Solved

1 to 1 NATing on ASA

Posted on 2013-01-25
7
342 Views
Last Modified: 2013-01-25
I'm trying to map an outside IP 1 to 1 to an inside host but I'm getting an error on the packet tracer I can't figure out:

access-list FSM_access_in extended permit tcp any any eq 8443
nat (FSMLAN) 1 10.1.1.0 255.255.255.0
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255


packet-tracer input FSM tcp 208.67.222.222 8443 10.1.1.2 8443

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255
  match ip FSMLAN host 10.1.1.2 FSM any
    static translation to 0.0.0.0
    translate_hits = 0, untranslate_hits = 39
Additional Information:
0
Question by:PerimeterIT
7 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820314
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255
  match ip FSMLAN host 10.1.1.2 FSM any
    static translation to 0.0.0.0
    translate_hits = 0, untranslate_hits = 39
Additional Information:

Translation to 0.0.0.0 doesn't look right. You showed two config lines - the first was your general nat/pat for outbound internet (I assume)
nat (FSMLAN) 1 10.1.1.0 255.255.255.0
and the second is the static nat
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255

What is the global nat line? If they are both using interface, this won't work. You would have to create a static PAT instead of a 1-to-1 static nat. Also, in your ACL I would be more specific - the source can be any, but the destination should be specific.

On a side note, sometimes packet-tracer doesn't do the best job, so if that's the only method you've used to test, you may want to try having someone on the outside actually attempt a connection while you use the real time log viewer to look in to this matter.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820454
I'm trying with static entries instead but no luck yet...

oncallnetworks# show run global
global (outside) 1 interface
global (FSM) 1 interface
oncallnetworks# show run nat
nat (inside) 1 172.16.1.0 255.255.255.0
nat (FSMLAN) 1 10.1.1.0 255.255.255.0

static (FSMLAN,FSM) tcp interface 6443 10.1.1.25 6443 netmask 255.255.255.255
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820504
I should clarify, I have 2 WAN ports on the firewall

1 for surf traffic, 1 dedicated WAN for an internal server.

FSM - dedicated internet
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820525
From what I can see, you have at least 4 interfaces - inside, outside, FSM, and FSMLAN. The RPF check essentially makes sure that the source IP address of a packet entering an interface is valid on that interface. This means that if you have an interface (FSM) that receives a packet with a source of 1.1.1.1, but normal routing would use the outside interface to reach 1.1.1.1, this is an RPF failure because the reverse path can't use the interface the packet was received on originally.

In your packet-tracer, if the FSM interface doesn't have a route to use that interface to reach 208.67.222.222, this will fail regardless of NAT.
Also, since you are using the "interface" in your nat statement, the destination of the packet needs to be that of the interface itself. So if, for example, your interfaces were
FSM: 192.168.1.1/24
FSMLAN: 10.1.1.254/24

then the packet-tracer command would be
packet-tracer input FSM tcp 192.168.1.100 55005 10.1.1.254 8443
-or-
packet-tracer input FSM tcp 192.168.1.100 55005 10.1.1.254 6443

The source address needs to be within a subnet that is normally routable through the receiving interface, and the source port can be random unless the source is specified via ACL. The destination is the address of the interface itself (not the host it will be translated to) and the destination port must match. In your postings you used ports 8443 and 6443.

I would also make your interface ACL reference the specific host IP address in the destination. In your case the destination host IP is the interface's IP address.
0
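The RPF check described in the post above, modelled as an added example that is not part of the original thread or of any Cisco tool. It assumes a hypothetical routing table for the asker's four interfaces (the page gives no interface addresses, so FSM is taken as 192.168.1.1/24 and the other subnets from the posted nat lines) and a hypothetical static PAT whose global address is the FSM interface IP. It reproduces why a packet-tracer sourced from an internet address entering FSM drops at rpf-check when the default route points out the outside interface, and what a passing trace looks like.

```python
import ipaddress

# Constructed routing table (assumption: the thread does not show 'show route').
# Longest prefix wins, as on the ASA. The single default route points to "outside".
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("172.16.1.0/24", "inside"),
    ("10.1.1.0/24", "FSMLAN"),
    ("192.168.1.0/24", "FSM"),       # hypothetical connected subnet of FSM
]

# Hypothetical model of: static (FSMLAN,FSM) tcp interface 6443 10.1.1.25 6443
# "interface" means the global address is the FSM interface's own IP (assumed here).
STATIC = {
    "global_iface": "FSM",
    "global_ip": "192.168.1.1",
    "global_port": 6443,
    "local_ip": "10.1.1.25",
    "local_port": 6443,
}


def egress_interface(dst_ip, routes=ROUTES):
    """Longest-prefix match: which interface would the firewall use to reach dst_ip?"""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(ingress_iface, src_ip, routes=ROUTES):
    """Reverse-path check: the packet passes only if the route back to its source
    leaves through the interface it arrived on. Returns (passed, reverse_iface)."""
    reverse = egress_interface(src_ip, routes)
    return reverse == ingress_iface, reverse


def trace(ingress_iface, src_ip, dst_ip, dst_port, routes=ROUTES, static=STATIC):
    """Minimal packet-tracer-style verdict covering the two checks from the thread:
    RPF on the source, then whether the destination matches the static's global
    address and port (the interface IP, not the inside host). Returns (result, reason)."""
    passed, reverse = rpf_check(ingress_iface, src_ip, routes)
    if not passed:
        return ("DROP", "rpf-check: reverse path to %s is via %s, packet entered %s"
                % (src_ip, reverse, ingress_iface))
    if ingress_iface != static["global_iface"]:
        return ("DROP", "static is bound to %s, packet entered %s"
                % (static["global_iface"], ingress_iface))
    if (dst_ip, dst_port) != (static["global_ip"], static["global_port"]):
        return ("DROP", "no static matches %s:%d; with 'interface' the global address is %s:%d"
                % (dst_ip, dst_port, static["global_ip"], static["global_port"]))
    return ("ALLOW", "untranslate %s:%d -> %s:%d"
            % (dst_ip, dst_port, static["local_ip"], static["local_port"]))


if __name__ == "__main__":
    # The asker's trace: internet source entering FSM while the default route is on outside.
    print(trace("FSM", "208.67.222.222", "192.168.1.1", 6443))
    # A source routable via FSM, aimed at the FSM interface address and the static's port.
    print(trace("FSM", "192.168.1.100", "192.168.1.1", 6443))
    # Same good source, but aimed at the inside host instead of the interface address.
    print(trace("FSM", "192.168.1.100", "10.1.1.25", 6443))
```

The model deliberately has only one default route, which is the thread's conclusion: with a single default route on the outside interface, any internet-sourced packet arriving on FSM fails RPF before NAT is even consulted, so a second WAN link cannot carry inbound traffic unless the routing for those sources points back out through it.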
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38820537
My last post was written before I saw your last post. You cannot load balance with an ASA. You can do failover, but you cannot use two internet connections simultaneously. The best you could do is specify certain public IPs/subnets to go out the secondary WAN.

However, if you have two static default routes, only one can be used at a time, which means only one WAN interface can be used at a time.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820548
OK that makes more sense,

After a quick lookup I've discovered that ASAs don't support policy-based routing, so effectively I can only have a single NAT pool. So my multiple interfaces won't work with NAT because it gets confused and sends stuff out the wrong WAN interface.

GRRR

Looks like I have to go back to the drawing board.

thanks!
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820578
Just to clarify, you can use both interfaces, just not simultaneously. Automatic failover can be configured without too much effort.
To use them simultaneously would require you to have some sort of policy routing happening before the traffic gets to the firewall (via router or L3 switch), and then the firewall would have to be configured with multiple contexts (virtual firewalls) to use both WAN links simultaneously. That config can get very complex and confusing. I don't recommend it.
0