Solved

ASA 5520 NAT ICMP replies Private and not Public

Posted on 2010-09-24
Last Modified: 2013-11-29
I have an ASA 5520 along with a Cisco 3745 Router.  Here is the problem.  I have two separate external networks coming into the ASA, 10.10.11.0/24 and 10.10.12.0/24, and one internal network, 172.16.100.0/24.  You can see from the config what I have.  I have two Static Policy NAT entries pointing 10.10.11.20 --> 172.16.100.20 and 10.10.12.25 --> 172.16.100.25.
I also have four access rules that allow ICMP and Telnet.  I can telnet to 10.10.11.20 and it opens the telnet session to 172.16.100.20, and I can also telnet to 10.10.12.25, which also works just fine.  The pings, however, will not work unless I create a NAT rule that sends the traffic out the main GIG0/0 interface.  I would like to be able to ping 10.10.11.20 and get a reply from 10.10.11.20 and not 10.10.10.20 or the internal IP 172.16.100.20.  I hope this makes sense...

This is my configuration:

asdm image disk0:/asdm-508.bin
asdm location 10.10.11.20 255.255.255.255 L3_BPG_10_11
asdm location 10.10.12.25 255.255.255.255 L3_10_12
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password NsS17GIs/Rj9OkMS encrypted
passwd bJO8SfDiWpZaUwph encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Diamond DR Lan 172.16.100.5
 nameif DL_172_16
 security-level 100
 ip address 172.16.100.5 255.255.255.0
!
interface GigabitEthernet0/1
 description Internet Connection holding all IP's
 nameif L3_Internet
 security-level 5
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1.1
 description L3 BGP Network 10.10.11.0/24
 vlan 200
 nameif L3_BPG_10_11
 security-level 0
 ip address 10.10.11.2 255.255.255.0
!
interface GigabitEthernet0/1.2
 vlan 300
 nameif L3_10_12
 security-level 0
 ip address 10.10.12.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list DL_172_16_pnat_outbound extended permit ip host 172.16.100.20 any
access-list DL_172_16_pnat_outbound_V1 extended permit ip host 172.16.100.25 any
access-list L3_BPG_10_11_access_in extended permit tcp any host 10.10.11.20 eq telnet
access-list L3_BPG_10_11_access_in extended permit icmp any host 10.10.11.20
access-list L3_10_12_access_in extended permit tcp any host 10.10.12.25 eq telnet
access-list L3_10_12_access_in extended permit icmp any host 10.10.12.25
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu DL_172_16 1500
mtu L3_Internet 1500
mtu L3_BPG_10_11 1500
mtu L3_10_12 1500
no failover
monitor-interface management
monitor-interface DL_172_16
monitor-interface L3_Internet
no monitor-interface L3_BPG_10_11
no monitor-interface L3_10_12
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (L3_BPG_10_11) 11 interface
global (L3_10_12) 12 interface
static (DL_172_16,L3_BPG_10_11) 10.10.11.20  access-list DL_172_16_pnat_outbound dns
static (DL_172_16,L3_10_12) 10.10.12.25  access-list DL_172_16_pnat_outbound_V1 dns
static (DL_172_16,L3_Internet) 10.10.10.20 172.16.100.20 netmask 255.255.255.255
access-group L3_BPG_10_11_access_in in interface L3_BPG_10_11
access-group L3_10_12_access_in in interface L3_10_12
route L3_Internet 0.0.0.0 0.0.0.0 10.10.10.1 1
route L3_BPG_10_11 0.0.0.0 0.0.0.0 10.10.11.1 3
route L3_10_12 0.0.0.0 0.0.0.0 10.10.12.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 DL_172_16
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:984aa816f819a57dfbf47c385c5f522a
: end

Question by:jakmal
12 Comments
 
LVL 9

Expert Comment

by:gavving
ID: 33761774
Are there 2 separate servers that you're accessing for testing, or is it just one server with 2 NICs?  I.e. are 172.16.100.20 and 172.16.100.25 on completely separate devices?


Author Comment

by:jakmal
ID: 33768987
They are on the same server.
LVL 9

Expert Comment

by:gavving
ID: 33769271
That is likely the source of the problem.  TCP, the protocol used for telnet, is session based, thus the server is able to reply out the interface the traffic came in on and use the default gateway for that interface.  But for non-session-based protocols like ICMP or UDP, using a single server with 2 interfaces and 2 default gateways will not work in that fashion.  The server is unable to reply out the interface that the traffic came in on, thus ping appears not to work.

Is this a testing configuration or the end configuration?  If it's the testing configuration then use 2 separate servers to test the environment.  If it's the end configuration, the only solution I can think of would be to PAT all Internet traffic to the 2 inside interfaces.

Author Comment

by:jakmal
ID: 33769621
It is a test environment that will be mimicked in production.  I have two ISP address spaces coming into the ASA and need to route them to the same server for web services.  I will look into doing PAT.


Author Comment

by:jakmal
ID: 33769943
Here is a question around this then.  Since I added NAT statements for anything internal to the external interface, my ICMP replies work, but I am getting replies from my internal address, not the public IP.  Is there any way that these can be converted to proper public IPs?  When I ping 10.10.12.25, I get replies from 172.16.100.25.
LVL 9

Expert Comment

by:gavving
ID: 33770188
Again, this is happening because the server can't send the traffic out the correct interface when you use ICMP.  So you're seeing asymmetric routing.  You send inbound traffic in to 10.10.12.25, but the replies come back out 172.16.100.25.  Because you have 1 server with 2 default routes, one of those routes gets used for ICMP replies.  So the traffic will appear to always come from that IP no matter which interface you ping.

Author Comment

by:jakmal
ID: 33770224
Actually, the server has a single route back to the ASA.  The IP address is just a secondary IP on the same network card.  They are all part of a single network range, so the default gateway is the same: 172.16.100.0/24 with a gateway of 172.16.100.5.
LVL 9

Expert Comment

by:gavving
ID: 33770416
So the server has 1 NIC with 2 IPs on it, the primary being 172.16.100.25 and the additional being 10.10.12.25?  If so then again the issue is the same.  The ICMP replies will use the default gateway and thus be seen as coming "from" the primary IP of the server.  Is this a Windows 2008 server?  If so then you should be aware there are other issues that can arise from having 2 IPs on the same NIC on the same server.  Here are some articles to review if using Windows:

http://blogs.technet.com/b/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx
http://social.technet.microsoft.com/Forums/en/winserverPN/thread/02c3f5d7-ae2d-48d5-b408-62530b628940

Also, are you testing this through an Internet connection from a completely different subnet than one of the ones that you have on the firewall?  If so then it would not likely work.  The ASA cannot use 2 default gateways at the same time.  One will be used unless that interface is down, and then the other will be used.  So you will not be able to connect this firewall to 2 Internet connections and access the external IPs from the Internet through 2 separate ISPs.


Author Comment

by:jakmal
ID: 33770708
Private IPs are 172.16.100.20 and 172.16.100.25
ASA Interface GIG 0/1 10.10.10.0/x Gateway 10.10.10.1 Metric1
ASA Sub interface VLAN200 GIG 0/1.1 10.10.11.20/24 --> 172.16.100.20
ASA Sub interface VLAN300 GIG 0/1.2 10.10.12.25/24 --> 172.16.100.25
The end game is that I have one ISP that is handing me two separate network schemes.  One is using BGP and the other is not using any BGP.
LVL 9

Accepted Solution

by:gavving (earned 500 total points)
ID: 33772158
I would consider redesigning the solution to accomplish what you're trying to do.  Have 1 outside interface to connect to the ISP router.  Have the ISP set a static route for the non-BGP subnet and point it directly to your firewall IP address.

Have 2 IP addresses on the server, and set up static NATing for each IP address.  One into the BGP IP block and one into the non-BGP IP block.

Doing it this way keeps the ASA from having to have 2 default gateways and from being connected via 2 interfaces to the Internet.

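The single-outside-interface redesign from the accepted solution, written out as an added ASA 7.x (pre-8.3 NAT syntax, matching the 7.0(8) config in the question) fragment. This is an added example, not the asker's final configuration, which is not posted in the thread. Assumptions: the interface names `inside`/`outside` and ACL name `outside_access_in` are constructed; the ISP router is 10.10.10.1 (the asker's existing default gateway) and forwards both 10.10.11.0/24 (BGP block) and 10.10.12.0/24 (non-BGP block, via the static route gavving suggests) to the ASA at 10.10.10.2; the server keeps 172.16.100.20 and 172.16.100.25. The `inspect icmp` lines are also an addition: ICMP inspection is a standard ASA feature that tracks each echo request as a connection so the reply is un-translated and sent back out the interface the request arrived on, which is the behaviour the asker wanted for ping and which the thread's telnet tests already got from TCP's connection tracking.

```cisco
! Added example, not the thread's own config. One inside, one outside interface.
interface GigabitEthernet0/0
 description Inside - server LAN
 nameif inside
 security-level 100
 ip address 172.16.100.5 255.255.255.0
!
interface GigabitEthernet0/1
 description Outside - single link to ISP router 10.10.10.1 (assumed)
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
! Inbound policy on the outside interface: only telnet and ICMP echo to the two
! published addresses, mirroring the four rules from the question. ACL name is constructed.
access-list outside_access_in extended permit tcp any host 10.10.11.20 eq telnet
access-list outside_access_in extended permit icmp any host 10.10.11.20 echo
access-list outside_access_in extended permit tcp any host 10.10.12.25 eq telnet
access-list outside_access_in extended permit icmp any host 10.10.12.25 echo
access-group outside_access_in in interface outside
!
! One plain static (one-to-one) NAT per public address. Both blocks are reached through
! the same outside interface, so no policy NAT, no per-VLAN subinterface and no second
! default route is needed; replies are translated back to whichever public address was hit.
! The ISP router must route 10.10.11.0/24 and 10.10.12.0/24 to 10.10.10.2 (assumption).
nat-control
static (inside,outside) 10.10.11.20 172.16.100.20 netmask 255.255.255.255
static (inside,outside) 10.10.12.25 172.16.100.25 netmask 255.255.255.255
! Other inside hosts (not covered by a static) get PAT on the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Single default route toward the ISP router.
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!
! ICMP inspection: each echo request creates a connection entry, so the echo reply is
! matched to it (correct translation, correct egress interface) instead of being routed
! as an unrelated stateless packet. Added to the default class of the global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

To check the result while pinging 10.10.11.20 from outside, `show xlate` should list the static translation 10.10.11.20 <-> 172.16.100.20, `show conn` should show a short-lived ICMP connection for the echo (present only once ICMP inspection is on), and `show route` should show a single default route via 10.10.10.1. If the reply still arrives from 172.16.100.20, the inbound packet did not match the static (check the ACL and the `static` lines) rather than the routing.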

Author Comment

by:jakmal
ID: 33807353
Thank you, this is what I needed answered as to how to accomplish this.

Author Comment

by:jakmal
ID: 33807598
I was able to successfully build out the configuration and all was successful!!!  Thank you again.