Problem with dynamic policy NAT on ASA 9.1(1)

Uwe Bauschke (Level 1)

Hello,

I ran into some problems while implementing dynamic policy NAT on our ASA 5550.

The goal is to enable file transfer for clients on our inside network to some servers on our outside network.

So I set up the following config:

object service SFTP
 service tcp source range 1024 65535 destination eq 22
object service FTP
 service tcp source range 1024 65535 destination eq 21

nat (inside,outside) source dynamic inside-hosts interface destination static outside-servers service SFTP SFTP
nat (inside,outside) source dynamic inside-hosts interface destination static outside-servers service FTP FTP

For the first NAT rule everything works fine, but the second one doesn't!

Packet-tracer gives me the following output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   outside-network    outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up

Action: drop
Drop-reason: (no-route) No route to host

Why is one rule working and the other one, with the same hosts on both sides, not?!

In my test environment running 8.4(2) everything works perfectly!

Regards Uwe
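When one flow works and a near-identical one does not, the useful move is to run packet-tracer for both (port 22 and port 21 here) and diff the phase lists rather than eyeball them: a phase list that differs between the two flows (for instance a NAT phase present for one and missing for the other) points at the rule that did not match. The parser below is an added example, not code from the post; it turns packet-tracer output into a structure you can compare and assert on. The sample trace is constructed from the phases quoted above.

```python
"""Parse Cisco ASA packet-tracer output into phases plus a final verdict.

Added example (not from the forum thread). SAMPLE_TRACE is constructed
from the two phases and the drop reason quoted in the original post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   outside-network    outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up

Action: drop
Drop-reason: (no-route) No route to host
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    summary: Dict[str, str] = field(default_factory=dict)   # input-/output- interface and status
    action: Optional[str] = None
    drop_reason: Optional[str] = None


def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()


def parse_trace(text: str) -> Trace:
    """State machine over the lines: per-phase fields, then the summary block."""
    trace = Trace()
    phase: Optional[Phase] = None
    section: Optional[str] = None  # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"Phase:\s*\d+", line):
            phase = Phase(number=int(_value(line)))
            trace.phases.append(phase)
            section = None
        elif line.startswith("Action:"):
            trace.action = _value(line)
            phase = None
        elif line.startswith("Drop-reason:"):
            trace.drop_reason = _value(line)
            phase = None
        elif phase is not None:
            if line == "Result:":            # bare "Result:" opens the final summary
                phase = None
            elif line.startswith("Type:"):
                phase.type = _value(line)
            elif line.startswith("Subtype:"):
                phase.subtype = _value(line)
            elif line.startswith("Result:"):
                phase.result = _value(line)
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section == "config":
                phase.config.append(line)
            elif section == "info":
                phase.info.append(line)
        elif ":" in line:                     # summary block (input-interface: inside, ...)
            key, val = line.split(":", 1)
            if val.strip():
                trace.summary[key.strip()] = val.strip()
    return trace


def phase_types(trace: Trace) -> List[str]:
    """Phase types in order; diff this between the working and failing flow."""
    return [p.type for p in trace.phases]


def verdict(trace: Trace) -> str:
    """One line: where the packet went and, for a drop, why."""
    path = f"{trace.summary.get('input-interface', '?')} -> {trace.summary.get('output-interface', '?')}"
    if trace.action == "drop":
        return f"DROP {path}: {trace.drop_reason}"
    return f"{(trace.action or '?').upper()} {path} after {len(trace.phases)} phases"


if __name__ == "__main__":
    t = parse_trace(SAMPLE_TRACE)
    print(phase_types(t))
    print(verdict(t))
```

Capture the output of both packet-tracer runs (the ASA's own `packet-tracer input inside tcp ... 22` and `... 21`), feed each to `parse_trace`, and compare `phase_types()`; the failing flow here stops after ROUTE-LOOKUP with the no-route drop reason, which the parser exposes as `drop_reason` instead of leaving it buried in the text.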

2 Accepted Solutions (both replies from Jouni Forss; marked as such in the thread below)

6 Replies

Jouni Forss (VIP Alumni)

Hi,

What is the purpose of this NAT configuration if you only need to enable outbound SFTP and FTP access?

Are other users using a different NAT IP address than the "outside" interface IP address that is used in these configurations? I mean, is the purpose to modify certain users' FTP/SFTP traffic to certain destination addresses so that they have their own NAT IP?

It also seems to me that the above format of the "nat" configuration is not valid, as after "destination static" you only have a single object listed while there should be two. It should have the "object" / "object-group" for the mapped and real addresses.

Also provide the "object" / "object-group" configurations used in the NAT configurations and the actual "packet-tracer" commands used.

Though I have to say that there have been several problems with NAT (bugs) in the newer software, so I wouldn't rule that out.

- Jouni

Hello,

we need these NAT rules because our outside network consists of several subnets, and these subnets don't know about the inside network, so we are solving the routing problem with it. But some hosts on the outside are located in the subnet directly connected to the ASA and have a route set to the ASA, so there is no routing problem there, and our software vendor recommends using a "direct connection" without NAT for these servers (don't ask me why; for me this makes no sense...). That's why we don't use global NAT on outside.

About the "destination static" you are completely right; it was my mistake while anonymizing the rules. outside-servers appears twice in the rule:

nat (inside,outside) source dynamic inside-hosts interface destination static outside-servers outside-servers service SFTP SFTP
nat (inside,outside) source dynamic inside-hosts interface destination static outside-servers outside-servers service FTP FTP

Here are the object-groups:

object-group network inside-hosts
 network-object host 10.x.x.1
 network-object host 10.x.x.2
 network-object host 10.x.x.3
object-group network outside-servers
 network-object host 172.x.x.1
 network-object host 172.x.x.2
 network-object host 172.x.x.3

The packet-tracer command used was:

packet-tracer input inside tcp 10.x.x.2 2345 172.x.x.3 21

Output as above.

Regards Uwe
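The one-object-after-"destination static" slip that Jouni spotted is easy to make when editing or anonymizing rules, and the ASA's twice-NAT grammar is rigid about operand counts: "source static|dynamic" takes real then mapped, "destination static" takes mapped then real, and "service" takes real then mapped service objects. The validator below is an added example, not code from the thread or from Cisco; it encodes that operand-count check and also resolves the referenced "object service" definitions so you can see which destination port each rule actually matches. The sample config lines are the service objects and the two rule variants (the broken one from the first post, the corrected one from this reply).

```python
"""Validate Cisco ASA twice-NAT (manual NAT) rule lines.

Added example (not from the forum thread, not Cisco code). It checks the
operand counts of the ASA 8.3+ twice-NAT grammar:
  nat (real_ifc,mapped_ifc) source {static|dynamic} REAL MAPPED
      [destination static MAPPED REAL] [service REAL_SVC MAPPED_SVC] [options]
CONFIG is constructed from the service objects posted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Keywords that terminate an operand list in a twice-NAT rule.
KEYWORDS = {
    "destination", "service", "description", "unidirectional", "no-proxy-arp",
    "route-lookup", "inactive", "dns", "net-to-net",
}

CONFIG = """\
object service SFTP
 service tcp source range 1024 65535 destination eq 22
object service FTP
 service tcp source range 1024 65535 destination eq 21
"""

# The rule as first posted (one object after "destination static") and as corrected.
BROKEN_RULE = ("nat (inside,outside) source dynamic inside-hosts interface "
               "destination static outside-servers service FTP FTP")
FIXED_RULE = ("nat (inside,outside) source dynamic inside-hosts interface "
              "destination static outside-servers outside-servers service FTP FTP")


def parse_service_objects(config: str) -> Dict[str, str]:
    """Map each 'object service NAME' to its 'service ...' definition line."""
    objects: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object service (\S+)$", line)
        if m:
            current = m.group(1)
            objects[current] = ""
        elif current and line.startswith("service "):
            objects[current] = line
        elif line:
            current = None  # any other top-level command ends the object block
    return objects


def destination_port(service_def: str) -> Optional[str]:
    """Return the 'destination eq PORT' value of a service definition, if present."""
    m = re.search(r"destination eq (\S+)", service_def)
    return m.group(1) if m else None


def _operands(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Collect operand tokens from position i up to the next keyword."""
    out: List[str] = []
    while i < len(tokens) and tokens[i] not in KEYWORDS:
        out.append(tokens[i])
        i += 1
    return out, i


def parse_nat_rule(line: str) -> dict:
    """Split a twice-NAT line into its parts; raise ValueError on a syntax problem."""
    t = line.split()
    if len(t) < 4 or t[0] != "nat":
        raise ValueError("not a 'nat' command")
    m = re.fullmatch(r"\(([^,()]+),([^,()]+)\)", t[1])
    if not m:
        raise ValueError(f"bad interface pair {t[1]!r}")
    rule = {"real_ifc": m.group(1), "mapped_ifc": m.group(2),
            "source": None, "destination": None, "service": None, "options": []}
    if t[2] != "source" or t[3] not in ("static", "dynamic"):
        raise ValueError("expected 'source static|dynamic' after the interface pair")
    ops, i = _operands(t, 4)
    if len(ops) != 2:
        raise ValueError(f"source {t[3]} needs real and mapped operands, got {ops}")
    rule["source"] = (t[3], ops[0], ops[1])
    if i < len(t) and t[i] == "destination":
        if i + 1 >= len(t) or t[i + 1] != "static":
            raise ValueError("destination in twice NAT must be 'destination static'")
        ops, i = _operands(t, i + 2)
        if len(ops) != 2:
            raise ValueError(f"destination static needs mapped and real objects, got {ops}")
        rule["destination"] = (ops[0], ops[1])
    if i < len(t) and t[i] == "service":
        ops, i = _operands(t, i + 1)
        if len(ops) != 2:
            raise ValueError(f"service needs real and mapped service objects, got {ops}")
        rule["service"] = (ops[0], ops[1])
    rule["options"] = t[i:]
    return rule


def check_rule(line: str, service_objects: Dict[str, str]) -> List[str]:
    """Return problems found (empty list when the rule parses and its service refs resolve)."""
    try:
        rule = parse_nat_rule(line)
    except ValueError as exc:
        return [str(exc)]
    return [f"service object {name!r} is not defined"
            for name in (rule["service"] or ()) if name not in service_objects]


if __name__ == "__main__":
    svc = parse_service_objects(CONFIG)
    for rule in (BROKEN_RULE, FIXED_RULE):
        print(check_rule(rule, svc) or "ok", "->", {n: destination_port(d) for n, d in svc.items()})
```

Running it reports the missing second object for the first-post rule and accepts the corrected one; the rule without a "service" section (the workaround discussed later in the thread) also passes, since "service" is optional in this grammar. A passing syntax check says nothing about whether the ASA's NAT engine then behaves correctly, which is the actual question in this thread.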

Accepted Solution

Hi,

So if I understood your situation correctly, you need to have the traffic go through the firewall without NAT, and this is why you need to specify some traffic that needs NAT and can't apply that NAT to all the traffic between these interfaces.

I would have to guess that this is some sort of bug. I know there have been some bugs related to Manual NAT and FTP specifically.

This was the only Bug ID I managed to find at the moment, but it doesn't exactly match your situation while otherwise being similar. In that case configuring the type of NAT you have just caused other NAT to fail.


I would suggest going with some other software. I guess the latest software levels to choose from would be

  • 8.4(6)
  • 9.0(3)
  • 9.1(2)

I have mainly stayed on the 8.4(x) software levels. Of course there is no guarantee that they wouldn't have some bugs in them also.

Or, if your situation permits that this NAT can be done between these internal and external hosts for all services, then I would try to lose the "service" section of the "nat" configuration and try with that.

- Jouni

Accepted Solution

Also, to add a little,

You don't necessarily need to specify the "source" ports in the "object service". It should work fine with the "destination" parameters. I assume the idea was to do NAT when the internal hosts were accessing an external FTP/SFTP server?

- Jouni

Hello,

Yes, you understood correctly, that's exactly my situation!

Thanks a lot for the bug; so it seems to be a problem on the ASA itself and not in my mind! :-)

"Or, if your situation permits that this NAT can be done between these internal and external hosts for all services, then I would try to lose the "service" section of the "nat" configuration and try with that."

That's what I have implemented at the moment as a workaround: NAT all traffic between inside-hosts and outside-servers, and additionally only permit FTP and SFTP traffic via an access-list on the inside interface.

Thanks a lot for your replies!!

Regards Uwe

Hi,

I guess the solution to use the original configuration would probably be to change to some other software than 9.1(1) if that is possible. As you mentioned, it worked on the 8.4(2) software level.

I think I might try this out later today at home with my ASA and see if I can replicate the problem. I will let you know how it goes if I test it.

Please do remember to mark a reply as the correct answer if it answered your question, or rate helpful answers.

- Jouni
