ASA - NAT Help

Answered Question
Feb 2nd, 2017

Hi,


I can’t seem to get the below to work, so hopefully someone can help. The ASA has 4 live interfaces as below.


1. Outside (security 0)
2. Inside (one sub-interface, security 100)
   - inside_11_infrastructure
     - PAT'd to the outside interface (works)
3. Lab (with 2 sub-interfaces, security 90 and security 80)
   - Lab_13_LAN
     - PAT'd to the outside interface (works)
   - Lab_14_DMZ
     - PAT'd to the outside interface (works)


The Lab interfaces are routable between each other, and this works correctly. The Lab subnets are not routable from the ‘inside’ network but I want RDP (3389) NAT’d to one of the inside hosts, and this is where something isn’t quite working. NAT and ACL config below, but please let me know if you need any more info.


NAT

nat (outside,inside_11_infrastructure) source dynamic ANYCONNECT_VPN_SUBNET interface
nat (inside_11_infrastructure,outside) source dynamic CC_11 interface
nat (Lab_13_LAN,outside) source dynamic LAN_13 interface
nat (Lab_14_DMZ,outside) source dynamic DMZ_14 interface
nat (Lab_13_LAN,inside_11_infrastructure) source dynamic LAN_13 interface # added as a test
nat (Lab_14_DMZ,inside_11_infrastructure) source dynamic DMZ_14 interface # added as a test
!
… # few other static NATs
object network LAB_ManagementPC
 nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389


Access Lists

access-list DMZ_14_out extended permit tcp object DMZ_14 object LAN_13 eq https
access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq domain
access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq ntp
access-list DMZ_14_out extended permit icmp object DMZ_14 any
access-list LAN_13_out extended permit tcp object LAN_13 any eq https
access-list LAN_13_out extended permit tcp object LAN_13 any eq www
access-list LAN_13_out extended permit tcp object LAN_13 any eq ssh
access-list LAN_13_out extended permit udp object LAN_13 any eq domain
access-list LAN_13_out extended permit udp object LAN_13 any eq ntp
access-list LAN_13_out extended permit icmp object LAN_13 any
access-group inbound in interface outside
access-group LAN_13_out in interface Lab_13_LAN
access-group DMZ_14_out in interface Lab_14_DMZ


When I do a capture, while doing 'telnet ASA_inside_IP 3389', nothing comes up in the log.


Any help appreciated.

Philip D'Ath Thu, 02/02/2017 - 11:43

To be clear, you are saying there is no routable path from the inside network to the lab networks?  Can you change this?

Gregor Blaj Thu, 02/02/2017 - 12:38

Correct. I tried adding a static route to one host but it still doesn't work. I can then ping this host from the lab network which verifies the PAT working. 

Correct Answer
Marius Gunnerud Thu, 02/02/2017 - 12:05

Where is the ACL for the inside_11_infrastructure interface?

You are using the interface IP which is already in use on the ASA and is most probably the default gateway for the inside_11_infrastructure network.  For proxy ARP to work you need to configure NAT to an IP that is not in use and will not be used on the inside_11_infrastructure network, so that only the ASA will answer ARP requests.

--

Please remember to select a correct answer and rate helpful posts

Gregor Blaj Thu, 02/02/2017 - 13:00

I had an any-to-any ACL in there as a test but it still didn't work. Anyway, the security levels of the interfaces should allow this traffic.

It's the default gateway for some devices, only a handful.

Do you suggest I add a second IP to the inside_11_infrastructure interface? How do I then reference this second IP in the NAT statement?

Marius Gunnerud Thu, 02/02/2017 - 13:19

You don't add an IP to the interface.  You just change the static NAT rule to translate to another IP on the same subnet as the inside_11_infrastructure.

Also run a packet tracer to see where it is stopping up.

packet-tracer input inside_11_infrastructure tcp <source IP> 12345 <destination IP> 3389

--

Please remember to select a correct answer and rate helpful posts

Gregor Blaj Thu, 02/02/2017 - 13:44

Alright, I'll give that a go and post back. 

The packet trace was failing at an implicit ACL, that's when I tried adding the permit any to 11_infrastructure. 

Gregor Blaj Thu, 02/02/2017 - 14:10

That works, config below. Can you explain to me why I can't use the ASA's interface IP?


Also, why wasn't I able to capture traffic for port 3389 on the ASA with the previous config? It was as if the traffic wasn't getting there at all, probably related to the first question :|


nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389


Thanks so much Marius, much appreciated!

Marius Gunnerud Thu, 02/02/2017 - 14:34

Well, theoretically you could use the interface, but I like to keep things separate as I feel it will be easier to troubleshoot.  The problem you had was that you had a dynamic NAT which is unidirectional, while static NAT is bidirectional.  You didn't see anything in your capture because traffic is dropped before the capture is taken.  You would however have seen it in the logs if you had the logging level set to informational or lower.

--

Please remember to select a correct answer and rate helpful posts
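As an added example (not code from the thread or from Cisco), here is a small Python lint over the configuration lines posted above. It flags the two points Marius raised: a static port forward whose mapped address is the interface IP itself, and an interface referenced in NAT rules with no access-group bound to it. The sample configuration is constructed from the thread's own lines; the parser handles both object NAT and twice NAT syntax.

```python
import re

# Constructed sample: the thread's NAT and access-group lines, trimmed.
SAMPLE_CONFIG = """\
nat (inside_11_infrastructure,outside) source dynamic CC_11 interface
nat (Lab_13_LAN,outside) source dynamic LAN_13 interface
nat (Lab_13_LAN,inside_11_infrastructure) source dynamic LAN_13 interface
object network LAB_ManagementPC
 nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389
access-group inbound in interface outside
access-group LAN_13_out in interface Lab_13_LAN
access-group DMZ_14_out in interface Lab_14_DMZ
"""

NAT_RE = re.compile(r"^\s*nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<rest>.+)$")
AG_RE = re.compile(r"^\s*access-group \S+ (?:in|out) interface (?P<iface>\S+)")


def parse_nat(config):
    """Return (rules, acl_ifaces); a rule is (real_if, mapped_if, kind, mapped_addr)."""
    rules, acl_ifaces = [], set()
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            toks = m.group("rest").split()
            if toks[0] == "source":   # twice NAT: 'source {static|dynamic} <real> <mapped>'
                kind, addr = toks[1], toks[3]
            else:                     # object NAT: '{static|dynamic} <mapped> [service ...]'
                kind, addr = toks[0], toks[1]
            rules.append((m.group("real"), m.group("mapped"), kind, addr))
        m = AG_RE.match(line)
        if m:
            acl_ifaces.add(m.group("iface"))
    return rules, acl_ifaces


def lint(config):
    """Flag what the thread turned on: a static port forward mapped to the
    interface IP itself, and a NAT-referenced interface with no access-group
    bound (so only the security-level default governs it)."""
    rules, acl_ifaces = parse_nat(config)
    findings = [("static-nat-to-interface-ip", mapped)
                for _real, mapped, kind, addr in rules
                if kind == "static" and addr == "interface"]
    for iface in sorted({i for r in rules for i in r[:2]}):
        if iface not in acl_ifaces:
            findings.append(("no-access-group", iface))
    return findings
```

Swapping `static interface` for a spare address on the inside subnet, as the working rule further down does, clears the first finding.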

Gregor Blaj Fri, 02/03/2017 - 00:10

I still don't understand this, weren't both NATs static?

nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389 (not working)

nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389 (working)

In terms of logging, I was using 'debugging' mode from ASDM, so I would've expected it to show up.

Marius Gunnerud Fri, 02/03/2017 - 00:40

I am not entirely sure why it did not work. I would need to set this up in a lab to test it, and not sure when I will be able to do that.

--

Please remember to select a correct answer and rate helpful posts

Gregor Blaj Fri, 02/03/2017 - 02:15

No problem, thanks again for your help. I'm happy knowing I didn't do anything obvious wrong :)
