ASA / Intermittent NAT problem

Discussion in 'Cisco' started by Mark Huizer, Aug 16, 2011.

Mark Huizer (Guest):

    Hi all,

    I'm kind of stuck trying to troubleshoot a problem I have with a set
    of Cisco ASA boxes. The box has address 217.x.y.26, and I've configured 2
    extra IP addresses: .15 to redirect http to a reverse proxy and .25 to
    redirect http/https to a server. Furthermore .15 is (ab)used to redirect
    a few ports to various machines for RDP.
    The webserver (192.168.1.201) is on the inside interface. The
    reverse proxy is on an extra interface "hb" with security level 50.

    So far so good, and this works almost all of the time.

    The weird thing is that a couple of times a day http traffic to .15 ends
    up at the webserver behind .25 (and the existing RDP sessions die).
    I didn't find any way to reproduce it. There is no obvious logic behind when it
    happens. I've checked various logs and I've tried capturing traffic,
    but nothing would explain such behaviour.

    Is this something anyone recognizes (and might trigger a "do this or check
    that"), or did I do something stupid in configuring the boxes?

    I've included a (slightly stripped) configuration which should include the
    relevant configuration items below.

    Thanks for any hints

    Mark

    ==============================

    ASA Version 8.2(1)
    !
    names
    name 192.168.128.3 INT_reverseproxy description reverse proxy internal address
    name 217.x.y.15 EXT_reverseproxy description reverse proxy external address
    name 192.168.1.201 INT_webserver description webserver internal address
    name 217.x.y.25 EXT_webserver description webserver external address
    name 192.168.1.210 dns1 description dns and ntp
    name 192.168.1.211 dns2 description dns and ntp
    name 192.168.128.0 ssncb-network description testnetwork
    name 192.168.128.101 INT_srv1
    name 192.168.128.102 INT_srv2
    name 192.168.128.103 INT_srv3
    name 192.168.128.104 INT_srv4
    name 192.168.128.105 INT_srv5
    name 192.168.128.106 INT_srv6

    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 217.x.y.26 255.255.255.224 standby 217.x.y.16

    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.253 255.255.255.0 standby 192.168.1.252

    interface Ethernet0/2
    description trunk for internal vlans
    nameif trunk
    security-level 0
    no ip address

    interface Ethernet0/2.953
    vlan 953
    nameif hb
    security-level 50
    ip address 192.168.128.1 255.255.255.0 standby 192.168.128.2

    interface Ethernet0/3
    description LAN/STATE Failover

    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.130.231 255.255.255.0 standby 192.168.130.218
    management-only

    same-security-traffic permit intra-interface
    object-group service DM_INLINE_TCP_2 tcp
    group-object rdp
    port-object range 3390 3396
    object-group service DM_INLINE_TCP_4 tcp
    port-object eq ftp
    port-object eq www
    port-object eq https
    object-group icmp-type DM_INLINE_ICMP_1
    icmp-object echo
    icmp-object echo-reply
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ssh
    object-group service rdp tcp
    description Remote Desktop / Terminal services
    port-object eq 3389
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq www
    port-object eq ssh
    port-object eq 81
    object-group network DM_INLINE_NETWORK_4
    network-object host dns1
    network-object host dns2
    object-group service DM_INLINE_SERVICE_1
    service-object icmp
    service-object udp eq domain
    service-object tcp eq smtp
    service-object udp eq ntp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp


    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 ssncb-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 network192168 255.255.0.0

    access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable
    access-list outside_access_in remark allow service delivery for webserver
    access-list outside_access_in extended permit tcp any host EXT_webserver object-group DM_INLINE_TCP_1 log disable
    access-list outside_access_in remark access to reverseproxy
    access-list outside_access_in extended permit tcp any host EXT_reverseproxy object-group DM_INLINE_TCP_2 log disable
    access-list outside_access_in extended permit tcp any host EXT_reverseproxy object-group DM_INLINE_TCP_3 log disable
    access-list outside_access_in remark block but don't log
    access-list outside_access_in extended deny tcp any any eq 445 log disable

    access-list inside_access_in remark allow traffic from services boxes to hb network
    access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 ssncb-network 255.255.255.0 log disable
    access-list inside_access_in remark default policy: no traffic to hb vlan
    access-list inside_access_in extended deny ip any ssncb-network 255.255.255.0 log disable
    access-list inside_access_in remark outside is allowed
    access-list inside_access_in extended permit ip any any log disable

    access-list hb_access_in remark Allow some services to inside
    access-list hb_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.1.0 255.255.255.0 log disable
    access-list hb_access_in remark block but don't log traffic on port 137 (windows services)
    access-list hb_access_in extended deny object-group TCPUDP any 192.168.1.0 255.255.255.0 eq 137 log disable
    access-list hb_access_in remark No traffic between the networks unless specified
    access-list hb_access_in extended deny ip any 192.168.1.0 255.255.255.0
    access-list hb_access_in remark Outside traffic is OK
    access-list hb_access_in extended permit ip any any log disable

    access-list hb_nat0_outbound remark no nat for traffic from sslvpn
    access-list hb_nat0_outbound extended permit ip ssncb-network 255.255.255.0 192.168.253.0 255.255.255.0

    failover
    failover lan unit secondary
    failover lan interface failover Ethernet0/3
    failover key *****
    failover link failover Ethernet0/3
    failover interface ip failover 192.168.67.1 255.255.255.0 standby 192.168.67.2

    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside

    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (hb) 0 access-list hb_nat0_outbound
    nat (hb) 1 0.0.0.0 0.0.0.0

    static (inside,outside) tcp EXT_webserver www INT_webserver 8000 netmask 255.255.255.255
    static (inside,outside) tcp EXT_webserver https INT_webserver 8001 netmask 255.255.255.255
    static (inside,outside) tcp EXT_webserver ssh INT_webserver ssh netmask 255.255.255.255
    static (inside,outside) tcp EXT_webserver 30000 INT_webserver 30000 netmask 255.255.255.255
    static (hb,outside) tcp EXT_reverseproxy www INT_reverseproxy www netmask 255.255.255.255
    static (hb,outside) tcp EXT_reverseproxy 3389 INT_srv1 3389 netmask 255.255.255.255
    static (hb,outside) tcp EXT_reverseproxy 3390 INT_srv2 3389 netmask 255.255.255.255
    static (hb,outside) tcp EXT_reverseproxy 3391 INT_srv3 3389 netmask 255.255.255.255
    static (hb,outside) tcp EXT_reverseproxy 3392 INT_srv4 3389 netmask 255.255.255.255
    static (hb,outside) tcp EXT_reverseproxy 3394 INT_srv5 3389 netmask 255.255.255.255
    static (hb,outside) tcp EXT_reverseproxy 3395 INT_srv6 3389 netmask 255.255.255.255

    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group hb_access_in in interface hb

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00

    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    description netflow for m2m
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp

    service-policy global_policy global
     
    Mark Huizer, Aug 16, 2011
    #1

Mark Huizer (Guest):

    The wise Mark Huizer enlightened me with:
    > Hi all,
    >
    > The weird thing is that a couple of times a day http traffic to .15 ends
    > up at the webserver behind .25 (and the existing RDP sessions die).
    > Didn't find any way to reproduce it. No obvious logic behind when it
    > happens. I've checked various loggings, I've tried capturing traffic.
    > But nothing that would explain such behaviour.
    >


    Well, if you start the party, you should feel the pain...
    Finally solved it. The IP address was 'used' for a software router + VMware
    clone to test stuff, which was switched on and sometimes gave duplicate
    MAC troubles.

    So silly, but then again... I found no logging that would have warned me of this :-(

    Mark
     
    Mark Huizer, Aug 20, 2011
    #2
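The root cause Mark found (a second host answering ARP for one of the ASA's addresses) is exactly what a passive ARP check on the outside segment would have caught, and it explains the intermittent symptom: each MAC flip re-routes the traffic for that address. Below is an added example, not code from the thread: a small Python checker that reads constructed tcpdump-style ARP reply lines (198.51.100.15/.25 and the MACs are placeholders standing in for the thread's 217.x.y.15/.25) and reports every address whose answering MAC changes.

```python
import re
from collections import defaultdict

# Matches a simplified "tcpdump -e" ARP reply line; other lines are ignored.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s.*?Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample capture. 198.51.100.15/.25 stand in for the thread's
# 217.x.y.15/.25; 00:1a:2b:3c:4d:01 plays the ASA's outside interface and
# 00:0c:29:aa:bb:cc (a VMware OUI) plays the test clone that took .15 over.
SAMPLE_CAPTURE = """\
10:01:03.120 00:1a:2b:3c:4d:01 > ff:ff:ff:ff:ff:ff, ARP, Reply 198.51.100.15 is-at 00:1a:2b:3c:4d:01
10:01:05.880 00:1a:2b:3c:4d:01 > ff:ff:ff:ff:ff:ff, ARP, Reply 198.51.100.25 is-at 00:1a:2b:3c:4d:01
10:17:44.003 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ARP, Reply 198.51.100.15 is-at 00:0c:29:aa:bb:cc
10:17:59.500 00:1a:2b:3c:4d:01 > ff:ff:ff:ff:ff:ff, ARP, Reply 198.51.100.15 is-at 00:1a:2b:3c:4d:01
some unrelated line that is not an ARP reply
"""


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in the capture."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def mac_changes(text):
    """Return each point where an IP's answering MAC differs from its previous reply,
    as (timestamp, ip, old_mac, new_mac). A healthy segment returns []."""
    last = {}
    changes = []
    for ts, ip, mac in parse_arp_replies(text):
        if ip in last and last[ip] != mac:
            changes.append((ts, ip, last[ip], mac))
        last[ip] = mac
    return changes


def conflicting_ips(text):
    """Map every IP that answered from more than one MAC to the sorted list of those MACs."""
    seen = defaultdict(set)
    for _, ip, mac in parse_arp_replies(text):
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for ts, ip, old, new in mac_changes(SAMPLE_CAPTURE):
        print(f"{ts} {ip} moved from {old} to {new}")
```

Feed it a real capture of ARP replies from the outside VLAN (or the ASA's own `show arp` output over time) and any address listed by conflicting_ips is a duplicate-host candidate.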
