Trying to get my IDS to talk to my server through the ASA

Unanswered Question
Aug 27th, 2010
User Badges:

Can someone take a look at my asa config?


I'm trying to get my IDS box to talk to my syslog server through the asa


IDS box is off the DMZ interface with IP 10.231.30.254 - it initiates a connection to my syslog server off MPLS interface with ip 10.24.0.46


it talks udp 514 (syslog) - one way, the server doesn't talk back


i have an acl on the DMZ interface to allow it, i also have identity  nat from DMZ to MPLS.

should the config work if it's initiated from DMZ to MPLS?

is that NAT correct? And would return traffic get back if it needed to, since it's a /24 static nat and not a /32?

i think the dmz acl isn't need since it's higher to lower correct? But since it's there it would still get processed correct?


i did a packet tracer and it allowed


/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

XXX-FW1-2-254# packet-tracer input DMZ udp 10.231.30.254 3000 10.24.0.46 syslog detail

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc8952040, priority=12, domain=capture, deny=false

        hits=4967, user_data=0xc9326ab8, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc8818ca8, priority=1, domain=permit, deny=false

        hits=5540888, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.0.0        255.0.0.0       MPLS

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group acl_DMZ_in in interface DMZ

access-list acl_DMZ_in extended permit udp host 10.231.30.254 host 10.24.0.46 eq syslog

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc8a6f628, priority=12, domain=permit, deny=false

        hits=3, user_data=0xc8a6f5e8, cs_id=0x0, flags=0x0, protocol=17

        src ip=10.231.30.254, mask=255.255.255.255, port=0

        dst ip=10.24.0.46, mask=255.255.255.255, port=514

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc881c100, priority=0, domain=permit-ip-option, deny=true

        hits=1417, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc950fa80, priority=12, domain=capture, deny=false

        hits=721, user_data=0xc9326ab8, cs_id=0xc96e75e0, reverse, flags=0x0, protocol=0

        src ip=10.231.30.254, mask=255.255.255.255, port=0

        dst ip=10.24.0.46, mask=255.255.255.255, port=0

Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

static (DMZ,MPLS) 10.231.30.0 10.231.30.0 netmask 255.255.255.0

  match ip DMZ 10.231.30.0 255.255.255.0 MPLS any

    static translation to 10.231.30.0

    translate_hits = 6, untranslate_hits = 1411

Additional Information:

Static translate 10.231.30.0/0 to 10.231.30.0/0 using netmask 255.255.255.0

Forward Flow based lookup yields rule:

in  id=0xc953f918, priority=5, domain=nat, deny=false

        hits=5, user_data=0xc8957670, cs_id=0x0, flags=0x0, protocol=0

        src ip=10.231.30.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (DMZ,MPLS) 10.231.30.0 10.231.30.0 netmask 255.255.255.0

  match ip DMZ 10.231.30.0 255.255.255.0 MPLS any

    static translation to 10.231.30.0

    translate_hits = 6, untranslate_hits = 1411

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc87daad0, priority=5, domain=host, deny=false

        hits=2776, user_data=0xc8957670, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=10.231.30.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xc87ee108, priority=0, domain=permit-ip-option, deny=true

        hits=170122184, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 11

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

out id=0xca79d8e8, priority=12, domain=capture, deny=false

        hits=0, user_data=0xc9326ab8, cs_id=0xc96e75e0, reverse, flags=0x0, protocol=0

        src ip=10.24.0.46, mask=255.255.255.255, port=0

        dst ip=10.231.30.254, mask=255.255.255.255, port=0

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 288342322, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

             

Module information for reverse flow ...

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Phase: 13

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 172.16.3.14 using egress ifc MPLS

adjacency Active

next-hop mac address 0017.5acc.cbcd hits 2710501

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: MPLS

output-status: up

output-line-status: up

Action: allow


Thanks!!


bryan

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Thompso7540_2 Fri, 08/27/2010 - 06:15
User Badges:

also i see a connection open - but it has no flags....weird


UDP out 10.24.0.46:514 in 10.231.30.254:514 idle 0:02:41 flags -

praprama Fri, 08/27/2010 - 07:55
User Badges:
  • Cisco Employee,

Hi Bryan,


You do not see flags as the connection is a UDP connection which is stateless. Also, looking at your packet tracer and the configuration, everything seems alright?


Are you not seeing logs on the syslog server? If not, please apply captures on the DMZ and MPLS interface between the IDS and the SYSLOGS server's IP address and vice versa. We can see what's going on then and if any packets are being dropped by the ASA.


Regards,

Prapanch

Thompso7540_2 Fri, 08/27/2010 - 08:07
User Badges:

hey Prapanch,

    Good catch on the udp. I did perform a capture on teh dmz interface and i can see the ids sending data


iPX-FW1-2-254# show capture
capture ids_test type raw-data access-list ids trace interface DMZ [Capturing - 72957 bytes]


AiPX-FW1-2-254# show access-list ids
access-list ids; 2 elements
access-list ids line 1 extended permit ip host 10.231.30.254 host 10.24.0.46 (hitcnt=344) 0xa7239793
access-list ids line 2 extended permit ip host 10.24.0.46 host 10.231.30.254 (hitcnt=0) 0xba1b07b3


i also performed the same on the MPLS interface and got some data - can you tell me what the UDP numbers at the end of the packets mean? Are they just sequence numbers?



AiPX-FW1-2-254# show capture

capture ids_test type raw-data access-list ids trace interface MPLS


AiPX-FW1-2-254# show capture ids_test decode
72 packets captured
   1: 08:43:49.028593 10.231.30.254.514 > 10.24.0.46.514:  udp 180
   2: 08:45:02.592117 10.231.30.254.514 > 10.24.0.46.514:  udp 35
   3: 08:45:02.592132 10.231.30.254.514 > 10.24.0.46.514:  udp 56
   4: 08:45:02.593734 10.231.30.254.514 > 10.24.0.46.514:  udp 55
   5: 08:45:02.600463 10.231.30.254.514 > 10.24.0.46.514:  udp 79
   6: 08:45:02.602568 10.231.30.254.514 > 10.24.0.46.514:  udp 70
   7: 08:45:02.612715 10.231.30.254.514 > 10.24.0.46.514:  udp 81
   8: 08:45:02.617170 10.231.30.254.514 > 10.24.0.46.514:  udp 72
   9: 08:49:59.341824 10.231.30.254.514 > 10.24.0.46.514:  udp 180
  10: 08:50:02.381968 10.231.30.254.514 > 10.24.0.46.514:  udp 181
  11: 08:50:02.662166 10.231.30.254.514 > 10.24.0.46.514:  udp 56
  12: 08:50:02.668239 10.231.30.254.514 > 10.24.0.46.514:  udp 55
  13: 08:50:02.669444 10.231.30.254.514 > 10.24.0.46.514:  udp 51
  14: 08:50:02.670741 10.231.30.254.514 > 10.24.0.46.514:  udp 70
  15: 08:50:02.672847 10.231.30.254.514 > 10.24.0.46.514:  udp 79
  16: 08:50:02.684718 10.231.30.254.514 > 10.24.0.46.514:  udp 81
  17: 08:50:02.686121 10.231.30.254.514 > 10.24.0.46.514:  udp 72
  18: 08:50:08.396723 10.231.30.254.514 > 10.24.0.46.514:  udp 181
  19: 08:55:01.727119 10.231.30.254.514 > 10.24.0.46.514:  udp 55
  20: 08:55:01.728752 10.231.30.254.514 > 10.24.0.46.514:  udp 56
  21: 08:55:01.737175 10.231.30.254.514 > 10.24.0.46.514:  udp 70
  22: 08:55:01.738044 10.231.30.254.514 > 10.24.0.46.514:  udp 79
  23: 08:55:01.747992 10.231.30.254.514 > 10.24.0.46.514:  udp 81
  24: 08:55:01.751792 10.231.30.254.514 > 10.24.0.46.514:  udp 72
  25: 08:59:27.413735 10.231.30.254.514 > 10.24.0.46.514:  udp 180
  26: 09:00:01.793141 10.231.30.254.514 > 10.24.0.46.514:  udp 56
  27: 09:00:01.821887 10.231.30.254.514 > 10.24.0.46.514:  udp 51
  28: 09:00:01.823062 10.231.30.254.514 > 10.24.0.46.514:  udp 55
  29: 09:00:01.824267 10.231.30.254.514 > 10.24.0.46.514:  udp 70
  30: 09:00:01.824862 10.231.30.254.514 > 10.24.0.46.514:  udp 79
  31: 09:00:01.825488 10.231.30.254.514 > 10.24.0.46.514:  udp 81
  32: 09:00:01.826892 10.231.30.254.514 > 10.24.0.46.514:  udp 72
  33: 09:01:01.829043 10.231.30.254.514 > 10.24.0.46.514:  udp 58
  34: 09:05:01.864869 10.231.30.254.514 > 10.24.0.46.514:  udp 55


also - is teh below nat going to work for traffic to go from dmz to mpls? does it matter that it's a /24?


static (DMZ,MPLS) 10.231.30.0 10.231.30.0 netmask 255.255.255.0

praprama Fri, 08/27/2010 - 08:33
User Badges:
  • Cisco Employee,

Hey,


If i am not mistaken, they are actually sizes of each of the UDP packets in "bytes". Try gettting the captures from the ASA in a .pcap format and open it using wireshark to confirm the same. They can not be sequence numbers as first UDP is connectionless and second we don't see any particular sequence being followed.


Regarding the captures, it will be helpfule if you apply separate captures on the DMZ and the MPLS interfaces (each capture should have a different name). then we can see separate captures on the DMZ and the MPLS interfaces and compare those much better. But looking at the capture output attached, does not look like anything wrong that the ASA is doing.


> also - is teh below nat going to work for traffic to go from dmz to  mpls? does it matter that it's a /24?


The NAT is ok. A /24 is going to translate the entire subnet, that is, 10.231.30.x to 10.231.30.x.


Regards,

Prapanch

Thompso7540_2 Fri, 08/27/2010 - 11:18
User Badges:

thanks


Here is my capture - i put it on DMZ and MPLS interface  - it's the same on both captures, so i guess the traffic i definitly making it out the MPLS interface


AiPX-FW1-2-254# show access-list ids_acl
access-list ids_acl; 2 elements
access-list ids_acl line 1 extended permit ip host 10.231.30.254 host 10.24.0.46 (hitcnt=30) 0x435208d5
access-list ids_acl line 2 extended permit ip host 10.24.0.46 host 10.231.30.254 (hitcnt=0) 0x081d9389
AiPX-FW1-2-254# show capture           
capture ids_dmz type raw-data access-list ids_acl trace interface DMZ [Capturing - 2850 bytes]
capture ids_mpls type raw-data access-list ids_acl trace interface MPLS [Capturing - 2850 bytes]


another question - i currently see a connection is made, but i don't see it's being translated...shouldn't i see it hit my /24 identity nat when i do a show xlate? But i also did a show xlate pipe include the /24 and it shows it in there


AiPX-FW1-2-254# show conn | i 10.231.30.254
UDP out 10.24.0.46:514 in 10.231.30.254:514 idle 0:00:29 flags -
TCP out 43.98.184.136:443 in 10.231.30.254:35826 idle 0:00:58 bytes 20662198 flags UIO


AiPX-FW1-2-254# show xlate | i 10.231.30.254
PAT Global 47.148.97.62(20925) Local 10.231.30.254(35826)

AiPX-FW1-2-254# show xlate | i 10.231.30.0
Global 10.231.30.0 Local 10.231.30.0



Also another little question:


I heard somewhere at Cisco Live this year that nat statements actually are what makes the ASA choose the egress interface for a destination, rather than the route. Is that true or am i mistaken?

praprama Fri, 08/27/2010 - 17:37
User Badges:
  • Cisco Employee,

Hi,


The captures indeed seem to show that traffic is passing just fine through the ASA.


> i currently see a connection is made, but i don't see it's being  translated...shouldn't i see it hit my /24 identity nat when i do a show  xlate? But i also did a show xlate pipe include the /24 and it shows it  in there


As attached and as seen from the packet-tracer, the traffic is indeed hitting the identity NAT. The output that you are seeing is the way it is.


> I heard somewhere at Cisco Live this year that nat statements actually  are what makes the ASA choose the egress interface for a destination,  rather than the route. Is that true or am i mistaken?


Well, yes. Part of it is true. The ASA first tries to decide the egress interface (or routing) using a NAT rule for the destination IP address of the packet.


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html#wp1095480


It looks for an existing translation entry first, then a Static translation (using the Static command) and the using the routing table. Let's take our example.


static (DMZ,MPLS) 10.231.30.0 10.231.30.0 netmask 255.255.255.0


How this is read (with respect to destination translation) is when a request comes in on the MPLS interface for an IP in the subnet 10.231.30.0/24, translate (better said as "untranslat" or UN-NAT) the destination IP address of the packet to 10.231.30.0/24 and send it out the DMZ interface. Of course, this is done following an access-list lookup, that is, if we do not have an access-list permitting ttraffic to 10.231.30.0/24, then the apcket will be dropped. Similar is the case in case of an existing translation, for example, the one you have attached:


AiPX-FW1-2-254# show xlate | i 10.231.30.254
PAT Global  47.148.97.62(20925) Local 10.231.30.254(35826)


So in this case, when the ASA sees a request coming on the outside interface with the destrination IP:PORT combination as 47.148.97.62:20925, it will UN-NAT the destination IP:PORT to 10.231.30.254:35826 and send it out the DMZ interface. Let me know if this is clear enough.


Regards,

Prapanch

Actions

This Discussion