Cisco Support Community
New Member

Local NAT on ASA 5505

Hello,

I'm quite new to these boards, so I'll try to explain my problem as best I can.

If something is missing or incorrect, please inform me so I can update.

I want to do a local NAT before a VPN IPsec tunnel because my internal range is already known at the customer's site. I've set up the static NAT rules and access policy.

Here you have the config as it is on the ASA right now.

Local server IP: 10.0.74.5

Required NAT address: 192.168.222.1

Customer range: 10.10.10.0/24

VPN Config:

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 200.200.200.200

crypto map outside_map 2 set transform-set ESP-AES-256-SHA

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key "key"

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255 -> 1-on-1 NAT

I'm allowing this first before I start narrowing it down to only ftp!

access-list outside_access_in extended permit tcp any host 192.168.222.1

access-list outside_access_in extended permit ip any host 192.168.222.1

access-list outboundnat2 permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 access-list outboundnat2

nat (inside) 1 0.0.0.0 0.0.0.0

Any help would be greatly appreciated!

Kind regards,

Eleander

47 REPLIES
Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Eleander

You can remove this line

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

because traffic will be from the NATted address, i.e. NAT happens before the crypto-map access-list check.

The remote peer needs to have a mirror image of this access-list so

access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 host 192.168.222.1

You could also remove the following

access-list outside_access_in extended permit tcp any host 192.168.222.1

as your next line permitting ip covers tcp. But then you say you will be looking to narrow that down.

The only other thing is you need to be aware that with a L2L VPN there are 2 ways in terms of acl's it can be setup

1) "sysopt connection permit-vpn" If you have this line in your config then traffic coming from the remote site down the tunnel is unencrypted and then it bypasses the acl attached to the outside interface ie. the acl on the outside interface does not have any effect on the traffic

2) If you don't have "sysopt connection permit-vpn" then the traffic will be then checked against the acl on the outside interface after being decrypted.

To see whether you are running sysopt connection permit-vpn run

"sh running-config sysopt"

I believe it is on by default.

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

Thx for the quick reply.

Changed as you proposed but I can't find any sysopt connection entry.

Kind regards,

Eleander

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Eleander

What is the output of running the command

sh running-config sysopt

if you want to turn off bypassing the acl then you will need to enter

asa(config)# no sysopt connection permit-vpn

but that is only if you want the traffic to be subject to your acl on the outside interface.

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

No response, just a blank line.

Included the complete config in the attachment!

Thx for the quick replies!

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Okay no problem. I just checked the command references and this is on by default -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

So if you want to bypass the acl on the outside interface you don't need to do anything. If you want the incoming VPN traffic to be checked against the acl on the outside interface then you need to enter

asa(config)# no sysopt connection permit-vpn

Still bit of a mystery as to why it doesn't show the sysopt settings -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s6_72.html#wp1287358

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

I've changed the config as you proposed and mailed the customer to try the connection again.

Did you by any chance have a look at the config I added in my previous post, to see that I didn't make any mistakes in the ACLs?

Kind regards,

Eleander

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Eleander

You will need to add the following

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

FTP is a funny one. Do you know if it is passive ftp or not ?

If you have problems getting the FTP to work then you may need to adjust your acl. But first things first, need to see if the VPN tunnel comes up :-)

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

I added the information you requested and also the FTP entry to the access-list. (see attached Word doc)

But now I'm having these problems.

"Rejecting IPSec Tunnel: no matching crypto map entry for remote proxy 10.10.10.87/255.255.255.255/0/0 local proxy 192.168.222.1/255.255.255.255/0/0 on interface outside"

Looking into them right now.

What ACL am I missing?

Really appreciate you spending this much time to find a solution!

Kind regards,

Eleander

New Member

Re: Local NAT on ASA 5505

And here's the attachment! :)

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Eleander

Is this coming up on the ASA we have been modifying the config on ?

Do you happen to have the config for both devices ie. the one we have been dealing with and the other one ?

Just as a quick test could you add this line to your crypto-map access-list and retry

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 host 10.10.10.87

It really should not make a difference but just in case.

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

Added the ACL but nothing changes.

In the attachment you can find the latest config.

We only manage this one firewall, which is a pity, and more so because the firewall on the other site isn't a Cisco. :(

Before making your proposed change for the sysopt the L2L was working. So it must be in the access lists!

Thx a lot.

Kind regards,

Eleander

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Eleander

Can you remove the sysopt line and then let me know if it is working ie.

pix(config)# sysopt connection permit-vpn

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

I also dug a little further and the site-to-site seems to be coming active.

There was a problem within the traffic selection for the L2L.

Thx a lot for the support on the access-list!

Just having this problem right now:

6 Nov 19 2008 16:58:29 302013 10.10.10.87 10.0.74.5 Built inbound TCP connection 5460 for outside:10.10.10.87/37590 (10.10.10.87/37590) to inside:10.0.74.5/21 (192.168.222.1/21)

6 Nov 19 2008 16:58:59 302014 10.10.10.87 10.0.74.5 Teardown TCP connection 5460 for outside:10.10.10.87/37590 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout

So connection goes through but time's out!

I think changing/adding the ftp instead of the ftp-data will resolve my issue!

Thx a lot!!!

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Eleander

Do you think you have it working now or at least know what to do ?

I'm dying to get out on my mountain bike but happy to hang around if you need further help.

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

I've made several changes, but the customer also has an ISDN router; on that router I just added the needed entries. (completely forgot about that one)

Get out on your MTB and go out there.

I thank you a lot for your help already and really appreciate it.

If I can't solve it I'll repost in here.

Tomorrow is another day.

btw I'm situated in Belgium so on the GMT+1 time.

Have fun and hopefully i'll see you around.

Thx again!

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

"Have fun and hopefully i'll see you around"

Will do. I'm in UK so it's dark by about 4:00 (2:30 at the moment) so i'll check later or tomorrow morning.

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

I've tested with inspect ftp (enabled or disabled) -> no result!

I can see that the L2L is active within the ASDM logging. (there are only 2 L2L configs on this ASA and they seem both active)

FTP from one site works well. (but the data is exempted)

When checking the log I see SYN Timeouts for this connection.

Added the 10.10.10.0 network within my Cisco 800 router to pass by the firewall (10.0.74.252) to be sure.

I'm quite in the dark here. I'm overlooking something or I'm misunderstanding something.

The sysopt is still active though.

Just let me know when you're back so we look any further!

Thx

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Okay. Quick test to see if it is the outside acl that is the problem. Can you re-enable sysopt connection permit-vpn, i.e.

asa(config)# sysopt connection permit-vpn

and then retest and let me know. If it works at least we can concentrate on the acl.

Jon

New Member

Re: Local NAT on ASA 5505

Good morning Jon,

Hope you had a nice ride yesterday.

I've changed the sysopt again and awaiting confirmation from the other side.

In the attachment the current running & working config for our customer.

I've exempted traffic from one site and everything works well for them, but to the other site (due to sec reasons) I can only allow ftp! (Still not working)

Getting SYN timeouts within the log but I see the translation is made! Really don't get it.

Kind regards,

Eleander

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Morning. Yes had a good ride. I have to go out in a minute and won't be around until about 12:00 (it's 9:00 now).

But key things to try

1) remove "no sysopt connection permit-vpn" as discussed

2) Have you determined which ftp is in use ie. passive or active. The fixup is there for the active ftp so you don't have to open up all random ports.

If after reenabling sysopt connection permit-vpn it still doesn't work then it looks like it could be an application issue. Do you know if the site that works uses ftp and if they do are they using the same ftp client as the site that isn't working.

Apologies for not being around this morning. Considering you're new to the forums I don't think I'm representing them very well.

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

Doesn't matter. I haven't had this much support from people in a while. For forum support I'm very very pleased so it doesn't matter!

Everyone tries to help out people on a free basis in their own free time so don't worry really.

The problem is looked into and that's the most important thing. It isn't that I have a network down issue so, and then again there are other solutions for that! :)

I'll see your response when you're back.

Kind regards,

Eleander

New Member

Re: Local NAT on ASA 5505

Jon,

removed the no sysopt & still awaiting the test after the ftp fixup change. (update -> still no luck with the fixup enabled or disabled)

The ftp transfer is a "default" ftp so it's the "active" one.

These are the logs I'm getting:

2008-11-20 11:50:03 Local4.Info 10.0.74.252 Nov 20 2008 13:39:04: %ASA-6-302013: Built outbound TCP connection 19941 for outside:10.10.10.87/21 (10.10.10.87/21) to inside:10.0.74.5/5066 (192.168.222.1/5066)

2008-11-20 11:50:33 Local4.Info 10.0.74.252 Nov 20 2008 13:39:34: %ASA-6-302014: Teardown TCP connection 19941 for outside:10.10.10.87/21 to inside:10.0.74.5/5066 duration 0:00:30 bytes 0 SYN Timeout

If I'm getting this right traffic comes in from port 21 but gets translated to a '1024+x' which isn't active on my servers! This means that my NAT isn't right??

I'm getting lost here with my interpretation of the logs!!

Due to sec reasons I constantly needed to alter the IP addresses in the files I've posted, but I thought it might be worth mentioning that the servers I connect to also use a "public" range, namely 143.97.x.x! Maybe this can cause problems with the NAT settings!

Kind regards,

Eleander

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Eleander

Back now and you have my full attention !

Can you post the config you are working with at the moment.

Jon

New Member

Re: Local NAT on ASA 5505

Like I already said, no problem Jon, I'm very thankful that you're willing to help me out! Wish one day my knowledge of Cisco products will grow to your level though.. :)

In the attachment you can find my current config.

Bear in mind that I altered the public IPs and that, as mentioned in another post, the customer's internal range is also a 143.x.x.x network.

As you can see I just changed the ACL for the L2L where the ftp is failing. To do another test.

I changed the ACL from these errors:

2008-11-20 11:50:03 Local4.Info 10.0.74.252 Nov 20 2008 13:39:04: %ASA-6-302013: Built outbound TCP connection 19941 for outside:10.10.10.87/21 (10.10.10.87/21) to inside:10.0.74.5/5066 (192.168.222.1/5066)

2008-11-20 11:50:33 Local4.Info 10.0.74.252 Nov 20 2008 13:39:34: %ASA-6-302014: Teardown TCP connection 19941 for outside:10.10.10.87/21 to inside:10.0.74.5/5066 duration 0:00:30 bytes 0 SYN Timeout

Kind regards,

Eleander
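The two log lines quoted above (and the matching pair in the earlier post) carry more diagnostic information than is obvious at first glance, so here is an added example, not code from this thread, that parses ASA 302013/302014 records, correlates build and teardown by connection id, and reports connections that were built but torn down with a zero-byte "SYN Timeout". The sample log is constructed: the first four lines are the ones quoted in this thread, the last two are an invented healthy connection for contrast (id 5470 and its timestamps are assumptions). An ASA only logs 302013 once the packet has passed the interface ACL and found a translation, and "SYN Timeout" with 0 bytes means the three-way handshake never completed within the 30-second embryonic timeout, so the failure is downstream of the ASA (routing at the destination host or its gateway), not in the ACL or NAT.

```python
import re

# Constructed sample: lines 1-4 are the ASA syslog records quoted in this thread,
# lines 5-6 are an invented successful connection (id 5470) for contrast.
SAMPLE_LOG = """\
Nov 20 2008 13:39:04: %ASA-6-302013: Built outbound TCP connection 19941 for outside:10.10.10.87/21 (10.10.10.87/21) to inside:10.0.74.5/5066 (192.168.222.1/5066)
Nov 20 2008 13:39:34: %ASA-6-302014: Teardown TCP connection 19941 for outside:10.10.10.87/21 to inside:10.0.74.5/5066 duration 0:00:30 bytes 0 SYN Timeout
Nov 19 2008 16:58:29: %ASA-6-302013: Built inbound TCP connection 5460 for outside:10.10.10.87/37590 (10.10.10.87/37590) to inside:10.0.74.5/21 (192.168.222.1/21)
Nov 19 2008 16:58:59: %ASA-6-302014: Teardown TCP connection 5460 for outside:10.10.10.87/37590 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout
Nov 19 2008 17:02:10: %ASA-6-302013: Built inbound TCP connection 5470 for outside:10.10.10.53/41000 (10.10.10.53/41000) to inside:10.0.74.5/21 (192.168.222.1/21)
Nov 19 2008 17:04:15: %ASA-6-302014: Teardown TCP connection 5470 for outside:10.10.10.53/41000 to inside:10.0.74.5/21 duration 0:02:05 bytes 1843 TCP FINs
"""

# 302013: Built {inbound|outbound} TCP connection ID for IF:real/port (mapped/port) to IF:real/port (mapped/port)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<real1>[\d.]+)/(?P<rport1>\d+) \((?P<map1>[\d.]+)/(?P<mport1>\d+)\) "
    r"to (?P<if2>\w+):(?P<real2>[\d.]+)/(?P<rport2>\d+) \((?P<map2>[\d.]+)/(?P<mport2>\d+)\)"
)
# 302014: Teardown TCP connection ID for IF:real/port to IF:real/port duration H:MM:SS bytes N REASON
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<real1>[\d.]+)/(?P<rport1>\d+) "
    r"to (?P<if2>\w+):(?P<real2>[\d.]+)/(?P<rport2>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def _endpoint(d, n):
    """Extract the n-th (1 or 2) endpoint from a matched 302013 record."""
    return {"iface": d[f"if{n}"], "real": d[f"real{n}"], "real_port": int(d[f"rport{n}"]),
            "mapped": d[f"map{n}"], "mapped_port": int(d[f"mport{n}"])}


def parse_connections(log_text):
    """Correlate build (302013) and teardown (302014) records by connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            d = m.groupdict()
            conns[int(d["id"])] = {"direction": d["dir"], "endpoints": [_endpoint(d, 1), _endpoint(d, 2)],
                                   "teardown": None}
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            c = conns.setdefault(int(d["id"]), {"direction": None, "endpoints": [], "teardown": None})
            c["teardown"] = {"duration": d["duration"], "bytes": int(d["bytes"]), "reason": d["reason"].strip()}
    return conns


def handshake_failures(conns):
    """Ids of connections the ASA built (so ACL and NAT allowed them) whose handshake never completed."""
    return sorted(cid for cid, c in conns.items()
                  if c["teardown"] and c["teardown"]["reason"] == "SYN Timeout" and c["teardown"]["bytes"] == 0)


def observed_translations(conns):
    """Set of (real, mapped) address pairs the ASA reported, i.e. the NAT actually applied."""
    return {(e["real"], e["mapped"]) for c in conns.values() for e in c["endpoints"] if e["real"] != e["mapped"]}


if __name__ == "__main__":
    parsed = parse_connections(SAMPLE_LOG)
    print("translations seen:", observed_translations(parsed))
    for cid in handshake_failures(parsed):
        a, b = parsed[cid]["endpoints"]
        print(f"conn {cid}: SYN forwarded {a['iface']}:{a['real']}/{a['real_port']} -> "
              f"{b['iface']}:{b['real']}/{b['real_port']}, no SYN-ACK within 30s")
```

Run against the real syslog export instead of SAMPLE_LOG; a list of ids with a zero-byte SYN Timeout alongside a translation the ASA did apply (here 10.0.74.5 to 192.168.222.1) tells you to look at the return path from the inside host rather than at the outside ACL.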

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Okay, i'm going through the config now and there are a few things that are not clear.

1) There are a couple of access-lists that don't seem to be used anywhere eg.

outside_2_cryptomap

outboundnat2 (although it looks like you have removed this ??)

2) You have this global statement

global (outside) 2 192.168.222.10-192.168.222.20 netmask 255.255.255.0

but there is no corresponding NAT statement.

Could you also clarify exactly where the FTP is coming to and going from for both the site that works and the site that doesn't.

Thanks

Jon

New Member

Re: Local NAT on ASA 5505

Indeed I removed the outboundnat2!

The global was in there for a test and I'll delete it! (done)

The outside_2_cryptomap is a typo and should be outside_cryptomap_2! (changed)

Because now I don't have any ACL on the outside_cryptomap_2!

In attachement the altered config!

FTP is coming from 10.10.10.x (defined servers in my wrong ACLs) and going to 192.168.222.1, which is then NAT'ed to 10.0.74.5. This is the one that is NOT working!

FTP coming from and going to 194.78.124.x gives no problems at all!

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

Thanks for update.

access-list outside_cryptomap_2 extended permit ip host 192.168.222.1 Statoil 255.255.255.0

the above is the first line of outside_cryptomap_2. Can't see where Statoil is defined ?

You don't need the rest of this access-list and it is recommended that you do not use TCP ports in your crypto map access-lists. So really you just want the first line but you need to make sure either

a) Statoil relates to something using the "name" command

OR

b) Just use the network subnet

Now because you have now said

access-list outside_cryptomap_2 extended permit ip host 192.168.222.1 Statoil 255.255.255.0

that means to control the traffic you will indeed need to hit the outside acl. So you will have to remove sysopt connection permit-vpn eg.

asa(config)# no sysopt connection permit-vpn

By removing this you will need to ensure that your other site still works but i believe the line

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

will do the job.

However this line also means the Statoil network has full access so you need to modify your outside acl to -

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

*** new line

access-list outside_access_in deny ip 10.10.10.0 255.255.255.0 any

***

where 10.10.10.0 is the Statoil remote subnet.

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

If Statoil are using active FTP then you will need the fixup for FTP.

Sorry for all the edits but the simpler we can make the config the easier to troubleshoot.

Jon

New Member

Re: Local NAT on ASA 5505

Jon,

No problem at all, I'm getting to better understand everything.

I've changed as you proposed. In the attachement you can now find the new config.

The "statoil" refers indeed to the 10.10.10.x subnet.

Inspect FTP is active.

I added all these ACL's because the customer only wants to see the allowed servers and not the complete subnet! :)

Kind regards,

Eleander

Hall of Fame Super Blue

Re: Local NAT on ASA 5505

okay, we are getting there.

nat (inside) 0 access-list inside_nat0_outbound_1

You also have a nat0_outbound acl which doesn't seem to be referenced anywhere. If it isn't then you can remove it.

The change made to the outside access-list. You have

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

But you need the additional line before the last 2 lines in your acl. If you do a "sh running-config access-list outside_access_in" then it should give you the line numbers. So you can remove the last line (because it is in the wrong order)

no access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

and then insert it by using the line number, e.g. let's say line 5 puts it above the last 2 lines

access-list outside_access_in line 5 deny ip Statoil 255.255.255.0 any

You still haven't defined Statoil so best just make the line

access-list outside_access_in line 5 deny ip 10.10.10.0 255.255.255.0 any

As to your last point. If you only want to include individual IP addresses and not the whole subnet then object-groups are the way to go. So let's say you only want to allow

10.10.10.53, 57 & 87

object-group network Statoil_ips

network-object host 10.10.10.53

network-object host 10.10.10.57

network-object host 10.10.10.87

and then your outside access list looks like

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

** change the following 2 lines **

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

** to **

access-list outside_access_in extended permit tcp object-group Statoil_ips host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp object-group Statoil_ips host 192.168.222.1 eq ftp-data

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

** move this line up above the 2 before it **

access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

You can then modify just the object-group in future if you need to add another Statoil IP or remove one of the existing ones.

Jon
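The ordering point in this last post (the deny for the Statoil subnet sitting after "permit ip any 10.0.74.0 255.255.255.0" never fires, because the ASA stops at the first matching entry) is easy to check offline before touching the box. The following is an added example, not code from this thread or from Cisco: a small first-match evaluator for the ACL exactly as listed above, plus a helper that applies the "no access-list ..." and "access-list NAME line N ..." commands the way the ASA does. Assumptions: the object-group Statoil_ips holds the three hosts Jon names, the "interface outside" keyword is stood in for by an assumed outside address 203.0.113.1, port names are resolved from a small built-in table, and the inserted deny goes in at line 7, which is the position before the last two entries in this particular nine-line list (Jon's "line 5" was only an illustration).

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "pop3": 110, "pptp": 1723, "smtp": 25}
OUTSIDE_INTERFACE_IP = "203.0.113.1"  # assumption: stands in for the "interface outside" keyword
OBJECT_GROUPS = {  # assumption: the object-group proposed in the thread
    "Statoil_ips": [ipaddress.ip_network(h) for h in ("10.10.10.53/32", "10.10.10.57/32", "10.10.10.87/32")],
}

# The outside ACL as listed in the post above, deny in the wrong (last) position.
ACL_AS_POSTED = [
    "access-list outside_access_in extended permit tcp any interface outside eq pop3",
    "access-list outside_access_in extended permit tcp any interface outside eq pptp",
    "access-list outside_access_in extended permit gre any interface outside",
    "access-list outside_access_in extended permit tcp any interface outside eq smtp",
    "access-list outside_access_in extended permit tcp object-group Statoil_ips host 192.168.222.1 eq ftp",
    "access-list outside_access_in extended permit tcp object-group Statoil_ips host 192.168.222.1 eq ftp-data",
    "access-list outside_access_in extended permit icmp any any",
    "access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0",
    "access-list outside_access_in extended deny ip 10.10.10.0 255.255.255.0 any",
]


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        return OBJECT_GROUPS[tokens[i + 1]], i + 2
    if t == "interface":
        return [ipaddress.ip_network(OUTSIDE_INTERFACE_IP + "/32")], i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2  # NETWORK MASK form


def parse_ace(line):
    """Parse 'access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    i = next(k for k, t in enumerate(tokens) if t in ("permit", "deny"))
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation with the implicit deny at the end. Returns (action, 1-based line or None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (any(s in net for net in ace["src"]) and any(d in net for net in ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None


def apply_command(acl, cmd):
    """Apply 'no access-list ...' (remove) or 'access-list NAME line N ...' (insert so it becomes line N)."""
    tokens = cmd.split()
    if tokens[0] == "no":
        body = " ".join(tokens[1:])
        return [l for l in acl if l != body]
    if "line" in tokens:
        k = tokens.index("line")
        pos = int(tokens[k + 1])
        ace = " ".join(tokens[:k] + tokens[k + 2:])
        return acl[:pos - 1] + [ace] + acl[pos - 1:]
    return acl + [cmd]


# Remove the misplaced deny and reinsert it above the two catch-all permits.
ACL_FIXED = apply_command(
    apply_command(ACL_AS_POSTED, "no access-list outside_access_in extended deny ip 10.10.10.0 255.255.255.0 any"),
    "access-list outside_access_in line 7 deny ip 10.10.10.0 255.255.255.0 any",
)

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        print(label, "Statoil host to 10.0.74.10/445:", evaluate(acl, "tcp", "10.10.10.53", "10.0.74.10", 445))
        print(label, "Statoil host to 192.168.222.1/21:", evaluate(acl, "tcp", "10.10.10.53", "192.168.222.1", 21))
```

The evaluator reports which line a packet matched, which is exactly what you want to compare against the "sh running-config access-list outside_access_in" line numbers before issuing the "line N" insert on the real ASA.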
