VPN can access certain interfaces without NAT rules. What is causing this?

Unanswered Question
Apr 2nd, 2010

First let me say that I am very new to Cisco ASA administration. I've always used DD-WRT based Linksys routers for networking, so this stuff is very new to me.

I have many questions concerning ASA. Mainly these questions revolve around NAT rules, ACL (ACL Manager), Standard ACL, and Access Rules.

I'm pretty sure I understand the Access Rules fairly well. I configured my VLANs in this order of security (highest to lowest): Inside, DMZ, WIFI, Outside. I intentionally configured them this way so that users of the wifi ONLY have access to the internet. I simply added a Dynamic NAT rule to permit NATing with the internet (outside). Wifi works.

I did not do the initial configuration of this ASA and I would like to figure out why traffic is allowed from "Point A" to "Point B". I'm trying to understand the traffic flow. So really I want to first start by asking why traffic is allowed from VPN (192.168.10.0/24) to DMZ (192.168.100.0/24) without any NAT rules. I have to add a NAT rule to allow VPN -> Wifi and VPN -> Inside. But for some reason, VPN -> DMZ works without any NAT configuration...

Also, when would one use a Nat Exempt rule over a NAT Static rule? What are the differences between them?

The initial configuration included a static rule:

static (inside,dmz) 192.168.100.0 192.168.0.0 netmask 255.255.255.0

This allowed inside <-> DMZ. So logically I assumed that another static rule would allow inside <-> Wifi. This did not work. I used this command:

static (inside,wifi) 192.168.2.0 192.168.0.0 netmask 255.255.255.0

So then I tried a NAT Exempt rule, and I was able to gain access to 192.168.2.0 from inside.

Here is my configuration:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname CoreFW
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.0 vpn-network
name 192.168.100.0 dmz-network
name 192.168.0.0 inside-network
name 66.0.180.40 outside-network
name 192.168.2.0 wifi-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 90
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan4
 nameif wifi
 security-level 80
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 3
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list bcc_splitTunnelAcl standard permit inside-network 255.255.255.0
access-list bcc_splitTunnelAcl standard permit wifi-network 255.255.255.0
access-list bcc_splitTunnelAcl standard permit dmz-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 dmz-network 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu wifi 1500
ip local pool VPNPool01 192.168.10.10-192.168.10.100 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop reset
ip audit name Info attack action alarm
ip audit interface outside Attack
ip audit attack action alarm drop reset
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wifi) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map wifi_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wifi_map interface wifi
crypto isakmp enable outside
crypto isakmp enable wifi
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside-network 255.255.255.0 inside
telnet timeout 5
ssh inside-network 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 66.0.214.14 207.230.75.34
dhcpd lease 43200
dhcpd domain bcc.local
!
dhcpd address 192.168.0.101-192.168.0.199 inside
dhcpd enable inside
!
dhcpd address 192.168.2.101-192.168.2.199 wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy bcc internal
group-policy bcc attributes
 dns-server value 66.0.214.14 207.230.75.34
 vpn-tunnel-protocol IPSec svc
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value bcc_splitTunnelAcl
 default-domain value bcc.local
username sandy password hGIma.uniTOo2clx encrypted privilege 0
username sandy attributes
 vpn-group-policy bcc
 service-type remote-access
username admin password BWYVzIli.IEQNFZZ encrypted privilege 15
username chris password gTVs7SPJe.kfQ8G2 encrypted privilege 15
username jackie password eU4hdFAO+96mPOPTDfiuQQ== nt-encrypted privilege 0
username jackie attributes
 vpn-group-policy bcc
 service-type remote-access
username jabianm password KiOykgt6IbELsjHa encrypted privilege 15
tunnel-group bcc type remote-access
tunnel-group bcc general-attributes
 address-pool VPNPool01
 default-group-policy bcc
tunnel-group bcc ipsec-attributes
 pre-shared-key *
tunnel-group bcc ppp-attributes
 authentication ms-chap-v2
!
!
prompt hostname context
Cryptochecksum:ba71efadf29db6fb0c9b811bfb79f461
: end

Federico Coto F... Fri, 04/02/2010 - 16:06

Hi,

If there's no "nat-control" in your configuration, then traffic can flow between interfaces without NAT.

This is something relatively new to the ASAs as compared to the older PIXes.

When it comes to NAT, you can basically do four different configurations:

1. NAT0

2. STATIC NAT/PAT

3. Policy NAT

4. Regular NAT/PAT

In fact, the above is the order of NAT operation.

Hope it helps.

Federico.

Federico Coto F... Fri, 04/02/2010 - 16:14

NAT Exemption is NAT0.
STATIC NAT is different because the NAT exemption is only for outgoing traffic.
STATIC NAT is bidirectional.
This means that with NAT exemption, traffic can only be initiated from a higher-security interface. The traffic can be sent back only if there's a session established.

When using STATIC NAT, the traffic can initiate in either direction.

Federico.

rcmcdonald91 Fri, 04/02/2010 - 16:19

Now I'm really confused...

If I remove this line:

access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn-network 255.255.255.0

which also removes a NAT Exemption rule, I can no longer access the inside from the VPN... But from what you're saying, that NAT Exempt rule should be for outgoing traffic from Inside to VPN.

rcmcdonald91 Fri, 04/02/2010 - 16:15

"If there's no ''nat-control'' on your configuration, then traffic can flow between interfaces without NAT."

If I remove the NAT exempt rule, I can not access the DMZ from Inside. ??? Same with the NAT exempt rule for the Wifi. If I remove it, I can not access the wifi from Inside.

I really need a good explanation of the different NAT rules. Really the only one I understand is the Dynamic Rule. For the most basic "usable" configuration with just 2 interfaces (inside and outside), you would only need a Dynamic rule.

Federico Coto F... Fri, 04/02/2010 - 16:21

In order to access the DMZ from inside you need either regular NAT/PAT or STATIC:

nat (inside) 1 192.168.0.0 255.255.255.0
global (DMZ) 1 interface

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Basically,
When you need to communicate from an interface with a higher-security interface to a lower-security interface you can use regular NAT or STATIC.

When you need to communicate from an interface with a lower-security interface to a higher-security interface you need a STATIC NAT.

When nat-control is disabled, you can talk between interfaces (as long as there is an ACL allowing the traffic in case you need it).

Federico.

Federico Coto F... Fri, 04/02/2010 - 16:23

Just a difference in terminology.

NAT 0 with an access-list is called NAT Exemption.

NAT 0 with access-list is bidirectional.

NAT 0 alone, for example:

nat (inside) 0 192.168.0.0 255.255.255.0

Is only for outbound traffic. The above NAT 0 allows only outbound traffic.

Federico.

Federico Coto F... Fri, 04/02/2010 - 16:26

When you have nat-control enabled, you need to define a NAT rule in order to communicate between interfaces. This rule can actually translate the traffic or it can be an identity rule to bypass NAT. But there has to be a matching NAT rule for any traffic.

If you disable the nat-control, the above is false.

Federico.

rcmcdonald91 Fri, 04/02/2010 - 16:31

Concerning "best practices". What is recommended? Enable or Disable? and what is the command for doing so?

I still don't understand why traffic is allowed between VPN and DMZ, but I have to use a NAT:

access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn-network 255.255.255.0

to be able to access any inside ip from the VPN.

I can access the DMZ from the VPN without any NAT rules. But to access the Inside from VPN I have to use the above command. Which makes no sense.

It feels like that NAT rule is for traffic that is initiated from the inside and is going to the VPN, not the other way around.

Federico Coto F... Fri, 04/02/2010 - 16:34

Trying to be clear:

NAT 0 with access-list:

access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 dmz-network 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

The above NAT bypasses NAT for the traffic specified in the ACL.
This is called NAT Exemption.

NAT 0 alone:

nat (inside) 0 192.168.0.0 255.255.255.0

This is called NAT Identity and its purpose is to define a NAT rule to avoid NATing the traffic from the inside interface.
As I said, when you have NAT-CONTROL enabled, there should be a NAT rule for communication (even if you're NATing the traffic or NAT).

static (in,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

The above static is also bypassing NAT for the inside network, but it's bidirectional.
NAT 0 alone is only for outbound traffic.

Federico.

Federico Coto F... Fri, 04/02/2010 - 16:39

You say that you can access the DMZ from the VPN without any NAT rules.
This is because the command nat-control is not enabled (check this by doing a show run nat-control).

To access the inside from VPN you need the command:
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn-network 255.255.255.0

This is because you need to have a rule to bypass NAT, because you already have a NAT rule established for traffic flowing from the inside to the outside interface:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

If you remove the command, the VPN traffic will not work, because it will get NATed by the dynamic NAT rule.

Federico.

Federico Coto F... Fri, 04/02/2010 - 16:42

In other words, since there are no NAT rules for the DMZ interface, you can access it from any other interface because there is no nat-control.

Since there's a NAT rule already for inside traffic, you need a NAT0 with access-list rule to bypass NAT for the VPN traffic.

Federico.
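The lookup order Federico describes (NAT0 exemption, static, policy NAT, regular NAT/PAT) and the effect of nat-control can be worked through with a small model. The block below is an added example written for this thread, not code from the thread or from Cisco: the class AsaNatModel, the functions first_config and thread_scenarios, the verdict strings and the sample host addresses are all my own constructions. It assumes, as the replies do, that remote-access VPN clients enter the firewall on the outside interface with an address from VPNPool01, and it reduces the ASA to the rule types the poster's first configuration actually uses (nat0 with ACL, identity static, dynamic NAT with a global on outside); policy NAT, existing sessions and return traffic are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AsaNatModel:
    """Simplified model of the ASA 8.2 NAT checks described in this thread.
    Constructed for illustration (hypothetical; not Cisco code). It decides only
    whether a NEW connection from one interface to another is permitted untranslated,
    translated, or dropped; existing sessions and return traffic are not modelled."""
    nat_control: bool = False
    exemptions: list = field(default_factory=list)  # (iface, real_net, dest_net)
    statics: list = field(default_factory=list)     # (real_if, mapped_if, net)
    dynamic: dict = field(default_factory=dict)     # iface -> (nat_id, net)
    globals_: dict = field(default_factory=dict)    # iface -> nat_id

    def nat0_acl(self, iface, real, dest):
        """access-list X extended permit ip REAL DEST  +  nat (iface) 0 access-list X"""
        self.exemptions.append((iface, ipaddress.ip_network(real), ipaddress.ip_network(dest)))

    def static_identity(self, real_if, mapped_if, net):
        """static (real_if,mapped_if) NET NET netmask MASK  (mapped == real)"""
        self.statics.append((real_if, mapped_if, ipaddress.ip_network(net)))

    def nat(self, iface, nat_id, net):
        """nat (iface) ID NET MASK  (regular dynamic NAT/PAT)"""
        self.dynamic[iface] = (nat_id, ipaddress.ip_network(net))

    def global_(self, iface, nat_id):
        """global (iface) ID interface"""
        self.globals_[iface] = nat_id

    def check(self, src_if, src_ip, dst_if, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # 1. NAT0 with access-list (NAT exemption): bidirectional, evaluated first
        for iface, real, dest in self.exemptions:
            if (iface == src_if and src in real and dst in dest) or \
               (iface == dst_if and dst in real and src in dest):
                return "permit: nat0 exemption"
        # 2. static NAT: bidirectional
        for real_if, mapped_if, net in self.statics:
            if ((src_if, dst_if) == (real_if, mapped_if) and src in net) or \
               ((src_if, dst_if) == (mapped_if, real_if) and dst in net):
                return "permit: static"
        # 3. policy NAT: not present in this configuration, so not modelled
        # 4. regular NAT/PAT: one-way, from the nat interface toward a matching global
        rule = self.dynamic.get(src_if)
        if rule and src in rule[1]:
            if self.globals_.get(dst_if) == rule[0]:
                return "permit: dynamic NAT/PAT"
            # nat (iface) 1 matched but the egress interface has no global with that id
            return "drop: no translation group found"
        # a host covered only by a one-way dynamic rule has no xlate for inbound connections
        rule = self.dynamic.get(dst_if)
        if rule and dst in rule[1] and self.globals_.get(src_if) == rule[0]:
            return "drop: destination covered only by one-way dynamic NAT"
        if self.nat_control:
            return "drop: nat-control requires a NAT rule"
        return "permit: no NAT rule, nat-control disabled"


def first_config():
    """The NAT-related lines of the poster's first running-config."""
    asa = AsaNatModel(nat_control=False)          # no 'nat-control' line in the config
    asa.global_("outside", 1)                      # global (outside) 1 interface
    asa.nat("inside", 1, "0.0.0.0/0")              # nat (inside) 1 0.0.0.0 0.0.0.0
    asa.nat("wifi", 1, "0.0.0.0/0")                # nat (wifi) 1 0.0.0.0 0.0.0.0
    for dest in ("192.168.10.0/24", "192.168.2.0/24", "192.168.100.0/24"):
        asa.nat0_acl("inside", "192.168.0.0/24", dest)   # inside_nat0_outbound
    return asa


def thread_scenarios():
    asa = first_config()
    # Sample hosts (constructed). Remote-access VPN clients are assumed to arrive,
    # decrypted, on the outside interface with an address from VPNPool01.
    vpn, inside, dmz, wifi = "192.168.10.10", "192.168.0.50", "192.168.100.20", "192.168.2.30"
    r = {
        "vpn->dmz": asa.check("outside", vpn, "dmz", dmz),
        "vpn->inside": asa.check("outside", vpn, "inside", inside),
        "vpn->wifi": asa.check("outside", vpn, "wifi", wifi),
        "inside->dmz": asa.check("inside", inside, "dmz", dmz),
        "inside->outside": asa.check("inside", inside, "outside", "198.51.100.7"),
    }
    asa.exemptions.clear()                         # remove the nat0 ACL, as the poster tried
    r["vpn->inside, no nat0"] = asa.check("outside", vpn, "inside", inside)
    r["inside->dmz, no nat0"] = asa.check("inside", inside, "dmz", dmz)
    r["wifi->inside, no nat0"] = asa.check("wifi", wifi, "inside", inside)
    asa.nat_control = True                         # what enabling nat-control would change
    r["vpn->dmz, nat-control"] = asa.check("outside", vpn, "dmz", dmz)
    asa.nat_control = False
    asa.static_identity("inside", "wifi", "192.168.0.0/24")  # identity static, bidirectional
    r["wifi->inside, static"] = asa.check("wifi", wifi, "inside", inside)
    return r


if __name__ == "__main__":
    for flow, verdict in thread_scenarios().items():
        print(f"{flow:28s} {verdict}")
```

Running it reproduces the behaviour reported in the thread: VPN to DMZ passes because nothing on the dmz or outside interface has a NAT rule and nat-control is off; VPN to inside (and VPN to wifi) is dropped without a nat0 entry because the inside and wifi networks are already covered by the one-way dynamic rule toward outside; inside to DMZ is dropped without nat0 because "nat (inside) 1" matches but the dmz interface has no global; and an identity static makes inside and wifi reachable in both directions.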

Federico Coto F... Fri, 04/02/2010 - 16:53

Best practices?

It depends on what you want...

Do you want to HAVE to need a NAT rule for communication between any interface?

Do you want to allow communication between interfaces without NAT?

Security? Manageability?

Federico.

rcmcdonald91 Fri, 04/02/2010 - 19:21

Actually yea, I would like that. But at this point it doesn't really matter anyway. Because all my interfaces (except outside) are using a dynamic NAT/PAT. Which forces you to add other NAT rules for internal communication, otherwise all traffic gets PATed/NATed through Outside.

I still would appreciate knowing why a static rule does not work between inside <-> wifi. If I enable this rule I get a Land Attack when I view the logs. But if I enable the same rule, just with the DMZ interface/IPs, it works perfectly. Why doesn't a static rule work in this case?

Also, is my configuration "ok"? Is there anything that could potentially cause problems in the future? Is it the best way of doing this?

I need all of these conditions met:

Inside -> Outside nat (inside) 1 0.0.0.0 0.0.0.0

Wifi -> Outside nat (wifi) 1 0.0.0.0 0.0.0.0

DMZ -> Outside nat (dmz) 1 0.0.0.0 0.0.0.0

Inside -> wifi (for administration of access point, but wifi users should not be able to access network resources on Inside)

Inside -> DMZ (for administration of security cameras, but should not be able to access network resources on Inside)

VPN01 -> Inside (access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn01-network 255.255.255.0)

VPN01 -> DMZ (access-list dmz_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn01-network 255.255.255.0)

Here is my new config

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname CoreFW
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.0 dmz-network
name 192.168.0.0 inside-network
name 66.0.180.40 outside-network
name 192.168.2.0 wifi-network
name 192.168.10.0 vpn01-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.0.180.42 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 90
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan4
 nameif wifi
 security-level 80
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 3
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list bcc_splitTunnelAcl standard permit inside-network 255.255.255.0
access-list bcc_splitTunnelAcl standard permit wifi-network 255.255.255.0
access-list bcc_splitTunnelAcl standard permit dmz-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn01-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 dmz-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0
access-list dmz_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn01-network 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu wifi 1500
ip local pool VPNPool01 192.168.10.10-192.168.10.100 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop reset
ip audit name Info attack action alarm
ip audit interface outside Attack
ip audit attack action alarm drop reset
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (wifi) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 66.0.180.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map wifi_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wifi_map interface wifi
crypto isakmp enable outside
crypto isakmp enable wifi
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside-network 255.255.255.0 inside
telnet timeout 5
ssh inside-network 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 66.0.214.14 207.230.75.34
dhcpd lease 43200
dhcpd domain bcc.local
!
dhcpd address 192.168.0.101-192.168.0.199 inside
dhcpd enable inside
!
dhcpd address 192.168.2.101-192.168.2.199 wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy bcc internal
group-policy bcc attributes
 dns-server value 66.0.214.14 207.230.75.34
 vpn-tunnel-protocol IPSec svc
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value bcc_splitTunnelAcl
 default-domain value bcc.local
username sandy password hGIma.uniTOo2clx encrypted privilege 0
username sandy attributes
 vpn-group-policy bcc
 service-type remote-access
username admin password BWYVzIli.IEQNFZZ encrypted privilege 15
username chris password gTVs7SPJe.kfQ8G2 encrypted privilege 15
username jackie password eU4hdFAO+96mPOPTDfiuQQ== nt-encrypted privilege 0
username jackie attributes
 vpn-group-policy bcc
 service-type remote-access
username jabianm password KiOykgt6IbELsjHa encrypted privilege 15
tunnel-group bcc type remote-access
tunnel-group bcc general-attributes
 address-pool VPNPool01
 default-group-policy bcc
tunnel-group bcc ipsec-attributes
 pre-shared-key *
tunnel-group bcc ppp-attributes
 authentication ms-chap-v2
!
!
prompt hostname context
Cryptochecksum:68a687dfc2373877d65c51c87b3e260e
: end

Jennifer Halim Fri, 04/02/2010 - 21:04

Static statement between inside and wifi interfaces should be as follows:

static (inside,wifi) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

The statement is for bidirectional traffic, so you do not need to configure another static statement for static (wifi,inside).

Hope that helps.
