NAT exemption not working

Unanswered Question
Mar 5th, 2010

Hello all,

I am trying to set up a NAT exemption between two DMZ-specific IPs on two ASAs, both with DMZ interfaces, but when I do Packet Tracer it fails on a dynamic NAT statement we have set up.

Here's the relevant config of one of the ASA's (the other is a mirror image):

interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.68.240 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.80.185.21 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.80.186.1 255.255.254.0

access-list dmz_in line 39 extended permit ip host 10.80.186.10 host 10.80.242.10
access-list nonat extended permit ip host 10.80.186.10 host 10.80.242.10
access-list dmz_nonat extended permit ip host 10.80.186.10 host 10.80.242.10

global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 interface
nat (outside) 1 access-list outside_nat_outbound outside
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nonat
nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,outside) 208.255.68.239 10.80.186.10 netmask 255.255.255.255

access-group dmz_in in interface dmz

route inside 10.0.0.0 255.0.0.0 10.80.185.1 1

Here's the outcome of Packet Tracer:
Type - NAT    Subtype - rpf-check    Action - DROP
Config
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any dmz any
dynamic translation to pool 1 (10.80.186.1 [Interface PAT])
translate_hits = 5627923, untranslate_hits = 1724

Thanks in advance for any assistance!

Guneet Gulati Fri, 03/05/2010 - 07:25

Hi Jeff,

The access-lists you configured for both nonat and dmz_nonat are incorrect, i.e. the source and destination IPs are reversed; modify them and it will work.

Also, for your help: avoid the complexity of nonat, as on ASA 7.0 and above you can use no nat-control to avoid needing nonat for traffic to and from the DMZs.

Regards,

Guneet Singh Gulati
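As an added illustration (not from the thread or from Cisco), here is a small Python model of the pre-8.3 NAT lookup order for the flow under discussion. It assumes a simplified reverse-path check that fails when an exempted forward flow's reply would land on a dynamic translation, and uses a routing table constructed from the posted config; it shows why the nonat ACL applied on inside must list 10.80.242.10 as the source.

```python
from ipaddress import ip_address, ip_network

# Constructed routes from the thread: 10.80.242.10 (remote DMZ host) is reached via
# the inside interface through "route inside 10.0.0.0 255.0.0.0 10.80.185.1 1".
ROUTES = {"inside": ["10.80.185.0/24", "10.0.0.0/8"], "dmz": ["10.80.186.0/23"]}

# nat 0 access-lists as pairs (source host, destination host). ORIGINAL is the first
# config in the thread; CORRECTED swaps source/destination in the inside nonat ACL.
ORIGINAL = {"acls": {"nonat": [("10.80.186.10", "10.80.242.10")],
                     "dmz_nonat": [("10.80.186.10", "10.80.242.10")]},
            "nat0": {"inside": "nonat", "dmz": "dmz_nonat"}}
CORRECTED = {"acls": {"nonat": [("10.80.242.10", "10.80.186.10")],
                      "dmz_nonat": [("10.80.186.10", "10.80.242.10")]},
             "nat0": {"inside": "nonat", "dmz": "dmz_nonat"}}

def egress_interface(dst):
    """Longest-prefix match over the constructed connected and static routes."""
    candidates = [(ip_network(n), ifc) for ifc, nets in ROUTES.items()
                  for n in nets if ip_address(dst) in ip_network(n)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]

def nat_lookup(cfg, ingress, src, dst):
    """Simplified pre-8.3 lookup: the 'nat (ingress) 0 access-list' exemption is
    checked first; anything else falls to the catch-all 'nat (ingress) 1 0.0.0.0 0.0.0.0'."""
    acl_name = cfg["nat0"].get(ingress)
    if acl_name and (src, dst) in cfg["acls"][acl_name]:
        return "exempt"
    return "dynamic"

def packet_tracer(cfg, ingress, src, dst):
    """Forward lookup plus a simplified reverse-path check (assumption: the check
    fails when the exempted forward flow's reply would hit a dynamic translation)."""
    forward = nat_lookup(cfg, ingress, src, dst)
    reply_ingress = egress_interface(dst)          # reply enters where the packet left
    reverse = nat_lookup(cfg, reply_ingress, dst, src)
    if forward == "exempt" and reverse != "exempt":
        return "DROP (NAT rpf-check on %s)" % reply_ingress
    return "ALLOW"

if __name__ == "__main__":
    flow = ("dmz", "10.80.186.10", "10.80.242.10")   # local DMZ host -> remote DMZ host
    print("original :", packet_tracer(ORIGINAL, *flow))
    print("corrected:", packet_tracer(CORRECTED, *flow))
```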

JEFF SPRADLING Fri, 03/05/2010 - 10:15

Guneet,

Thanks very much for your reply, but I am confused by your answer.  Is the ACL format not - access-list name extended permit ip source destination?  Wouldn't the source be the IP of the device connected to that ASA?

Just in case, I did try your suggestions and the packet trace completely dies before getting started (see below, if you can read it).  Also, no nat-control is set up on both firewalls.  I really believe my issue is in the dynamic NAT which is applied on all three interfaces.

Thanks again for any suggestions.  I'm new to ASA and I've inherited what looks to be a mess.

Guneet Gulati Fri, 03/05/2010 - 10:55

Hi

If you have no nat-control already present, please remove the following commands, and it will work for you.

global (inside) 1 interface
global (dmz) 1 interface

nat (inside) 0 access-list nonat

nat (dmz) 1 0.0.0.0 0.0.0.0

I think this would be the easy way for you now, as the config seems to be a bit messed up.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

As far as my previous mail goes:

The config you created for nonat was

access-list nonat extended permit ip host 10.80.186.10 host 10.80.242.10

nat (inside) 0 access-list nonat

Since it is applied on the inside interface it will not work, because the inside source should be in subnet 10.80.185.XXX/24. Also, the IP address 10.80.242.10 is not in a connected subnet, so I think this information is either missing or not correct.

The same point about IP address 10.80.242.10 holds true for the ACL below as well:
access-list dmz_nonat extended permit ip host 10.80.186.10 host 10.80.242.10

The basic question is: does the firewall know where to route IP 10.80.242.10? This seems to be a routing issue, if the config you sent is complete.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

It would be good if you could give a small network diagram with what you want to achieve; I can give you a sample config for the same. You can also PM me at [email protected] for any further help.

Thanks and Regards,

Guneet Singh Gulati

JEFF SPRADLING Fri, 03/05/2010 - 13:26

Thanks much, Guneet.  I will forward you a diagram and a scrubbed config so you can see the whole picture.

JEFF SPRADLING Mon, 03/08/2010 - 10:14

I was unable to send you email to the address you provided, so I'm posting it here.

Here's the relevant config:

interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.68.240 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.80.185.21 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.80.186.1 255.255.254.0
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
description STATE Failover Interface

same-security-traffic permit inter-interface
access-list dmz_in extended permit ip host 10.80.186.10 any
access-list dmz_in extended permit icmp any any

access-list DMZOutside extended permit icmp any any

access-list nonat extended permit ip host 10.80.242.10 host 10.80.186.10

!
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 interface
nat (outside) 1 access-list outside_nat_outbound outside
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nonat
nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,inside) 10.80.186.10 10.80.186.10 netmask 255.255.255.255

access-group dmz_in in interface dmz
route inside 10.0.0.0 255.0.0.0 10.80.185.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout uauth 0:05:00 absolute

!
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match any
!
!
policy-map global_policy
class inspection_default
  inspect pptp
  inspect ftp
class http-map1
  set connection advanced-options mss-map
class class-default
!
service-policy global_policy global

The communication should take place over the inside network.  I appreciate any feedback!
