Solved

1 to 1 NATing on ASA

Posted on 2013-01-25
7
343 Views
Last Modified: 2013-01-25
I'm trying to map an outside IP 1 to 1 to an inside host but I'm getting an error on the packet tracer I can't figure out:

access-list FSM_access_in extended permit tcp any any eq 8443
nat (FSMLAN) 1 10.1.1.0 255.255.255.0
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255

packet-tracer input FSM tcp 208.67.222.222 8443 10.1.1.2 8443

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255
  match ip FSMLAN host 10.1.1.2 FSM any
    static translation to 0.0.0.0
    translate_hits = 0, untranslate_hits = 39
Additional Information:
0
Comment
Question by:PerimeterIT
7 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820314
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255
  match ip FSMLAN host 10.1.1.2 FSM any
    static translation to 0.0.0.0
    translate_hits = 0, untranslate_hits = 39
Additional Information:

Translation to 0.0.0.0 doesn't look right.  You showed two config lines - the first was your general nat/pat for outbound internet (I assume)
nat (FSMLAN) 1 10.1.1.0 255.255.255.0
and the second is the static nat
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255

What is the global nat line? If they are both using interface, this won't work. You would have to create a static PAT instead of a 1-to-1 static nat. Also, in your ACL I would be more specific - the source can be any, but the destination should be specific.

On a side note, sometimes packet-tracer doesn't do the best job, so if that's the only method you've used to test, you may want to try having someone on the outside actually attempt a connection while you use the real time log viewer to look in to this matter.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820454
I'm trying with static entries instead but no luck yet...

oncallnetworks# show run global
global (outside) 1 interface
global (FSM) 1 interface
oncallnetworks# show run nat
nat (inside) 1 172.16.1.0 255.255.255.0
nat (FSMLAN) 1 10.1.1.0 255.255.255.0

static (FSMLAN,FSM) tcp interface 6443 10.1.1.25 6443 netmask 255.255.255.255
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820504
I should clarify, I have 2 WAN ports on the firewall

1 for surf traffic, 1 dedicated WAN for an internal server.

FSM - dedicated internet
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820525
From what I can see, you have at least 4 interfaces - inside, outside, FSM, and FSMLAN. The RPF check essentially makes sure that the source IP address of a packet entering an interface is valid on that interface. This means that if you have an interface (FSM) that receives a packet with a source of 1.1.1.1, but normal routing would use the outside interface to reach 1.1.1.1, this is an RPF failure because the reverse path can't use the interface the packet was received on originally.

In your packet-tracer, if the FSM interface doesn't have a route to use that interface to reach 208.67.222.222, this will fail regardless of NAT.
Also, since you are using the "interface" in your nat statement, the destination of the packet needs to be that of the interface itself. So if, for example, your interfaces were
FSM: 192.168.1.1/24
FSMLAN: 10.1.1.254/24

then the packet-tracer command would be
packet-tracer input FSM tcp 192.168.1.100 55005 10.1.1.254 8443
-or-
packet-tracer input FSM tcp 192.168.1.100 55005 10.1.1.254 6443

The source address needs to be within a subnet that is normally routable through the receiving interface, and the source port can be random unless the source is specified via ACL. The destination is the address of the interface itself (not the host it will be translated to) and the destination port must match. In your postings you used ports 8443 and 6443.

I would also make your interface ACL reference the specific host IP address in the destination. In your case the destination host IP is the interface's IP address.
0
 
LVL 20

Accepted Solution

by: rauenpc (earned 500 total points)
ID: 38820537
My last post was written before I saw your last post. You cannot load balance with an ASA. You can do failover, but you cannot use two internet connections simultaneously. The best you could do is specify certain public IP's/subnet to go out the secondary WAN.

However, if you have two static default routes, only one can be used at a time which means only one wan interface can be used at a time.
0
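To make the two points in rauenpc's last replies concrete (the reverse-path check against the receiving interface, and why a single active default route leaves only one WAN usable for inbound tests), here is a small simulation of the checks packet-tracer applies. It is an added example written for this page, not code from the thread, from Cisco, or from the ASA itself, and its phase order is simplified rather than the ASA's real pipeline. It assumes a constructed topology: FSM 192.168.1.1/24 and FSMLAN 10.1.1.254/24 from rauenpc's sample addressing, documentation-range addresses for outside and inside, one default route via outside, static PATs on the FSM interface address for ports 8443 and 6443, and an inbound ACL with a specific destination as rauenpc recommends. Under the `static (FSMLAN,FSM) interface ...` syntax the mapped address is the FSM interface's own IP, so that address (not the inside host) is what an inbound test must target.

```python
import ipaddress

# Constructed lab topology (hypothetical, not the poster's real addressing).
# FSM and FSMLAN use rauenpc's sample values; outside and inside use
# documentation ranges so the script runs offline.
INTERFACES = {
    "outside": ipaddress.ip_interface("203.0.113.1/24"),
    "inside":  ipaddress.ip_interface("172.16.1.254/24"),
    "FSM":     ipaddress.ip_interface("192.168.1.1/24"),
    "FSMLAN":  ipaddress.ip_interface("10.1.1.254/24"),
}

# Routing table as (prefix, egress interface): connected routes plus ONE default
# route via "outside". Only one default route is active on the ASA, which is why
# an Internet source arriving on FSM fails the reverse-path check below.
ROUTES = [(ifc.network, name) for name, ifc in INTERFACES.items()]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), "outside"))

# Static PATs in the spirit of "static (FSMLAN,FSM) tcp interface 6443 10.1.1.25 6443":
# the mapped address is the FSM interface IP, so only the port selects the host.
STATIC_PAT = {"FSM": {8443: ("10.1.1.2", 8443), 6443: ("10.1.1.25", 6443)}}

# Inbound ACL as rauenpc suggests: any source, the specific (mapped) destination
# host, exact port. Pre-8.3 interface ACLs see the address before un-NAT.
ACLS = {"FSM": [("0.0.0.0/0", "192.168.1.1/32", 8443),
                ("0.0.0.0/0", "192.168.1.1/32", 6443)]}


def route_lookup(ip):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifname in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


def rpf_check(ingress, src_ip):
    """Reverse-path check: the route back to the source must leave via `ingress`."""
    return route_lookup(src_ip) == ingress


def untranslate(ingress, dst_ip, dst_port):
    """Map (interface IP, port) back to the real host, or None if no static applies."""
    if dst_ip != str(INTERFACES[ingress].ip):
        return None                      # destination is not the mapped address
    return STATIC_PAT.get(ingress, {}).get(dst_port)


def acl_permits(ingress, src_ip, dst_ip, dst_port):
    """Evaluate the inbound ACL on `ingress`; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s_net, d_net, port in ACLS.get(ingress, []):
        if (src in ipaddress.ip_network(s_net)
                and dst in ipaddress.ip_network(d_net) and port == dst_port):
            return True
    return False


def packet_tracer(ingress, src_ip, src_port, dst_ip, dst_port):
    """Run the checks in turn; returns (verdict, [(phase, result, detail), ...]).
    Phase order is simplified and does not reproduce the ASA's real pipeline.
    The source port is accepted but, as rauenpc notes, does not affect the result."""
    phases = []
    if not rpf_check(ingress, src_ip):
        phases.append(("NAT rpf-check", "DROP",
                       f"{src_ip} routes via {route_lookup(src_ip)}, not {ingress}"))
        return "DROP", phases
    phases.append(("NAT rpf-check", "ALLOW", f"{src_ip} is reachable via {ingress}"))

    real = untranslate(ingress, dst_ip, dst_port)
    if real is None:
        phases.append(("UN-NAT", "DROP",
                       f"no static for {dst_ip}:{dst_port} on {ingress}; test against the "
                       f"interface address {INTERFACES[ingress].ip}, not the inside host"))
        return "DROP", phases
    phases.append(("UN-NAT", "ALLOW", f"{dst_ip}:{dst_port} -> {real[0]}:{real[1]}"))

    if not acl_permits(ingress, src_ip, dst_ip, dst_port):
        phases.append(("ACCESS-LIST", "DROP", "implicit deny"))
        return "DROP", phases
    phases.append(("ACCESS-LIST", "ALLOW", f"tcp any host {dst_ip} eq {dst_port}"))
    return "ALLOW", phases


if __name__ == "__main__":
    for pkt in [
        ("FSM", "208.67.222.222", 8443, "10.1.1.2", 8443),     # the poster's trace
        ("FSM", "192.168.1.100", 55005, "10.1.1.2", 8443),     # good source, inside host as dst
        ("FSM", "192.168.1.100", 55005, "192.168.1.1", 8443),  # interface IP as destination
    ]:
        verdict, phases = packet_tracer(*pkt)
        print(f"packet-tracer input {pkt[0]} tcp {pkt[1]} {pkt[2]} {pkt[3]} {pkt[4]}: {verdict}")
        for phase, result, detail in phases:
            print(f"  {phase:14} {result:5} {detail}")
```

The first packet reproduces the thread's failure mode: 208.67.222.222 matches only the default route, whose egress is outside, so a packet carrying that source on FSM fails the reverse-path check before NAT is even consulted. The second passes RPF but targets the inside host instead of the mapped interface address, so no static applies. Only the third, built the way rauenpc describes, gets translated and permitted.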
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820548
OK that makes more sense,

After a quick lookup I've discovered that ASAs don't support policy-based routing, so effectively I can only have a single NAT pool. So my multiple interfaces won't work with NAT because it gets confused and sends stuff out the wrong WAN interface.

GRRR

Looks like I have to go back to the drawing board.

thanks!
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820578
Just to clarify, you can use both interfaces, just not simultaneously. Automatic failover can be configured without too much effort.
To use them simultaneously would require you to have some sort of policy routing happening before the traffic gets to the firewall (via router or L3 switch), and then the firewall would have to be configured with multiple contexts (virtual firewalls) to use both wan links simultaneously. That config can get very complex and confusing. I don't recommend it.
0
