ASA NAT exempt, TCP sequence

Unanswered Question
Dec 29th, 2009

I bought a new ASA 5505 and am having a bit of a problem configuring it in the way I need it.


Basic diagram:


192.168.1.0 /27 --> ASA --> 3524 switch --> 3725 (router on a stick) --> 3524 --> 192.168.2.0 /27


I have a 192.168.1.0 /27 network that I'm attempting to permit access to 192.168.2.0 /27. I set up a NAT exemption, a static route through another router, and same-security-traffic inter and intra interface commands. With this in place, I can ping hosts in the 2.x network from both the ASA and hosts in the 1.x network. When attempting to do anything else, sessions time out. I pulled up Wireshark on one of the machines in the 1.0 network and am seeing an odd sequence of events with the TCP handshake. When attempting to ssh to the 2.0 network, the PC will send a SYN with TCP sequence number 0 and will receive a SYN/ACK from the 2.x host with sequence number 0. Wireshark gives an error about seeing an ack to a segment it hasn't yet sent. This will happen for four attempts and the connection will be aborted on the 1.x host. I had a similar setup with a PIX 501, but never had this problem. I've read a whole slew of documentation on setting up NAT exemptions, but the only option I can find about TCP sequencing is the norandomseq option on the nat (inside) 0 access-list <access-list> command. However, it won't allow you to issue this command on a nat 0. Is there anything else I can do? What would possibly be resetting the sequence number here?

Jon Marshall Tue, 12/29/2009 - 10:42
Keith


Could you post your ASA config.


Jon

Keith Wood Tue, 12/29/2009 - 11:00

ansalaza, I attempted to do a static translation like that and had the same results.


Jon, below is the config. It's still very primitive while this issue is resolved. One thing to note (as you'll see at the bottom): the static routes were removed and replaced with eigrp for the fun of it.


hostname ASA
names
name 192.168.2.0 servers
name 192.168.1.0 wired
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.224
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list internal_nat-bypass extended permit ip wired 255.255.255.224 servers 255.255.255.224
access-list internal_nat-bypass extended permit ip servers 255.255.255.224 wired 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list internal_nat-bypass
nat (inside) 1 wired 255.255.255.224
!
router eigrp 1
network wired 255.255.255.224
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http wired 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh wired 255.255.255.224 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 4.2.2.2
!
dhcpd address 192.168.1.20-192.168.1.26 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context


ASA(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is (omitted) to network 0.0.0.0

C    (omitted) 255.255.255.128 is directly connected, outside
C    wired 255.255.255.224 is directly connected, inside
D    servers 255.255.255.0 [90/30720] via 192.168.1.30, 75:09:25, inside
d*   0.0.0.0 0.0.0.0 [1/0] via (omitted), outside
ASA(config)#

ansalaza Tue, 12/29/2009 - 11:32

From the output of show route it seems like the traffic from 192.168.1.0/27 and 192.168.2.0/24 is originating from the Inside interface.


Please try collecting this information:

ASA(config)# capture inout type asp-drop

Show the capture information:

ASA(config)# sh capture inout
0 packet captured
0 packet shown

Clean the capture:

ASA(config)# clear capture inout
ASA(config)# sh capture inout
0 packet captured
0 packet shown
ASA(config)#

To remove the capture:

ASA(config)# no capture inout
ASA(config)#
ASA(config)# sh capture
ASA(config)#

ASA# show logging

ansalaza Tue, 12/29/2009 - 10:39

Do you get the same results using this type of NAT Exemption?



hostname(config)# static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.224


I've had a similar problem where the ASA fiddled with traffic between my two inside interfaces with same security level.

Despite even deleting all NAT settings and issuing "no nat-control", the ASA kept changing sequence numbers.


I did some further researching and stumbled upon http://cisco.biz/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml - ASA/PIX 7.x and Later: Mitigating the Network Attacks.


I used the "policy-map global_policy" and added "class global-class" with "set connection random-sequence-number disable" and "set connection advanced-options tcp-state-bypass".


Now my traffic passes through the ASA as expected. You might want to restrict that policy to just match the traffic that needs to be unchanged.
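The reply above recommends restricting the policy to only the traffic that must pass unchanged. As an added example (not from any post in this thread), here is one way to scope it on the 8.2(1) image shown in Keith's config, reusing his wired/servers names; the access-list and class-map names are my own, and the assumption is that replies from the 2.x side reach the 1.x hosts without crossing the ASA, which is what the "ack to a segment it hasn't yet sent" symptom suggests. Both settings remove protections (ISN randomization and stateful TCP checking) for whatever matches the class, so the match is deliberately limited to the two inside subnets rather than applied to all traffic.

```cisco
! Added example, not Keith's config: limit the bypass to the two inside subnets.
! The ACL below is a new one (name chosen here); it mirrors the two subnets that
! internal_nat-bypass already exempts from NAT.
access-list asym_inside_traffic extended permit ip wired 255.255.255.224 servers 255.255.255.224
access-list asym_inside_traffic extended permit ip servers 255.255.255.224 wired 255.255.255.224
!
! Class that matches only that ACL (class-map name chosen here).
class-map asym_inside_class
 match access-list asym_inside_traffic
!
! Add the class to the existing global_policy instead of class-default, so
! every other flow through the ASA keeps ISN randomization and full TCP state
! tracking.
policy-map global_policy
 class asym_inside_class
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
!
! global_policy is already applied globally in the posted config; repeated here
! so the fragment is complete on its own.
service-policy global_policy global
```

After applying it, `show service-policy global` lists the new class under global_policy so you can confirm only the intended traffic is hitting it.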
