP

Posted on 2007-10-03
Last Modified: 2008-01-09
HELP PLEASE...
I've just replaced my old PIX with an ASA, and my inside translations & access rules are not working as expected. Everything else works okay (access to the Internet, internal access to all PCs, servers, etc.) EXCEPT for my internal NAT. Here is the key part of the denial log: (Numbers have been painstakingly changed; please be kind if I've missed some, it's getting late :-).

2007|18:56:16|106023|155.212.28.58|200.190.237.204|Deny tcp src OUTSIDE:155.212.28.58/24127 dst INSIDE:200.190.237.204/1494 by access-group "OUTSIDE_access_in" [0x0, 0x0]
4|Oct 02 2007|18:56:12|106023|155.212.28.58|200.190.237.204|Deny tcp src OUTSIDE:155.212.28.58/24129 dst INSIDE:200.190.237.204/1494 by access-group "OUTSIDE_access_in" [0x0, 0x0]
4|Oct 02 2007|18:56:10|106023|155.212.28.58|200.190.237.204|Deny tcp src OUTSIDE:155.212.28.58/24127 dst INSIDE:200.190.237.204/1494 by access-group "OUTSIDE_access_in" [0x0, 0x0]
4|Oct 02 2007|18:52:58|106023|155.212.28.58|200.190.237.204|Deny tcp src OUTSIDE:155.212.28.58/24066 dst INSIDE:200.190.237.204/1494 by access-group "OUTSIDE_access_in" [0x0, 0x0]
6|Oct 02 2007|18:52:57|302021|200.190.237.1|WTS3|Teardown ICMP connection for faddr 200.190.237.1/0 gaddr 200.190.237.253/0 laddr WTS3/1025
6|Oct 02

So, it would appear that access-group "OUTSIDE_access_in" is denying all translation traffic, but I have no idea why. Here is my sho run...

Result of the command: "sho run"

: Saved
:
ASA Version 8.0(2)
!
hostname ASA
domain-name xxxx.com
enable password xxxx encrypted
names
name 192.168.178.13 CSG1 description
name 192.168.178.2 SVR2 description
name 192.168.178.3 SVR3 description
name 192.168.178.11 CITRIX1 description
name 192.168.178.12 CITRIX2 description
name 192.168.178.211 CITRIX3 description
name 192.168.178.208 CITRIX4 description
name 192.168.178.202 CITRIX5 description
name 192.168.178.210 CITRIX6 description
name 192.168.178.217 CITRIX7 description
name 192.168.178.218 CITRIX8 description
name 192.168.178.10 SVR10 description
name 192.168.178.4 SVR4 description
name 192.168.178.5 SVR5 description
name 192.168.178.7 SVR7 description
name 192.168.178.8 SVR8 description
name 192.168.178.9 SVR9 description
name 192.168.178.203 WTS3 description
name 192.168.178.204 WTS4 description
name 192.168.178.206 WTS6 description
name 192.168.178.205 SVR1 description xxxx
name 192.168.178.249 WS0 description xxxx
dns-guard
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 200.190.237.254 255.255.255.0
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.178.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name myname.com
same-security-traffic permit inter-interface
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq https
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 5910
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq https
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq www
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq imap4
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq smtp
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq pop3
access-list OUTSIDE_access_in extended permit icmp any any unreachable
access-list OUTSIDE_access_in extended permit icmp any any time-exceeded
access-list OUTSIDE_access_in extended permit icmp any any echo
access-list OUTSIDE_access_in extended permit icmp any any echo-reply
access-list INSIDE_access_out extended permit ip any any
access-list OUTSIDE_access_in_1 extended permit ip any host CSG1
access-list OUTSIDE_1_cryptomap remark xxxx
access-list OUTSIDE_1_cryptomap remark xxxx
access-list OUTSIDE_2_cryptomap remark xxxx
access-list OUTSIDE_2_cryptomap remark xxxx
access-list OUTSIDE_3_cryptomap remark xxxx
access-list OUTSIDE_3_cryptomap remark xxxx
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
ip audit name ATTACK attack action alarm
ip audit name INFO info action alarm
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 200.190.237.253 netmask 255.255.255.0
nat (INSIDE) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) tcp 200.190.237.100 https server1 https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.100 www server1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.9 3389 SVR9 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.8 3389 SVR8 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.7 3389 SVR7 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.3 citrix-ica CITRIX3 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.3 1604 CITRIX3 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.206 citrix-ica WTS6 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.206 1604 WTS6 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.203 citrix-ica WTS3 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.203 1604 WTS3 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.203 3389 WTS3 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.204 citrix-ica WTS4 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.204 1604 WTS4 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 https SVR4 https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 www SVR4 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 imap4 SVR4 imap4 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 smtp SVR4 smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 pop3 SVR4 pop3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.249 5910 WS0 5910 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.251 3389 WS0 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 200.190.237.218 CITRIX8 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 200.190.237.252 CSG1 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_out out interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.190.237.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.178.0 255.255.255.0 INSIDE
http 192.168.178.0 255.255.255.0 management
snmp-server host INSIDE SVR3 community xxxSNMP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address xxxx management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
!
username xxx password zQ3oTmmtz5UsZ531 encrypted privilege 15
prompt hostname context
Cryptochecksum:90071a8448dc760ec67cbda7cc36bc06
: end
Question by:PMGIT

Expert Comment

by:QBRad
ID: 20011709
I have NO experience working on an ASA, but I do on a PIX; not sure if this is different, but it's worth a try I guess.

I would start with just one server to see if you can get that working. What I see are some strange things in your setup of the services you're advertising, and this is how I would do it as a test anyway for 1 server, as follows:

name 192.168.178.211 CITRIX3  <-- drop the description part if you can - NOT SURE IF THAT WAS ADDED BY YOU OR THE ASA.

access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica  <-- LOOKS OK
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604 <-- LOOKS OK

static (INSIDE,OUTSIDE) tcp 200.190.237.3 citrix-ica CITRIX3 citrix-ica netmask 255.255.255.255  <-- remove the part citrix-ica - WHY IS THE SERVICE LISTED IN THE TRANSLATION WHEN YOU LISTED IT IN THE ACCESS-LIST? Again, this could be an ASA thing, but for testing I would remove it.


Author Comment

by:PMGIT
ID: 20013325
Hey QB,
Regarding the services being listed in both the NAT & the ACL: I was under the impression that this was just another way to ensure security. This is how my PIX is set up, and it works... :-)
I set this up with the wizard, through the GUI initially (I know, I know), so a lot of the funky stuff you see is due to that (in particular, the "CITRIX3" you referred to is the "description" field).
Anyway, if you look at the CSG1 entry, there is no service listed in that translation, and it is denying traffic too, with the exact same denial
(2007|18:56:16|106023|155.212.28.58|200.190.237.204|Deny tcp src OUTSIDE:155.212.28.58/24127 dst INSIDE:200.190.237.204/1494 by access-group "OUTSIDE_access_in" [0x0, 0x0] 4|Oct 02)
and I cannot figure out why "OUTSIDE_access_in" is denying traffic (it must be the implicit deny at the end, right???).
I'm at a loss here, and I've tried to strip everything like you mentioned, with the same results. I've even taken all the VPN crypto stuff out (and all the relevant NATs & ACLs) with the same result.


Expert Comment

by:lrmoore
ID: 20013488
>access-group INSIDE_access_out out interface INSIDE
Remove this to start with....

>Deny tcp src OUTSIDE:155.212.28.58/24127 dst INSIDE:200.190.237.204/1494
The destination is port 1494
Does this match up with your access-list where xxxx = 200.190.237.204??
 >access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
Which matches this:
 >static (INSIDE,OUTSIDE) tcp 200.190.237.204 citrix-ica WTS4 citrix-ica netmask 255.255.255.255

Author Comment

by:PMGIT
ID: 20017065
lrmoore: I added the >access-group INSIDE_access_out out interface INSIDE< (through the GUI) to allow internal traffic out, as there didn't appear to be an "outgoing" rule to allow Internet traffic. I know that in theory it SHOULD allow traffic from high to low (more specifically, from 100 to 0), but this wasn't working (although I did also have an "ospf cost 10" associated with both interfaces, which may have been the cause as well; I ultimately did a "no ospf cost 10" on all interfaces at the same time I added the "INSIDE_access_out" command, so maybe it was coincidence and in fact not needed). I cannot test it again for another 5 hours (production), so I won't know until then.
Regarding the question of the matching "xxxx =": are you asking if the "xxxx" actually says "WTS4"? If so, yes it does (I'm not sure why I commented these out and left the others; like I said, it was getting late).

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 20017169
> as there didn't appear to be an "outgoing" rule to allow Internet traffic
There is an implicit allow for all traffic out from a higher security interface to a lower security interface. You do not need to specify an ACL on the inside interface unless you want to restrict traffic going out.

I don't see any OSPF commands in the posted config, but routing issues would surely prevent correct working...

>access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
This should not say WTS4, it should be:
 access-list OUTSIDE_access_in extended permit tcp any host 200.190.237.204 eq citrix-ica

Author Comment

by:PMGIT
ID: 20017992
1. That's what I thought (implicit allow), so it must have been the ospf cost 10 line preventing access out
2. You are correct, I took those references out by doing a "no ospf cost 10"
3. access-list OUTSIDE_access_in extended permit tcp any host 200.190.237.204 eq citrix-ica actually reads...
"access-list OUTSIDE_access_in extended permit tcp any host WTS4 eq citrix-ica"
Are you saying that this is incorrect, and that I shouldn't be specifying the host specifically here?
4. Do you think that the "access-group INSIDE_access_out out interface INSIDE" would prevent the NAT and ACL's from working correctly?


Expert Comment

by:lrmoore
ID: 20018092
3. All I'm saying is that the access-list must reference the EXTernal IP address, and WTS4 references the INTernal IP address per your names list.
4. It shouldn't, but I want to rule it out. Permit ip any any is the default, and explicitly saying permit ip any any is redundant, and the ASA doesn't like it.


Author Comment

by:PMGIT
ID: 20018192
wait, I'm confused; I thought the NAT specified the outside address, and the ACL specified the internal address only???

Author Comment

by:PMGIT
ID: 20018344
Never mind; that was stupid, sorry...

access-list OUTSIDE_access_in extended permit tcp any host 200.190.237.204 eq citrix-ica - gotcha
Now, you're saying let the translation be the "map" from the outside to the inside, and this is how the ASA knows that 200.190.237.204 actually = WTS4 (or 192.168.178.x), correct? And that would be something like the following?
static (inside,outside) tcp 200.190.237.204 citrix-ica 192.168.178.204 citrix-ica netmask 255.255.255.255 0 0

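The rule worked out in the thread above (on ASA 8.0 the inbound ACL on OUTSIDE must name the mapped public address from the static, not the real inside address or its "name" alias) is easy to get wrong across a config with dozens of statics, because the names list makes the inside alias look like the natural thing to type. The script below is an added example, not code from the thread or from Cisco: it parses the "name", "static" and "access-list" lines, flags inbound permit entries whose destination resolves to a static's real address, prints the corrected line, and explains a %ASA-4-106023 "Deny ... by access-group" message against that data. The sample config and log line are constructed from what was posted (WTS4 and CSG1 only); the parser deliberately handles only the syntax the thread uses ("any" or "host X" address specs, optional "eq <port>"), and the function names and the SERVICES table are this example's own assumptions.

```python
"""Cross-check an ASA 8.0 inbound ACL against its static translations.

On ASA 8.0 (anything before 8.3) the ACL applied inbound on OUTSIDE is matched
against the MAPPED (public) destination address. An entry written with the
real inside address, or a 'name' alias for it, never matches, so the packet
falls through to the implicit deny and logs a 106023 as seen in the thread.
"""
import re

# Constructed sample, reduced from the configuration posted in the thread
# (WTS4 and CSG1 translations only); names and addresses are as posted.
SAMPLE_CONFIG = """\
name 192.168.178.204 WTS4 description
name 192.168.178.13 CSG1 description
static (INSIDE,OUTSIDE) tcp 200.190.237.204 citrix-ica WTS4 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.204 1604 WTS4 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 200.190.237.252 CSG1 netmask 255.255.255.255
access-list OUTSIDE_access_in extended permit tcp any host WTS4 eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host 200.190.237.204 eq 1604
access-list OUTSIDE_access_in_1 extended permit ip any host CSG1
"""

# Constructed from the first 106023 entry quoted in the question.
SAMPLE_DENY = ('Deny tcp src OUTSIDE:155.212.28.58/24127 dst INSIDE:200.190.237.204/1494 '
               'by access-group "OUTSIDE_access_in" [0x0, 0x0]')

# Service keywords the ASA substitutes for port numbers (only those used here).
SERVICES = {"citrix-ica": 1494, "https": 443, "www": 80, "smtp": 25,
            "pop3": 110, "imap4": 143}

DENY_RE = re.compile(r'Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+) '
                     r'by access-group "([^"]+)"')


def port_of(token):
    return SERVICES[token] if token in SERVICES else int(token)


def parse_config(text):
    """Return (names, statics, acls). Only the syntax used in the thread is handled:
    'any' / 'host X' address specs and an optional 'eq <port>'; aliases are resolved."""
    names, statics, acls = {}, [], []
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":                      # name <ip> <alias> [description ...]
            names[p[2]] = p[1]
        elif p[0] == "static":                  # static (real_if,mapped_if) [proto mapped mport] real [rport] netmask ...
            b = p[2:]
            if b[0] in ("tcp", "udp"):          # static PAT: one port of the mapped address
                statics.append({"proto": b[0], "mapped": b[1], "mport": port_of(b[2]),
                                "real": names.get(b[3], b[3]), "rport": port_of(b[4])})
            else:                               # one-to-one static NAT, all protocols
                statics.append({"proto": "ip", "mapped": b[0], "mport": None,
                                "real": names.get(b[1], b[1]), "rport": None})
        elif p[0] == "access-list" and len(p) > 4 and p[2] == "extended":
            i, spec = 5, []                     # ... <action> <proto> <src> <dst> [eq <port>]
            while len(spec) < 2:
                if p[i] == "any":
                    spec.append(("any", "any"))
                    i += 1
                else:                           # host <addr-or-alias>: keep token and resolved IP
                    spec.append((p[i + 1], names.get(p[i + 1], p[i + 1])))
                    i += 2
            port = port_of(p[i + 1]) if i < len(p) and p[i] == "eq" else None
            acls.append({"acl": p[1], "line": line, "action": p[3], "proto": p[4],
                         "dst_tok": spec[1][0], "dst": spec[1][1], "port": port})
    return names, statics, acls


def find_real_address_refs(statics, acls):
    """Permit entries whose destination is a static's real (inside) address and not
    also a mapped address. Returns [(offending line, corrected line), ...]."""
    real_to_mapped = {s["real"]: s["mapped"] for s in statics}   # last static wins per real IP
    mapped = {s["mapped"] for s in statics}
    findings = []
    for e in acls:
        if e["action"] == "permit" and e["dst"] in real_to_mapped and e["dst"] not in mapped:
            fixed = e["line"].replace(f"host {e['dst_tok']}", f"host {real_to_mapped[e['dst']]}")
            findings.append((e["line"], fixed))
    return findings


def explain_deny(log_line, statics, acls):
    """Map a 106023 'Deny ... by access-group' message to a likely cause; returns (verdict, text)."""
    m = DENY_RE.search(log_line)
    if not m:
        return "unparsed", "not a 106023 access-group deny"
    proto, dst_ip, dst_port, acl = m.group(1), m.group(4), int(m.group(5)), m.group(6)
    xlates = [s for s in statics if s["mapped"] == dst_ip
              and s["proto"] in (proto, "ip") and s["mport"] in (dst_port, None)]
    if not xlates:
        return "no-static", f"no static maps {dst_ip}/{proto}/{dst_port} to an inside host"
    real = xlates[0]["real"]
    relevant = [e for e in acls if e["acl"] == acl and e["action"] == "permit"
                and e["proto"] in (proto, "ip") and e["port"] in (dst_port, None)]
    for e in relevant:
        if e["dst"] == real:
            return "real-address-in-acl", (
                f"{acl} permits the real address {real} ('host {e['dst_tok']}') but the packet "
                f"is matched against the mapped address {dst_ip}; use 'host {dst_ip}'")
    if any(e["dst"] in ("any", dst_ip) for e in relevant):
        return "already-permitted", f"{acl} already permits {dst_ip}/{dst_port}; check entry order"
    return "no-entry", f"{acl} has no permit for {proto}/{dst_port} to {dst_ip}; add one"


if __name__ == "__main__":
    names, statics, acls = parse_config(SAMPLE_CONFIG)
    for bad, good in find_real_address_refs(statics, acls):
        print(f"- {bad}\n+ {good}")
    print(*explain_deny(SAMPLE_DENY, statics, acls), sep=": ")
```

Run against the sample it flags both the WTS4 line (the thread's bug) and the CSG1 line, which has the same defect: "host CSG1" resolves to 192.168.178.13, while the static publishes it as 200.190.237.252. One caveat for anyone porting this check to newer code: from ASA 8.3 onward the order of operations is reversed, NAT is applied before the ACL, and interface ACLs must reference the real (inside) address, so the same check would have to look for mapped addresses instead.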

Expert Comment

by:lrmoore
ID: 20019400
Now you're getting the hang of it.

Author Comment

by:PMGIT
ID: 20019424
I think I just may be... :-)  The light bulb came on thanks again to you!