Solved

Particular NAT 0 not matching.... But it is?

Posted on 2008-10-08
Last Modified: 2012-05-05
Hi All,

I have a Cisco ASA 5510 I am configuring and have run into a weird issue that's probably not weird to you, but I don't understand it.

I have VPN Clients configured. They have a subnet of 10.99.0.0 255.255.255.0
I have a DMZ.  It has 192.168.255.16 255.255.255.252

I have a NAT 0 rule for VPNClients -> Internal Network
VPNClients -> DMZ

Another NAT 0 rule for Internal Network -> VPN Clients
Internal Network -> DMZ

So far the Internal NAT 0 rule works fine to the DMZ and VPN clients.
The VPNClients NAT 0 rule works to the Internal Network, but not the DMZ?

The rule looks like:
access-list outside_nat0_inbound extended permit ip VPNClients 255.255.255.0 object-group LAN_ALL_INTERNAL
access-list outside_nat0_inbound extended permit ip VPNClients 255.255.255.0 192.168.255.16 255.255.255.252
nat (outside) 0 access-list outside_nat0_inbound outside

As you can see, they are part of the same NAT 0 rule.  The first part works well, the VPN clients can get to any of our internal subnets no worries.

If I do a "show nat" command and filter through everything, I can see matches.  And if I attempt to access our webserver from the VPN a few times and do it again, the translate_hits increases like so:
match ip outside VPNClients 255.255.255.0 dmz 192.168.255.16 255.255.255.252
    NAT exempt
    translate_hits = 31, untranslate_hits = 0

match ip outside VPNClients 255.255.255.0 dmz 192.168.255.16 255.255.255.252
    NAT exempt
    translate_hits = 39, untranslate_hits = 0

match ip outside VPNClients 255.255.255.0 dmz 192.168.255.16 255.255.255.252
    NAT exempt
    translate_hits = 42, untranslate_hits = 0

However looking at the syslog messages in ASDM I still get:
3|Oct 07 2008 21:11:40|305005: No translation group found for tcp src outside:10.99.0.11/1455 dst dmz:WEBSERVER/443

Ideas?

Thanks guys/girls.
Question by:NutrientMS

17 Comments
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675359
Can you please post your entire config and I'll tell you exactly what's wrong?
Cheers!
LVL 5

Author Comment

by:NutrientMS
ID: 22675441
Here it is.  It's still a work in progress, as in there are still some test entries in the Access lists opening all outbound traffic instead of using restricted protocols.  Also, if you note any oddities, it would be good if you could let me know.  I can't really "see" things like that by looking at the config.

Thanks.

ASA Version 7.0(7)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxxxx encrypted
names
name 10.99.0.0 VPNClients
name 10.10.1.2 BNEEXC01
name 10.10.1.10 BNEIN01
name 10.10.1.1 BNEPDC01
name 10.0.0.3 CPFBRIS-FPE
name 10.0.0.7 CPFWA-ILEND
name 203.124.180.178 Finware_Server1
name 203.206.230.75 Finware_Server2
name 10.20.1.67 Gwendy_oKeefe
name 10.10.1.58 David_Cramp
name 10.10.1.62 Lee_Cousins
name 10.10.1.110 Marley_Barrett
name 10.10.1.247 Netbox
name 10.10.1.81 Sharon_Swan
name 10.10.1.107 Tiana_Iuvale
name 10.10.1.134 Tom_Dickenson
name 192.168.255.17 WEBSERVER
name 172.16.254.1 Ironserv
name 172.16.254.2 Ironserv_Backup
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.0.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.18 255.255.255.248
!
interface Ethernet0/2
 shutdown
 nameif dmz
 security-level 30
 ip address 192.168.255.18 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
same-security-traffic permit intra-interface
object-group network LAN_Brisbane
 network-object 10.10.0.0 255.255.0.0
object-group network LAN_Parramatta
 network-object 10.20.0.0 255.255.0.0
object-group network LAN_Melbourne
 network-object 10.30.0.0 255.255.0.0
object-group network LAN_Adelaide
 network-object 10.40.0.0 255.255.0.0
object-group network LAN_Perth
 network-object 10.50.0.0 255.255.0.0
object-group network LAN_Ipswich
 network-object 10.11.0.0 255.255.0.0
object-group network LAN_Rockhampton
 network-object 10.12.0.0 255.255.0.0
object-group network LAN_Yeppoon
 network-object 10.13.0.0 255.255.0.0
object-group network LAN_Greenslopes
 network-object 10.14.0.0 255.255.0.0
object-group network LAN_Ironserv
 network-object 172.16.254.0 255.255.255.0
object-group network LAN_Brisbane_Old
 network-object 10.0.0.0 255.255.255.0
object-group network LAN_ALL_INTERNAL
 description All internal subnets excluding VPN Clients
 group-object LAN_Brisbane
 group-object LAN_Parramatta
 group-object LAN_Melbourne
 group-object LAN_Adelaide
 group-object LAN_Perth
 group-object LAN_Ipswich
 group-object LAN_Rockhampton
 group-object LAN_Yeppoon
 group-object LAN_Greenslopes
 group-object LAN_Ironserv
 group-object LAN_Brisbane_Old
object-group service ICMP_group tcp-udp
 port-object eq echo
object-group service Restricted_Outbound_Protocols tcp
 description List of Restricted TCP Outbound Protocols for general web users.  Duplicated from ISA Server.
 port-object range 3389 3389
 port-object eq echo
 port-object eq imap4
 port-object eq ssh
 port-object eq pop3
 port-object eq www
 port-object eq ftp
 port-object eq https
 port-object eq ldap
 port-object eq nntp
object-group service ftp2 tcp
 port-object range ssh ssh
access-list outside_cryptomap_10 extended permit ip host 10.10.1.254 any
access-list inside_pnat_outbound extended permit ip object-group LAN_Brisbane any
access-list inside_access_in extended permit ip VPNClients 255.255.0.0 any
access-list inside_access_in extended permit udp VPNClients 255.255.255.0 any
access-list inside_access_in extended permit icmp object-group LAN_ALL_INTERNAL any
access-list inside_access_in extended permit icmp VPNClients 255.255.255.0 any
access-list inside_access_in extended permit ip object-group LAN_Brisbane any
access-list inside_access_in extended permit ip object-group LAN_ALL_INTERNAL any
access-list inside_access_in extended permit tcp object-group LAN_ALL_INTERNAL object-group Restricted_Outbound_Protocols any object-group Restricted_Outbound_Protocols
access-list outside_access_in extended permit icmp any host xxx.xxx.xxx.18 echo-reply
access-list outside_access_in remark Incomming SMTP emails to the Netbox
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.19 eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.19 eq pop3
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.19 eq ftp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.19 eq ssh
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.20 eq https
access-list outside_nat0_inbound extended permit ip VPNClients 255.255.255.0 object-group LAN_ALL_INTERNAL
access-list outside_nat0_inbound extended permit ip VPNClients 255.255.255.0 192.168.255.16 255.255.255.252
access-list vpn_access_in extended permit ip VPNClients 255.255.255.0 any
access-list inside_nat0_outbound_V1 extended permit ip object-group LAN_ALL_INTERNAL VPNClients 255.255.255.0
access-list inside_nat0_outbound_V1 extended permit ip object-group LAN_ALL_INTERNAL 192.168.255.16 255.255.255.252
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.20.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.30.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.40.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.50.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.11.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.12.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.13.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.14.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.254.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.255.0 255.255.255.0
access-list dmz_access_in extended permit icmp 192.168.255.16 255.255.255.252 object-group LAN_ALL_INTERNAL echo-reply
access-list dmz_access_in extended permit icmp 192.168.255.16 255.255.255.252 VPNClients 255.255.255.0 echo-reply
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging asdm debugging
logging host inside David_Cramp 6/1470
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu dmz 1500
ip local pool VPNCLIENTS 10.99.0.10-10.99.0.254 mask 255.255.255.0
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_V1
nat (inside) 1 access-list inside_pnat_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
static (inside,outside) tcp xxx.xxx.xxx.19 pop3 BNEEXC01 pop3 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.19 smtp Netbox smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.19 ftp Ironserv ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.19 ssh Ironserv ssh netmask 255.255.255.255
static (dmz,outside) tcp xxx.xxx.xxx.20 https WEBSERVER https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route inside 10.0.0.0 255.255.255.0 10.10.1.254 10
route inside 172.16.254.0 255.255.255.0 10.10.1.254 10
route inside 10.20.0.0 255.255.0.0 10.10.1.254 10
route inside 10.30.0.0 255.255.0.0 10.10.1.254 10
route inside 10.40.0.0 255.255.0.0 10.10.1.254 10
route inside 10.50.0.0 255.255.0.0 10.10.1.254 10
route inside 10.11.0.0 255.255.0.0 10.10.1.254 10
route inside 10.12.0.0 255.255.0.0 10.10.1.254 10
route inside 10.13.0.0 255.255.0.0 10.10.1.254 10
route inside 10.14.0.0 255.255.0.0 10.10.1.254 10
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server CALRADIUS protocol radius
aaa-server CALRADIUS host 10.10.1.6
 key xxxxxxxxxxxx
 authentication-port 1812
 accounting-port 1813
 radius-common-pw xxxxxxxxxxxxxxxxx
group-policy CentrepointVPN internal
group-policy CentrepointVPN attributes
 dns-server value 10.10.1.1 10.30.1.1
 vpn-idle-timeout none
 vpn-session-timeout 480
 vpn-tunnel-protocol IPSec
 group-lock value CentrepointVPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value xxxx.local
 webvpn
username x password xxxxxxxxxxxxxxxxx encrypted privilege 15
username x password xxxxxxxxxxxxxxxxx encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http David_Cramp 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map 10 set peer 10.10.1.254
crypto map outside_map 10 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group CentrepointVPN type ipsec-ra
tunnel-group CentrepointVPN general-attributes
 address-pool VPNCLIENTS
 authentication-server-group CALRADIUS
 default-group-policy CentrepointVPN
tunnel-group CentrepointVPN ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh David_Cramp 255.255.255.255 inside
ssh 10.10.1.3 255.255.255.255 inside
ssh 192.168.2.201 255.255.255.255 inside
ssh timeout 15
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map new
!
service-policy global_policy global
Cryptochecksum:60cb50f074198556b616eae8dcf1e1ab
: end
LVL 12

Accepted Solution

by:
Pugglewuggle earned 250 total points
ID: 22675657
The NAT 0 actually has to be applied to each interface you want to allow VPN users access to.
Run the attached commands to fix the problem.
Cheers! Let me know if you have any questions!

interface Ethernet0/2
no shutdown
no access-list inside_nat0_outbound_V1 extended permit ip object-group LAN_ALL_INTERNAL VPNClients 255.255.255.0
no access-list inside_nat0_outbound_V1 extended permit ip object-group LAN_ALL_INTERNAL 192.168.255.16 255.255.255.252
access-list inside_nat0_outbound extended permit ip object-group LAN_ALL_INTERNAL VPNClients 255.255.255.0
no nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound

LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675659
BTW - since the DMZ is not running NAT, there is no need for NAT exemption on the interface.
Cheers!
LVL 5

Author Comment

by:NutrientMS
ID: 22675677
I'll give that a go.  As our ISA server is currently serving our Webserver, I cannot test it right now (which is why Ethernet0/2 is shutdown).  I will test tonight and let you know how it goes!

Thanks again for the help!
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675729
Ahhhh I see.... Just let me know!
Cheers!
LVL 79

Expert Comment

by:lrmoore
ID: 22678238
You might want to remove the acls from these interfaces

access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

Your dmz acl is way too restrictive, and the inside acl is basically permit ip any any, which is the default. Only apply an acl to the inside interface if you want to restrict traffic going out.

You should end up with 2 different nat_0 acls, one applied to inside and one applied to dmz.

LVL 12

Expert Comment

by:Pugglewuggle
ID: 22679548
Yeah, I just didn't want to mention it for now to make sure there was no confusion. :)
Cheers!
LVL 5

Author Comment

by:NutrientMS
ID: 22683257
Thanks for the tips guys!  I will be testing this stuff tomorrow night and will report back how it goes!

Cheers.
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22683770
kk! Let us know!
LVL 5

Author Comment

by:NutrientMS
ID: 22704638
Hey guys,

I ran the code attached by Pugglewuggle and I am still getting this and no access to the webserver:

No translation group found for tcp src outside:10.99.0.10/2190 dst dmz:WEBSERVER/443

Cheers
LVL 5

Author Comment

by:NutrientMS
ID: 22704739
Hi lrmoore,

Yes, our DMZ currently only has a webserver, and I would like to restrict all traffic in and out of there except for port 443.  As for internal access outbound, we do restrict outbound traffic to a number of ports.  Currently it is set to Allow all outbound, but it will be locked down to the Restricted_Outbound_Protocols group once it is in production.
LVL 5

Author Comment

by:NutrientMS
ID: 22705646
Also, to allow the traffic to flow between internal and DMZ without NAT, I need to set no nat-control correct?

Really the only NAT we need to use is from Inside to Outside. Internal -> VPN is routed. VPN and Inside to DMZ is routed.  Outside to Inside uses static commands.

Cheers.
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22708094
Can you please post your updated config so I can take a look?
no nat-c doesn't hurt anything - feel free to use it.
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 22708283
Did you apply a nat0 acl to the dmz interface?

access-list dmz_nat0 permit ip host WEBSERVER 10.99.0.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0
LVL 5

Author Comment

by:NutrientMS
ID: 22710905
Hi Pugglewuggle,

I definitely need the line:
no access-list inside_nat0_outbound_V1 extended permit ip object-group LAN_ALL_INTERNAL 192.168.255.16 255.255.255.252

As I removed it, and internally I could no longer get to the DMZ. Add it back in, and it's all good.  I added it to inside_nat0_outbound instead of the V1 rule.

lrmoore, I have applied your nat0 acl and VPNClients -> WEBSERVER is working now.

I will post another copy of my current config, if you guys could make any comments or question any of the config, as I don't really know any of the "best practices" for setting up an ASA device specifically.

Cheers

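The outcome above (Pugglewuggle's inside-only `nat (inside) 0` left the VPN -> WEBSERVER flow failing; lrmoore's `nat (dmz) 0 access-list dmz_nat0` fixed it) can be turned into a quick coverage check. The Python below is an added example, not code from the thread or from Cisco: it reads `nat (ifc) 0 access-list` and `access-list ... permit ip` lines, then tests each `305005` syslog line for a covering exemption on either the ingress interface (forward) or the far interface (reverse, since NAT exemption is bidirectional). It assumes the thread's `names` entries, does not parse object-groups (the constructed config collapses LAN_ALL_INTERNAL to 10.10.0.0/16), and does not model the original `nat (outside) 0 ... outside` form.

```python
"""Check ASA NAT-exemption coverage for flows reported as %ASA-3-305005 (added example)."""
import ipaddress
import re

# 'names' entries taken from the thread's config; used to resolve labels in ACEs and logs.
NAMES = {"VPNClients": "10.99.0.0", "WEBSERVER": "192.168.255.17"}

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")
# Matches the body of a 305005 message regardless of the ASDM "3|date|" prefix.
LOG_RE = re.compile(
    r"305005: No translation group found for \w+ "
    r"src (\w+):([\w.]+)/\d+ dst (\w+):([\w.]+)/\d+"
)


def _resolve(token):
    """Map a 'name' label to its address; anything else is returned unchanged."""
    return NAMES.get(token, token)


def _parse_addr(tokens):
    """Consume one ACE address spec (any | host X | ADDR MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(_resolve(tokens[1]) + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{_resolve(tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_nat0(config_text):
    """Return {interface: [(src_net, dst_net), ...]} for every 'nat (ifc) 0 access-list' binding."""
    aces, bindings = {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            src, rest = _parse_addr(m.group(2).split())
            dst, _ = _parse_addr(rest)
            aces.setdefault(m.group(1), []).append((src, dst))
            continue
        m = NAT0_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    return {ifc: aces.get(acl, []) for ifc, acl in bindings.items()}


def find_exemption(nat0, src_ifc, src_ip, dst_ifc, dst_ip):
    """Describe the exemption covering a flow, or None.

    Forward: an entry bound to the ingress interface matching src -> dst.
    Reverse: an entry bound to the egress interface matching dst -> src
    (assumption: a nat 0 exemption also covers traffic arriving from the far side).
    """
    src_ip = ipaddress.ip_address(_resolve(src_ip))
    dst_ip = ipaddress.ip_address(_resolve(dst_ip))
    for s, d in nat0.get(src_ifc, []):
        if src_ip in s and dst_ip in d:
            return f"nat ({src_ifc}) 0 forward match {s} -> {d}"
    for s, d in nat0.get(dst_ifc, []):
        if dst_ip in s and src_ip in d:
            return f"nat ({dst_ifc}) 0 reverse match {s} -> {d}"
    return None


def check_syslog(config_text, log_lines):
    """For each 305005 line, return (flow, covering exemption or None)."""
    nat0 = parse_nat0(config_text)
    report = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src_ifc, src_ip, dst_ifc, dst_ip = m.groups()
        flow = f"{src_ifc}:{src_ip}->{dst_ifc}:{dst_ip}"
        report.append((flow, find_exemption(nat0, src_ifc, src_ip, dst_ifc, dst_ip)))
    return report


# Constructed config: the state after Pugglewuggle's commands (inside-only exemption).
CONFIG_AFTER_STEP1 = """\
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 VPNClients 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.255.16 255.255.255.252
nat (inside) 0 access-list inside_nat0_outbound
"""
# Constructed config: the same plus lrmoore's dmz_nat0 binding.
CONFIG_FINAL = CONFIG_AFTER_STEP1 + """\
access-list dmz_nat0 permit ip host WEBSERVER 10.99.0.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0
"""
# The syslog line quoted in the question.
SYSLOG = ["3|Oct 07 2008 21:11:40|305005: No translation group found for tcp "
          "src outside:10.99.0.11/1455 dst dmz:WEBSERVER/443"]

if __name__ == "__main__":
    for label, cfg in (("inside-only", CONFIG_AFTER_STEP1), ("with dmz_nat0", CONFIG_FINAL)):
        for flow, hit in check_syslog(cfg, SYSLOG):
            print(f"{label}: {flow}: {hit or 'NO NAT-EXEMPT ENTRY on either interface'}")
```

Run it as a script to see the inside-only config report no covering entry for the outside -> dmz flow, while the config with `dmz_nat0` is covered by the reverse match on the dmz binding, which is exactly the difference the thread observed.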
LVL 5

Author Comment

by:NutrientMS
ID: 22710990
Actually, no that should be another question.  Thank you Pugglewuggle and lrmoore for your help!