Solved

CISCO ASA 5510 - IP REDIRECT

Posted on 2010-09-10
Last Modified: 2013-11-16
I have a spare public IP that I have set up a static NAT translation to a server on our inside network.

object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp eq www
 service-object tcp eq https
access-list inside_access_in extended permit ip any any
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group outside in interface outside

The connection is denied by the ASA. The logs are suggesting an IP Spoof.

2      Sep 10 2010      05:28:18      106016                              Deny IP spoof from (99.20.99.150) to 222.111.2.25 on interface outside

It is saying the destination IP address is 0 ???....





Question by:FlyingFortress
56 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646318
do this

no static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
no static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255

then do this

no static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

that should do you

Pete
www.petenetlive.com
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646324
oops wrong second command

no static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

should have read

static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

sorry need coffee

Pete
www.petenetlive.com
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646445
remove this access-list:

access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25

and give this:

access-list
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646491
oops.. sorry about that previous reply

remove this access-list:

no access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25

and remove service-object ip from the object-group:

object-group service DM_INLINE_SERVICE_1
 no service-object ip

and give this:

access-list outside permit extended permit tcp any host 222.111.2.25 object-group DM_INLINE_SERVICE_1
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33646586
Hi - Sorry, please clarify the command to remove the current access-list.
Thanks
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33646639
Ah sorry, it's in the command...!
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33646703
I am getting an invalid hostname response when adding

access-list outside permit extended permit tcp any host 222.111.2.25 object-group DM_INLINE_SERVICE_1

?
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33646725
Could this be a routing issue - I do not get ping responses from our external servers?
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646969
ok... object-group varies in different versions.. try this:

access-list outside permit extended permit tcp any host 222.111.2.25 eq 80
access-list outside permit extended permit tcp any host 222.111.2.25 eq 443

instead of the access-list with object group.. remove the earlier access-list and put in the above ones.

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647042
and this should be there:

static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33647060
Sorry

access-list outside permit extended permit tcp any host 222.111.2.25 eq 80

comes back with a syntax error
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33647085
Invalid host - Is this because I do not have an 'access-list outside'? I cannot see it in the running config..

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647188
oops.. my bad.. the command is:

access-list outside extended permit tcp any host 222.111.2.25 eq 80
access-list outside extended permit tcp any host 222.111.2.25 eq 443

sorry for that typo..

 
LVL 1

Author Comment

by:FlyingFortress
ID: 33647313
No problem - it's usually me!

The commands were applied but still no connection....? I am testing from within the LAN so wondering if it is something to do with the access-list outside or a general routing issue ......

Thanks FF
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647398
can you just paste in your current show run with the changes made.. just to verify if everything is in place..
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33647542
Sure

ASA Version 8.2(1)
!
hostname OVERWALL
domain-name default.domain.invalid
enable password L3jXBIU9.f/KXdjK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 88.88.90.150 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif    
 no security-level
 no ip address
!            
interface Ethernet0/3
 shutdown    
 no nameif    
 no security-level
 no ip address
!            
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!            
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 222.111.20.20
 name-server 222.111.20.21
 domain-name default.domain.invalid
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP
 description RDP 3389
 service-object tcp eq 3389
access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 88.88.90.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.50.99 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.50.99 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!            
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn        
username admin password H1kZZCYIzbxYpUC2 encrypted privilege 15
!            
class-map inspection_default
 match default-inspection-traffic
!            
!            
policy-map type inspect dns preset_dns_map
 parameters  
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!            
service-policy global_policy global
prompt hostname context
Cryptochecksum:b428b107637e6ca9953e82055ea5a0e2
: end  
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33648364
ok... put these commands in:

access-group outside in interface outside
no static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
no static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255

this should work...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33648656
Sorry still no joy - definitely no static?
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33648768
yea.. since I can see static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255 is already there in your config... you can go ahead and remove the other two..

so ideally you should only have:

access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-group outside in interface outside
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

for this to work.
 

 
LVL 4

Expert Comment

by:bjove
ID: 33648934
interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 88.88.90.150 255.255.255.248
...
route outside 0.0.0.0 0.0.0.0 88.88.90.150 1

You should change default route on firewall not to point to outside interface (88.88.90.150), but to IP of the interface of internet router connected to outside interface.
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33649003
shitz... I didn't notice that!! good one bjove!!! that is a point of concern...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33650369
10-4 on the access list command ullas.

So the interface Ethernet0/0 is connected directly to the LES line router's Ethernet port.

On our previous eSoft firewall the ISP WAN settings were as follows:

Assign static IP - True
IP Address - 88.88.90.150
Subnet - 255.255.255.248
Gateway IP Address - 88.88.90.153

So I should point at the gateway IP....
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

(So you assumed that because the IP of the interface was also the route outside then it could not be the router ip?....)

Also does the 1 at the end of the statement assign the order for a failover?

Thanks

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33650479
yea you're right, your route should be:

route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

the 1 is the administrative distance for this route. Valid values range from 1 to 255. The default value is 1.
since it is a static route it takes metric 1. directly connected network metric is 0 and various routing protocols have various metrics...
 
LVL 4

Expert Comment

by:bjove
ID: 33650513
"So you assumed that because the IP of the interface was also the route outside then it could not be the router ip?....)"
 - Yes.
"route outside 0.0.0.0 0.0.0.0 88.88.90.153 1"
 - This is proper default gateway. 1 is route metric, so if you have more than one route for same subnet, ASA uses the one with lowest metric (usually used together with dynamic routing).
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33650590
Understood.
Shame I did that.
Makes sense that the ASA regarded the internal request as a spoof now as it routed back on itself.
* Apart from the static NAT route the office clients did not have any major connectivity to the net - just a little surprised if I was not routing out through the router....

I connected the eSoft back before I left town tonight so will not be able to confirm the results till Monday.

Thanks
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33660001
Ok, when I cleansed the IPs on my config I duplicated the IP on the interface0/0. Sorry
So the route outside was correct....
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

The only clues I have are that the log is treating the inbound connection as a spoof and the server is failing to detect the proxy.






 
LVL 1

Author Comment

by:FlyingFortress
ID: 33660128
For testing's sake I have just attempted to set up a static route through to a client terminal with RDP.

access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-list outside extended permit tcp any host 222.111.2.25 eq ftp
access-list outside extended permit tcp any host 222.111.2.25 eq 3389

nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.50.96 netmask 255.255.255.255

This also failed and I have checked the inbound log and am getting the same message -
2      Sep 13 2010      08:34:24      106016                              Deny IP spoof from (88.88.90.158) to 222.111.2.26 on interface outside

I also have the same message for the .25 address

Thanks
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33660245
Sorry this line also
access-list outside extended permit tcp any host 222.111.2.26 eq 3389 for the RDP
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661503
106016 Error Message %ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

Explanation This message is generated when a packet arrives at the adaptive security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the adaptive security appliance interface. In addition, this message is generated when the adaptive security appliance discarded a packet with an invalid source address, which may include one of the following or some other invalid address:

 • Loopback network (127.0.0.0)
 • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
 • The destination host (land.c)

To further enhance spoof packet detection, use the icmp command to configure the adaptive security appliance to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
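As an added example (not from the thread, not Cisco's code), a small Python triage script for 106016 lines in the two formats quoted above: it parses source, destination and interface and sorts each deny into the cases the thread and the Cisco text discuss (our own interface address coming back to us, a LAN address arriving on outside, loopback or other bogon sources, source equal to destination, and the 0.0.0.0 destination). The interface addresses and subnets are taken from the config posted in the thread; the sample lines beyond the two quoted in the thread are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches both the ASDM-style line quoted in the thread ("... 106016   Deny IP spoof ...")
# and the raw syslog form "%ASA-2-106016: Deny IP spoof from (a.b.c.d) to e.f.g.h on interface X".
SPOOF_RE = re.compile(
    r"106016[:\s].*?Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+)"
    r" on interface (?P<iface>\S+)"
)

# Firewall facts taken from the config posted in the thread (assumed complete for this example).
INTERFACE_ADDRS = {ip_address("88.88.90.150"), ip_address("192.168.50.1")}
INTERNAL_NETS = [ip_network("192.168.50.0/24"), ip_network("192.168.1.0/24")]
# Sources that should never arrive from the internet (loopback, private, "this" network).
BOGON_NETS = [ip_network("127.0.0.0/8"), ip_network("0.0.0.0/8"), ip_network("10.0.0.0/8"),
              ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_106016(line):
    """Return (src, dst, iface) for a 106016 line, or None for any other message."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    return ip_address(m.group("src")), ip_address(m.group("dst")), m.group("iface")


def classify(src, dst, iface):
    """Sort one spoof deny into the cases the thread and the Cisco text describe."""
    if dst == ip_address("0.0.0.0"):
        return "zero-destination"        # the 0.0.0.0 case from the message explanation
    if src == dst:
        return "land"                    # source equals destination (land.c)
    if src in INTERFACE_ADDRS:
        return "hairpin"                 # our own interface address came back to us
    if iface == "outside" and any(src in n for n in INTERNAL_NETS):
        return "internal-source-on-outside"   # a LAN address arriving from the internet
    if any(src in n for n in BOGON_NETS):
        return "bogon"
    return "external"                    # unknown external source: investigate


def triage(lines):
    """Count spoof denies by class; non-106016 lines are ignored."""
    counts = Counter()
    for line in lines:
        parsed = parse_106016(line)
        if parsed is not None:
            counts[classify(*parsed)] += 1
    return counts


# The two lines from the thread plus constructed lines for the other cases.
SAMPLE_LINES = [
    "2      Sep 10 2010      05:28:18      106016       Deny IP spoof from (99.20.99.150) to 222.111.2.25 on interface outside",
    "2      Sep 13 2010      08:34:24      106016       Deny IP spoof from (88.88.90.158) to 222.111.2.26 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (88.88.90.150) to 222.111.2.25 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (192.168.50.99) to 222.111.2.25 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (127.0.0.1) to 222.111.2.25 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (222.111.2.25) to 222.111.2.25 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (99.20.99.150) to 0.0.0.0 on interface outside",
    '%ASA-4-106023: Deny tcp src outside:99.20.99.150/51000 dst inside:192.168.50.5/80 by access-group "outside"',
]

if __name__ == "__main__":
    for cls, n in sorted(triage(SAMPLE_LINES).items()):
        print(f"{cls:28s} {n}")
```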
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33661548
I have added a static IP address of my terminal on the LAN as this was the only way that I could access the CLI through my SSH client.

I am also sending the requests from the same terminal.

ssh 192.168.50.99 255.255.255.255 inside
Is the netmask the issue?

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661607
so are you trying to access 222.111.2.26 from 192.168.50.99?
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33661673
That is just where I am testing from, it's my terminal at work (and where I am connecting to the CLI). With the eSoft firewall the same service was set up but it would still connect from a client on the LAN as the request would formally route out through the gateway and then back in.

The server I am trying to connect to is a BOMGAR support server which has a web front end and the IP 2xx.xxx.x.25 is just not resolving through the ASA as documented.

Is there a fundamental flaw with the basic routing set up?
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661721
so I just tried http to that ip and I am able to get the portal. so it is accessible from the outside. so you should be able to access it on 192.168.50.5 from the inside. and if you are trying to access the server on its public ip from the inside then there is another set of commands you need to put in....
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33661790
Ah ok.
I can get to the IP from the LAN 192.168.50.5 no problem....

So additional commands are needed just for internal network to route out?

Cheers
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661916
ok so this is what happens when you try to access 217.169.2.25 from the internal network....

you have this:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

so you're having source NAT, so when you go to the internet your private IP will be changed to the interface IP, i.e. 88.88.90.150.
now when you access 2xx.xxx.x.25 the request goes to the internet with a source IP of 88.88.90.150 and when the internet routes it back to the firewall, the firewall sees the source IP is 88.88.90.150 and it is the firewall's interface IP, so it thinks that some attacker on the internet has spoofed the IP and is trying to compromise the server, so it drops the packet. that is how a firewall is supposed to behave.
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33661965
if you want your internal ip to access the server via its external ip then put in these commands.

static (inside,inside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
same-security-traffic permit intra-interface

 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662192
Hi I am getting -
 mapped-address conflict with existing static
  inside:192.168.51.5 to outside:2xx.xxx.x.25 netmask 255.255.255.255
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662390
it should not be a problem... it's just a warning.. can you try accessing 2xx.xxx.x.25 from inside...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662418
Sure, unfortunately the same SPOOF msg.
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662454
hope you put this command too:

same-security-traffic permit intra-interface

can you attach the output of :

sh run static
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662551
Yep and it is in the running config

static (inside,inside) tcp 222.111.2.25 www 192.168.51.5 www netmask 255.255.255.255
static (inside,outside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662579
hope you were trying http...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662602
Yes  and with https
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662683
no static (inside,inside) tcp 222.111.2.25 www 192.168.51.5 www netmask 255.255.255.255

static (inside,inside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255

give in these two commands and try....
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662771
Done, the second had a conflict error. unfortunately same error. Sorry
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33662813
Sorry - static (inside,inside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255

Should that be (inside,inside) - Just thought i would check
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33662971
yea it should be.. inside,outside is for traffic from the outside and inside,inside should be for traffic from inside.
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663058
Ok thanks. So just to clarify, here are the statics

static (inside,outside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255
static (inside,inside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,inside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255

 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663112
Within the ASDM the anti-spoofing is set to 'no'
Should this be enabled for this command to be effective - (same-security-traffic permit intra-interface) ?




 
LVL 4

Expert Comment

by:ullas_unni
ID: 33663196
well.. last try... give in these commands...

access-list server_ext permit ip 192.168.50.0 255.255.255.0 host 2xx.xxx.x.25

nat (inside) 10 access-list server_ext
global (inside) 10 interface

and then try.... http on 2xx.xxx.x.25
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663549
It worked!! Genius!

Do I remove the static entries?

So my understanding is that you created an access list (server_ext) and permitted the whole subnet through a host table (Like what you can do on your client pc) and then added it to the access list to the nat table. Or something like that...
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663632
Ah no the statics are still required for sure
 
LVL 4

Accepted Solution

by:
ullas_unni earned 500 total points
ID: 33663720
statics are required for sure.... they are for destination translation... and the latest set of commands I gave you is for source translation....

cool... ok so the last set of commands are for source translation... it translates your source, i.e. internal IP, to the interface IP of your inside so that the reply also comes back via the firewall.... what was happening before is that the source translation was not there and the request goes from the client to server via firewall but the return traffic was directly coming via your switch... because earlier we were not doing source translation so when the server sees the request came from the 192 network it will reply via the switch and not the firewall....


 
LVL 1

Author Comment

by:FlyingFortress
ID: 33663959
Brilliant.

So I have added the additional static routes through the Firewall and then added the IP's to the access-list.
I take it you can have as many access lists as you wish?
So I will always have to add the following

Step 1.
access-list outside extended permit tcp any host (PUBLIC_IP) eq (PORT)

Step 2. (Static routes)
static (inside,outside) (PUBLIC_IP) (LAN_IP) netmask 255.255.255.255 (Routes outside to inside)
static (inside,inside) (PUBLIC_IP) (LAN_IP) netmask 255.255.255.255 (Routes inside to inside)

Step 3. (Source translation)
access-list server_ext extended permit ip (LAN SUBNET_IP) 255.255.255.0 host (PUBLIC_IP)

I have a general idea but please define what the commands here have done (The 10 was a little bit of a curve ball) -

nat (inside) 10 access-list server_ext
global (inside) 10 interface

Thanks v.Much
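An added example, not from the thread and not the ASA's own logic, modelling the hairpin flow ullas_unni describes in the accepted solution and the author's three steps above: destination translation by the (inside,inside) static, policy source NAT from nat (inside) 10 / global (inside) 10 interface, and where the server's reply goes with and without that source translation. The model is simplified to the behaviour described in the thread; addresses and NAT lines are taken from the posted config, the default gateway of the LAN is assumed to be the ASA's inside interface, and because server_ext as posted only names 222.111.2.25, the model also shows that 222.111.2.26 still fails until the ACL covers it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 80


# Model of the relevant lines of the config posted in the thread (constructed).
INSIDE_NET = ip_network("192.168.50.0/24")    # LAN on interface inside
INSIDE_IF = "192.168.50.1"                    # ip address of interface inside (assumed LAN gateway)
# static (inside,inside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
# static (inside,inside) 222.111.2.26 192.168.50.96 netmask 255.255.255.255
STATIC_INSIDE_INSIDE = {"222.111.2.25": "192.168.50.5", "222.111.2.26": "192.168.50.96"}
# access-list server_ext permit ip 192.168.50.0 255.255.255.0 host 222.111.2.25
# nat (inside) 10 access-list server_ext
# global (inside) 10 interface
POLICY_NAT_DSTS = {"222.111.2.25"}            # server_ext as posted only names .25


def translate_request(pkt, source_nat=True):
    """A client -> public-IP packet entering inside: the (inside,inside) static
    rewrites the destination; policy NAT then rewrites the source if server_ext matches."""
    real_dst = STATIC_INSIDE_INSIDE.get(pkt.dst)
    if real_dst is None:
        return None                           # not a hairpin flow; routed out normally
    src = pkt.src
    if source_nat and ip_address(pkt.src) in INSIDE_NET and pkt.dst in POLICY_NAT_DSTS:
        src = INSIDE_IF                       # global (inside) 10 interface
    return Packet(src, real_dst, pkt.dport)


def reply_next_hop(fwd):
    """Where the server sends its reply to fwd.src: on-subnet replies go straight
    over the switch and never reach the ASA, as the accepted answer describes."""
    if fwd.src == INSIDE_IF:
        return "firewall"                     # addressed to the ASA itself
    if ip_address(fwd.src) in INSIDE_NET:
        return "switch"                       # same subnet as the server: ASA bypassed
    return "firewall"                         # off-subnet: via the default gateway (the ASA)


def hairpin_works(client, public_ip, source_nat=True):
    """True when the ASA sees both directions and can hand the client a reply
    that appears to come from public_ip."""
    fwd = translate_request(Packet(client, public_ip), source_nat)
    if fwd is None or reply_next_hop(fwd) != "firewall":
        return False
    # The ASA un-translates the reply: real server IP -> public IP, interface IP -> client.
    reply_src = next(pub for pub, real in STATIC_INSIDE_INSIDE.items() if real == fwd.dst)
    return reply_src == public_ip


if __name__ == "__main__":
    client = "192.168.50.99"                  # the author's terminal
    print("with source NAT      :", hairpin_works(client, "222.111.2.25"))         # True
    print("without source NAT   :", hairpin_works(client, "222.111.2.25", False))  # False
    print(".26 not in server_ext:", hairpin_works(client, "222.111.2.26"))         # False
```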
 
LVL 1

Author Closing Comment

by:FlyingFortress
ID: 33663979
Excellent*