Solved

CISCO ASA 5510 - IP REDIRECT

Posted on 2010-09-10
Last Modified: 2013-11-16
I have a spare public IP for which I have set up a static NAT translation to a server on our inside network.

object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp eq www
 service-object tcp eq https
access-list inside_access_in extended permit ip any any
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group outside in interface outside

The connection is denied by the ASA. The logs are suggesting an IP Spoof.

2 Sep 10 2010 05:28:18 106016 Deny IP spoof from (99.20.99.150) to 222.111.2.25 on interface outside

It is saying the destination IP address is 0 ???....
Question by:FlyingFortress
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646318
do this

no static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
no static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255

then do this

no static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

that should do you

Pete
www.petenetlive.com
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646324
oops wrong second command

no static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

should have read

static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

sorry need coffee

Pete
www.petenetlive.com
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646445
remove this access-list:

access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25

and give this:

access-list
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646491
oops.. sorry about that previous reply

remove this access-list:

no access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25

and remove service-object ip from the object-group:

object-group service DM_INLINE_SERVICE_1
 no service-object ip

and give this:

access-list outside permit extended permit tcp any host 222.111.2.25 object-group DM_INLINE_SERVICE_1
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33646586
Hi - Sorry, please clarify the command to remove the current access-list.
Thanks
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33646639
Ah, sorry, it's in the command...!
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33646703
I am getting an invalid hostname response when adding

access-list outside permit extended permit tcp any host 222.111.2.25 object-group DM_INLINE_SERVICE_1

?
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33646725
Could this be a routing issue - I do not get ping responses from our external servers?
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646969
ok... object-group varies in different versions.. try this:

access-list outside permit extended permit tcp any host 222.111.2.25 eq 80
access-list outside permit extended permit tcp any host 222.111.2.25 eq 443

instead of the access-list with object group.. remove the earlier access-list and put in the above ones.

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647042
and this should be there:

static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33647060
Sorry

access-list outside permit extended permit tcp any host 222.111.2.25 eq 80

comes back with a syntax error
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33647085
Invalid host - Is this because I do not have an 'access-list outside'? I cannot see it in the running config..

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647188
oops.. my bad.. the command is:

access-list outside extended permit tcp any host 222.111.2.25 eq 80
access-list outside extended permit tcp any host 222.111.2.25 eq 443

sorry for that typo..

 
LVL 1

Author Comment

by:FlyingFortress
ID: 33647313
No problem - it's usually me!

The commands were applied but still no connection....? I am testing from within the LAN, so I am wondering if it is something to do with the access-list outside or a general routing issue ......

Thanks FF
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647398
can you just paste in your current show run with the changes made.. just to verify if everything is in place..
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33647542
Sure

ASA Version 8.2(1)
!
hostname OVERWALL
domain-name default.domain.invalid
enable password L3jXBIU9.f/KXdjK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 88.88.90.150 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif    
 no security-level
 no ip address
!            
interface Ethernet0/3
 shutdown    
 no nameif    
 no security-level
 no ip address
!            
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!            
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 222.111.20.20
 name-server 222.111.20.21
 domain-name default.domain.invalid
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP
 description RDP 3389
 service-object tcp eq 3389
access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 88.88.90.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.50.99 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.50.99 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!            
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn        
username admin password H1kZZCYIzbxYpUC2 encrypted privilege 15
!            
class-map inspection_default
 match default-inspection-traffic
!            
!            
policy-map type inspect dns preset_dns_map
 parameters  
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!            
service-policy global_policy global
prompt hostname context
Cryptochecksum:b428b107637e6ca9953e82055ea5a0e2
: end  
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33648364
ok... put these commands in:

access-group outside in interface outside
no static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
no static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255

this should work...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33648656
Sorry still no joy - definitely no static?
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33648768
yea.. since I can see static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255 already there in your config... you can go ahead and remove the other two..

so ideally you should only have:

access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-group outside in interface outside
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

for this to work.
 
LVL 4

Expert Comment

by:bjove
ID: 33648934
interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 88.88.90.150 255.255.255.248
...
route outside 0.0.0.0 0.0.0.0 88.88.90.150 1

You should change the default route on the firewall so that it does not point to the outside interface itself (88.88.90.150), but to the IP of the internet router's interface that is connected to the outside interface.
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33649003
shitz... I didn't notice that!! good one bjove!!! that is a point of concern...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33650369
10-4 on the access list command ullas.

So the interface Ethernet0/0 is connected directly to the LES line router's Ethernet port.

On our previous eSoft firewall the ISP wan settings were as following:

Assign static IP - True
IP Address - 88.88.90.150
Subnet - 255.255.255.248
Gateway IP Address - 88.88.90.153

So I should point at the gateway IP....
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

(So you assumed that because the IP of the interface was also the route outside then it could not be the router ip?....)

Also, does the 1 at the end of the statement assign the order for a failover?

Thanks

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33650479
yea you're right, your route should be:

route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

the 1 is the administrative distance for this route. Valid values range from 1 to 255. The default value is 1.
since it is a static route it takes metric 1. a directly connected network has metric 0, and various routing protocols have various metrics...
 
LVL 4

Expert Comment

by:bjove
ID: 33650513
"So you assumed that because the IP of the interface was also the route outside then it could not be the router ip?....)"
 - Yes.
"route outside 0.0.0.0 0.0.0.0 88.88.90.153 1"
 - This is the proper default gateway. 1 is the route metric, so if you have more than one route for the same subnet, the ASA uses the one with the lowest metric (usually used together with dynamic routing).
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33650590
Understood.
Shame I did that.
Makes sense that the ASA regarded the internal request as a spoof now, as it routed back on itself.
* Apart from the static NAT route the office clients did not have any major connectivity to the net - just a little surprised if I was not routing out through the router....

I connected the eSoft back before I left town tonight so will not be able to confirm the results till Monday.

Thanks
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33660001
Ok, when I cleansed the IPs in my config I duplicated the IP on interface 0/0. Sorry
So the route outside was correct....
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

The only clues I have are that the log is treating the inbound connection as a spoof and the server is failing to detect the proxy.
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33660128
For testing's sake I have just attempted to set up a static route through to a client terminal with RDP.

access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-list outside extended permit tcp any host 222.111.2.25 eq ftp
access-list outside extended permit tcp any host 222.111.2.25 eq 3389

nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.50.96 netmask 255.255.255.255

This also failed, and I have checked the inbound log and am getting the same message -
2 Sep 13 2010 08:34:24 106016 Deny IP spoof from (88.88.90.158) to 222.111.2.26 on interface outside

I also have the same message for the .25 address

Thanks
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33660245
Sorry this line also
access-list outside extended permit tcp any host 222.111.2.26 eq 3389 for the RDP
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661503
106016 Error Message %ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

Explanation This message is generated when a packet arrives at the adaptive security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the adaptive security appliance interface. In addition, this message is generated when the adaptive security appliance discarded a packet with an invalid source address, which may include one of the following or some other invalid address:

 • Loopback network (127.0.0.0)
 • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
 • The destination host (land.c)

To further enhance spoof packet detection, use the icmp command to configure the adaptive security appliance to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33661548
I have added a static IP address of my terminal on the LAN as this was the only way that I could access the CLI through my SSH client.

I am also sending the requests from the same terminal.

ssh 192.168.50.99 255.255.255.255 inside
Is the netmask the issue?

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661607
so are you trying to access 222.111.2.26 from 192.168.50.99?
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33661673
That is just where I am testing from; it's my terminal at work (and where I am connecting to the CLI). With the eSoft firewall the same service was set up, but it would still connect from a client on the LAN as the request would formally route out through the gateway and then back in.

The server I am trying to connect to is a BOMGAR support server which has a web front end, and the IP 2xx.xxx.x.25 is just not resolving through the ASA as documented.

Is there a fundamental flaw with the basic routing setup?
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661721
so I just tried http to that IP and I am able to get the portal. so it is accessible from the outside. so you should be able to access it on 192.168.50.5 from the inside. and if you are trying to access the server on its public IP from the inside then there is another set of commands you need to put in....
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33661790
Ah ok.
I can get to the IP from the LAN 192.168.50.5 no problem....

So additional commands are needed just for internal network to route out?

Cheers
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661916
ok so this is what happens when you try to access 217.169.2.25 from the internal network....

you have this:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

so you're having source NAT, so when you go to the internet your private IP will be changed to the interface IP, ie. 88.88.90.150.
now when you access 2xx.xxx.x.25 the request goes to the internet with a source IP of 88.88.90.150, and when the internet routes it back to the firewall, the firewall sees the source IP is 88.88.90.150 and it is the firewall's interface IP, so it thinks that some attacker on the internet has spoofed the IP and is trying to compromise the server, so it drops the packet. that is how a firewall is supposed to behave.
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661965
if you want your internal ip to access the server via its external ip then put in these commands.

static (inside,inside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
same-security-traffic permit intra-interface

 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662192
Hi I am getting -
 mapped-address conflict with existing static
  inside:192.168.51.5 to outside:2xx.xxx.x.25 netmask 255.255.255.255
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662390
it should not be a problem... its just a warning.. can you try accessing 2xx.xxx.x.25 from inside...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662418
Sure, unfortunately the same SPOOF msg.
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662454
hope you put this command too:

same-security-traffic permit intra-interface

can you attach the output of :

sh run static
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662551
Yep and it is in the running config

static (inside,inside) tcp 222.111.2.25 www 192.168.51.5 www netmask 255.255.255.255
static (inside,outside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662579
hope you were trying http...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662602
Yes  and with https
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662683
no static (inside,inside) tcp 222.111.2.25 www 192.168.51.5 www netmask 255.255.255.255

static (inside,inside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255

give in these two commands and try....
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662771
Done, the second had a conflict error. Unfortunately the same error. Sorry
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662813
Sorry - static (inside,inside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255

Should that be (inside,inside) - Just thought i would check
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662971
yea it should be.. inside,outside is for traffic from the outside and inside,inside should be for traffic from inside.
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663058
Ok thanks. So just to clarify, here are the statics

static (inside,outside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255
static (inside,inside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,inside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255

 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663112
Within the ASDM the anti-spoofing is set to 'no'
Should this be enabled for this command to be effective - (same-security-traffic permit intra-interface) ?
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33663196
well.. last try... give in these commands...

access-list server_ext permit ip 192.168.50.0 255.255.255.0 host 2xx.xxx.x.25

nat (inside) 10 access-list server_ext
global (inside) 10 interface

and then try.... http on 2xx.xxx.x.25
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663549
It worked!! Genius!

Do I remove the static entries?

So my understanding is that you created an access list (server_ext) and permitted the whole subnet through a host table (Like what you can do on your client pc) and then added it to the access list to the nat table. Or something like that...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663632
Ah no the statics are still required for sure
 
LVL 4

Accepted Solution

by:
ullas_unni earned 500 total points
ID: 33663720
statics are required for sure.... they are for destination translation... and the latest set of commands I gave you is for source translation....

cool... ok so the last set of commands are for source translation... it translates your source, ie your internal IP, to the interface IP of your inside so that the reply also comes back via the firewall.... what was happening before is that the source translation was not there, and the request went from the client to the server via the firewall but the return traffic was coming directly via your switch... because earlier we were not doing source translation, so when the server sees the request came from the 192 network it will reply via the switch and not the firewall....


 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663959
Brilliant.

So I have added the additional static routes through the firewall and then added the IPs to the access-list.
I take it you can have as many access lists as you wish?
So I will always have to add the following

Step 1.
access-list outside extended permit tcp any host (PUBLIC_IP) eq (PORT)

Step 2. (Static routes)
static (inside,outside) (PUBLIC_IP) (LAN_IP) netmask 255.255.255.255 (Routes outside to inside)
static (inside,inside) (PUBLIC_IP) (LAN_IP) netmask 255.255.255.255 (Routes inside to inside)

Step 3. (Source translation)
access-list server_ext extended permit ip (LAN SUBNET_IP) 255.255.255.0 host (PUBLIC_IP)

I have a general idea, but please define what the commands here have done (the 10 was a little bit of a curve ball) -

nat (inside) 10 access-list server_ext
global (inside) 10 interface

Thanks v.Much
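The source translation that made the hairpin work (the accepted solution above, and the three steps and the nat (inside) 10 / global (inside) 10 question in the post just above), traced as a small Python model of the final 8.2 config. This is an added illustration, not Cisco code or anything posted in the thread: the packet model and helper names (asa_forward, trace) are assumptions, the addresses are the thread's sanitised values, and the 10 is the nat_id that pairs the nat (inside) statement with its global (inside) statement.

```python
"""Model of the inside-to-public-IP (hairpin) flow fixed in this thread.

Constructed illustration, not Cisco code: the packet model and helper names
are assumptions; the addresses are the thread's sanitised values.
"""
from dataclasses import dataclass

INSIDE_IF = "192.168.50.1"   # ip address of the inside interface
PUBLIC_IP = "222.111.2.25"   # mapped address of the static
SERVER = "192.168.50.5"      # real address of the web server
CLIENT = "192.168.50.99"     # LAN workstation doing the test
LAN = "192.168.50."          # 192.168.50.0 255.255.255.0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# static (inside,inside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
STATIC_INSIDE_INSIDE = {PUBLIC_IP: SERVER}


def server_ext_matches(pkt: Packet) -> bool:
    # access-list server_ext permit ip 192.168.50.0 255.255.255.0 host 222.111.2.25
    return pkt.src.startswith(LAN) and pkt.dst == PUBLIC_IP


def asa_forward(pkt: Packet, source_nat: bool) -> Packet:
    """Inside->inside pass through the ASA: destination xlate from the static,
    and, when the policy NAT is configured, source xlate to the inside
    interface. nat_id 10 ties "nat (inside) 10 access-list server_ext" to
    "global (inside) 10 interface" (the assumed model of those two lines)."""
    src = INSIDE_IF if source_nat and server_ext_matches(pkt) else pkt.src
    dst = STATIC_INSIDE_INSIDE.get(pkt.dst, pkt.dst)
    return Packet(src, dst)


def asa_untranslate(reply: Packet, original: Packet, translated: Packet) -> Packet:
    """Reverse both xlates for a reply that comes back through the ASA."""
    src = original.dst if reply.src == translated.dst else reply.src
    dst = original.src if reply.dst == translated.src else reply.dst
    return Packet(src, dst)


def server_reply(req: Packet) -> tuple[str, Packet]:
    """The server answers whoever it saw as the source. The client sits on the
    same subnet, so that reply goes straight over the switch; only a reply
    addressed to the ASA's own interface IP passes back through the ASA."""
    reply = Packet(req.dst, req.src)
    return ("asa" if reply.dst == INSIDE_IF else "switch"), reply


def trace(source_nat: bool) -> dict:
    request = Packet(CLIENT, PUBLIC_IP)
    translated = asa_forward(request, source_nat)
    via, reply = server_reply(translated)
    if via == "asa":
        reply = asa_untranslate(reply, request, translated)
    # The client's TCP stack only matches a SYN-ACK that comes from the address
    # it connected to; a reply arriving straight from 192.168.50.5 is dropped.
    return {
        "translated": translated,
        "reply_via": via,
        "reply_seen_by_client": reply,
        "connection_ok": reply.src == PUBLIC_IP and reply.dst == CLIENT,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("with" if flag else "without", "source translation:", trace(flag))
```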
 
LVL 1

Author Closing Comment

by:FlyingFortress
ID: 33663979
Excellent*