2037 Views, 0 Helpful, 31 Replies

Auto NAT and outside pool IP address

mahesh18, Level 6

Hi Everyone,

If I do Auto NAT from the DMZ interface to the outside interface using the config below:

object network Auto_NAT
 subnet 192.168.70.0 255.255.255.0          (DMZ subnet)
 description Auto NAT DMZ Interface
object network Outside_pool
 range 192.168.51.3 192.168.51.100
object network Auto_NAT
 nat (DMZ,outside) dynamic Outside_pool

My outside interface has an IP of 192.168.71.2.

I am unable to access the internet using the above config.

When I change the range in Outside_pool to 192.168.71.3 192.168.71.100 I am able to access the internet.

Does this mean that when using Auto NAT with dynamic NAT the outside pool range should be in the same subnet as the outside interface IP address?

Regards

Mahesh

13 Accepted Solutions

Jouni Forss, VIP Alumni

Hi Mahesh,

The NAT pool doesn't have to be in the same network as the "outside" interface's network.

But in that case you have to make sure that the router in front of the ASA knows about this NAT pool network.

The router either needs:

  • A route for the network used as the NAT pool pointing towards the current "outside" interface IP address of the ASA
  • OR the router interface facing the ASA needs a "secondary" address configured in the network that includes the NAT pool used
    • In this case you also need the command "arp permit-nonconnected" enabled on the ASA

- Jouni

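The two options Jouni lists, turned into a check you can run before touching the boxes. This is an added example, not code from the thread or from Cisco. It models the upstream router as nothing more than its ASA-facing connected networks (primary plus any secondary) and IOS-style `ip route` lines (a simplification), splits an ASA `range FIRST LAST` object into prefixes, and reports per prefix whether the pool sits in the outside subnet, is routed to the ASA's outside IP, or is covered by a secondary address (in which case `arp permit-nonconnected` is required on the ASA). It assumes proxy ARP has not been disabled on the outside interface. The scenarios in `__main__` are constructed from the addresses in this thread.

```python
"""Added example (not from the thread or Cisco): can the upstream router reach an
ASA dynamic NAT pool that is not in the outside interface's subnet?"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Upstream:
    """Constructed, simplified model of the router / L3 switch in front of the ASA."""
    connected: list                                    # 'A/M' networks on the ASA-facing interface (primary + secondary)
    static_routes: list = field(default_factory=list)  # IOS 'ip route A M NEXTHOP' lines


def parse_ios_route(line):
    """'ip route 192.168.51.0 255.255.255.0 192.168.71.2' -> (IPv4Network, next hop)."""
    parts = line.split()
    if parts[:2] != ["ip", "route"] or len(parts) < 5:
        raise ValueError(f"not a static route: {line!r}")
    return ipaddress.ip_network(f"{parts[2]}/{parts[3]}"), ipaddress.ip_address(parts[4])


def pool_prefixes(first, last):
    """Summarise an ASA 'range FIRST LAST' object into CIDR prefixes."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_pool(outside_if, pool_first, pool_last, upstream, arp_permit_nonconnected=False):
    """Return (ok, findings); each finding is (prefix, status, remedy).

    OK_CONNECTED  pool is inside the outside subnet; the ASA proxy-ARPs for it itself
    OK_ROUTED     upstream has a static route for the pool pointing at the ASA outside IP
    OK_SECONDARY  an upstream secondary covers the pool and the ASA answers non-connected ARP
    NEED_ARP      secondary present but 'arp permit-nonconnected' missing on the ASA
    CONFLICT      pool contains the ASA outside IP itself
    UNREACHABLE   nothing upstream knows about the pool
    """
    asa = ipaddress.ip_interface(outside_if)
    routes = [parse_ios_route(r) for r in upstream.static_routes]
    connected = [ipaddress.ip_interface(c).network for c in upstream.connected]
    findings = []
    for net in pool_prefixes(pool_first, pool_last):
        if asa.ip in net:
            findings.append((net, "CONFLICT", f"pool overlaps the ASA outside IP {asa.ip}"))
        elif net.subnet_of(asa.network):
            findings.append((net, "OK_CONNECTED", "in the outside subnet; nothing to add upstream"))
        elif any(net.subnet_of(p) and nh == asa.ip for p, nh in routes):
            findings.append((net, "OK_ROUTED", f"upstream routes it to {asa.ip}"))
        elif any(net.subnet_of(c) for c in connected):
            if arp_permit_nonconnected:
                findings.append((net, "OK_SECONDARY", "covered by an upstream secondary; ASA answers non-connected ARP"))
            else:
                findings.append((net, "NEED_ARP", "covered by an upstream secondary; add 'arp permit-nonconnected' on the ASA"))
        else:
            findings.append((net, "UNREACHABLE",
                             f"add 'ip route {net.network_address} {net.netmask} {asa.ip}' upstream "
                             "(or a secondary address there plus 'arp permit-nonconnected' on the ASA)"))
    ok = all(status.startswith("OK_") for _, status, _ in findings)
    return ok, findings


if __name__ == "__main__":
    # Constructed from this thread: ASA outside 192.168.71.2/24, switch 192.168.71.1/24,
    # pool first 192.168.51.3-100 (fails), then 192.168.71.3-100 (works), then 192.168.72.x + route.
    switch = Upstream(connected=["192.168.71.1/24"])
    for pool in (("192.168.51.3", "192.168.51.100"), ("192.168.71.3", "192.168.71.100")):
        ok, findings = check_pool("192.168.71.2/24", *pool, switch)
        print(pool, "OK" if ok else "BROKEN", sorted({s for _, s, _ in findings}))
    switch.static_routes.append("ip route 192.168.72.0 255.255.255.0 192.168.71.2")
    ok, findings = check_pool("192.168.71.2/24", "192.168.72.3", "192.168.72.100", switch)
    print("192.168.72.x pool with upstream route:", "OK" if ok else "BROKEN")
```

The route option needs no change on the ASA because the router ARPs for 192.168.71.2, which the ASA answers natively; the secondary option makes the router ARP for the pool address itself, which is why the non-connected ARP knob is needed only in that case. The check also flags the mistake of routing one subnet (192.168.72.0/24) while the pool object still holds another (192.168.51.x).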

Julio Carvajal, VIP Alumni

Hello Mahesh,

No, it does not.

That behavior lets us know that there is an ARP issue with those IP addresses.

Does the ISP side know that you have that range of IP addresses, 192.168.51.x?

Also, what version are you running? Proxy-ARP is disabled in some versions (8.4.3 and 8.6 if I am not wrong), so the ASA will not proxy-ARP for IP addresses that are not connected or not on the same subnet as the ASA.

Check my blog at http://laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Hello,

The command that Jouni recommended (arp permit-nonconnected) is available on that version.


Cheers,

Julio Carvajal Segura


Hello Mahesh,

The configuration on the ASA should remain the same.

On the upstream device it should be:

no ip route 192.168.72.0 255.255.255.0 192.168.71.2

ip route 192.168.51.0 255.255.255.0 192.168.71.2


Cheers,

Julio Carvajal Segura


Hello Mahesh,

Okay,

Please share both the config from the L3 switch and the ASA at the moment.

I will need to analyze the configuration.


Cheers,

Julio Carvajal Segura


Hello,

Looks like we are receiving a Reset packet from the device on the lower security level.

The "Deny TCP (no connection)" could mean 2 things:

1) Asymmetric routing

2) The server is sending information after the connection was released on the ASA


Cheers,

Julio Carvajal Segura


Hello Mahesh,

But I mean that traffic is on the same subnet, I mean 70.3 to 70.1...

Can you share the configuration please? Or you can email me the setup.


Cheers,

Julio Carvajal Segura


Hello Mahesh,

Configuration looks good (I did not see anything wrong).

Add

fixup protocol icmp

cap capin interface inside match icmp any any eq 4.2.2.2

cap capout interface outside match icmp any any eq 4.2.2.2

Then ping from an inside PC to 4.2.2.2

and provide

show cap capin

show cap capout


Cheers,

Julio Carvajal Segura


Hello Mahesh,

I must have been really tired when I sent the capture syntax, lol. It's completely wrong.

It should be

cap capdmz interface dmz match icmp any host 4.2.2.2

cap capout interface outside match icmp any host 4.2.2.2

I am sorry


Cheers,

Julio Carvajal Segura


There are no packets coming back from the switch.

Add the following to the ASA:

arp permit-nonconnected

Can you share the show ip route from the switch (I just need the entry for 192.168.72.0)?

Also show arp | include 192.168.72.


Cheers,

Julio Carvajal Segura


Hello.

Do the following on the ASA side

arp permit-nonconnected, and then try again.


Cheers,

Julio Carvajal Segura


Hello,

At the moment, the only thing that I could possibly think of is to make sure that the router 192.168.5.3 has a route to the 192.168.72 subnet and that it's also NATing this subnet range.


Cheers,

Julio Carvajal Segura


Hello Mahesh,

Well, basically:

  • The ASA had the right configuration (we could see the packets going out of the outside interface)
  • We made sure the ASA replies to ARP packets not on the same subnet as its interfaces (arp permit-nonconnected)
  • We made sure the switch knew how to get to the subnet being used by the DMZ
  • I checked the switch to see if the NAT was being done there, but that was not the case, so only 2 options more: A - the device doing the NAT does not include the subnet used by the DMZ. B - The device on the edge of the network does not know how to get to that subnet on the DMZ.

Long troubleshooting, Mahesh, but we did it.


Cheers,

Julio Carvajal Segura


31 Replies


Hi Julio,

Something new learned today.

I will test that tomorrow.

Best regards

Mahesh


Hi Julio,

The IOS is

Cisco Adaptive Security Appliance Software Version 9.1(1)

Device Manager Version 7.1(2)

I will test it tomorrow after work.

Regards

Mahesh


Hi Jouni,

I configured the outside pool IP which was not from the outside interface of the ASA.

Also on the switch which has a direct connection to the ASA outside interface IP I configured the command

3550SMIA(config)#ip route 192.168.72.0 255.255.255.0 192.168.71.2

where 192.168.71.2 is the ASA outside interface IP.

Now I cannot access the internet.

ciscoasa# sh xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.70.3 to outside:192.168.72.56 flags i idle 0:00:00 timeout 3:00:00

Regards

Mahesh


Hi Julio,

I changed the Outside_pool IP to the subnet 192.168.72.0:

object network Auto_NAT_DMZ
 subnet 192.168.70.0 255.255.255.0
 description Auto NAT DMZ Interface
object network Outside_pool
 range 192.168.72.3 192.168.72.100

Regards

Mahesh

Hello Mahesh,

Okay.

And what happens, the same thing?


Cheers,

Julio Carvajal Segura


Yeah, same thing: no internet from the PC,

but from the ASA I can ping the internet.


Hi Julio,

Here is the log from the ASA:

Aug 15 2013 22:09:08: %ASA-6-302014: Teardown TCP connection 8398 for DMZ:192.168.70.3/5703 to identity:192.168.70.1/443 duration 0:00:00 bytes 3619 TCP Reset-O

Aug 15 2013 22:09:08: %ASA-6-106015: Deny TCP (no connection) from 192.168.70.3/5703 to 192.168.70.1/443 flags FIN ACK  on interface D

The config is attached to the original post.

Regards

Mahesh


Hi Julio,

As per this message it seems it's a NAT issue:

Aug 15 2013 22:11:59: %ASA-6-110003: Routing failed to locate next hop for TCP from identity:192.168.70.1/443 to DMZ:192.168.70.3/5712

where 70.3 is the PC IP

and 70.1 is the DMZ interface.

Regards

Mahesh
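A way to sort the syslog lines Mahesh posted into the two causes Julio gave for "Deny TCP (no connection)" (a straggler after the ASA already tore the connection down, versus no state at all, which points at asymmetric routing), as an added example that is not part of the thread and not Cisco code. It parses the 302014, 106015 and 110003 message bodies with regular expressions written from the lines above, correlates a 106015 with a preceding 302014 on the same flow inside a time window, and flags flows whose interface is named "identity", which is the ASA's label for its own interface address (to-the-box traffic, here the PC talking to the DMZ interface on 443, not traffic through the box). "TCP Reset-O" is the ASA's code for a reset received from the lower-security side. The sample lines are constructed from the ones in the thread; the interface name on the truncated 106015 line is filled in as DMZ for the sample only, and the fourth line is invented to show the no-state case.

```python
"""Added example (not from the thread or Cisco): parse ASA syslog lines and tell a
post-teardown straggler apart from a packet with no connection state at all."""
import re
from datetime import datetime

HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d): "
                    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# 302014: Teardown PROTO connection N for IF:IP/PORT to IF:IP/PORT duration H:MM:SS bytes N [reason]
TEARDOWN = re.compile(r"Teardown (?P<proto>\w+) connection (?P<conn>\d+) for "
                      r"(?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sp>\d+) to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dp>\d+) "
                      r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?")
# 106015: Deny PROTO (no connection) from IP/PORT to IP/PORT flags ... on interface IF
DENY_NOCONN = re.compile(r"Deny (?P<proto>\w+) \(no connection\) from (?P<sip>[\d.]+)/(?P<sp>\d+) "
                         r"to (?P<dip>[\d.]+)/(?P<dp>\d+) flags (?P<flags>.*?) +on interface (?P<iface>\S+)")
# 110003: Routing failed to locate next hop for PROTO from IF:IP/PORT to IF:IP/PORT
NOROUTE = re.compile(r"Routing failed to locate next hop for (?P<proto>\w+) from "
                     r"(?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sp>\d+) to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dp>\d+)")
BODIES = {"302014": TEARDOWN, "106015": DENY_NOCONN, "110003": NOROUTE}


def parse_line(line):
    """Return a dict with id, sev, ts, the message fields and flow=(sip, sp, dip, dp), or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"id": m["id"], "sev": int(m["sev"]),
           "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")}
    pat = BODIES.get(m["id"])
    b = pat.match(m["body"]) if pat else None
    if b:
        rec.update(b.groupdict())
        rec["flow"] = (rec["sip"], rec["sp"], rec["dip"], rec["dp"])
    return rec


def diagnose(lines, window_seconds=60):
    """Return [(msg_id, flow, verdict, detail)] for the 106015 and 110003 messages seen."""
    teardowns = {}   # flow -> (time, reason, note) from 302014
    verdicts = []
    for rec in filter(None, map(parse_line, lines)):
        if "flow" not in rec:
            continue
        # 'identity' as an interface name means the ASA's own address: to-the-box traffic.
        note = (" (to-the-box: 'identity' is the ASA's own interface IP)"
                if "identity" in (rec.get("sif"), rec.get("dif")) else "")
        if rec["id"] == "302014":
            teardowns[rec["flow"]] = (rec["ts"], rec.get("reason") or "", note)
        elif rec["id"] == "106015":
            prev = teardowns.get(rec["flow"])
            if prev and 0 <= (rec["ts"] - prev[0]).total_seconds() <= window_seconds:
                verdicts.append((rec["id"], rec["flow"], "LATE_PACKET_AFTER_TEARDOWN",
                                 f"{rec['flags']} on {rec['iface']} after teardown '{prev[1]}'{prev[2]}"))
            else:
                verdicts.append((rec["id"], rec["flow"], "NO_STATE_CHECK_ASYMMETRIC_ROUTING",
                                 f"{rec['flags']} on {rec['iface']} with no recent teardown for this flow"))
        elif rec["id"] == "110003":
            verdicts.append((rec["id"], rec["flow"], "NO_ROUTE_TO_NEXT_HOP",
                             f"{rec['sif']} -> {rec['dif']}{note}"))
    return verdicts


# Constructed sample modelled on the lines posted in this thread (last line invented).
SAMPLE = [
    "Aug 15 2013 22:09:08: %ASA-6-302014: Teardown TCP connection 8398 for DMZ:192.168.70.3/5703 "
    "to identity:192.168.70.1/443 duration 0:00:00 bytes 3619 TCP Reset-O",
    "Aug 15 2013 22:09:08: %ASA-6-106015: Deny TCP (no connection) from 192.168.70.3/5703 "
    "to 192.168.70.1/443 flags FIN ACK  on interface DMZ",
    "Aug 15 2013 22:11:59: %ASA-6-110003: Routing failed to locate next hop for TCP "
    "from identity:192.168.70.1/443 to DMZ:192.168.70.3/5712",
    "Aug 15 2013 22:12:30: %ASA-6-106015: Deny TCP (no connection) from 10.9.8.7/40000 "
    "to 192.168.70.3/22 flags ACK  on interface outside",
]

if __name__ == "__main__":
    for verdict in diagnose(SAMPLE):
        print(*verdict)
```

On the sample, the FIN/ACK from 192.168.70.3 is classified as a straggler because the same flow was torn down by a reset in the same second, while the invented ACK from 10.9.8.7 has no prior teardown and gets the asymmetric-routing verdict. Both the 302014 and the 110003 carry "identity", so they describe the PC talking to the ASA's own DMZ address on 443 rather than the DMZ-to-outside NAT path the thread is about.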
