ASA - NAT Help

Gregor Blaj
Level 1

Hi,

I can’t seem to get the below to work, so hopefully someone can help. The ASA has 4 live interfaces as below.

1. Outside (security 0)
2. Inside (one sub interface, security 100)
   - inside_11_infrastructure
     - PAT’d to the outside interface (works)
3. Lab (with 2 sub interfaces, security 90 and security 80).
   - Lab_13_LAN
     - PAT’d to the outside interface (works)
   - Lab_14_DMZ
     - PAT’d to the outside interface (works)

The Lab interfaces are routable between each other, and this works correctly. The Lab subnets are not routable from the ‘inside’ network but I want RDP (3389) NAT’d to one of the inside hosts, and this is where something isn’t quite working. NAT and ACL config below, but please let me know if you need any more info.

NAT

nat (outside,inside_11_infrastructure) source dynamic ANYCONNECT_VPN_SUBNET interface
nat (inside_11_infrastructure,outside) source dynamic CC_11 interface
nat (Lab_13_LAN,outside) source dynamic LAN_13 interface
nat (Lab_14_DMZ,outside) source dynamic DMZ_14 interface
nat (Lab_13_LAN,inside_11_infrastructure) source dynamic LAN_13 interface # added as a test
nat (Lab_14_DMZ,inside_11_infrastructure) source dynamic DMZ_14 interface # added as a test
!
… # few other static NATs
object network LAB_ManagementPC
 nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389

Access Lists

access-list DMZ_14_out extended permit tcp object DMZ_14 object LAN_13 eq https
access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq domain
access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq ntp
access-list DMZ_14_out extended permit icmp object DMZ_14 any
access-list LAN_13_out extended permit tcp object LAN_13 any eq https
access-list LAN_13_out extended permit tcp object LAN_13 any eq www
access-list LAN_13_out extended permit tcp object LAN_13 any eq ssh
access-list LAN_13_out extended permit udp object LAN_13 any eq domain
access-list LAN_13_out extended permit udp object LAN_13 any eq ntp
access-list LAN_13_out extended permit icmp object LAN_13 any
access-group inbound in interface outside
access-group LAN_13_out in interface Lab_13_LAN
access-group DMZ_14_out in interface Lab_14_DMZ

When I do a capture, while doing 'telnet ASA_inside_IP 3389', nothing comes up in the log.

Any help appreciated.


11 Replies

Philip D'Ath
VIP Alumni

To be clear, you are saying there is no routable path from the inside network to the lab networks?  Can you change this?

Correct. I tried adding a static route to one host but it still doesn't work. I can then ping this host from the lab network which verifies the PAT working. 

Where is the ACL for the inside_11_infrastructure interface?

You are using the interface IP which is already in use on the ASA and is most probably the default gateway for the inside_11_infrastructure network.  For proxy ARP to work you need to configure NAT to an IP that is not in use and will not be used on the inside_11_infrastructure network, so that only the ASA will answer ARP requests.

--

Please remember to select a correct answer and rate helpful posts


I had an any-to-any ACL in there as a test but it still didn't work. Anyway, the security levels of the interfaces should allow this traffic.

It's the default gateway for some devices, only a handful.

Do you suggest I add a second IP to the inside_11_infrastructure interface? How do I then reference this second IP in the NAT statement?

You don't add an IP to the interface.  You just change the static NAT rule to translate to another IP on the same subnet as the inside_11_infrastructure.

Also run a packet tracer to see where it is stopping up.

packet-tracer input inside_11_infrastructure tcp <source IP> 12345 <destination IP> 3389

--

Please remember to select a correct answer and rate helpful posts

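Putting the advice above together as an added example (not the thread's own config, and not Marius's or Gregor's): the static NAT to an unused address on the inside subnet, the access list for inside_11_infrastructure that was asked about, and the packet-tracer check. All addresses are constructed for illustration, and the syntax assumes ASA 8.3+ (the same NAT syntax the thread's config uses).

```cisco
! Constructed addresses (not the thread's): inside_11_infrastructure is 10.11.0.0/24
! with the ASA interface at 10.11.0.1, Lab_13_LAN is 10.13.0.0/24, and the
! management PC is 10.13.0.50.
!
! Real host on Lab_13_LAN, presented to inside hosts on an address that is NOT the
! ASA interface IP and is not assigned to any inside device, so only the ASA answers
! ARP for it (proxy ARP) and the static, bidirectional NAT sees the connection.
object network LAB_ManagementPC
 host 10.13.0.50
 nat (Lab_13_LAN,inside_11_infrastructure) static 10.11.0.251 service tcp 3389 3389
!
! ACL bound to the inside interface. On ASA 8.3+ an ACL matches the real
! (untranslated) destination, so the object, not 10.11.0.251, is referenced.
! Restrict RDP to the inside subnet object (CC_11) instead of the "permit any"
! used as a test.
access-list INSIDE_11_in extended permit tcp object CC_11 object LAB_ManagementPC eq 3389
access-group INSIDE_11_in in interface inside_11_infrastructure
!
! Verify from the CLI. The destination is the mapped address, because packet-tracer
! injects the packet as it arrives on the ingress interface, before NAT; the output
! lists each phase (ACL, NAT, ...) and the drop reason if one fails.
packet-tracer input inside_11_infrastructure tcp 10.11.0.20 12345 10.11.0.251 3389
```

Once an access-group is bound to inside_11_infrastructure, the implicit higher-to-lower-security permit no longer applies on that interface, so the existing outbound flows (for example the CC_11 PAT to the outside) need their own permit entries in INSIDE_11_in.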

Alright, I'll give that a go and post back. 

The packet trace was failing at an implicit ACL, that's when I tried adding the permit any to 11_infrastructure. 

That works, config below. Can you explain to me why I can't use the ASA's interface IP?

Also, why wasn't I able to capture traffic for port 3389 on the ASA with the previous config? It was as if the traffic wasn't getting there at all, probably related to the first question :|

nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389

Thanks so much Marius, much appreciated!

Well, theoretically you could use the interface, but I like to keep things separate as I feel it will be easier to troubleshoot.  The problem you had was that you had a dynamic NAT which is unidirectional, while static NAT is bidirectional.  You didn't see anything in your capture because traffic is dropped before the capture is taken.  You would however have seen it in the logs if you had the logging level set to informational or lower.

--

Please remember to select a correct answer and rate helpful posts


I still don't understand this, weren't both NATs static?

nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389 (not working)

nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389 (working)

In terms of logging, I was using 'debugging' mode from ASDM, so I would've expected it to show up.

I am not entirely sure why it did not work. I would need to set this up in a lab to test it, and not sure when I will be able to do that.

--

Please remember to select a correct answer and rate helpful posts


No problem, thanks again for your help. I'm happy knowing I didn't do anything obvious wrong :)
