01-27-2014 11:39 AM - edited 03-11-2019 08:36 PM
I am still having access issues when using NAT on my ASA 5510. I think it is due to the way I have my ASA set up and the usage of PAT and NAT. I am not sure of the differences in them as of yet, but because I have routers behind my ASA, it seems to me that the issues might relate to the PAT, NAT and the Routers.
You can refer to this link to see my network diagram.
https://supportforums.cisco.com/message/4145313#4145313
The problem is, I cannot seem to access any devices behind the routers.
My initial thought when I started this learning process was to use the ASA as the one point of access to the internet as a firewall. Then behind that I would have my routers and the subnets behind them, including switches and all that stuff. But there are apparently different ways of doing this and the information I get doesn't seem to be consistent, or I should say it is consistent, but doesn't work.
For some reason, I cannot seem to forward packets from the external interface (internet) on the ASA, to resources behind the routers.
I create a network object. Assign it a host. Create the NAT statement. Create the access list. And yet the packets still get denied. The error I see on the ASDM is basically always the same.
6 | Jan 27 2014 | 10:36:46 | 98.22.xxx.xxx | 14979 | 192.168.1.2 | 3389 | Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/14979 to Inside:192.168.1.2/3389 |
One thing I noticed is that no matter what I specify as the port leaving my network here at work, the ASA doesn't see it as that port. RDP, for example, is supposed to use 3389. But as you see from this capture of my ASA log, I initiated an RDP connection from my work computer and when it hit the ASA it is on port 14979, which if I read this correctly is 98.22.xxx.xxx 14979 then converted to 192.168.1.2 port 3389.
I created an Object Network Group:
object network RDP-DC1
host 192.168.1.2
Set NAT within the group:
object network RDP-DC1
nat (Inside,Outside) static interface service tcp 3389 3389
Then created an Access-List:
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389
But the result is the same as I get when I created the one to allow http traffic on port 8080 to hit an internal address on port 80.
I don't know where my NAT issue is, but I am beginning to think it is in the PAT. Maybe I should create only static routes from the ASA to the routers and then set up the routers to allow access as needed? Right now, I believe the routers are allowing any traffic, since I have the access-list permit any any statement. Does that mean allow any traffic to any location, including from the 'Outside' source?
Is the PAT trying to bypass the routers?
Here are some outputs:
ASA5510(config)# sh run nat
!
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
nat (Inside,Outside) static interface service tcp 3389 3389
!
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
ASA5510(config)# sh run access-list
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA5510(config)# sh run object-group
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
network-object 192.168.0.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 128.162.1.0 255.255.255.0
network-object 128.162.10.0 255.255.255.0
network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.xxx.xxx
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
I seem to be missing something in my config preventing NAT from working as it should, and the workarounds that I do seem to not work properly.
The only statements that do work are the ones that allow me to SSH into the Routers that are on each interface of the ASA. So I can SSH into the 2811 and 2821 fine, but nothing behind them.
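As an added illustration (not code from the thread or from Cisco), the following Python models the check the ASA applies before it emits the "Routing failed to locate next hop" message quoted above: after untranslating the destination through the static NAT it route-looks-up the real host and drops the packet if that egress interface is not the one named in the NAT rule. It uses the NAT objects and route table posted in this thread; the Outside address 199.195.0.2 is a constructed stand-in for the redacted one.

```python
import ipaddress

OUTSIDE_IP = "199.195.0.2"  # constructed stand-in for the redacted 199.195.xxx.xxx

# Object NAT rules from the thread whose real host is visible:
# (real interface, mapped interface, real host, real port, mapped port)
NAT_RULES = [
    ("Inside", "Outside", "192.168.1.5", 80, 8080),    # WEBCAM-01
    ("Inside", "Outside", "192.168.1.2", 3389, 3389),  # RDP-DC1
]

# The thread's "show route" as (prefix, egress interface); the Outside
# prefix is built from the constructed address above.
ROUTES = [
    ("199.195.0.0/28", "Outside"),
    ("10.10.0.0/30", "DMZ"),
    ("10.10.1.0/30", "Inside"),
    ("10.10.2.0/30", "VOIP"),
    ("192.168.1.0/24", "Inside"),
    ("0.0.0.0/0", "Outside"),
]


def route_lookup(dst_ip, routes):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def inbound_decision(ingress, dst_ip, dst_port, routes=ROUTES):
    """Replay the ASA 8.3+ steps for a TCP packet arriving on the mapped side:
    untranslate the destination with the static NAT, route-lookup the real
    host, and require that egress interface to equal the NAT rule's real
    interface. Returns ("forward", real_ip, real_port, egress) or ("drop", why)."""
    for real_if, mapped_if, real_ip, real_port, mapped_port in NAT_RULES:
        if (ingress, dst_ip, dst_port) != (mapped_if, OUTSIDE_IP, mapped_port):
            continue
        egress = route_lookup(real_ip, routes)
        if egress != real_if:  # the severity-6 message seen in the thread
            return ("drop", "Routing failed to locate next hop for TCP to "
                            "%s:%s/%d (route says %s)" % (real_if, real_ip, real_port, egress))
        return ("forward", real_ip, real_port, egress)
    return ("drop", "no static NAT matches %s:%d on %s" % (dst_ip, dst_port, ingress))
```

With the posted route table both RDP-DC1 and WEBCAM-01 pass this check, which is consistent with the xlate and route output later in the thread; swapping the 192.168.1.0/24 route to another interface reproduces the drop.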
01-27-2014 12:57 PM
Mitchell
Do you have a route on your ASA telling it how to get to 192.168.1.2 ie.
route inside 192.168.1.0 255.255.255.0 10.10.1.2
In addition does the router have a route pointing to the ASA eg.
ip route 0.0.0.0 0.0.0.0 10.10.1.1
Jon
01-27-2014 01:45 PM
The 2811 has:
CISCO-2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.1.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/30 is directly connected, FastEthernet0/0
L 10.10.1.2/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.10.0/24 is directly connected, FastEthernet0/1.1
L 172.16.10.1/32 is directly connected, FastEthernet0/1.1
C 172.16.20.0/24 is directly connected, FastEthernet0/1.2
L 172.16.20.1/32 is directly connected, FastEthernet0/1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/1.3
L 192.168.1.1/32 is directly connected, FastEthernet0/1.3
The ASA has:
ASA5510# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 199.195.xxx.xxx to network 0.0.0.0
C 199.195.xxx.xxx 255.255.255.240 is directly connected, Outside
C 10.10.0.0 255.255.255.252 is directly connected, DMZ
C 10.10.1.0 255.255.255.252 is directly connected, Inside
C 10.10.2.0 255.255.255.252 is directly connected, VOIP
S 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 199.195.xxx.xxx, Outside
ASA5510# sh ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 Inside 10.10.1.1 255.255.255.252 CONFIG
Ethernet0/1 Outside 199.195.xxx.xxx 255.255.255.240 CONFIG
Ethernet0/2 DMZ 10.10.0.1 255.255.255.252 manual
Ethernet0/3 VOIP 10.10.2.1 255.255.255.252 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 Inside 10.10.1.1 255.255.255.252 CONFIG
Ethernet0/1 Outside 199.195.xxx.xxx 255.255.255.240 CONFIG
Ethernet0/2 DMZ 10.10.0.1 255.255.255.252 manual
Ethernet0/3 VOIP 10.10.2.1 255.255.255.252 manual
01-27-2014 02:06 PM
Mitchell
One thing I noticed is that no matter what I specify as the port leaving my network here at work, the ASA doesn't see it as that port. RDP, for example, is supposed to use 3389. But as you see from this capture of my ASA log, I initiated an RDP connection from my work computer and when it hit the ASA it is on port 14979, which if I read this correctly is 98.22.xxx.xxx 14979 then converted to 192.168.1.2 port 3389.
I think you are reading it incorrectly. What it is saying is the source of the packet is 98.22.x.x using a random port and the destination is the 192.168.1.2 using RDP ie. it has already translated the destination IP from the interface IP to 192.168.1.2.
There is a route on the ASA for 192.168.1.0/24. From the ASA can you ping 192.168.1.2 ?
Jon
01-27-2014 02:10 PM
I cannot ping any addresses behind the routers, including 192.168.1.2.
ASA5510(config)# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
01-27-2014 02:16 PM
Mitchell
For some reason the ASA is not using the route for 192.168.1.0/24 you have added.
Can you post "sh xlate local 192.168.1.2"
Jon
01-27-2014 02:27 PM
ASA5510(config)# sh xlate local 192.168.1.2
21 in use, 784 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.xxx.xxx 3389-3389
flags sr idle 3:19:10 timeout 0:00:00
Here is the one for the WEBCAM that is also not working:
ASA5510(config)# sh xlate local 192.168.1.5
36 in use, 784 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.xxx.xxx 8080-8080
flags sr idle 0:43:27 timeout 0:00:00
01-27-2014 02:42 PM
Mitchell
I can't see anything obviously wrong with this.
It has the correct xlate entry and the correct route for this to work.
How are you accessing it ie. via VPN or not ?
Jon
01-27-2014 04:12 PM
From a static IP (not VPN) at work. No VPN tunnel, just from my work PC, which runs on a 192.168.116.0 subnet through a couple of routers and out a firewall with the static IP of 98.22.xxx.xxx and then to my ASA @ home.
Message was edited by: Mitchell Tuckness : IP (not VPN)
01-27-2014 07:16 PM
I noticed I had ip source-route enabled on the router, you don't think that could have any impact on this issue? I also read that depending on the license on the ASA it can only do so much?
I turned off ip source-route since it seems like most posts say it is not usually enabled. I am at a loss as to why I can't get this to work.
01-28-2014 08:11 AM
No more ideas? I am a sad, sad camper. I hate it when you think you're doing things right and it doesn't work, and you're trying to learn and not sure what's up.
01-28-2014 10:56 AM
Is there anything I can run to help diagnose this? Something on the ASA or router? Some config I might run that would help figure it out?
01-28-2014 01:14 PM
Mitchell
I still can't see what's wrong with this. Can you try removing the NAT statement for the router's outside interface, i.e. the SSH one, and see if you still see the same problem.
The failed to locate next hop is usually to do with VPN traffic, which is why I asked about it.
I don't think it is anything on the router as it is the ASA that seems unable to use the route in its routing table.
Jon
01-28-2014 02:30 PM
I'm sorry, which statement should I remove?
01-28-2014 02:32 PM
Mitchell
The NAT statement you have for the outside interface of the 2811. It is a long shot, but I am wondering if, because the next hop in the route also has a NAT statement for the same IP, they are somehow conflicting.
Jon