Solved

Why is my NAT not working?

Posted on 2007-12-06
Last Modified: 2008-06-27
I have configured NAT on a CISCO ASA 5540 firewall and it does not work for one public address.  In the code below, the '77' and the '78' public addresses are working fine, but '75' does not work.  The intention is to direct all traffic for the '75' address to the '6' address in the DMZ.

static (DMZ,External01) AAA.XX.YYY.77 X.X.X.2 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.78 X.X.X.4 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.75 X.X.X.6 netmask 255.255.255.255

I have opened the ports on the firewall for the https/http/etc. traffic, but such or any other traffic does not seem to reach the firewall. The firewall is the problem because when I connect machine '75' directly behind a router, traffic to this public address does reach the machine. Again, the '77' address works perfectly but '75' doesn't, although the configuration is exactly the same.  I cannot even see any logs to '75' or '6' in the SYSLOG logs (informational mode).

How do I tell the firewall about the '75' address beyond the NATing that I have done? Why does it not see any traffic to this address?

Please assist.

MY FIREWALL CONFIGURATION STANDS THUS (addresses scribbled):

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password fXBaKv0kM.YTrfs encrypted
names
name BB.CCC.0.0 ServerFarm
dns-guard
!
interface GigabitEthernet0/0
 nameif External01
 security-level 0
 ip address AAA.XX.YYY.74 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 10
 ip address X.X.X.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif FW-FW
 security-level 100
 ip address 5.5.5.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup External01
dns domain-lookup DMZ
dns domain-lookup FW-FW
dns name-server AAA.XX.YYY.69
dns name-server AAA.PPP.QQQ.10
dns name-server AAA.PPP.QQQ.20
dns name-server BB.CCC.0.31
dns name-server X.X.X.6
object-group service DMZCommon tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq domain
object-group service Common tcp
 description Common
 group-object DMZCommon
 port-object eq ldap
 port-object eq netbios-ssn
 port-object eq pop3
 port-object eq aol
 port-object eq gopher
 port-object eq https
 port-object eq nntp
 port-object eq telnet
 port-object eq uucp
 port-object eq hostname
 port-object eq ident
 port-object eq ftp
 port-object eq smtp
 port-object eq login
 port-object eq ssh
 port-object eq imap4
 port-object eq sqlnet
 port-object eq rsh
 port-object eq www
 port-object eq kerberos
 port-object eq echo
 port-object eq ldaps
 port-object eq daytime
 port-object eq domain
object-group service CommonTCPUDP tcp-udp
 port-object eq echo
 port-object eq kerberos
 port-object eq www
 port-object eq discard
 port-object eq domain
 port-object eq cifs
object-group service Exchsrvr tcp-udp
 port-object range 443 443
 port-object eq www
object-group service wwws tcp
 port-object eq www
 port-object eq https
access-list Test_access_in extended permit tcp any any
access-list FW-FW_nat0_outbound extended permit ip any any
access-list FW-FW_access_in extended permit ip any any
access-list FW-FW_access_in extended permit tcp host BB.CCC.0.34 host X.X.X.2
access-list FW-FW_access_in extended permit udp host BB.CCC.0.34 any
access-list FW-FW_access_in extended permit tcp host BB.CCC.0.34 host X.X.X.6
access-list FW-FW_access_in extended permit tcp host BB.CCC.0.31 host X.X.X.6
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 eq smtp
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 eq smtp
access-list External01_access_out extended permit udp host AAA.XX.YYY.77 any
access-list External01_access_out extended permit udp host BB.CCC.0.34 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.77 any
access-list External01_access_out extended permit udp host AAA.XX.YYY.75 any
access-list External01_access_out extended permit ip host AAA.XX.YYY.75 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.75 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.78 any
access-list External01_access_out extended permit udp host AAA.XX.YYY.78 any
access-list DMZ_access_in extended permit udp host X.X.X.2 any
access-list DMZ_access_in extended permit ip host X.X.X.2 host BB.CCC.0.34
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit tcp host X.X.X.2 host BB.CCC.0.34
access-list DMZ_access_in extended permit udp any any
access-list DMZ_access_in extended permit tcp host X.X.X.4 any
access-list DMZ_access_in extended permit udp host X.X.X.4 any
access-list DMZ_access_in extended permit tcp host X.X.X.2 any
access-list DMZ_access_in extended permit tcp host X.X.X.6 host BB.CCC.0.34
access-list DMZ_access_in extended permit tcp host X.X.X.6 host BB.CCC.0.31
access-list DMZ_access_in extended permit tcp host X.X.X.6 any
access-list DMZ_access_in extended permit udp host X.X.X.6 any
access-list FW-FW_access_out extended permit tcp host X.X.X.2 host BB.CCC.0.34
access-list FW-FW_access_out extended permit tcp host X.X.X.6 host BB.CCC.0.34
access-list FW-FW_access_out extended permit tcp host X.X.X.6 host BB.CCC.0.31
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.2
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.6
access-list DMZ_access_out extended permit tcp host BB.CCC.0.31 host X.X.X.6
pager lines 24
logging enable
logging asdm informational
logging facility 23
mtu External01 1500
mtu DMZ 1500
mtu FW-FW 1500
mtu management 1500
no failover
monitor-interface External01
monitor-interface DMZ
monitor-interface FW-FW
monitor-interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (External01) 246 interface
nat (FW-FW) 0 access-list FW-FW_nat0_outbound
nat (FW-FW) 246 BB.CCC.0.31 255.255.255.255
nat (FW-FW) 246 BB.CCC.0.34 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.77 X.X.X.2 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.78 X.X.X.4 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.75 X.X.X.6 netmask 255.255.255.255
access-group External01_access_in in interface External01
access-group External01_access_out out interface External01
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group FW-FW_access_in in interface FW-FW
access-group FW-FW_access_out out interface FW-FW
route External01 0.0.0.0 0.0.0.0 AAA.XX.YYY.73 1
route FW-FW 10.1.0.0 255.255.248.0 5.5.5.2 1
route FW-FW ServerFarm 255.255.255.0 5.5.5.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
ssl encryption des-sha1 rc4-md5
Cryptochecksum:a735be911e901ef4ba5633f3e9fa7f29
: end


Question by:sefika

LVL 28

Expert Comment

by:batry_boy
ID: 20419501
If you issue the "show xlate" command, do you see the translation entry for the .75 address?

I'm betting that the translation is there, but your access rules are blocking the traffic that you are really wanting to allow.  If I may ask, why do you have access lists applied in both in and out directions on all interfaces?  This overcomplicates your traffic flow rules and is unnecessary in most environments.  On a firewall, the only time I can think of when it's been necessary to have both in and out rules on an interface is in an ISP environment, and those are typically complicated.
 

Author Comment

by:sefika
ID: 20419765
Dear Batry boy,
Can you please indicate what you mean by "access lists applied in both in and out directions"? I thought for each interface I have to specify what's allowed to go in and what's allowed to go out, for all interfaces. Please illustrate which traffic flow rule is unnecessary from my rule set. We are certainly not an ISP and require the simplest config that is secure and will work.

In the meantime, I will run the "show xlate" command and let you know the result.

Thanks
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 20420052
For your issue here, where the DMZ and External01 interfaces are involved, here are your access rules:

access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 eq smtp
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 eq smtp
access-list External01_access_out extended permit udp host AAA.XX.YYY.77 any
access-list External01_access_out extended permit udp host BB.CCC.0.34 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.77 any
access-list External01_access_out extended permit udp host AAA.XX.YYY.75 any
access-list External01_access_out extended permit ip host AAA.XX.YYY.75 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.75 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.78 any
access-list External01_access_out extended permit udp host AAA.XX.YYY.78 any
access-list DMZ_access_in extended permit udp host X.X.X.2 any
access-list DMZ_access_in extended permit ip host X.X.X.2 host BB.CCC.0.34
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit tcp host X.X.X.2 host BB.CCC.0.34
access-list DMZ_access_in extended permit udp any any
access-list DMZ_access_in extended permit tcp host X.X.X.4 any
access-list DMZ_access_in extended permit udp host X.X.X.4 any
access-list DMZ_access_in extended permit tcp host X.X.X.2 any
access-list DMZ_access_in extended permit tcp host X.X.X.6 host BB.CCC.0.34
access-list DMZ_access_in extended permit tcp host X.X.X.6 host BB.CCC.0.31
access-list DMZ_access_in extended permit tcp host X.X.X.6 any
access-list DMZ_access_in extended permit udp host X.X.X.6 any
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.2
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.6
access-list DMZ_access_out extended permit tcp host BB.CCC.0.31 host X.X.X.6

You then have them applied to the interfaces in this manner:

access-group External01_access_in in interface External01
access-group External01_access_out out interface External01
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ

You'll see that you have two separate access lists for each interface, one which is applied inbound to that interface using the keyword "in" right after the name of the access list, and one which is applied outbound to the interface using the keyword "out" right after the name of the access list.  To understand what this is doing, you have to place your perspective at the center of the firewall.  Visualize yourself standing right in the center of the firewall when thinking about the inbound and outbound directions that are referenced in your "access-group" statements above.  

For example, let's say that a packet is trying to enter the External01 interface from the outside (the Internet) and it's trying to get to a host on the DMZ.  The access list called "External01_access_in" will be checked because it is applied in the inbound direction on that interface, and all of those ACL statements in that list will be checked in order from top to bottom to see if that packet matches any of those statements' criteria for either being "permitted" or "denied" access into that interface.  If it fails all of the statement checks, it will be implicitly denied.

So, let's say that it matches a "permit" entry in that ACL and is allowed inbound on the External01 interface.  The next thing it's going to do (as far as checking ACLs is concerned) is to figure out where the packet is destined to go and then see if there is another ACL that needs to be checked before allowing that packet to continue on its way.  In the case of your current configuration, the firewall will see that the DMZ interface has an access list applied to it in an outbound direction, which means that the firewall has to check the access list named "DMZ_access_out" to see if it should let that packet "out" of the firewall so it can get to the DMZ host.  If it matches a "permit" statement, then the packet is allowed to exit the firewall and reach the DMZ host.  If it doesn't match a "permit" or if it matches an explicit "deny" in the ACL, then the packet is dropped.

Because you have access lists applied in the same way "inbound to the DMZ interface" and "outbound to the External01 interface", this process will take place again for packets trying to go from the DMZ network back to the External01 network (the Internet).  As you can see, this creates a lot of room for error when constructing your ACLs...you have to really be thinking about traffic flows at a very granular level for this setup to work the way you want it to.

In most cases, you only need to apply access lists in an inbound fashion on interfaces.  The outbound direction is nice to have in certain situations, but is mostly unnecessary for most scenarios.

Now, having said that, let's examine the ACL statement order.  For the ACL named "DMZ_access_in", you'll see that the third statement allows all IP traffic from any source to any destination:

access-list DMZ_access_in extended permit ip any any

This means that all of the statements that occur after that one will never be inspected to see if the traffic matches them because ALL traffic will match a "permit ip any any"...that's everything!  So, I don't know if you were troubleshooting this issue or what, but just know that all of the statements in that ACL that occur after the "permit ip any any" will never be queried to see if traffic matches them.  This same scenario goes for the "DMZ_access_out" since the "permit ip any any" is the first statement.

So, here are my recommendations/questions:

1.  Unless you know that you have a specific need to have the outbound ACLs applied, take them out.  You can just "unapply" them from the interface without deleting the ACLs themselves with the following commands:

no access-group DMZ_access_out out interface DMZ
no access-group External01_access_out out interface External01

2. Have you used the "Real Time Log Viewer" in the ASDM GUI to see if the traffic destined for the 75 address is showing up?  The log viewer is a really nice feature which I use for this type of troubleshooting.  Do you see the traffic show up in that viewer?

3. Have you used the packet tracer feature to see if your current firewall configuration will allow the inbound traffic the way you want it to?  You can find more info on this tool here:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/tools.html#wp1536158

4. I would upgrade your ASA code to either the latest 7.x version (which is 7.2(3)) or to the 8.x code.  The version you are using is really old (I think you may be using the original code that came with the ASA when it was originally released).  Cisco has fixed numerous issues since that release and I would upgrade as soon as possible.

I know this was a long post, so please post back with any questions or to provide more info on what you've already tried troubleshooting-wise.
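As an added illustration of the two-ACL evaluation path and the "permit ip any any" shadowing described in the answer above (example code written for this page, not batry_boy's, Cisco's, or the asker's), this Python model evaluates the thread's own ACL lines first-match. The client address 198.51.100.9 is a constructed value, and matching is simplified to what these entries need (host/any only, no network masks or nested object-groups).

```python
import re
from collections import namedtuple

# Port names and the object-group the quoted ACLs use (values taken from the page).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}
OBJECT_GROUPS = {"wwws": {80, 443}}
# ports is None for "any destination port"; addresses stay as text since the page scrubs them.
Ace = namedtuple("Ace", "action proto src dst ports")
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (any|host \S+) "
                    r"(any|host \S+)(?: eq (\S+)| object-group (\S+))?$")

def parse_acls(text: str) -> dict[str, list[Ace]]:
    """Group ACEs by ACL name in the order the ASA evaluates them."""
    acls: dict[str, list[Ace]] = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, src, dst, port, grp = m.groups()
            ports = {PORT_NAMES[port]} if port else (OBJECT_GROUPS[grp] if grp else None)
            acls.setdefault(name, []).append(
                Ace(action, proto, src.removeprefix("host "), dst.removeprefix("host "), ports))
    return acls

def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return (ace.proto in ("ip", proto) and ace.src in ("any", src)
            and ace.dst in ("any", dst) and (ace.ports is None or dport in ace.ports))

def evaluate(acl: list[Ace], proto: str, src: str, dst: str, dport: int):
    """First match wins; falling off the end is the ASA's implicit deny (index None)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, i
    return "deny", None

def shadowed(acl: list[Ace]) -> list[int]:
    """Indexes of entries after a 'permit ip any any'; the ASA never consults them."""
    for i, ace in enumerate(acl):
        if ace == Ace("permit", "ip", "any", "any", None):
            return list(range(i + 1, len(acl)))
    return []

def trace_inbound(acls, proto, src, public_dst, real_dst, dport):
    """Internet -> External01 'in' ACL, then (after static NAT) the DMZ 'out' ACL."""
    steps = [("External01_access_in",) + evaluate(acls["External01_access_in"], proto, src, public_dst, dport)]
    if steps[0][1] == "permit":  # only a permitted packet reaches the second check
        steps.append(("DMZ_access_out",) + evaluate(acls["DMZ_access_out"], proto, src, real_dst, dport))
    return steps

# ACL lines copied from the configuration quoted in the thread.
SAMPLE = """
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 eq smtp
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 eq smtp
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.2
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.6
access-list DMZ_access_out extended permit tcp host BB.CCC.0.31 host X.X.X.6
"""
ACLS = parse_acls(SAMPLE)
```

Running `trace_inbound(ACLS, "tcp", "198.51.100.9", "AAA.XX.YYY.75", "X.X.X.6", 443)` shows an HTTPS packet permitted by the third External01 entry and then by the first DMZ_access_out entry, while `shadowed(ACLS["DMZ_access_out"])` lists the three entries that the leading "permit ip any any" makes unreachable.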
 

Author Comment

by:sefika
ID: 20420322
Yes, there is a correct translation rule for '75'.
 

Author Comment

by:sefika
ID: 20420495
Dear Batry_boy,

Please allow me time to analyze your solution proposal, test it, and give you feedback. This is really useful information.

Thanks for going out all the way to try and assist me.

 

Author Comment

by:sefika
ID: 20465466
Dear Batry_boy,

I am happy to inform you that I followed your troubleshooting tips (outbound traffic rules, real time log viewer & packet tracer) and my problem is completely solved. I was able to narrow down issues until I came on top.

Thanks ever so much!
 
LVL 28

Expert Comment

by:batry_boy
ID: 20465537
Glad to assist...
 
LVL 1

Expert Comment

by:Computer101
ID: 20794053
Forced accept.

Computer101
EE Admin