Solved

1 to 1 NATing on ASA

Posted on 2013-01-25
Last Modified: 2013-01-25
I'm trying to map an outside IP 1 to 1 to an inside host but I'm getting an error on the packet tracer I can't figure out:

access-list FSM_access_in extended permit tcp any any eq 8443
nat (FSMLAN) 1 10.1.1.0 255.255.255.0
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255


 packet-tracer input FSM tcp 208.67.222.222 8443 10.1.1.2 8443

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255
  match ip FSMLAN host 10.1.1.2 FSM any
    static translation to 0.0.0.0
    translate_hits = 0, untranslate_hits = 39
Additional Information:
Question by:PerimeterIT

Expert Comment by:rauenpc (ID: 38820314)

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255
  match ip FSMLAN host 10.1.1.2 FSM any
    static translation to 0.0.0.0
    translate_hits = 0, untranslate_hits = 39
Additional Information:

Translation to 0.0.0.0 doesn't look right.  You showed two config lines - the first was your general nat/pat for outbound internet (I assume)
nat (FSMLAN) 1 10.1.1.0 255.255.255.0
and the second is the static nat
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255

What is the global nat line? If they are both using interface, this won't work. You would have to create a static PAT instead of a 1-to-1 static nat. Also, in your ACL I would be more specific - the source can be any, but the destination should be specific.

On a side note, sometimes packet-tracer doesn't do the best job, so if that's the only method you've used to test, you may want to try having someone on the outside actually attempt a connection while you use the real time log viewer to look in to this matter.

Author Comment by:PerimeterIT (ID: 38820454)

I'm trying with static entries instead but no luck yet...

oncallnetworks# show run global
global (outside) 1 interface
global (FSM) 1 interface
oncallnetworks# show run nat
nat (inside) 1 172.16.1.0 255.255.255.0
nat (FSMLAN) 1 10.1.1.0 255.255.255.0

static (FSMLAN,FSM) tcp interface 6443 10.1.1.25 6443 netmask 255.255.255.255

Author Comment by:PerimeterIT (ID: 38820504)

I should clarify, I have 2 WAN ports on the firewall

1 for surf traffic, 1 dedicated WAN for an internal server.

FSM - dedicated internet

Expert Comment by:rauenpc (ID: 38820525)

From what I can see, you have at least 4 interfaces - inside, outside, FSM, and FSMLAN. The RPF check essentially makes sure that the source IP address of a packet entering an interface is valid on that interface. This means that if you have an interface (FSM) that receives a packet with a source of 1.1.1.1, but normal routing would use the outside interface to reach 1.1.1.1, this is an RPF failure because the reverse path can't use the interface the packet was received on originally.

In your packet-tracer, if the FSM interface doesn't have a route to use that interface to reach 208.67.222.222, this will fail regardless of NAT.
Also, since you are using the "interface" in your nat statement, the destination of the packet needs to be that of the interface itself. So if, for example, your interfaces were
FSM: 192.168.1.1/24
FSMLAN: 10.1.1.254/24

then the packet-tracer command would be
packet-tracer input FSM tcp 192.168.1.100 55005 10.1.1.254 8443
-or-
packet-tracer input FSM tcp 192.168.1.100 55005 10.1.1.254 6443

The source address needs to be within a subnet that is normally routable through the receiving interface, and the source port can be random unless the source is specified via ACL. The destination is the address of the interface itself (not the host it will be translated to) and the destination port must match. In your postings you used ports 8443 and 6443.

I would also make your interface ACL reference the specific host IP address in the destination. In your case the destination host IP is the interface's IP address.
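The two things rauenpc checks above (is the packet addressed to the interface's own address so the static can untranslate it, and does the reverse path to the source go out the interface the packet arrived on) can be modelled in a few lines. The following is an added illustration written for this page, not Cisco code and not anything posted in the thread. It uses the thread's FSMLAN 10.1.1.0/24 and inside 172.16.1.0/24, rauenpc's hypothetical FSM 192.168.1.1/24 and FSMLAN 10.1.1.254, an assumed outside address 203.0.113.2/24, and a single default route via outside, which is the situation the thread describes. The second rpf-check rule (a packet sent straight to a real address that a static would translate on the reply) is an assumption modelled on the "match ip FSMLAN host 10.1.1.2 FSM any" line in the drop output; the real ASA phase order and messages are simplified.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing (interface IP, connected subnet).  The thread gives only
# FSMLAN 10.1.1.0/24 and inside 172.16.1.0/24; FSM/FSMLAN addresses follow
# rauenpc's hypothetical example and outside is made up (TEST-NET-3).
INTERFACES = {
    "inside":  ("172.16.1.1", "172.16.1.0/24"),
    "FSMLAN":  ("10.1.1.254", "10.1.1.0/24"),
    "FSM":     ("192.168.1.1", "192.168.1.0/24"),
    "outside": ("203.0.113.2", "203.0.113.0/24"),
}
# Connected routes plus one default route: an ASA runs a single active default.
ROUTES = [(cidr, name) for name, (_ip, cidr) in INTERFACES.items()] + [("0.0.0.0/0", "outside")]


@dataclass
class Static:
    """One 8.x 'static (real_if,mapped_if) [tcp] mapped_ip [port] real_ip [port]' line."""
    real_if: str
    mapped_if: str
    mapped_ip: str                  # "interface" = the mapped interface's own address
    real_ip: str
    proto: Optional[str] = None     # set only for static PAT
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


# The two attempts from the thread, kept as separate configurations.
ONE_TO_ONE = [Static("FSMLAN", "FSM", "interface", "10.1.1.2")]
STATIC_PAT = [Static("FSMLAN", "FSM", "interface", "10.1.1.25", "tcp", 6443, 6443)]


def egress_interface(routes, ip):
    """Longest-prefix match: the interface the ASA would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def mapped_address(s, interfaces):
    return interfaces[s.mapped_if][0] if s.mapped_ip == "interface" else s.mapped_ip


def untranslate(statics, interfaces, in_if, proto, dst_ip, dst_port):
    """Inbound UN-NAT: match the destination against the mapped side of each
    static on the ingress interface.  Returns (real_ip, real_port) or None."""
    for s in statics:
        if s.mapped_if != in_if or dst_ip != mapped_address(s, interfaces):
            continue
        if s.proto is not None and (proto != s.proto or dst_port != s.mapped_port):
            continue                                  # static PAT: port must match too
        return s.real_ip, (s.real_port if s.proto is not None else dst_port)
    return None


def packet_tracer(statics, in_if, proto, src_ip, src_port, dst_ip, dst_port,
                  interfaces=INTERFACES, routes=ROUTES):
    """Walk the UN-NAT and NAT rpf-check phases.  Returns (result, phase notes)."""
    notes = []
    hit = untranslate(statics, interfaces, in_if, proto, dst_ip, dst_port)
    if hit:
        notes.append("UN-NAT: %s:%d -> %s:%d" % (dst_ip, dst_port, hit[0], hit[1]))
    else:
        notes.append("UN-NAT: no static on %s matches %s %s:%d" % (in_if, proto, dst_ip, dst_port))
    # Check 1 (rauenpc's description): the source must be reachable back out
    # the interface the packet arrived on.
    reverse = egress_interface(routes, src_ip)
    if reverse != in_if:
        notes.append("NAT rpf-check: DROP, reverse path to %s is via %s, not %s"
                     % (src_ip, reverse, in_if))
        return "DROP", notes
    # Check 2 (assumption, modelled on the 'match ip FSMLAN host 10.1.1.2 FSM any'
    # line in the thread's drop): a packet sent straight to a real address that
    # a static would translate on the reply gives asymmetric forward/reverse flows.
    if hit is None:
        for s in statics:
            if (s.mapped_if == in_if and s.real_ip == dst_ip
                    and s.real_if == egress_interface(routes, dst_ip)):
                notes.append("NAT rpf-check: DROP, %s is the real host behind a static; "
                             "send to the mapped address %s" % (dst_ip, mapped_address(s, interfaces)))
                return "DROP", notes
    notes.append("NAT rpf-check: ALLOW")
    return "ALLOW", notes


if __name__ == "__main__":
    cases = [
        ("thread's original trace", ONE_TO_ONE, ROUTES, "208.67.222.222", "10.1.1.2", 8443),
        ("rauenpc's suggested trace", ONE_TO_ONE, ROUTES, "192.168.1.100", "192.168.1.1", 8443),
        ("real address instead of mapped", ONE_TO_ONE, ROUTES, "192.168.1.100", "10.1.1.2", 8443),
        ("static PAT on tcp/6443", STATIC_PAT, ROUTES, "192.168.1.100", "192.168.1.1", 6443),
        ("internet source, /24 routed via FSM", ONE_TO_ONE, ROUTES + [("208.67.222.0/24", "FSM")],
         "208.67.222.222", "192.168.1.1", 8443),
    ]
    for label, statics, routes, src, dst, port in cases:
        result, notes = packet_tracer(statics, "FSM", "tcp", src, 55005, dst, port, routes=routes)
        print("%-36s %s\n  %s" % (label, result, "\n  ".join(notes)))
```

Run it as a script to see each case traced. The first case reproduces the thread's drop: 208.67.222.222 is only reachable through the default route on outside, so a packet claiming that source on FSM fails the reverse-path check before NAT is even considered. The last case shows the one thing the ASA can do with the second WAN that the accepted answer mentions, a more specific route for a chosen public subnet pointing out FSM, after which the same trace passes.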

Accepted Solution by:rauenpc (earned 500 total points, ID: 38820537)

My last post was written before I saw your last post. You cannot load balance with an ASA. You can do failover, but you cannot use two internet connections simultaneously. The best you could do is specify certain public IPs/subnets to go out the secondary WAN.

However, if you have two static default routes, only one can be used at a time which means only one wan interface can be used at a time.

Author Comment by:PerimeterIT (ID: 38820548)

OK that makes more sense,

After a quick lookup I've discovered that ASAs don't support policy-based routing, so effectively I can only have a single NAT pool. So my multiple interfaces won't work with NAT because it gets confused and sends stuff out the wrong WAN interface.

GRRR

Looks like I have to go back to the drawing board.

thanks!

Expert Comment by:rauenpc (ID: 38820578)

Just to clarify, you can use both interfaces, just not simultaneously. Automatic failover can be configured without too much effort.
To use them simultaneously would require you to have some sort of policy routing happening before the traffic gets to the firewall (via router or L3 switch), and then the firewall would have to be configured with multiple contexts (virtual firewalls) to use both wan links simultaneously. That config can get very complex and confusing. I don't recommend it.