Solved

ASA 5520 NAT ICMP replies Private and not Public

Posted on 2010-09-24
Last Modified: 2013-11-29
I have an ASA 5520 along with a Cisco 3745 Router. Here is the problem. I have two separate external networks coming into the ASA, 10.10.11.0/24 and 10.10.12.0/24, and one internal network, 172.16.100.0/24. You can see from the config what I have. I have two Static Policy NAT entries pointing 10.10.11.20 --> 172.16.100.20 and 10.10.12.25 --> 172.16.100.25.
I also have four access rules that allow ICMP and Telnet. I can telnet to 10.10.11.20 and it opens the telnet session to 172.16.100.20, and I can also telnet to 10.10.12.25, which also works just fine. The pings however will not work unless I create a NAT rule that sends the traffic out the main GIG0/0 interface. I would like to be able to ping 10.10.11.20 and get a reply from 10.10.11.20 and not 10.10.10.20 or the internal IP 172.16.100.20. I hope this makes sense...

This is my configuration:

asdm image disk0:/asdm-508.bin
asdm location 10.10.11.20 255.255.255.255 L3_BPG_10_11
asdm location 10.10.12.25 255.255.255.255 L3_10_12
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password NsS17GIs/Rj9OkMS encrypted
passwd bJO8SfDiWpZaUwph encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Diamond DR Lan 172.16.100.5
 nameif DL_172_16
 security-level 100
 ip address 172.16.100.5 255.255.255.0
!
interface GigabitEthernet0/1
 description Internet Connection holding all IP's
 nameif L3_Internet
 security-level 5
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1.1
 description L3 BGP Network 10.10.11.0/24
 vlan 200
 nameif L3_BPG_10_11
 security-level 0
 ip address 10.10.11.2 255.255.255.0
!
interface GigabitEthernet0/1.2
 vlan 300
 nameif L3_10_12
 security-level 0
 ip address 10.10.12.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list DL_172_16_pnat_outbound extended permit ip host 172.16.100.20 any
access-list DL_172_16_pnat_outbound_V1 extended permit ip host 172.16.100.25 any
access-list L3_BPG_10_11_access_in extended permit tcp any host 10.10.11.20 eq telnet
access-list L3_BPG_10_11_access_in extended permit icmp any host 10.10.11.20
access-list L3_10_12_access_in extended permit tcp any host 10.10.12.25 eq telnet
access-list L3_10_12_access_in extended permit icmp any host 10.10.12.25
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu DL_172_16 1500
mtu L3_Internet 1500
mtu L3_BPG_10_11 1500
mtu L3_10_12 1500
no failover
monitor-interface management
monitor-interface DL_172_16
monitor-interface L3_Internet
no monitor-interface L3_BPG_10_11
no monitor-interface L3_10_12
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (L3_BPG_10_11) 11 interface
global (L3_10_12) 12 interface
static (DL_172_16,L3_BPG_10_11) 10.10.11.20  access-list DL_172_16_pnat_outbound dns
static (DL_172_16,L3_10_12) 10.10.12.25  access-list DL_172_16_pnat_outbound_V1 dns
static (DL_172_16,L3_Internet) 10.10.10.20 172.16.100.20 netmask 255.255.255.255
access-group L3_BPG_10_11_access_in in interface L3_BPG_10_11
access-group L3_10_12_access_in in interface L3_10_12
route L3_Internet 0.0.0.0 0.0.0.0 10.10.10.1 1
route L3_BPG_10_11 0.0.0.0 0.0.0.0 10.10.11.1 3
route L3_10_12 0.0.0.0 0.0.0.0 10.10.12.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 DL_172_16
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:984aa816f819a57dfbf47c385c5f522a
: end

Question by:jakmal

12 Comments

LVL 9

Expert Comment

by:gavving
ID: 33761774
Are there 2 separate servers that you're accessing for testing, or is it just one server with 2 NICs? I.e. are 172.16.100.20 and 172.16.100.25 on completely separate devices?

Author Comment

by:jakmal
ID: 33768987
They are on the same server.
LVL 9

Expert Comment

by:gavving
ID: 33769271
That is likely the source of the problem. TCP, the protocol used for telnet, is session based, thus the server is able to reply out the interface the traffic came in on and use the default gateway for that interface. But for non-session-based protocols like ICMP or UDP, using a single server with 2 interfaces and 2 default gateways will not work in that fashion. The server is unable to reply out the interface that the traffic came in on, thus ping appears not to work.

Is this a testing configuration or the end configuration? If it's the testing configuration then use 2 separate servers to test the environment. If it's the end configuration, the only solution I can think of would be to PAT all internet traffic to the 2 inside interfaces.

Author Comment

by:jakmal
ID: 33769621
It is a test environment that will be mimicked in production. I have two ISP address spaces coming into the ASA and need to route them to the same server for web services. I will look into doing PAT.


Author Comment

by:jakmal
ID: 33769943
Here is a question around this then. Since I added NAT statements for anything internal to the external interface, my ICMP replies work, but I am getting replies from my internal address, not the public IP. Is there any way that these can be converted to proper public IPs? When I ping 10.10.12.25 I get replies from 172.16.100.25.
LVL 9

Expert Comment

by:gavving
ID: 33770188
Again this is happening because the server can't send the traffic out the correct interface when you use ICMP. So you're seeing asymmetric routing. You send inbound traffic in to 10.10.12.25, but the replies come back out 172.16.100.25. Because you have 1 server with 2 default routes, one of those routes gets used for ICMP replies. So the traffic will appear to always come from that IP no matter which interface you ping.

Author Comment

by:jakmal
ID: 33770224
Actually the server has a single route back to the ASA. The IP address is just a secondary IP on the same network card. They are all part of a single network range, so the default gateway is the same: 172.16.100.0/24 with a gateway of 172.16.100.5.
LVL 9

Expert Comment

by:gavving
ID: 33770416
So the server has 1 NIC with 2 IPs on it, primary being 172.16.100.25, and the additional being 10.10.12.25? If so then again the issue is the same. The ICMP replies will use the default gateway and thus be seen as coming "from" the primary IP of the server. Is this a Windows 2008 server? If so then you should be aware there are other issues that can arise from having 2 IPs on the same NIC on the same server. Here are some articles to review if using Windows:

http://blogs.technet.com/b/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx
http://social.technet.microsoft.com/Forums/en/winserverPN/thread/02c3f5d7-ae2d-48d5-b408-62530b628940

Also, are you testing this through an Internet connection from a completely different subnet than one of the ones that you have on the firewall? If so then it would not likely work. The ASA cannot use 2 default gateways at the same time. One will be used unless that interface is down, and then the other will be used. So you will not be able to connect this firewall to 2 Internet connections and access the external IPs from the Internet through 2 separate ISPs.


Author Comment

by:jakmal
ID: 33770708
Private IP's are 172.16.100.20 and 172.16.100.25
ASA Interface GIG 0/1 10.10.10.0/x Gateway 10.10.10.1 Metric1
ASA Sub interface VLAN200 GIG 0/1.1 10.10.11.20/24 --> 172.16.100.20
ASA Sub interface VLAN300 GIG 0/1.2 10.10.12.25/24 --> 172.16.100.25
The end game is that I have one ISP that is handing me two separate network schemes.  One is using BGP and the other is not using any BGP.
LVL 9

Accepted Solution

by:
gavving earned 500 total points
ID: 33772158
I would consider redesigning the solution to accomplish what you're trying to do. Have 1 outside interface to connect to the ISP router. Have the ISP set a static route for the non-BGP subnet and point it directly to your firewall IP address.

Have 2 IP addresses on the server, and set up static NATing for each IP address. One into the BGP IP block and one into the non-BGP IP block.

Doing it this way keeps the ASA from having to have 2 default gateways and be connected via 2 interfaces to the Internet.

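An ASA 7.0-style fragment of the single-outside-interface design gavving describes in the accepted solution, added here as an illustration; it is not from the thread or from jakmal's final build. It assumes the nameif "outside" on Gig0/1 (the sub-interfaces Gig0/1.1 and Gig0/1.2 and their extra default routes are dropped), that the ISP router at 10.10.10.1 statically routes both public blocks to 10.10.10.2, and it adds ICMP inspection, which the thread does not mention, so echo replies are tracked with the inbound request.

```text
! Added example (not from the thread): one outside interface, two static NATs.
! Assumptions: nameif "outside" on Gig0/1; the ISP router at 10.10.10.1 routes
! 10.10.11.0/24 (BGP block) and 10.10.12.0/24 (non-BGP block) to 10.10.10.2.
interface GigabitEthernet0/1
 description Single link to ISP router (both public blocks arrive here)
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/0
 description Diamond DR Lan 172.16.100.5
 nameif DL_172_16
 security-level 100
 ip address 172.16.100.5 255.255.255.0
!
! One default route, one next hop; no competing default routes on sub-interfaces.
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!
! One-to-one static NAT per server IP, both on the same outside interface.
! Request and reply use the same xlate, so a ping to 10.10.11.20 is answered
! as 10.10.11.20, not as 172.16.100.20 or 10.10.10.20.
static (DL_172_16,outside) 10.10.11.20 172.16.100.20 netmask 255.255.255.255
static (DL_172_16,outside) 10.10.12.25 172.16.100.25 netmask 255.255.255.255
!
! Only the exposed services; ICMP limited to echo requests.
access-list outside_access_in extended permit tcp any host 10.10.11.20 eq telnet
access-list outside_access_in extended permit icmp any host 10.10.11.20 echo
access-list outside_access_in extended permit tcp any host 10.10.12.25 eq telnet
access-list outside_access_in extended permit icmp any host 10.10.12.25 echo
access-group outside_access_in in interface outside
!
! Stateful ICMP inspection (assumed addition): echo replies are matched to the
! inbound request instead of being evaluated as a new outbound flow.
policy-map global_policy
 class inspection_default
  inspect icmp
```
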
Author Comment

by:jakmal
ID: 33807353
Thank you this is what I needed answered as to how to accomplish this.

Author Comment

by:jakmal
ID: 33807598
I was able to successfully build out the configuration and all was successful!!!  Thank you again.