Cisco ASA NAT Issue

Posted on 2015-02-02
Last Modified: 2015-03-17
I am having a NAT issue with a Cisco ASA on 8.0(4).

I have a server that already has a static NAT as follows.

static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000

I now need to allow access to this server over an IPSec VPN but the remote peer requires me to source NAT to a specific private IP address (172.28.0.201). My configuration now looks like this.

static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit icmp host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit icmp host 192.168.31.40 10.178.32.144 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip 10.178.16.224 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit ip 10.178.32.144 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit icmp 10.178.16.224 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit icmp 10.178.32.144 255.255.255.240 host 192.168.31.40
global (outside) 1 interface
global (outside) 12 172.28.0.201
nat (dev-dmz) 0 access-list no-nat-dev-dmz
nat (dev-dmz) 12 access-list NAT-DEV-IIS-01
nat (dev-dmz) 1 0.0.0.0 0.0.0.0


I would expect from this the following.

1. Any traffic between 192.168.31.40 and 10.178.16.224 255.255.255.240 or 10.178.32.144 255.255.255.240 will go out with a source IP of 172.28.0.201.
2. All other traffic from 192.168.31.40 out to the internet will go out with a source IP of 99.99.99.99.

This isn't happening. When I try to ping a host on the remote side from 192.168.31.40 the NAT to 172.28.0.201 is not happening. My xlates relevant to this are as follows.

# show xlate | inc 172.28
Global 172.28.0.202 Local 192.168.31.41
Global 172.28.0.202 Local 192.168.31.41
PAT Global 172.28.0.202(0) Local 192.168.31.41 ICMP id 0
PAT Global 172.28.0.202(0) Local 192.168.31.41 ICMP id 0
Global 172.28.0.203 Local 192.168.30.5
Global 172.28.0.203 Local 192.168.30.5
PAT Global 172.28.0.203(0) Local 192.168.30.5 ICMP id 0
PAT Global 172.28.0.203(0) Local 192.168.30.5 ICMP id 0


The xlate from 192.168.31.40 to 172.28.0.201 is not listed.

Can anyone tell me what I'm doing wrong?

TIA
Question by:ccfcfc
Accepted Solution

by: Fidelius earned 500 total points
Hello,
Try to switch NAT IDs:
global (outside) 1 172.28.0.201
global (outside) 12 interface
nat (dev-dmz) 1 access-list NAT-DEV-IIS-01
nat (dev-dmz) 12 0.0.0.0 0.0.0.0

Regards!

Author Comment

by:ccfcfc
Does it process those global statements in order then?
Expert Comment

by:max_the_king
Hi,
chances are that you forgot to configure internal access-list, e.g. the one applied to dev-dmz interface.

For example, if you want to do policy nat for the following:
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240

you need to allow that rule on the very same interface:
access-list <the one applied on dev-dmz interface> extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240

otherwise packets are dropped BEFORE natting them.

hope this helps
max
Author Comment

by:ccfcfc
I can't get this working however I try it.

This is my current setup - I will focus on just one of the hosts on my side of the tunnel.

Host address : 192.168.31.40
SNAT host address : 172.28.0.201
Destination host address : 10.178.32.150

- Interface ACL entries relevant to this traffic

access-list dev-dmz-src-acl extended permit icmp host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.41
access-list dev-dmz-src-acl extended permit ip host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.41

- Crypto ACL
Author Comment

by:ccfcfc
Sorry - that last comment was posted prematurely. I will repost it in the complete form in this comment.

I can't get this working however I try it.

This is my current setup - I will focus on just one of the hosts on my side of the tunnel.

Host address : 192.168.31.40
SNAT host address : 172.28.0.201
Destination host address : 10.178.32.150

- Interface ACL entries relevant to this traffic

access-list dev-dmz-src-acl extended permit icmp host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.41
access-list dev-dmz-src-acl extended permit ip host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.41

- Crypto ACL

access-list 136 extended permit ip host 172.28.0.201 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.201 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.202 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.202 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.203 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.203 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.204 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.204 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.205 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.205 10.178.32.144 255.255.255.240

- SNAT ACL

access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240

- SNAT Static

static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01

With these settings the following is the relevant output from show xlate.

Global 172.28.0.201 Local 192.168.31.40
Global 172.28.0.201 Local 192.168.31.40

This would appear to show that the SNAT is working, but if I try to ping 10.178.32.150 from 192.168.31.40 I get no response.

Phase 1 seems to be up and running - this connection shows as MM_ACTIVE if I look at my isakmp SAs - but I have no IPSec SA for this tunnel.

If I use the packet trace tool on ASDM it passes everything up to the VPN. The last entries are as follows.

Type - NAT Action - ALLOW
Config
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01 nat-control match ip dev-dmz host 192.168.31.40 outside 10.178.32.144 255.255.255.240 static translation to 172.28.0.201 translate_hits = 1192, untranslate_hits = 0
Info
Static translate 192.168.31.40/0 to 172.28.0.201/0 using netmask 255.255.255.255

Type - NAT Subtype - host-limits Action - ALLOW
Config
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01 nat-control match ip dev-dmz host 192.168.31.40 outside 10.178.16.224 255.255.255.240 static translation to 172.28.0.201 translate_hits = 0, untranslate_hits = 0

Type - VPN Subtype - encrypt Action - DROP

Do I understand this correctly - does that VPN drop mean that the traffic is failing to pass the Crypto ACL?
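As an added illustration (not code from the thread or from Cisco), the Python below models the pre-8.3 NAT lookup order that the ID-swap question earlier in the thread and this static-policy result both turn on: static rules are matched before any nat <id> access-list rule, so the host static to 99.99.99.99 claims 192.168.31.40 ahead of policy NAT 12, whereas a static policy NAT placed in the static category maps it to 172.28.0.201; it then checks the translated packet against the 172.28.0.201 lines of crypto ACL 136. Assumptions: within a category the model takes the first match in configuration order, and 203.0.113.1 is a constructed placeholder for the outside interface address.

```python
import ipaddress

# Added model (not Cisco code) of the pre-8.3 ASA NAT lookup for a packet leaving dev-dmz
# toward outside, plus a crypto-ACL check on the translated packet. Category order follows
# the ASA 8.0 documentation: 0 nat 0 access-list (exemption), 1 static NAT/PAT (regular or
# policy), 2 policy dynamic NAT (nat <id> access-list), 3 regular dynamic NAT. Within a
# category this model takes the first match in configuration order.

def acl_matches(acl, src, dst):
    """True if any (src_net, dst_net) pair in the ACL covers src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)

def translate(rules, src, dst):
    """Return (rule name, mapped source) for src -> dst, or (None, src) if nothing matches."""
    for cat in sorted({r["cat"] for r in rules}):
        for r in rules:
            if r["cat"] == cat and acl_matches(r["acl"], src, dst):
                return r["name"], r["mapped"]
    return None, src

def encrypt_match(rules, crypto_acl, src, dst):
    """NAT runs before the crypto map, so test the mapped packet against the crypto ACL."""
    _, mapped = translate(rules, src, dst)
    return mapped, acl_matches(crypto_acl, mapped, dst)

ANY = "0.0.0.0/0"
POLICY_ACL = [("192.168.31.40/32", "10.178.16.224/28"),
              ("192.168.31.40/32", "10.178.32.144/28")]
HOST_STATIC = {"cat": 1, "name": "static 99.99.99.99",
               "acl": [("192.168.31.40/32", ANY)], "mapped": "99.99.99.99"}
# 203.0.113.1 is a constructed placeholder for the outside interface address.
DYNAMIC_1 = {"cat": 3, "name": "nat 1 / global 1 interface",
             "acl": [(ANY, ANY)], "mapped": "203.0.113.1"}
# First configuration in the question: host static plus dynamic policy NAT id 12.
ORIGINAL = [HOST_STATIC,
            {"cat": 2, "name": "nat 12 / global 12", "acl": POLICY_ACL, "mapped": "172.28.0.201"},
            DYNAMIC_1]
# Later configuration: the policy translation is a static, listed ahead of the host static.
REVISED = [{"cat": 1, "name": "static policy 172.28.0.201", "acl": POLICY_ACL, "mapped": "172.28.0.201"},
           HOST_STATIC, DYNAMIC_1]
# Crypto ACL 136 from the thread, the two 172.28.0.201 lines.
CRYPTO_136 = [("172.28.0.201/32", "10.178.16.224/28"), ("172.28.0.201/32", "10.178.32.144/28")]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("revised", REVISED)):
        rule, mapped = translate(rules, "192.168.31.40", "10.178.32.150")
        ok = encrypt_match(rules, CRYPTO_136, "192.168.31.40", "10.178.32.150")[1]
        print(f"{label}: {rule} maps source to {mapped}; matches crypto ACL 136: {ok}")
```

With the revised rules the translated packet does fall inside the crypto ACL 136 lines shown, so the encrypt-phase drop in the packet trace is not explained by those lines alone.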
Expert Comment

by:max_the_king
Hi,
since you have natted 192.168.31.40 to 172.28.0.201, you need to have an access-list on the way back for the packets: assuming you have an access-list on outside interface named "acc_list_out", you need to add:

access-list acc_list_out permit ip host 10.178.32.150 host 192.168.31.40

the above will allow communication between 192.168.31.40 and 10.178.32.150.

Should you want to extend to other ip, you need to add / modify the access-list.

hope this helps
max