Cisco ASA – NAT Forcing Traffic Out Wrong Interface on Cisco ASA

cisco-asa

Cisco ASA 5508, 9.6.3 code. I have 2 outside interfaces BACKUP and PRIMARY and a INSIDE interface. For some reason the NAT sends traffic out the BACKUP interface even when BACKUP is down!


[Edit I have isolated the issue and made this question simpler]

I have found that if you're using twice NAT that has a destination, the ASA will route the packet based on the NAT and completely ignore the routing table. Here is the relevant config.

interface GigabitEthernet0/0
 nameif PRIMARY
 security-level 0
 ip address 22.22.22.22 255.255.255.240
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.16.1.10 255.255.255.0
interface GigabitEthernet0/2
 nameif BACKUP
 security-level 0
 ip address 33.33.33.33 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 22.22.22.23 1

object network OBJ-55.55.55.55
 host 55.55.55.55
object service OBJ-HTTP
 service tcp destination eq 80
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55 
nat (INSIDE,PRIMARY) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55 
nat (INSIDE,any) source static any any service OBJ-HTTP OBJ-HTTP no-proxy-arp

My goal is to NAT traffic going to 55.55.55.55 to the Interface, and nonat everything else that's on port 80.

When I do this config and try a packet trace, we can see it takes the wrong path.

ASA-DEV# packet-tracer input INSIDE tcp 172.16.1.99 2222 55.55.55.55 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:
NAT divert to egress interface BACKUP-INTERNET-TEST
Untranslate 55.55.55.55/80 to 55.55.55.55/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-INSIDE-IN in interface INSIDE
access-list ACL-INSIDE-IN extended permit ip any host 55.55.55.55
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:
Static translate 172.16.1.99/2222 to 192.168.79.1/2222

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: inspect-http
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http PMAP-HTTP-INSPECT
service-policy global_policy global
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1404251, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: BACKUP
output-status: down
output-line-status: down
Action: allow

Some more show commands:

ASA-DEV(config)# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 208.69.250.17 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 22.22.22.23, OUTSIDE
C        172.16.1.0 255.255.255.0 is directly connected, INSIDE

ASA-DEV(config)# sho int ip brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         22.22.22.22     YES CONFIG up                    up
GigabitEthernet0/1         172.16.1.10     YES CONFIG up                    up
GigabitEthernet0/2         33.33.33.33     YES manual down                  down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down

As you can see my routing table is bare bones and my BACKUP interface (G0/2) isn't even up. SO WHY ON EARTH IS THE NAT TRYING TO ROUTE OUT THE BACKUP INTERFACE!?

Best Answer

This is a very specific part of the ASA packet processing that many don't know about, called the NAT Divert Check.

Simply explained here:

The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface.

If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.

If there is a rule that explicitly specifies how to translate the packet's destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.

Cisco has stated these NAT rules are intended to override the routing table.

You can use an EEM script as a workaround to keep your NAT statements and still make it work. The script relies on IP SLA tracking: it watches for the syslog message that an IP SLA failure would trigger, then adds or removes your NAT when that happens. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html
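As an added check (not part of the question or the answer), a small Python parser that reads packet-tracer output and flags the condition shown above: an UN-NAT phase whose "NAT divert to egress interface" pulled the flow to an interface the final Result block reports as down. The embedded trace is a constructed abridgement of the question's output.

```python
import re

# Constructed sample: an abridged packet-tracer trace in the style of the one in the question.
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:
NAT divert to egress interface BACKUP
Untranslate 55.55.55.55/80 to 55.55.55.55/80

Result:
input-interface: INSIDE
input-status: up
output-interface: BACKUP
output-status: down
output-line-status: down
Action: allow
"""

def parse_trace(trace):
    """Split packet-tracer output into phase blocks and the final Result block (blank-line separated)."""
    phases, result = [], {}
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        # 'Key: value' lines become fields; colon-free lines (the nat rule itself) stay in 'lines'
        fields = {k.strip(): v.strip() for k, sep, v in (ln.partition(":") for ln in lines) if sep}
        if lines[0].startswith("Result:"):
            result = fields
        else:
            phases.append({**fields, "lines": lines})
    return phases, result

def check_divert(trace):
    """Report whether a destination-NAT rule diverted the flow, and whether that egress is down."""
    phases, result = parse_trace(trace)
    for p in phases:
        if p.get("Type") != "UN-NAT":
            continue
        m = re.search(r"NAT divert to egress interface (\S+)", "\n".join(p["lines"]))
        if not m:
            continue
        rule = next((ln for ln in p["lines"] if ln.startswith("nat ")), "<rule not shown>")
        # Divert ignores link state, so compare the chosen egress against the Result block
        down = result.get("output-status") == "down" or result.get("output-line-status") == "down"
        return {"diverted": True, "egress": m.group(1), "egress_down": down, "rule": rule}
    # No destination-translating rule matched: the egress came from the routing table
    return {"diverted": False, "egress": result.get("output-interface"), "egress_down": False, "rule": None}
```

Running `check_divert` over a saved trace tells you which nat line is responsible, which is the line an EEM workaround would have to add or remove.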