Re: ASA Transparent Mode NAT

From: Piotr Kaluzny <piotrk_at_ipexpert.com>
Date: Fri, 3 Feb 2012 19:53:55 +0100

Bogdan,

I would go ahead and add a route for the post-NAT address (136.1.200.100)
towards R3. The bottom line is that it should resolve via "inside".

Let us know if it helps

Regards,

--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
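An added illustration of the route Piotr suggests (editorial example, not text or configuration from either poster): on the ASA from the quoted config, the mapped address 136.1.200.100 stands in for a host behind R3, so the static route points out the inside interface toward R3's directly connected address 136.1.100.3, which is the only next hop on the 136.1.100.0/24 segment the transparent ASA knows. The `show route` and `packet-tracer` lines are the checks a practitioner would run afterwards; they are assumed to behave as on ASA 8.0(4), and their output is not shown because the thread does not include it. Whether this route alone resolves the problem is Piotr's suggestion, not a result confirmed in the thread.

```text
! Added example, not from the thread. Addresses are taken from the quoted configs:
! 136.1.200.100 = mapped (post-NAT) address, 136.1.100.3 = R3 FastEthernet0/0.
ASA1(config)# route inside 136.1.200.100 255.255.255.255 136.1.100.3 1
!
! Confirm the mapped address now resolves via "inside" rather than being unroutable.
ASA1(config)# show route
!
! Replay R4's echo reply (ICMP type 0, code 0) arriving on the outside interface,
! destined to the mapped address, and check that the route lookup and NAT phases pass
! before the packet is handed to the inside interface.
ASA1(config)# packet-tracer input outside icmp 136.1.100.4 0 0 136.1.200.100
```

If `packet-tracer` still drops the reply, the phase it reports as failing (route lookup, NAT, access list or inspection) narrows the search; a `capture` on the inside interface filtered on host 136.1.200.100 would then show whether the untranslated reply is actually forwarded toward R3.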
On Fri, Feb 3, 2012 at 7:39 PM, Bogdan Sass <bogd.no.spam_at_gmail.com> wrote:
>    I've been trying for the last 3 or 4 hours to get NAT to work through a
> transparent mode ASA firewall. And I am very thoroughly stuck.
>
>    The config is an extremely basic one (based on the one from the INE Sec
> WB Vol. 1)
>
> R3--------------------(inside) ASA (outside)------------------R4
>
>    The network between the devices is 136.1.100.0/24. R3 has IP address
> 192.168.0.3 on Lo1, and that IP is translated to 136.1.200.100 when going
> through the ASA.
>
>    I see the ping packet leaving, being translated, and I see R4 sending
> the echo reply. However... that's the last I see of the packet. It doesn't
> seem to reach R3 - it's just silently eaten by the ASA.
>
> R3#p 136.1.100.4 so lo1 repe 1
>
> Type escape sequence to abort.
> Sending 1, 100-byte ICMP Echos to 136.1.100.4, timeout is 2 seconds:
> Packet sent with a source address of 192.168.0.3
> .
> Success rate is 0 percent (0/1)
>
> R4#deb ip icmp
> ICMP packet debugging is on
> R4#
> *Feb  3 19:03:43.931: ICMP: echo reply sent, src 136.1.100.4, dst
> 136.1.200.100
>
>
> ASA1(config)# logg con 7
> ASA1(config)# logg en
>
> %ASA-7-609001: Built local-host outside:136.1.100.4
> %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.0.3/12 to outside:136.1.200.100/2242
> %ASA-6-302020: Built outbound ICMP connection for faddr 136.1.100.4/0 gaddr 136.1.200.100/2242 laddr 192.168.0.3/12
> %ASA-6-302021: Teardown ICMP connection for faddr 136.1.100.4/0 gaddr 136.1.200.100/2242 laddr 192.168.0.3/12
> %ASA-7-609002: Teardown local-host outside:136.1.100.4 duration 0:00:00
>
>    With nothing in the ASA logs, and no packet-capture, I'm at a loss. I
> don't know what else I can try in order to troubleshoot this.
>
>    If anyone can point me in the right direction, I would appreciate it!
>
>    R3 and R4 are 2811 routers, 12.4(24)T2.
>    ASA is a 5510 device, 8.0(4)
>
>    The configs are below.
>
>    Thank you!
>
> --
> Bogdan Sass
> CCSP,LPIC-1,VCP5,CCIE #22221 (RS)
> Information Systems Security Professional
> "Curiosity was framed - ignorance killed the cat"
>
>
>
> ASA1# sh run
> : Saved
> :
> ASA Version 8.0(4)
> !
> firewall transparent
> hostname ASA1
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> names
> !
> interface Ethernet0/0
>  nameif outside
>  security-level 0
> !
> interface Ethernet0/1
>  nameif inside
>  security-level 100
> !
> interface Ethernet0/2
>  shutdown
>  no nameif
>  no security-level
> !
> interface Ethernet0/3
>  shutdown
>  no nameif
>  no security-level
> !
> interface Management0/0
>  shutdown
>  no nameif
>  no security-level
>  management-only
> !
> ftp mode passive
> access-list OUTSIDE_IN extended permit ip any any
> pager lines 24
> logging enable
> logging console debugging
> mtu inside 1500
> mtu outside 1500
> ip address 136.1.100.12 255.255.255.0
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> global (outside) 1 136.1.200.100
> nat (inside) 1 192.168.0.3 255.255.255.255
> access-group OUTSIDE_IN in interface outside
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
> 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
> 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> no threat-detection statistics tcp-intercept
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
>  parameters
>  message-length maximum 512
> policy-map global_policy
>  class inspection_default
>  inspect dns preset_dns_map
>  inspect ftp
>  inspect h323 h225
>  inspect h323 ras
>  inspect rsh
>  inspect rtsp
>  inspect esmtp
>  inspect sqlnet
>  inspect skinny
>  inspect sunrpc
>  inspect xdmcp
>  inspect sip
>  inspect netbios
>  inspect tftp
>  inspect icmp
> !
> service-policy global_policy global
> prompt hostname context
> Cryptochecksum:a125a308d28ac00e78419a0d23e16c48
> : end
>
> =====================================================================================
>
>
> R3#sh run
> Building configuration...
>
>
> Current configuration : 1281 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R3
> !
> boot-start-marker
> boot-end-marker
> !
> logging message-counter syslog
> !
> no aaa new-model
> !
> dot11 syslog
> ip source-route
> !
> !
> no ip cef
> !
> !
> no ipv6 cef
> !
> multilink bundle-name authenticated
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> voice-card 0
> !
> !
> !
> !
> !
> archive
>  log config
>  hidekeys
> !
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
>  ip address 150.1.3.3 255.255.255.0
>  no ip route-cache
> !
> interface Loopback1
>  ip address 192.168.0.3 255.255.255.0
>  no ip route-cache
> !
> interface FastEthernet0/0
>  ip address 136.1.100.3 255.255.255.0
>  no ip route-cache
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Serial0/0/0
>  no ip address
>  shutdown
>  no fair-queue
>  clock rate 2000000
> !
> interface Serial0/0/1
>  no ip address
>  shutdown
>  clock rate 2000000
> !
> interface Serial0/1/0
>  no ip address
>  shutdown
> !
> interface Serial0/1/1
>  no ip address
>  shutdown
> !
> ip forward-protocol nd
> ip route 150.1.4.4 255.255.255.255 136.1.100.4
> no ip http server
> no ip http secure-server
> !
> !
> !
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  login
> !
> scheduler allocate 20000 1000
> end
>
>
>
>
>
>
> =====================================================================================
>
>
>
>
> R4#sh run
> Building configuration...
>
>
> Current configuration : 1222 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R4
> !
> boot-start-marker
> boot-end-marker
> !
> logging message-counter syslog
> !
> no aaa new-model
> memory-size iomem 5
> !
> dot11 syslog
> ip source-route
> !
> !
> no ip cef
> !
> !
> no ipv6 cef
> !
> multilink bundle-name authenticated
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> voice-card 0
> !
> !
> !
> !
> !
> archive
>  log config
>  hidekeys
> !
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
>  ip address 150.1.4.4 255.255.255.0
>  no ip route-cache
> !
> interface FastEthernet0/0
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 136.1.100.4 255.255.255.0
>  no ip route-cache
>  duplex auto
>  speed auto
> !
> interface Serial0/0/0
>  no ip address
>  shutdown
>  no fair-queue
>  clock rate 2000000
> !
> interface Serial0/0/1
>  no ip address
>  shutdown
>  clock rate 2000000
> !
> ip forward-protocol nd
> ip route 136.1.200.100 255.255.255.255 136.1.100.3
> ip route 150.1.3.0 255.255.255.0 136.1.100.3
> no ip http server
> no ip http secure-server
> !
> !
> !
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  login
> !
> scheduler allocate 20000 1000
> end
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
Received on Fri Feb 03 2012 - 19:53:55 ART

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART