FlyingFortress asked:
CISCO ASA 5510 - IP REDIRECT

I have a spare public IP that I have set up a static NAT translation to a server on our inside network.

object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp eq www
 service-object tcp eq https
access-list inside_access_in extended permit ip any any
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group outside in interface outside

The connection is denied by the ASA. The logs are suggesting an IP Spoof.

2      Sep 10 2010      05:28:18      106016                              Deny IP spoof from (99.20.99.150) to 222.111.2.25 on interface outside

It is saying the destination IP address is 0 ???....

Pete Long:

do this

no static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
no static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255

then do this

no static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

that should do you

Pete
www.petenetlive.com
Oops, wrong second command.

no static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

should have read

static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

sorry need coffee

Pete
www.petenetlive.com
remove this access-list:

access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25

and give this:

access-list
oops.. sorry about that previous reply

remove this access-list:

no access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25

and remove service-object ip from the object-group:

object-group service DM_INLINE_SERVICE_1
 no service-object ip

and give this:

access-list outside permit extended permit tcp any host 222.111.2.25 object-group DM_INLINE_SERVICE_1
FlyingFortress (ASKER):

Hi - Sorry please clarify command to remove the current access-list.
Thanks
Ah sorry, it's in the command...!
I am getting an invalid hostname response when adding

access-list outside permit extended permit tcp any host 222.111.2.25 object-group DM_INLINE_SERVICE_1

?
Could this be a routing issue - I do not get ping responses from our external servers?
ok... object-group varies in different versions.. try this:

access-list outside permit extended permit tcp any host 222.111.2.25 eq 80
access-list outside permit extended permit tcp any host 222.111.2.25 eq 443

instead of the access-list with object group.. remove the earlier access-list and put in the above ones.

and this should be there:

static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
Sorry

access-list outside permit extended permit tcp any host 222.111.2.25 eq 80

comes back with a syntax error
Invalid host - Is this because I do not have an 'access list outside'? I cannot see it in the running config..

oops.. my bad.. the command is:

access-list outside extended permit tcp any host 222.111.2.25 eq 80
access-list outside extended permit tcp any host 222.111.2.25 eq 443

sorry for that typo..

No problem - it's usually me!

The commands were applied but still no connection....? I am testing from within the LAN so wondering if it is something to do with the access list outside or a general routing issue ......

Thanks FF
can you just paste in your current show run with the changes made.. just to verify if everything is in place..
Sure

ASA Version 8.2(1)
!
hostname OVERWALL
domain-name default.domain.invalid
enable password L3jXBIU9.f/KXdjK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 88.88.90.150 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif    
 no security-level
 no ip address
!            
interface Ethernet0/3
 shutdown    
 no nameif    
 no security-level
 no ip address
!            
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!            
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 222.111.20.20
 name-server 222.111.20.21
 domain-name default.domain.invalid
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP
 description RDP 3389
 service-object tcp eq 3389
access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 88.88.90.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.50.99 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.50.99 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!            
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn        
username admin password H1kZZCYIzbxYpUC2 encrypted privilege 15
!            
class-map inspection_default
 match default-inspection-traffic
!            
!            
policy-map type inspect dns preset_dns_map
 parameters  
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!            
service-policy global_policy global
prompt hostname context
Cryptochecksum:b428b107637e6ca9953e82055ea5a0e2
: end  
ok... put these commands in:

access-group outside in interface outside
no static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
no static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255

this should work...
Sorry still no joy - definitely no static?
yea.. since I can see static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255 already there in your config... you can go ahead and remove the other two..

so ideally you should only have:

access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-group outside in interface outside
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255

for this to work.
 

interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 88.88.90.150 255.255.255.248
...
route outside 0.0.0.0 0.0.0.0 88.88.90.150 1

You should change default route on firewall not to point to outside interface (88.88.90.150), but to IP of the interface of internet router connected to outside interface.
shitz... I didn't notice that!! good one bjove!!! that is a point of concern...
10-4 on the access list command ullas.

So the interface Ethernet0/0 is connected directly to the LES line router's Ethernet port.

On our previous eSoft firewall the ISP wan settings were as following:

Assign static IP - True
IP Address - 88.88.90.150
Subnet - 255.255.255.248
Gateway IP Address - 88.88.90.153

So I should point at the gateway IP....
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

(So you assumed that because the IP of the interface was also the route outside then it could not be the router ip?....)

Also does the 1 at the end of the statement assign the order for a failover?

Thanks

yea you're right, your route should be:

route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

the 1 is the administrative distance for this route. Valid values range from 1 to 255. The default value is 1.
since it is a static route it takes metric 1. directly connected network metric is 0 and various routing protocols have various metrics...
"So you assumed that because the IP of the interface was also the route outside then it could not be the router ip?....)"
 - Yes.
"route outside 0.0.0.0 0.0.0.0 88.88.90.153 1"
 - This is the proper default gateway. 1 is the route metric, so if you have more than one route for the same subnet, ASA uses the one with the lowest metric (usually used together with dynamic routing).
Understood.
Shame I did that.
Makes sense that the ASA regarded the internal request as a spoof now as it routed back on itself.
* Apart from the static NAT route the office clients did not have any major connectivity to the net - just a little surprised if I was not routing out through the router....

I connected the eSoft back before I left town tonight so will not be able to confirm the results till Monday.

Thanks
Ok, when I cleansed the IP's on my config I duplicated the IP on the interface0/0. Sorry
So the route outside was correct....
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1

The only clues I have are that the log is treating the inbound connection as a spoof and the server is failing to detect the proxy.

For testing sakes I have just attempted to set up a static route through to a client terminal with RDP.

access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-list outside extended permit tcp any host 222.111.2.25 eq ftp
access-list outside extended permit tcp any host 222.111.2.25 eq 3389

nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.50.96 netmask 255.255.255.255

This also failed, and I have checked the inbound log and am getting the same message -
2      Sep 13 2010      08:34:24      106016                              Deny IP spoof from (88.88.90.158) to 222.111.2.26 on interface outside

I also have the same message for the .25 address

Thanks
Sorry this line also
access-list outside extended permit tcp any host 222.111.2.26 eq 3389 for the RDP
106016 Error Message %ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

Explanation This message is generated when a packet arrives at the adaptive security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the adaptive security appliance interface. In addition, this message is generated when the adaptive security appliance discarded a packet with an invalid source address, which may include one of the following or some other invalid address:

 •Loopback network (127.0.0.0)  

 •Broadcast  (limited, net-directed, subnet-directed, and all-subnets-directed)  

 •The destination host (land.c)  

 To further enhance spoof packet detection, use the icmp command to configure the adaptive security appliance to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
I have added a static IP address of my terminal on the LAN as this was the only way that I could access the CLI through my SSH client.

I am also sending the requests from the same terminal.

ssh 192.168.50.99 255.255.255.255 inside
Is the netmask the issue?

so are you trying to access 222.111.2.26 from 192.168.50.99?
That is just where I am testing from; it's my terminal at work (and where I am connecting to the CLI). With the eSoft firewall the same service was set up but it would still connect from a client on the LAN as the request would formally route out through the gateway and then back in.

The server I am trying to connect to is a BOMGAR support server which has a web front end and the IP 2xx.xxx.x.25 is just not resolving through the ASA as documented.

Is there a fundamental flaw with the basic routing set up?
so I just tried http to that ip and I am able to get the portal. so it is accessible from the outside. so you should be able to access it on 192.168.50.5 from the inside. and if you are trying to access the server on its public ip from the inside then there is another set of commands you need to put in....
Ah ok.
I can get to the IP from the LAN 192.168.50.5 no problem....

So additional commands are needed just for internal network to route out?

Cheers
ok so this is what happens when you try to access 217.169.2.25 from the internal network....

you have this:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

so you're having source nat, so when you go to the internet your private ip will be changed to the interface ip ie. 88.88.90.150.
now when you access 2xx.xxx.x.25  the request goes to the internet with a source ip of  88.88.90.150 and when the internet routes it back to the firewall the firewall sees the source ip is 88.88.90.150 and it is the firewalls interface ip so it thinks that some attacker in the internet has spoofed the ip and is trying to compromise the server so it drops the packet. that is how a firewall is supposed to behave.
if you want your internal ip to access the server via its external ip then put in these commands.

static (inside,inside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
same-security-traffic permit intra-interface

Hi I am getting -
 mapped-address conflict with existing static
  inside:192.168.51.5 to outside:2xx.xxx.x.25 netmask 255.255.255.255
it should not be a problem... its just a warning.. can you try accessing 2xx.xxx.x.25 from inside...
Sure, unfortunately the same SPOOF msg.
hope you put this command too:

same-security-traffic permit intra-interface

can you attach the output of :

sh run static
Yep and it is in the running config

static (inside,inside) tcp 222.111.2.25 www 192.168.51.5 www netmask 255.255.255.255
static (inside,outside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255

hope you were trying http...
Yes  and with https
no static (inside,inside) tcp 222.111.2.25 www 192.168.51.5 www netmask 255.255.255.255

static (inside,inside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255

give in these two commands and try....
Done, the second had a conflict error. unfortunately same error. Sorry
Sorry - static (inside,inside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255

Should that be (inside,inside) - Just thought I would check
yea it should be.. inside,outside is for traffic from the outside and inside,inside should be for traffic from inside.
Ok thanks. So just to clarify, here are the statics

static (inside,outside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255
static (inside,inside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,inside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255

Within the ASDM the anti-spoofing is set to 'no'
Should this be enabled for this command to be effective - (same-security-traffic permit intra-interface) ?

well.. last try... give in these commands...

access-list server_ext permit ip 192.168.50.0 255.255.255.0 host 2xx.xxx.x.25

nat (inside) 10 access-list server_ext
global (inside) 10 interface

and then try.... http on 2xx.xxx.x.25
It worked!! Genius!

Do I remove the static entries?

So my understanding is that you created an access list (server_ext) and permitted the whole subnet through a host table (Like what you can do on your client pc) and then added it to the access list to the nat table. Or something like that...
Ah no the statics are still required for sure
ASKER CERTIFIED SOLUTION by ullas_unni
Brilliant.

So I have added the additional static routes through the Firewall and then added the IP's to the access-list.
I take it you can have as many access lists as you wish?
So I will always have to add the following

Step 1.
access-list outside extended permit tcp any host (PUBLIC_IP) eq (PORT)

Step 2. (Static routes)
static (inside,outside) (PUBLIC_IP) (LAN_IP) netmask 255.255.255.255 (Routes outside to inside)
static (inside,inside) (PUBLIC_IP) (LAN_IP) netmask 255.255.255.255 (Routes inside to inside)

Step 3. (Source translation)
access-list server_ext extended permit ip (LAN SUBNET_IP) 255.255.255.0 host (PUBLIC_IP)

I have a general idea but please define what the commands here have done (The 10 was a little bit of a curve ball) -

nat (inside) 10 access-list server_ext
global (inside) 10 interface

Thanks v.Much
Excellent*
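As an added example (not from the thread and not Cisco's own tooling), a Python checker that reads an ASA 8.2 running config and, for each public IP with a static (inside,outside), reports whether the outside ACL permits it, whether that ACL is bound with access-group, and whether either hairpin path discussed above exists: a static (inside,inside) together with same-security-traffic permit intra-interface, or a policy NAT whose nat (inside) id has a matching global (inside) id. The sample config is constructed from the lines posted in the thread, with the policy-NAT fix applied to .25 only.

```python
import re

IP = r"\d+\.\d+\.\d+\.\d+"

# Constructed sample, cut down from the ASA 8.2 config posted in the thread.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-list outside extended permit tcp any host 222.111.2.26 eq 3389
access-list server_ext extended permit ip 192.168.50.0 255.255.255.0 host 222.111.2.25
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 10 access-list server_ext
global (outside) 1 interface
global (inside) 10 interface
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.50.96 netmask 255.255.255.255
static (inside,inside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
access-group outside in interface outside
"""

def audit_hairpin(config):
    """Map each public IP that has a static (inside,outside) to a list of findings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = {}           # public IP -> set of (real_if, mapped_if) pairs
    policy_nat = {}        # nat id -> ACL name, from 'nat (inside) N access-list X'
    global_inside = set()  # nat ids that have a 'global (inside) N ...' partner
    acl_hosts = {}         # ACL name -> set of 'host' addresses its entries name
    for l in lines:
        if m := re.match(rf"static \((\w+),(\w+)\) (?:tcp |udp )?({IP}) ", l):
            statics.setdefault(m.group(3), set()).add((m.group(1), m.group(2)))
        elif m := re.match(r"nat \(inside\) (\d+) access-list (\S+)", l):
            policy_nat[m.group(1)] = m.group(2)
        elif m := re.match(r"global \(inside\) (\d+) ", l):
            global_inside.add(m.group(1))
        elif m := re.match(rf"access-list (\S+) .*host ({IP})", l):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
    outside_acl_bound = "access-group outside in interface outside" in lines
    intra_ok = "same-security-traffic permit intra-interface" in lines
    report = {}
    for pub, pairs in statics.items():
        if ("inside", "outside") not in pairs:
            continue
        findings = []
        if pub not in acl_hosts.get("outside", set()):
            findings.append("no 'access-list outside' entry permits this host")
        if not outside_acl_bound:
            findings.append("'access-list outside' is not bound with access-group")
        # Hairpin path 1: static (inside,inside) plus intra-interface traffic allowed.
        via_static = ("inside", "inside") in pairs and intra_ok
        # Hairpin path 2: policy NAT whose ACL names this host and whose id also
        # appears on a global (inside) line (the '10' must match on both lines).
        via_policy = any(pub in acl_hosts.get(acl, set()) and nid in global_inside
                         for nid, acl in policy_nat.items())
        if not (via_static or via_policy):
            findings.append("inside clients using the public IP will be dropped as 106016 IP spoof")
        report[pub] = findings
    return report
```

Run it against a real `show run` capture to see which of the three pieces is missing before chasing routing; an empty list for a public IP means all of them are in place.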