Solved

1 to 1 NATing on ASA

Posted on 2013-01-25
7
339 Views
Last Modified: 2013-01-25
I'm trying to map an outside IP 1-to-1 to an inside host, but I'm getting an error in packet-tracer that I can't figure out:

access-list FSM_access_in extended permit tcp any any eq 8443
nat (FSMLAN) 1 10.1.1.0 255.255.255.0
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255


packet-tracer input FSM tcp 208.67.222.222 8443 10.1.1.2 8443

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255
  match ip FSMLAN host 10.1.1.2 FSM any
    static translation to 0.0.0.0
    translate_hits = 0, untranslate_hits = 39
Additional Information:
0
Question by:PerimeterIT
7 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820314
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255
  match ip FSMLAN host 10.1.1.2 FSM any
    static translation to 0.0.0.0
    translate_hits = 0, untranslate_hits = 39
Additional Information:

Translation to 0.0.0.0 doesn't look right. You showed two config lines - the first was your general nat/pat for outbound internet (I assume)
nat (FSMLAN) 1 10.1.1.0 255.255.255.0
and the second is the static nat
static (FSMLAN,FSM) interface 10.1.1.2 netmask 255.255.255.255

What is the global nat line? If they are both using interface, this won't work. You would have to create a static PAT instead of a 1-to-1 static nat. Also, in your ACL I would be more specific - the source can be any, but the destination should be specific.

On a side note, sometimes packet-tracer doesn't do the best job, so if that's the only method you've used to test, you may want to try having someone on the outside actually attempt a connection while you use the real-time log viewer to look into this matter.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820454
I'm trying with static entries instead but no luck yet...

oncallnetworks# show run global
global (outside) 1 interface
global (FSM) 1 interface
oncallnetworks# show run nat
nat (inside) 1 172.16.1.0 255.255.255.0
nat (FSMLAN) 1 10.1.1.0 255.255.255.0

static (FSMLAN,FSM) tcp interface 6443 10.1.1.25 6443 netmask 255.255.255.255
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820504
I should clarify, I have 2 WAN ports on the firewall

1 for surf traffic, 1 dedicated WAN for an internal server.

FSM - dedicated internet
0

 
LVL 20

Expert Comment

by:rauenpc
ID: 38820525
From what I can see, you have at least 4 interfaces - inside, outside, FSM, and FSMLAN. The RPF check essentially makes sure that the source IP address of a packet entering an interface is valid on that interface. This means that if you have an interface (FSM) that receives a packet with a source of 1.1.1.1, but normal routing would use the outside interface to reach 1.1.1.1, this is an RPF failure because the reverse path can't use the interface the packet was received on originally.

In your packet-tracer, if the FSM interface doesn't have a route to use that interface to reach 208.67.222.222, this will fail regardless of NAT.
Also, since you are using the "interface" in your nat statement, the destination of the packet needs to be that of the interface itself. So if, for example, your interfaces were
FSM: 192.168.1.1/24
FSMLAN: 10.1.1.254/24

then the packet-tracer command would be
packet-tracer input FSM tcp 192.168.1.100 55005 10.1.1.254 8443
-or-
packet-tracer input FSM tcp 192.168.1.100 55005 10.1.1.254 6443

The source address needs to be within a subnet that is normally routable through the receiving interface, and the source port can be random unless the source is specified via ACL. The destination is the address of the interface itself (not the host it will be translated to) and the destination port must match. In your postings you used ports 8443 and 6443.

I would also make your interface ACL reference the specific host IP address in the destination. In your case the destination host IP is the interface's IP address.
0
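As an added example (not code from the thread, from Cisco, or from either poster), the script below is a small Python model of the two checks rauenpc describes: the NAT rpf-check, which requires the packet's source to be routable back out the interface it arrived on, and the untranslation performed by a pre-8.3 `static (FSMLAN,FSM) interface ...` rule, whose mapped address is the address of the interface named second in the statement (FSM). The FSM and FSMLAN addresses follow rauenpc's example above; the outside and inside interface addresses, the default route, and the traffic samples are constructed for the illustration. It also shows the point made in the accepted solution: the one active default route decides which WAN interface the return path uses, so moving it from outside to FSM makes the original trace pass the rpf check.

```python
"""Simplified model of the ASA NAT rpf-check and 'static ... interface' untranslation.

Added illustration only: the address plan below is partly constructed and the
phase ordering is reduced to the two checks discussed in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    cidr: str                         # e.g. "192.168.1.1/24"

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.cidr).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.cidr).network


@dataclass(frozen=True)
class Route:
    prefix: str                       # "0.0.0.0/0" for a default route
    interface: str


@dataclass(frozen=True)
class StaticNat:
    """static (real_if,mapped_if) [proto] <mapped_ip> [port] <real_ip> [port]"""
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str = "interface"      # "interface" = address of mapped_if
    proto: Optional[str] = None       # proto and port set => static PAT
    port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def egress_interface(ifaces: Dict[str, Interface], routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over connected subnets and static routes."""
    addr = ipaddress.ip_address(dst)
    candidates = [(i.network, i.name) for i in ifaces.values()]
    candidates += [(ipaddress.ip_network(r.prefix), r.interface) for r in routes]
    matches = [(net.prefixlen, name) for net, name in candidates if addr in net]
    return max(matches)[1] if matches else None


def untranslate(rule: StaticNat, ifaces: Dict[str, Interface], pkt: Packet) -> Optional[str]:
    """Return the real host if pkt hits the mapped side of this static rule."""
    if pkt.in_if != rule.mapped_if:
        return None
    mapped = ifaces[rule.mapped_if].ip if rule.mapped_ip == "interface" \
        else ipaddress.ip_address(rule.mapped_ip)
    if ipaddress.ip_address(pkt.dst) != mapped:
        return None                   # destination must be the mapped address
    if rule.port is not None and (pkt.proto != rule.proto or pkt.dport != rule.port):
        return None                   # static PAT: protocol and port must match too
    return rule.real_ip


def trace(ifaces: Dict[str, Interface], routes: List[Route],
          rules: List[StaticNat], pkt: Packet) -> Tuple[str, str]:
    """Mimic the two packet-tracer phases that matter for the thread."""
    # rpf-check: the source must be reachable back out the ingress interface.
    back = egress_interface(ifaces, routes, pkt.src)
    if back != pkt.in_if:
        return "DROP", f"rpf-check: route to {pkt.src} is via {back}, packet arrived on {pkt.in_if}"
    # UN-NAT: find a static rule whose mapped address (and port) the packet hits.
    for rule in rules:
        real = untranslate(rule, ifaces, pkt)
        if real is not None:
            out_if = egress_interface(ifaces, routes, real)
            return "ALLOW", f"{pkt.src}:{pkt.sport} -> {real}:{pkt.dport} via {out_if}"
    return "DROP", f"no static rule maps {pkt.dst}:{pkt.dport} on {pkt.in_if}"


IFACES = {i.name: i for i in [
    Interface("outside", "203.0.113.1/24"),   # constructed
    Interface("inside", "172.16.1.254/24"),   # constructed; subnet from 'nat (inside) 1'
    Interface("FSM", "192.168.1.1/24"),       # rauenpc's example
    Interface("FSMLAN", "10.1.1.254/24"),     # rauenpc's example
]}
ROUTES = [Route("0.0.0.0/0", "outside")]      # the single active default route
ROUTES_VIA_FSM = [Route("0.0.0.0/0", "FSM")]  # same box with the default moved to FSM
ONE_TO_ONE = [StaticNat("FSMLAN", "FSM", "10.1.1.2")]
STATIC_PAT = [StaticNat("FSMLAN", "FSM", "10.1.1.25", proto="tcp", port=6443)]

if __name__ == "__main__":
    cases = [
        ("original trace ", ROUTES, ONE_TO_ONE, Packet("FSM", "tcp", "208.67.222.222", 8443, "10.1.1.2", 8443)),
        ("corrected trace", ROUTES, ONE_TO_ONE, Packet("FSM", "tcp", "192.168.1.100", 55005, "192.168.1.1", 8443)),
        ("PAT wrong port ", ROUTES, STATIC_PAT, Packet("FSM", "tcp", "192.168.1.100", 55005, "192.168.1.1", 8443)),
        ("PAT right port ", ROUTES, STATIC_PAT, Packet("FSM", "tcp", "192.168.1.100", 55005, "192.168.1.1", 6443)),
        ("default via FSM", ROUTES_VIA_FSM, ONE_TO_ONE, Packet("FSM", "tcp", "208.67.222.222", 8443, "192.168.1.1", 8443)),
    ]
    for label, routes, rules, pkt in cases:
        print(label, *trace(IFACES, routes, rules, pkt))
```

The first case reproduces the thread's drop: 208.67.222.222 is reachable only through the default route on outside, so a packet carrying that source on FSM fails the reverse-path check before NAT is even considered. The last case is the two-WAN point from the accepted solution: the same packet passes once the default route points at FSM, but then outbound surfing from inside would leave through FSM as well, because the ASA has exactly one active default route.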
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38820537
My last post was written before I saw your last post. You cannot load balance with an ASA. You can do failover, but you cannot use two internet connections simultaneously. The best you could do is specify certain public IPs/subnets to go out the secondary WAN.

However, if you have two static default routes, only one can be used at a time which means only one wan interface can be used at a time.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 38820548
OK that makes more sense,

After a quick lookup I've discovered that ASAs don't support policy-based routing, so effectively I can only have a single NAT pool. So my multiple interfaces won't work with NAT because it gets confused and sends stuff out the wrong WAN interface.

GRRR

Looks like I have to go back to the drawing board.

thanks!
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820578
Just to clarify, you can use both interfaces, just not simultaneously. Automatic failover can be configured without too much effort.
To use them simultaneously would require you to have some sort of policy routing happening before the traffic gets to the firewall (via router or L3 switch), and then the firewall would have to be configured with multiple contexts (virtual firewalls) to use both wan links simultaneously. That config can get very complex and confusing. I don't recommend it.
0
