NAT exemption crashed my LAN

l-durocher
Level 1

I added a NAT exemption for a server in my DMZ for the subnets Elm and Roc:

nat (Inside,Any) source static Elm Roc Elm Roc destination static DMZ-Server DMZ-Server

About 20 minutes after adding this rule to my firewall, clients in the Elm subnet were disconnected from the Windows server, AS/400s and DNS.

The Roc subnet was connected through an IPsec VPN tunnel through this same firewall. My Cisco core router 10.0.0.1 is the default gateway for devices in the Elm subnet; the Cisco ASA 10.0.0.254 is the route of last resort.

The issues did not all happen at once; some things would work, then drop and not connect.

After I removed this NAT command (it took 4 hours to identify this as the issue), within 15 minutes the servers, AS/400 and DNS all started working.

I am being asked to identify why this command would cause this issue, and I don't know why it did!

Could anyone shed some light on this for me?

Leo

2 Replies

Jouni Forss
VIP Alumni

Hi,

I guess the above NAT is not the exact format of the command you had, mainly because you have "Elm Roc Elm Roc" as the "source" parameters. (The "source static" should be followed by a single object defining the real source and a single object defining the mapped source.)

I would presume that the objects are actually named something like "Elm_Roc" or "Elm-Roc"?

What the above configuration essentially tells us:

  • NAT is done between the "Inside" and "any" interfaces. The actual interface instead of "any" will be determined by using the routing table of the ASA
  • Any network/networks specified under "Elm Roc" are located behind the "Inside" interface
  • Any network/networks specified under "DMZ-Server" are located behind some interface that the above information doesn't tell us

So we would really need to know the specific configuration and routing of the ASA to determine if this configuration is the one you should have configured (though naturally it seems it wasn't the correct one).

If I were to presume that you wanted to prevent any NAT for a DMZ server when the destination was some INSIDE network, then I would have configured the NAT something like this:

object network LAN
 subnet 10.10.10.0 255.255.255.0
object network DMZ-SERVER
 host 192.168.10.10
nat (DMZ,LAN) source static DMZ-SERVER DMZ-SERVER destination static LAN LAN

This would essentially mean that the hosts on the network 10.10.10.0/24 would be able to connect to the DMZ server with both source and destination IP addresses staying the same. This naturally applies in the other direction too.

So to get to the bottom of this we need more specific information about the current setup (routing table, the actual networks/host addresses behind the above NAT configuration) and what stopped working (for example, source and destination IP addresses).

- Jouni

Workstations (10.0.1.1 /16) telnetting to the AS/400

Workstations (10.0.1.1 /16) connecting to Windows file sharing, DNS, DC, web server

Elm - 10.0.0.0 /16  (LAN)

Roc - 10.20.0.0 /16 (over a VPN tunnel)

MPLS network 10.30 - 100 .0.0 /16

DMZ - 10.1.0.0 /16 (DMZ network)

AS/400 10.0.101.1 /16

Server 10.0.100.1 /16

Core Router 10.0.250.1 /16 (this is all machines in Elm default Gateway)

Firewall Inside 10.0.250.200 /16

Firewall DMZ 10.1.250.1 /16

Firewall Outside 3.3.3.3

DMZ-Server 10.1.100.1 /16

Routes

The Core Router -- 0.0.0.0 0.0.0.0 10.0.250.200
                -- multiple routes for MPLS 10.30 - 100
                -- 10.20.0.0 255.255.0.0 10.0.250.200

The Firewall -- 0.0.0.0 0.0.0.0 1.1.1.1
             -- 10.0.0.0 255.0.0.0 10.0.250.1
             -- 10.20.0.0 255.255.0.0 2.2.2.2
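Jouni asks for the real NAT rules and addresses before diagnosing. As an added sanity check that is not part of this thread, the script below parses twice-NAT lines in the form used above and reports rules that translate addresses (so are not exemptions) or that leave an interface as "any", listing which directly connected interface subnets an identity-translated source overlaps; the object names and the DMZ-Server, Inside and DMZ addresses follow the follow-up post, while the config text and the interface table are constructed assumptions.

```python
import ipaddress
import re

# Constructed config in the thread's command form; object names and addresses
# follow the follow-up post, the interface table is assumed.
SAMPLE_CONFIG = """\
object network Elm
 subnet 10.0.0.0 255.255.0.0
object network DMZ-Server
 host 10.1.100.1
nat (Inside,any) source static Elm Elm destination static DMZ-Server DMZ-Server
nat (DMZ,Inside) source static DMZ-Server DMZ-Server destination static Elm Elm
"""
INTERFACES = {"Inside": "10.0.250.200/16", "DMZ": "10.1.250.1/16"}  # assumed
# nat (real_if,mapped_if) source static REAL MAPPED [destination static REAL MAPPED]
NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) source static (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")

def parse_objects(config):
    """Map each 'object network' name to its subnet or host as an ip_network."""
    objects, name = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["object", "network"]:
            name = words[2]
        elif name and words and words[0] == "subnet":  # subnet ADDR MASK
            objects[name] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif name and words and words[0] == "host":
            objects[name] = ipaddress.ip_network(words[1])
    return objects

def check_nat_rules(config, interfaces=INTERFACES):
    """Return [(rule_line, [findings])] for every twice-NAT rule in config."""
    objects, report = parse_objects(config), []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        real_src, map_src, real_dst, map_dst = m.group(3, 4, 5, 6)
        findings = []
        if real_src != map_src or real_dst != map_dst:
            findings.append("translates addresses, so it is not a NAT exemption")
        if "any" in (i.lower() for i in m.group(1, 2)):
            findings.append("an interface is 'any': the ASA picks it from its routing table")
            src_net = objects.get(real_src)
            # 'any' also covers interfaces whose own subnet the identity source overlaps
            for iface, addr in interfaces.items():
                if src_net and ipaddress.ip_interface(addr).network.overlaps(src_net):
                    findings.append(f"'any' includes {iface} ({addr}), overlapping source {real_src} {src_net}")
        report.append((line, findings))
    return report
```

Running it on the sample flags only the (Inside,any) rule; Jouni's interface-specific form of the same exemption produces no findings.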
