ASA Transparent Mode NAT

From: Bogdan Sass <bogd.no.spam_at_gmail.com>
Date: Fri, 03 Feb 2012 20:39:35 +0200

     I've been trying for the last 3 or 4 hours to get NAT to work
through a transparent mode ASA firewall. And I am very thoroughly stuck.

     The config is an extremely basic one (based on the one from the INE
Sec WB Vol. 1)

R3--------------------(inside) ASA (outside)------------------R4

     The network between the devices is 136.1.100.0/24. R3 has IP
address 192.168.0.3 on Lo1, and that IP is translated to 136.1.200.100
when going through the ASA.

     I see the ping packet leaving, being translated, and I see R4
sending the echo reply. However... that's the last I see of the packet.
It doesn't seem to reach R3 - it's just silently eaten by the ASA.

R3#p 136.1.100.4 so lo1 repe 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 136.1.100.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.3
.
Success rate is 0 percent (0/1)

R4#deb ip icmp
ICMP packet debugging is on
R4#
*Feb 3 19:03:43.931: ICMP: echo reply sent, src 136.1.100.4, dst 136.1.200.100

ASA1(config)# logg con 7
ASA1(config)# logg en

%ASA-7-609001: Built local-host outside:136.1.100.4
%ASA-6-305011: Built dynamic ICMP translation from inside:192.168.0.3/12 to outside:136.1.200.100/2242
%ASA-6-302020: Built outbound ICMP connection for faddr 136.1.100.4/0 gaddr 136.1.200.100/2242 laddr 192.168.0.3/12
%ASA-6-302021: Teardown ICMP connection for faddr 136.1.100.4/0 gaddr 136.1.200.100/2242 laddr 192.168.0.3/12
%ASA-7-609002: Teardown local-host outside:136.1.100.4 duration 0:00:00

     With nothing in the ASA logs, and no packet-capture, I'm at a loss.
I don't know what else I can try in order to troubleshoot this.

     If anyone can point me in the right direction, I would appreciate it!

     R3 and R4 are 2811 routers, 12.4(24)T2.
     ASA is a 5510 device, 8.0(4)

     The configs are below.

     Thank you!

-- 
Bogdan Sass
CCSP,LPIC-1,VCP5,CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"

=====================================================================================
ASA1# sh run
: Saved
:
ASA Version 8.0(4)
!
firewall transparent
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
  nameif outside
  security-level 0
!
interface Ethernet0/1
  nameif inside
  security-level 100
!
interface Ethernet0/2
  shutdown
  no nameif
  no security-level
!
interface Ethernet0/3
  shutdown
  no nameif
  no security-level
!
interface Management0/0
  shutdown
  no nameif
  no security-level
  management-only
!
ftp mode passive
access-list OUTSIDE_IN extended permit ip any any
pager lines 24
logging enable
logging console debugging
mtu inside 1500
mtu outside 1500
ip address 136.1.100.12 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 136.1.200.100
nat (inside) 1 192.168.0.3 255.255.255.255
access-group OUTSIDE_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
  match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
  parameters
   message-length maximum 512
policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
   inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a125a308d28ac00e78419a0d23e16c48
: end
=====================================================================================
R3#sh run
Building configuration...
Current configuration : 1281 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
no ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
archive
  log config
   hidekeys
!
!
!
!
!
!
!
!
!
interface Loopback0
  ip address 150.1.3.3 255.255.255.0
  no ip route-cache
!
interface Loopback1
  ip address 192.168.0.3 255.255.255.0
  no ip route-cache
!
interface FastEthernet0/0
  ip address 136.1.100.3 255.255.255.0
  no ip route-cache
  duplex auto
  speed auto
!
interface FastEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
!
interface Serial0/0/0
  no ip address
  shutdown
  no fair-queue
  clock rate 2000000
!
interface Serial0/0/1
  no ip address
  shutdown
  clock rate 2000000
!
interface Serial0/1/0
  no ip address
  shutdown
!
interface Serial0/1/1
  no ip address
  shutdown
!
ip forward-protocol nd
ip route 150.1.4.4 255.255.255.255 136.1.100.4
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
  login
!
scheduler allocate 20000 1000
end
=====================================================================================
R4#sh run
Building configuration...
Current configuration : 1222 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
memory-size iomem 5
!
dot11 syslog
ip source-route
!
!
no ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
archive
  log config
   hidekeys
!
!
!
!
!
!
!
!
!
interface Loopback0
  ip address 150.1.4.4 255.255.255.0
  no ip route-cache
!
interface FastEthernet0/0
  no ip address
  shutdown
  duplex auto
  speed auto
!
interface FastEthernet0/1
  ip address 136.1.100.4 255.255.255.0
  no ip route-cache
  duplex auto
  speed auto
!
interface Serial0/0/0
  no ip address
  shutdown
  no fair-queue
  clock rate 2000000
!
interface Serial0/0/1
  no ip address
  shutdown
  clock rate 2000000
!
ip forward-protocol nd
ip route 136.1.200.100 255.255.255.255 136.1.100.3
ip route 150.1.3.0 255.255.255.0 136.1.100.3
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
  login
!
scheduler allocate 20000 1000
end
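Added example (not part of the original post or any Cisco tooling): a small parser for the %ASA-6-305011 / 302020 / 302021 / 609002 syslog lines quoted above, which reconstructs the xlate and connection lifecycle for a flow so that "was the translation built, was the flow closed, and how long did the foreign-host entry live" can be read off a log instead of eyeballed. The sample input is constructed from the five lines in the post; the record layout and function name are my own.

```python
import re

# Constructed sample input: the five ASA syslog lines quoted in the post.
SAMPLE_LOG = """\
%ASA-7-609001: Built local-host outside:136.1.100.4
%ASA-6-305011: Built dynamic ICMP translation from inside:192.168.0.3/12 to outside:136.1.200.100/2242
%ASA-6-302020: Built outbound ICMP connection for faddr 136.1.100.4/0 gaddr 136.1.200.100/2242 laddr 192.168.0.3/12
%ASA-6-302021: Teardown ICMP connection for faddr 136.1.100.4/0 gaddr 136.1.200.100/2242 laddr 192.168.0.3/12
%ASA-7-609002: Teardown local-host outside:136.1.100.4 duration 0:00:00
"""

# 305011: dynamic xlate built.  Groups: proto, real ifc, real ip, real port, mapped ifc, mapped ip, mapped port.
XLATE_RE = re.compile(
    r"%ASA-\d-305011: Built dynamic (\w+) translation from "
    r"(\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+)")
# 302020 / 302021: connection built / torn down.  "outbound"/"inbound" only appears on the Built line.
CONN_RE = re.compile(
    r"%ASA-\d-3020(?:20|21): (Built|Teardown) (?:(outbound|inbound) )?(\w+) connection for "
    r"faddr ([\d.]+)/(\d+) gaddr ([\d.]+)/(\d+) laddr ([\d.]+)/(\d+)")
# 609002: local-host entry torn down, with its lifetime as H:MM:SS.
HOST_RE = re.compile(r"%ASA-\d-609002: Teardown local-host (\w+):([\d.]+) duration (\d+):(\d\d):(\d\d)")


def summarize_nat_log(log_text):
    """Return one record per (proto, mapped ip, mapped port) seen in the log.

    Each record carries the real address the xlate maps from, the foreign
    address, whether the connection was built and torn down, the direction
    of the Built message, and the lifetime of the foreign local-host entry.
    A lifetime of 0 seconds (as in the post) means the teardown was immediate
    rather than driven by the 'timeout icmp' idle timer.
    """
    conns, hosts = {}, {}
    for line in log_text.splitlines():
        if m := XLATE_RE.match(line):
            key = (m[1], m[6], m[7])
            conns.setdefault(key, {}).update(real=f"{m[3]}/{m[4]}", real_ifc=m[2], mapped_ifc=m[5])
        elif m := CONN_RE.match(line):
            rec = conns.setdefault((m[3], m[6], m[7]), {})
            rec["faddr"] = f"{m[4]}/{m[5]}"
            rec["built" if m[1] == "Built" else "torn_down"] = True
            if m[2]:
                rec["direction"] = m[2]
        elif m := HOST_RE.match(line):
            hosts[m[2]] = int(m[3]) * 3600 + int(m[4]) * 60 + int(m[5])
    for rec in conns.values():
        rec.setdefault("built", False)
        rec.setdefault("torn_down", False)
        rec["host_duration_s"] = hosts.get(rec.get("faddr", "").split("/")[0])
    return conns
```

Running it over a longer `logging console debugging` capture flags flows that were built but never torn down, or torn down by timer instead of immediately, which is the first thing to compare against the sequence shown above.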
Received on Fri Feb 03 2012 - 20:39:35 ART