Tricky Twice NAT scenario

lunadesign
Level 1

I'm setting up my first ASA 5505 (Security Plus) and want to make sure I'm doing this correctly.

I have a web server on my inside network.  The web server's internal IP is 192.168.1.53.  The web server runs on port 9000.  I want this accessible from several internal VLANs.  I also want to expose this web server externally on one of my static public IPs, x.x.x.172, also on port 9000.

Here's the catch:  My internal users sometimes need to access the web server using the *external* hostname/IP, so I need to enable hairpinning.

I started using Network Object NAT but found that I had to use Twice NAT to get the hairpin scenario to work.  I experimented some more and found that if I adjusted my Twice NAT rule, I didn't need the Network Object NAT rules anymore.

I set this up and it seems to work great internally and externally.  Before I set up a few dozen more of these for different server/port combinations, I wanted to run this by you experts to see if there are any issues with this config that will bite me later down the road.

same-security-traffic permit intra-interface
object network PUBLIC-172
 host x.x.x.172
object network INTERNAL-53
 host 192.168.1.53
object service PORT-9000
 service tcp destination eq 9000
access-list OutsideIn extended permit tcp any host 192.168.1.53 eq 9000
access-group OutsideIn in interface outside
nat (any,inside) source static any interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

Thanks!

6 Replies

I would be careful using the any keyword.  In this case you would be allowing everyone access to the server using the external IP (given that access lists permit the connection also).  It is always a best practice to be very specific with what you configure on the ASA.

Of course if you don't have a very strict security policy and are allowed to do this, then there is nothing wrong with doing it.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for the quick reply.

Which "any" were you referring to?  The one in parens representing the "real" interface or the one after the keyword "static"?

lunadesign
Level 1

And sure enough, I've found a hole.

It appears this NAT rule is being triggered if an internal user tries to go to the internal server URL from one of the VLANs.  The web page doesn't come up and the ASA syslog has this:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src vlan10:192.168.10.12/3952 dst inside:192.168.1.53/9000 denied due to NAT reverse path failure

I really only want the NAT rules to trigger when a user is accessing the external URL not the internal one so I'm definitely doing something wrong here.

nat (any,inside) source static any interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

I was referring to both.

I thought that both the host PC and the server were located on the same network?

try changing the source static to source dynamic...and test

--
Please remember to select a correct answer and rate helpful posts

Thanks again for your help!

To be clear, I have two client PCs I'm testing with.  One on the "inside" VLAN and one on the "work" VLAN.

If I take out the first "any", I have to reproduce the rule N times for each of my VLANs.  However, even after doing this I'm seeing the same issue -- works if the client PC is on the "inside" VLAN, fails with "reverse path failure" if the client PC is on any other internal VLAN.

I tried replacing the second "any" with INTERNAL-53, and the requests to the internal URL now work from the other VLANs, but now the requests to the external URL from those same PCs don't work.  I'm not seeing anything in the syslog though.

Changing from "source static" to "source dynamic" didn't change anything either.

I think I'm being stumped by the tricky syntax of this NAT command.  In essence, I want something that implements "if an internal or external user requests this external URL, translate to this instead".  NAT shouldn't be getting involved if an internal user requests an internal URL.
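As an added illustration, not part of this thread and not a verified fix for the poster's setup, here is what the rule set looks like when it is written per source interface with specific network objects in place of the `any` keyword that Marius cautioned against. It follows the documented ASA 8.3+ twice NAT hairpin pattern, in which internal clients reaching the public address are PAT'd to the inside interface address so the server's replies return through the ASA, while traffic sent directly to 192.168.1.53 is never a match because the destination in every rule is the public address only. The interface names `vlan10` and `work` and the three internal subnets are assumptions; the thread only confirms the objects, the public IP, the server IP and port, and that a client on vlan10 sits at 192.168.10.12.

```text
! Added example, not the poster's working config and not a confirmed fix.
! Assumed interfaces: inside, vlan10, work. Assumed subnets below.
same-security-traffic permit intra-interface

object network PUBLIC-172
 host x.x.x.172
object network INTERNAL-53
 host 192.168.1.53
object service PORT-9000
 service tcp destination eq 9000

! One source object per VLAN instead of "any" (subnets are assumed)
object network NET-INSIDE
 subnet 192.168.1.0 255.255.255.0
object network NET-VLAN10
 subnet 192.168.10.0 255.255.255.0
object network NET-WORK
 subnet 192.168.20.0 255.255.255.0

! Outside users: only traffic addressed to x.x.x.172:9000 is translated
nat (outside,inside) source static any any destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

! Internal users reaching the external URL: one rule per source interface.
! The client is PAT'd to the inside interface address (hairpin), so the
! server answers the ASA and the reply is untranslated on the way back.
nat (inside,inside) source dynamic NET-INSIDE interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000
nat (vlan10,inside) source dynamic NET-VLAN10 interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000
nat (work,inside) source dynamic NET-WORK interface destination static PUBLIC-172 INTERNAL-53 service PORT-9000 PORT-9000

! On 8.3+ the ACL references the real (untranslated) server address
access-list OutsideIn extended permit tcp any host 192.168.1.53 eq 9000
access-group OutsideIn in interface outside
```

Splitting the single `(any,inside)` rule into one rule per interface pair does mean N rules per server/port combination, as the poster noted, but it also means each rule's reverse translation is scoped to one interface pair, and the exposure of the public address is limited to the listed source networks rather than every interface on the box. Whether this removes the reverse-path failure seen from vlan10 in the poster's environment is not established in the thread and would need to be tested with `packet-tracer` from each VLAN.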

Sorry for late reply as I have been away for a few weeks.

Do you require further assistance with this issue?

--
Please remember to select a correct answer and rate helpful posts