ASA Static NAT & ACL Configuration Confusion

Warning – This topic, I’m sure, has been covered more than a few million times :)

So today I was called on after one of the guys on the team couldn’t get external RDP access to an internal host working for a user. I logged onto the ASA and did the normal “show run” and at first even I was fooled, mainly because I manage most of my host naming using “names”:

name 10.1.31.26 hosta_int
name 172.32.3.3 hostb_ext

Skimming quickly through the config didn’t help, so I removed the names, slowed down and began looking again. I was looking at the hit counts, the interfaces, all sorts of things, until I slowed down and looked at exactly what the problem was.

The inside IP address of the host needing to be remotely accessible was 10.1.31.26 and the (sanitized) public IP is 172.16.3.3. It looked like this:

access-list outside line 8 extended permit tcp any host 10.1.31.26 eq 3389 (hitcnt=0)

This ACL, as you can see, doesn’t have a single hit; “hitcnt” is the number of times traffic has matched this entry. See the problem? Basically, the IP used in the ACL is incorrect: the IP in the above statement is the inside IP of our target host. When you think about how ACLs are evaluated on the ASA, you’ll quickly pick out where one of the problems is.

Permit TCP communication ->  From Any host > To our INSIDE IP 10.1.31.26 -> On Port 3389

Looks almost right though, ey? Not exactly how it should be applied. The problem is that it’s impossible for this public internet-facing interface to receive traffic destined for a host inside your network on an RFC1918 address :)

Think OUTSIDE: the ISP routes the subnets you own to your firewall/router, so the internet knows how to get to us at 172.16.3.3. Because we have an ACL filtering inbound traffic on that outside interface, that ACL has to match on the public IP users are trying to connect to externally. The inbound ACL is checked first, and it needs to say that traffic coming in for 172.16.3.3 is allowed. After it makes it past that point, the static NAT mapping is applied and the traffic is forwarded to our host at 10.1.31.26 on port 3389. But one thing at a time; let’s correct the ACL.

asa(config)#access-list outside line 8 extended permit tcp any host 172.16.3.3 eq 3389

Now it reads:

Permit TCP communication ->  From Any host > To our OUTSIDE IP 172.16.3.3 -> On Port 3389

Sounds more like what we’re trying to do! Now to move on to the static NAT mapping:

static (INSIDE,Out) 10.1.31.26 172.16.3.3  netmask 255.255.255.255

Again, it looks right when you consider the structure of this statement. This command can be tricky, but the correct syntax is:

static (INSIDE,OUT) extIP inIP netmask xxx.xxx.xxx.xxx

The reason behind this ordering has to do with interface security levels: the static permits access from a lower-security-level interface to a host behind a higher-security-level one. In this case:

interface GigabitEthernet0/0
description OUTSIDE
nameif Out
security-level 0
ip address 172.16.3.1 255.255.255.0
!
interface GigabitEthernet0/1.2
vlan 3
nameif INSIDE
security-level 20
ip address 10.1.31.17 255.255.255.240

You can read more on this in the references below.

In any case, the correct statement for us is:

static (INSIDE,Out) 172.16.3.3 10.1.31.26  netmask 255.255.255.255

In order for this static NAT to work at all, our ACL has to be in order, and we fixed that earlier. Our static NAT statement is also straight now. So at this point I tried to connect to the host myself to test out the changes; let’s see…
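To make the two rules above checkable rather than eyeballed, here is an added Python linter (example code, not from the post and not Cisco’s) that parses the interface blocks, the pre-8.3 static statement and the inbound ACE, and reports exactly the two mistakes from this post: a static with the mapped and real addresses reversed, and an ACL that names the real address where a pre-8.3 ASA needs the mapped one. The config samples are constructed from the sanitized addresses shown in the post; the access-group line in them is an assumption, since the post never shows how the ACL is bound to the Out interface. The post_83 switch only flips which address the ACL is expected to reference (8.3 and later use object NAT rather than static, which this example does not parse).

```python
"""Lint a pre-8.3 ASA static + inbound ACL pair (added example, not the post's code)."""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+) +netmask (?P<mask>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+)(?: line \d+)? extended permit (?P<proto>\S+) "
    r"(?P<src>.+?) host (?P<dst>\S+) eq (?P<port>\S+)")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\S+)")

# Constructed samples using the post's sanitized addresses. The access-group
# line is an assumption: the post never shows how the ACL is bound to Out.
INTERFACES = """\
interface GigabitEthernet0/0
 nameif Out
 security-level 0
 ip address 172.16.3.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 nameif INSIDE
 security-level 20
 ip address 10.1.31.17 255.255.255.240
"""
BROKEN = INTERFACES + """\
access-list outside extended permit tcp any host 10.1.31.26 eq 3389
access-group outside in interface Out
static (INSIDE,Out) 10.1.31.26 172.16.3.3 netmask 255.255.255.255
"""
FIXED = INTERFACES + """\
access-list outside extended permit tcp any host 172.16.3.3 eq 3389
access-group outside in interface Out
static (INSIDE,Out) 172.16.3.3 10.1.31.26 netmask 255.255.255.255
"""


def parse_interfaces(config):
    """Map nameif -> {"level": int, "network": ip_network} from interface blocks."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {}
        elif cur is not None and line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cur["network"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces


def lint(config, post_83=False):
    """Return findings as strings; an empty list means the static/ACL pair is consistent."""
    ifaces = parse_interfaces(config)
    lines = [ln.strip() for ln in config.splitlines()]
    statics = [m.groupdict() for m in map(STATIC_RE.match, lines) if m]
    acls = [m.groupdict() for m in map(ACL_RE.match, lines) if m]
    groups = {m["name"]: m["ifc"] for m in map(GROUP_RE.match, lines) if m}
    findings = []
    for s in statics:
        real_if, mapped_if = ifaces[s["real_ifc"]], ifaces[s["mapped_ifc"]]
        # Exposing an inside host means real_ifc must be the higher-security side.
        if real_if["level"] <= mapped_if["level"]:
            findings.append(f"static: {s['real_ifc']} (level {real_if['level']}) is not higher "
                            f"security than {s['mapped_ifc']} (level {mapped_if['level']})")
        mapped_ip = ipaddress.ip_address(s["mapped_ip"])
        real_ip = ipaddress.ip_address(s["real_ip"])
        # Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip. When the first
        # address sits on the real subnet and the second on the mapped subnet, the
        # two positional arguments were reversed (the mistake in the post).
        if mapped_ip in real_if["network"] and real_ip in mapped_if["network"]:
            findings.append(f"static: addresses reversed, expected 'static ({s['real_ifc']},"
                            f"{s['mapped_ifc']}) {real_ip} {mapped_ip} netmask {s['mask']}'")
            mapped_ip, real_ip = real_ip, mapped_ip  # carry on with the intended roles
        # Pre-8.3 the inbound ACL is checked before NAT, so it must name the mapped
        # (public) address; 8.3+ evaluates ACLs against the real address instead.
        expect = real_ip if post_83 else mapped_ip
        for ace in acls:
            dst = ipaddress.ip_address(ace["dst"])
            if dst in (mapped_ip, real_ip) and dst != expect:
                findings.append(f"access-list {ace['name']}: host {dst} is the "
                                f"{'real' if dst == real_ip else 'mapped'} address, "
                                f"{'8.3+' if post_83 else 'pre-8.3'} needs host {expect}")
    # An ACE filters nothing until its ACL is bound to an interface with access-group.
    for name in sorted({ace["name"] for ace in acls}):
        if name not in groups:
            findings.append(f"access-list {name} is never applied with access-group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or ["OK"])
```

Run against the broken pair the linter reports both the reversed static and the ACE pointing at the inside address; the corrected pair comes back clean, and the same corrected pair run with post_83=True is flagged the other way round, which is the version-dependent behaviour Harris raises in the comments.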

asa(config)#show access-list outside
access-list outside line 8 extended permit tcp any host 172.16.3.3 eq 3389 (hitcnt=2)

As you can see, we now have some hit counts, and yep! I was successful. Another day defeated! :)

References

Applies to ASA 7.2.x

Access Lists and NAT on Cisco ASA Firewalls

PIX/ASA 7.x : Port Redirection(Forwarding) with nat, global, static and access-list Commands

As always, pointing out anything that you see here that is incorrect or inaccurate is greatly appreciated!

Be sure to rate this post to bring useful material to new and browsing readers!

Cheers!

@LBSources :)


4 comments to ASA Static NAT & ACL Configuration Confusion

  • Hi Leonard, this is Harris Andrea from tech21century.com.

    Excellent post above. However I wanted to step in and clarify a small point. Whatever you mentioned above is correct for ASA versions prior to 8.3. Now, with ASA version 8.3 and later, Cisco has changed a few things about NAT and Access Lists. Regarding ACLs, now you have to reference the real private IP address and NOT the outside public IP. So in your case (if you had an ASA 8.3) the ACL should have been:

    access-list outside line 8 extended permit tcp any host 10.1.31.26 eq 3389

    Just a clarification.

    Thanks a lot

    Harris

    • Hi Harris – I did mention this post applies to ASA 7.2.x :) I’ve heard many stories of how the changes in NAT have been good and bad. Especially when you upgrade to the new code and don’t review all changes in the new code.

      But thanks for pointing that out :)

  • By the way, I really liked the parallelism you made about ICMP echo and Life. That was a good one.

    Cheers

    Harris
