Inbound and outbound traffic at the same interface

Unanswered Question
Nov 24th, 2008

Hello,

I pass default traffic from the inside to the outside interface. I also have to pass inside traffic back to the inside interface to get to some servers. I have configured a default route to outside and a route to these servers' subnet to inside.

route outside 0.0.0.0 0.0.0.0 --.74.49 1

route inside --.89.192 255.255.255.192 10.0.0.1 1

I have also configured

same-security-traffic permit intra-interface

clear xlate

But ICMP traffic does not pass through, and I can ping the server from the firewall.

Did I forget any command?

Farrukh Haroon Mon, 11/24/2008 - 05:45

Can you give more details about the problem/topology... your question is not clear (at least to me).


Regards


Farrukh

elecorbalan Mon, 11/24/2008 - 06:39

Yes, of course.

I have the inside ASA interface 10.0.0.22 as the default gateway for the LAN PCs.

But these PCs need access to a server on a DMZ not configured in the ASA. The address of this DMZ is --.89.192 255.255.255.192

This DMZ is reached through the ASA inside interface.

To ping a DMZ server from a PC 10.0.0.114, the packet must arrive at the ASA inside interface, check a static route, and then get out from the same inside interface.

I can ping from ASA to a DMZ server, but I cannot ping from a PC to a server.

The config I have is:

interface Ethernet0/0

nameif outside

security-level 0

ip address --.74.50 255.255.255.252

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.0.0.22 255.255.255.0

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any --.74.48 255.255.255.252 echo-reply

access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_1 any eq domain

access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any object-group DM_INLINE_TCP_1

access-list inside_access_in extended permit icmp any any echo

access-list inside_access_in extended permit icmp any any echo-reply

access-list inside_access_in extended deny ip any any

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit any echo inside

global (outside) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 --.74.49 1

route inside --.89.192 255.255.255.192 10.0.0.1 1

priority-queue outside

tx-ring-limit 256

priority-queue inside

tx-ring-limit 256

class-map TunelVPNmap

match tunnel-group TunelVPN

policy-map TunelVPNpol

class TunelVPNmap

priority

service-policy TunelVPNpol interface outside

service-policy TunelVPNpol interface inside

srue Mon, 11/24/2008 - 12:38

How is there a DMZ reachable on the inside interface of your ASA?

Is there an internal router/L3 switch on your LAN?

Farrukh Haroon Tue, 11/25/2008 - 00:27

Exclude this inside >> dmz traffic from NAT using nat exemption or add the following:


global (inside) 101 interface


NAT exemption:


nat (inside) 0 access-list NONAT

access-list NONAT permit ip

Regards


Farrukh




elecorbalan Tue, 11/25/2008 - 02:28

I still have the problem after doing clear xlate after modifying NAT.

I have opened NONAT for:


access-list inside_nat0_outbound_2 extended permit ip 10.0.0.0 255.255.255.0 --.89.192 255.255.255.192

access-list inside_nat0_outbound_4 extended permit ip 10.0.0.0 255.255.255.0 --.89.192 255.255.255.192

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound_2

nat (inside) 0 access-list inside_nat0_outbound_4 outside

nat (inside) 101 0.0.0.0 0.0.0.0


But when I send a telnet to a server --.89.203

In the ASDM logs I see the message:


%ASA-3-305005: No translation group found for protocol src interface_name:10.0.0.114/1710 dst interface_name: --.89.203/23

Farrukh Haroon Tue, 11/25/2008 - 02:57

Remove this line and it should be OK


nat (inside) 0 access-list inside_nat0_outbound_4 outside


If it does not work... post the logs... and please don't change the 'interface_name' in the log. Post the correct one.


Regards


Farrukh

elecorbalan Tue, 11/25/2008 - 03:16

It doesn't work. And I have passed the command

The logs are

3|Nov 25 2008|12:12:08|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23

3|Nov 25 2008|12:12:02|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23

3|Nov 25 2008|12:11:59|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23

4|Nov 25 2008|12:11:59|106100|10.0.0.114|1876|62.97.89.203|23|access-list inside_access_in permitted tcp inside/10.0.0.114(1876) -> inside/--.89.203(23) hit-cnt 1 first hit [0xd26734b7, 0x0]


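The two message types in the log above (305005 "No translation group found" and the 106100 access-list hit) are exactly the pair a defender wants to correlate: the ACL permitted the flow, but NAT had no rule or global for the interface pair. The following is an added example for this thread, not code from any of the posts; it parses both message texts (the same text appears in the syslog form and in the last field of the ASDM export) and reports hairpin flows, meaning flows whose source and destination interface are the same, that failed NAT. The sample log lines are constructed after the format pasted above.

```python
"""Flag hairpin (same-interface) flows that the ASA dropped for lack of a NAT
translation, using the %ASA-3-305005 and %ASA-4-106100 message texts.

Added example for this thread, not code from the original posts.  The sample
log lines below are constructed after the format pasted in the thread.
"""
import re

# Message text of 305005; identical in the syslog form and in the last
# pipe-delimited field of an ASDM log export.
NAT_FAIL = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# Message text of 106100 (access-list log hits).
ACL_LOG = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>[\w-]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[\w-]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
)


def parse_line(line):
    """Return a dict for a 305005 or 106100 line, or None for anything else."""
    m = NAT_FAIL.search(line)
    if m:
        return {"kind": "nat_fail", **m.groupdict()}
    m = ACL_LOG.search(line)
    if m:
        return {"kind": "acl_" + m.group("action"), **m.groupdict()}
    return None


def flow_key(ev):
    """5-tuple used to match an ACL log entry with a NAT failure."""
    return (ev["proto"], ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"])


def hairpin_nat_failures(lines):
    """Group 305005 events whose ingress and egress interface are the same.

    Result maps a flow 5-tuple to {"interface", "count", "acl_permitted"};
    acl_permitted is True when a 106100 'permitted' line exists for the same
    flow, i.e. the ACL let it in but NAT had nothing for that interface pair.
    """
    permitted = set()
    failures = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = flow_key(ev)
        if ev["kind"] == "acl_permitted":
            permitted.add(key)
        elif ev["kind"] == "nat_fail" and ev["src_if"] == ev["dst_if"]:
            entry = failures.setdefault(key, {"interface": ev["src_if"], "count": 0})
            entry["count"] += 1
    # Exports are often newest-first, so resolve ACL hits after the whole pass.
    for key, entry in failures.items():
        entry["acl_permitted"] = key in permitted
    return failures


# Constructed sample in the thread's ASDM export format (severity|date|time|msgid|...).
SAMPLE_LOG = [
    "3|Nov 25 2008|12:12:08|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23",
    "3|Nov 25 2008|12:12:02|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23",
    "3|Nov 25 2008|12:11:59|305005|62.97.89.203|23|||No translation group found for tcp src inside:10.0.0.114/1876 dst inside:62.97.89.203/23",
    "4|Nov 25 2008|12:11:59|106100|10.0.0.114|1876|62.97.89.203|23|access-list inside_access_in permitted tcp inside/10.0.0.114(1876) -> inside/62.97.89.203(23) hit-cnt 1 first hit [0xd26734b7, 0x0]",
    # Syslog-form line for an inside->outside flow (constructed): not a hairpin, so not reported.
    "%ASA-3-305005: No translation group found for udp src inside:10.0.0.50/4000 dst outside:198.51.100.9/53",
]

if __name__ == "__main__":
    for key, entry in hairpin_nat_failures(SAMPLE_LOG).items():
        print(key, entry)
```

Run against a real export, a flow that shows up with acl_permitted set and a count climbing on the same interface is the signature of this thread's problem: routing and the ACL are fine, and the fix belongs in the NAT configuration for that interface.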
Farrukh Haroon Tue, 11/25/2008 - 03:37

Make sure the source/destination IPs in your NONAT acl are correct.


Secondly please clear connections and xlates on the firewall:


clear local-host

clear xlate


Regards


Farrukh

elecorbalan Tue, 11/25/2008 - 03:58

It is correct, and I have done clear xlate and clear local-host and no nat-control.

But it still doesn't work.

Farrukh Haroon Tue, 11/25/2008 - 04:20

Ok then paste the output of the following command:


packet-tracer input inside tcp 10.0.0.114 1876 62.97.89.203 23 detailed


Regards


Farrukh

elecorbalan Tue, 11/25/2008 - 04:24


Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd5a654e0, priority=12, domain=capture, deny=false

hits=1080441, user_data=0xd4516260, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000


Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd566de58, priority=1, domain=permit, deny=false

hits=522895, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow


Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 62.97.89.192 255.255.255.192 inside


Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 62.97.89.192 255.255.255.192 log warnings

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd58b39d0, priority=12, domain=permit, deny=false

hits=45, user_data=0xd5c89428, cs_id=0x0, flags=0x0, protocol=0

src ip=10.0.0.0, mask=255.255.255.0, port=0

dst ip=62.97.89.192, mask=255.255.255.192, port=0, dscp=0x0


Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd5670928, priority=0, domain=permit-ip-option, deny=true

hits=10549, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


elecorbalan Tue, 11/25/2008 - 04:24


Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

match ip inside 10.0.0.0 255.255.255.0 inside 62.97.89.192 255.255.255.192

NAT exempt

translate_hits = 57, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd56ac6c8, priority=6, domain=nat-exempt, deny=false

hits=56, user_data=0xd5a93390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip=10.0.0.0, mask=255.255.255.0, port=0

dst ip=62.97.89.192, mask=255.255.255.192, port=0, dscp=0x0


Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 101 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd45d1b80, priority=1, domain=nat, deny=false

hits=257, user_data=0xd45d1ae0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 101 (62.97.74.50 [Interface PAT])

translate_hits = 853, untranslate_hits = 38

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd45d17c8, priority=1, domain=host, deny=false

hits=16941, user_data=0xd55170d0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 10

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 101 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd56ab510, priority=1, domain=nat-reverse, deny=false

hits=117, user_data=0xd45d1ae0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

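The packet-tracer output above is long, and the useful part is the single phase that returned DROP together with the rule it matched. The following is an added example for this thread, not code from the original posts: a parser for the Phase/Type/Subtype/Result layout of "packet-tracer ... detailed" that returns the phases, the trailing Result block, and a one-line diagnosis. SAMPLE is an abridged copy of the output pasted above (phases 7 and 10 and the Result block), constructed for the example; the function names are my own.

```python
"""Parse 'packet-tracer ... detailed' output into phases and report the first
DROP phase and the final verdict.

Added example for this thread, not code from the original posts.  SAMPLE is an
abridged, constructed copy of the output pasted above (phases 7 and 10 plus the
Result block); the parser is generic to the Phase/Type/Subtype/Result layout.
"""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
HEADER_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")


def parse_packet_tracer(text):
    """Return (phases, summary).  Each phase is a dict with type, subtype,
    result, config lines and additional-information lines; summary holds the
    key/value pairs of the trailing 'Result:' block (Action, Drop-reason, ...)."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = "header"
            continue
        if line == "Result:":            # bare 'Result:' starts the summary block
            current, section = None, "summary"
            continue
        if current is not None and line == "Config:":
            section = "config"
            continue
        if current is not None and line == "Additional Information:":
            section = "info"
            continue
        if section == "header":
            m = HEADER_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
        elif section == "config":
            current["config"].append(line)
        elif section == "info":
            current["info"].append(line)
        elif section == "summary" and ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return phases, summary


def first_drop(phases):
    """The first phase whose Result is DROP, or None."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def explain(text):
    """One-line diagnosis: which phase dropped the packet and the rule it matched."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return "allowed: " + summary.get("Action", "?")
    rule = drop["config"][0] if drop["config"] else "(no config shown)"
    return (f"dropped at phase {drop['phase']} ({drop['type']}/{drop['subtype'] or '-'}) "
            f"on '{rule}'; {summary.get('Drop-reason', '')}")


# Constructed, abridged copy of the thread's packet-tracer output.
SAMPLE = """
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.0.0 255.255.255.0 inside 62.97.89.192 255.255.255.192
NAT exempt
translate_hits = 57, untranslate_hits = 0

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 101 (No matching global)
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd56ab510, priority=1, domain=nat-reverse, deny=false

Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(explain(SAMPLE))
```

On the thread's output this reports the drop at phase 10 (NAT/rpf-check) on "nat (inside) 101 0.0.0.0 0.0.0.0", which is the line the next two replies point at; the "(acl-drop)" wording in Drop-reason is generic and should not be read as an access-list problem when a NAT phase is the one that returned DROP.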
Farrukh Haroon Tue, 11/25/2008 - 04:29

Please add the global command I mentioned above.


global (inside) 101 interface

Regards


Farrukh

husycisco Wed, 12/10/2008 - 14:10

RPF check drops because you have the following line:


nat (inside) 101 0.0.0.0 0.0.0.0

Since you mention ANY!, the return traffic gets involved in the nat statement. Change it as follows:


no nat (inside) 101 0.0.0.0 0.0.0.0

nat (inside) 101 10.0.0.0 255.255.255.0



ajanowska1 Wed, 12/10/2008 - 13:09

Did you work out a solution? I am working on a similar scenario: my inbound traffic is on the same interface, but the subnets are not off the firewall; they are routed through the firewall, so the gateway is the same for both subnets.

Thanks

ajanowska1 Wed, 12/10/2008 - 14:11

Thanks,


We actually don't use NAT and have no nat-control, so I think I found a solution by the "same-security-traffic permit" command and reviewing the access list for that interface.


Anna

solpandor Fri, 12/12/2008 - 04:20

Hi husycisco,

I'm having a similar issue where I get the error "Flow is a loopback" although I have applied the same-security-traffic permit intra-interface command.


Here are the no-nat statements:

nat (inside) 0 access-list no-nat

access-list no-nat line 11 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat line 12 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

Here is the static route:

S 192.168.1.0 255.255.255.0 [1/0] via 172.16.1.1, inside (172.16.1.1 is ip of the ISA servers outside interface)


Please find attached the network diagram.


Regards




husycisco Fri, 12/12/2008 - 04:38

Hello Suleiman,

I am assuming you get this "flow is a loopback" error when you try to reach the webserver from 192.168.1.97 or vice versa. This issue is the same as the one I described in the above link. That's why you shouldn't use NAT exemption, assuming that your webserver's gateway is the ASA. Please post your entire NAT and global statements in the firewall, then let me advise accordingly.


But for security best practices, I highly recommend you move the webserver to another interface of the ASA, like a DMZ; if you don't have a physical interface for achieving this, create a virtual sub-interface.


Regards

solpandor Fri, 12/12/2008 - 04:48

Hi husayn,


Yes, it is when I try to access the webserver from my PC (192.168.1.97). As per the diagram, the 192.168 network is behind the ASA and the 172.16. is in the perimeter between the ASA and ISA. The default gateway for the webservers is the inside interface of the ASA, 172.16.1.254, but for traffic to pass between the webservers and the 192.168 N/W there is a static route on the webservers as follows:

192.168.1.0 255.255.255.0 via 172.16.1.1 (ISA server outside interface), which works at present but I want to move away from this.


Here are the nat statements and global:


global (outside) 1 81.144.x.x netmask 255.255.255.240


nat (inside) 0 access-list no-nat

nat (inside) 1 172.16.1.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0


access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0


S 0.0.0.0 0.0.0.0 [1/0] via 81.144.x.x, outside

S 192.168.1.0 255.255.255.0 [1/0] via 172.16.1.1, inside



Thanks

husycisco Fri, 12/12/2008 - 05:16

Suleiman,

What is the model of your ASA?

Do you have a free available physical interface and adequate license to run it?

Does your license support virtual interfaces?

Is there a switch connecting webserver+ASA inside interface and ISA?

Are there any other clients in between ASA and ISA other than webserver?

solpandor Fri, 12/12/2008 - 06:16

husayn,


It's an ASA5510.


No free interfaces available and no support for virtual interfaces.

Yes, there is a switch (3com).

No other clients between the ASA and ISA.


What are you suggesting I should do? Please bear in mind that we can't move from the physical setup.


Regards


husycisco Fri, 12/12/2008 - 06:38

Suleiman,

The simplest solution would be the following:


In the command prompt of the Webserver, enter the following command:


route add -p 192.168.1.0 mask 255.255.255.0 172.16.1.1


With the above command, the Webserver will still be protected from outside (internet) by the ASA, but traffic won't pass through the ASA when traffic is between the inside network and the Webserver. Thus, the ISA will be responsible for the security between the Webserver and the inside network, not the ASA. So I suggest creating an ACL in the ISA blocking any traffic initiated by the Webserver, but letting the return traffic of the 192.168.1.0/24 network pass statefully.


I think there is an alternative scruffy workaround which lets the ASA play in, but I suggest the one above; it is cleaner.


Regards

solpandor Fri, 12/12/2008 - 06:55

husayn

Thanks.


That's what I've already got in place at the moment, hence wanting to move away from that. Am I right in saying that if there were a router between the ASA and ISA this would be possible?


Regards


husycisco Fri, 12/12/2008 - 09:25

Suleiman,

As I previously mentioned, it is possible, but it is a scruffy workaround; I don't think it appears in the documentation. Here is what you have to do.



no access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.136

no access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0


access-list PNat permit ip host 172.16.1.136 192.168.1.0 255.255.255.0

static (inside,inside) 172.16.1.140 access-list PNat


Now inside hosts can connect to the webserver at the 172.16.1.140 IP address. If a host record exists in the DNS server for the webserver, change its IP address from 172.16.1.136 to 172.16.1.140.


Don't forget to remove the route you manually entered in the webserver.
