Cisco ASA NAT Issue

Posted on 2015-02-02
Last Modified: 2015-03-17
I am having a NAT issue with a Cisco ASA on 8.0(4).

I have a server that already has a static NAT as follows.

static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000

I now need to allow access to this server over an IPSec VPN but the remote peer requires me to source NAT to a specific private IP address (172.28.0.201). My configuration now looks like this.

static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit icmp host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit icmp host 192.168.31.40 10.178.32.144 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip 10.178.16.224 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit ip 10.178.32.144 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit icmp 10.178.16.224 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit icmp 10.178.32.144 255.255.255.240 host 192.168.31.40
global (outside) 1 interface
global (outside) 12 172.28.0.201
nat (dev-dmz) 0 access-list no-nat-dev-dmz
nat (dev-dmz) 12 access-list NAT-DEV-IIS-01
nat (dev-dmz) 1 0.0.0.0 0.0.0.0


I would expect from this the following.

1. Any traffic between 192.168.31.40 and 10.178.16.224 255.255.255.240 or 10.178.32.144 255.255.255.240 will go out with a source IP of 172.28.0.201.
2. All other traffic from 192.168.31.40 out to the internet will go out with a source IP of 99.99.99.99.

This isn't happening. When I try to ping a host on the remote side from 192.168.31.40 the NAT to 172.28.0.201 is not happening. My xlates relevant to this are as follows.

# show xlate | inc 172.28
Global 172.28.0.202 Local 192.168.31.41
Global 172.28.0.202 Local 192.168.31.41
PAT Global 172.28.0.202(0) Local 192.168.31.41 ICMP id 0
PAT Global 172.28.0.202(0) Local 192.168.31.41 ICMP id 0
Global 172.28.0.203 Local 192.168.30.5
Global 172.28.0.203 Local 192.168.30.5
PAT Global 172.28.0.203(0) Local 192.168.30.5 ICMP id 0
PAT Global 172.28.0.203(0) Local 192.168.30.5 ICMP id 0


The xlate from 192.168.31.40 to 172.28.0.201 is not listed.

Can anyone tell me what I'm doing wrong?

TIA
Question by:ccfcfc
6 Comments

Accepted Solution

by:
Fidelius earned 2000 total points
ID: 40585742
Hello,
Try to switch NAT IDs:
global (outside) 1 172.28.0.201
global (outside) 12 interface
nat (dev-dmz) 1 access-list NAT-DEV-IIS-01
nat (dev-dmz) 12 0.0.0.0 0.0.0.0

Regards!

Author Comment

by:ccfcfc
ID: 40586242
Does it process those global statements in order then ?

Expert Comment

by:max_the_king
ID: 40586333
Hi,
chances are that you forgot to configure the internal access-list, e.g. the one applied to the dev-dmz interface.

For example, if you want to do policy nat for the following:
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240

you need to allow that rule on the very same interface:
access-list <the one applied on dev-dmz interface> extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240

otherwise packets are dropped BEFORE natting them.

hope this helps
max
Author Comment

by:ccfcfc
ID: 40616611
I can't get this working however I try it.

This is my current setup - I will focus on just one of the hosts on my side of the tunnel.

Host address : 192.168.31.40
SNAT host address : 172.28.0.201
Destination host address : 10.178.32.150

- Interface ACL entries relevant to this traffic

access-list dev-dmz-src-acl extended permit icmp host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.41
access-list dev-dmz-src-acl extended permit ip host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.41

- Crypto ACL

Author Comment

by:ccfcfc
ID: 40616647
Sorry - that last comment was posted prematurely. I will repost it in the complete form in this comment.

I can't get this working however I try it.

This is my current setup - I will focus on just one of the hosts on my side of the tunnel.

Host address : 192.168.31.40
SNAT host address : 172.28.0.201
Destination host address : 10.178.32.150

- Interface ACL entries relevant to this traffic

access-list dev-dmz-src-acl extended permit icmp host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.41
access-list dev-dmz-src-acl extended permit ip host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.41

- Crypto ACL

access-list 136 extended permit ip host 172.28.0.201 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.201 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.202 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.202 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.203 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.203 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.204 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.204 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.205 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.205 10.178.32.144 255.255.255.240

- SNAT ACL

access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240

- SNAT Static

static (dev-dmz,outside) 172.28.0.201  access-list DELTA-NAT-DEV-IIS-01

With these settings the following is the relevant output from show xlate.

Global 172.28.0.201 Local 192.168.31.40
Global 172.28.0.201 Local 192.168.31.40

This would appear to show that the SNAT is working, but if I try to ping 10.178.32.150 from 192.168.31.40 I get no response.

Phase 1 seems to be up and running - this connection shows as MM_ACTIVE if I look at my isakmp SAs - but I have no IPSec SA for this tunnel.

If I use the packet trace tool on ASDM it passes everything up to the VPN. The last entries are as follows.

Type - NAT Action - ALLOW
Config
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01 nat-control match ip dev-dmz host 192.168.31.40 outside 10.178.32.144 255.255.255.240 static translation to 172.28.0.201 translate_hits = 1192, untranslate_hits = 0
Info
Static translate 192.168.31.40/0 to 172.28.0.201/0 using netmask 255.255.255.255

Type - NAT Subtype - host-limits Action - ALLOW
Config
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01 nat-control match ip dev-dmz host 192.168.31.40 outside 10.178.16.224 255.255.255.240 static translation to 172.28.0.201 translate_hits = 0, untranslate_hits = 0

Type - VPN Subtype - encrypt Action - DROP

Do I understand this correctly - does that VPN drop mean that the traffic is failing to pass the Crypto ACL?

Expert Comment

by:max_the_king
ID: 40627736
Hi,
since you have NATted 192.168.31.40 to 172.28.0.201, you need to have an access-list on the way back for the packets: assuming you have an access-list on the outside interface named "acc_list_out", you need to add:

access-list acc_list_out permit ip host 10.178.32.150 host 192.168.31.40

the above will allow communication between 192.168.31.40 and 10.178.32.150.

Should you want to extend to other ip, you need to add / modify the access-list.

hope this helps
max
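The thread turns on the NAT order of operations of a pre-8.3 ASA: nat 0 access-list (exemption) is checked first, then static translations (regular and policy), then policy dynamic NAT (nat N access-list), then regular dynamic NAT. The nat/global ID number only pairs a nat line with its global pool; it does not decide precedence. The following is an added example, not code from the thread or from Cisco: a small Python model of the outbound pipeline that packet-tracer printed (ingress ACL on the real addresses, then NAT, then the crypto ACL on the translated source), loaded with the two configurations the author posted. It assumes the interface ACL entries from the later comment apply in both cases, that the no-nat-dev-dmz exemption ACL (never shown) matches nothing, that the outside interface address is the placeholder 203.0.113.1, and that the policy static is evaluated ahead of the regular static within the static step (which is what the author's packet-tracer output shows).

```python
"""Outbound NAT/VPN pipeline model for a pre-8.3 Cisco ASA (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Placeholder for 'global (outside) 1 interface'; the thread never shows the
# outside address, so an RFC 5737 documentation address stands in (assumption).
OUTSIDE_IF = "203.0.113.1"

# ASA 8.0 NAT order of operations: exemption, static (regular and policy),
# policy dynamic NAT, regular dynamic NAT.  Lower number is checked first.
PRECEDENCE = {"exempt": 0, "static": 1, "policy-dynamic": 2, "dynamic": 3}


@dataclass(frozen=True)
class Ace:
    """One 'access-list ... extended permit <proto> <src> <dst>' entry."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src, dst):
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


def ace(proto, src, dst):
    return Ace(proto, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def acl_permits(acl, proto, src, dst):
    return any(a.matches(proto, src, dst) for a in acl)


@dataclass(frozen=True)
class NatRule:
    kind: str                                      # key of PRECEDENCE
    mapped: Optional[str]                          # translated source; None = exempt
    local: Optional[ipaddress.IPv4Network] = None  # non-policy forms match on source
    acl: Tuple[Ace, ...] = ()                      # policy forms match on an ACL

    def matches(self, proto, src, dst):
        if self.local is not None:
            return src in self.local
        return acl_permits(self.acl, proto, src, dst)


def translate(rules, proto, src, dst):
    """First matching rule by precedence, then config order (sorted() is stable)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.kind]):
        if rule.matches(proto, src, dst):
            return rule, (src if rule.mapped is None else ipaddress.ip_address(rule.mapped))
    return None, src


def trace(ingress_acl, nat_rules, crypto_acl, proto, src, dst):
    """Phase order as packet-tracer printed it: ACCESS-LIST on the real
    addresses, then NAT, then the crypto ACL against the translated source."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(ingress_acl, proto, src, dst):
        return {"phase": "ACCESS-LIST", "action": "DROP", "rule": None, "mapped": None}
    rule, mapped = translate(nat_rules, proto, src, dst)
    action = "ENCRYPT" if acl_permits(crypto_acl, proto, mapped, dst) else "CLEAR"
    return {"phase": "VPN encrypt", "action": action,
            "rule": rule.kind if rule else None, "mapped": str(mapped)}


SERVER = "192.168.31.40/32"
REMOTE = ("10.178.16.224/28", "10.178.32.144/28")
# dev-dmz-src-acl entries for this flow, as posted in the later comment.
DEV_DMZ_ACL = [ace(p, "192.168.31.40/32", "10.178.32.150/32") for p in ("icmp", "ip")]
# access-list 136 (crypto ACL), the 172.28.0.201 entries.
CRYPTO_ACL = [ace("ip", "172.28.0.201/32", r) for r in REMOTE]


def original_config():
    """Question as first posted: regular static for the server plus
    'nat (dev-dmz) 12 access-list NAT-DEV-IIS-01' to global 172.28.0.201."""
    policy_acl = tuple(ace(p, SERVER, r) for p in ("ip", "icmp") for r in REMOTE)
    rules = [
        NatRule("exempt", None),            # no-nat-dev-dmz: contents unknown, matches nothing (assumption)
        NatRule("static", "99.99.99.99", local=ipaddress.ip_network(SERVER)),
        NatRule("policy-dynamic", "172.28.0.201", acl=policy_acl),
        NatRule("dynamic", OUTSIDE_IF, local=ipaddress.ip_network("0.0.0.0/0")),
    ]
    return DEV_DMZ_ACL, rules, CRYPTO_ACL


def working_config():
    """Later setup: 'static (dev-dmz,outside) 172.28.0.201 access-list
    DELTA-NAT-DEV-IIS-01' (policy static), listed ahead of the regular static."""
    delta_acl = tuple(ace("ip", SERVER, r) for r in REMOTE)
    rules = [
        NatRule("static", "172.28.0.201", acl=delta_acl),
        NatRule("static", "99.99.99.99", local=ipaddress.ip_network(SERVER)),
        NatRule("dynamic", OUTSIDE_IF, local=ipaddress.ip_network("0.0.0.0/0")),
    ]
    return DEV_DMZ_ACL, rules, CRYPTO_ACL


if __name__ == "__main__":
    for name, cfg in (("original", original_config()), ("policy static", working_config())):
        print(name, trace(*cfg, "icmp", "192.168.31.40", "10.178.32.150"))
```

Run against the original configuration, the ICMP flow from 192.168.31.40 to 10.178.32.150 is claimed by the regular static to 99.99.99.99 before the nat 12 policy line is ever consulted, which is why no xlate to 172.28.0.201 appeared; stripping the static out of the rule list shows the policy ACL itself would have matched. With the policy static form the translated flow does match access-list 136, so on this side the "VPN encrypt DROP" is not a crypto ACL mismatch; the model stops at the crypto ACL and does not cover phase 2 negotiation, which is where the author's observation of no IPsec SA points.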