NAT exemption with Cisco ASA 5510



  • Hi all,

    I have a pfsense unit which is doing the routing for a DMZ in my network. It works nicely standalone but I wanted to integrate it into the rest of the network using the OPT1 interface connected to my core switch which is in turn connected to my ASA 5510 which handles all the main traffic for the network. The main reason for this is so that I can allow hosts on the ASA network to be able to manage the hosts in the DMZ.

    I configured the OPT int as follows:

    192.168.16.128/22, GW 192.168.16.1 (ASA)

    I then created a static route on the ASA pointing all DMZ traffic (10.30.30.0/24) to use 192.168.16.128 as the gateway.

    I then created some NAT exemption rules on the ASA and made sure my access rules were good at that end. All seems ok as I can ping hosts on the pfsense network (10.30.30.0/24). I couldn't connect however so I assumed that I needed to create some NAT exemption rules on the other side.

    On the pfsense I created a test rule on the ASA connection interface to allow all traffic and I then created a Manual Outbound NAT rule as follows:

    ticked disable NAT
    int ASA (192.168.16.128)
    Protocol any
    Source Network 192.168.16.0/22
    Destination Network 10.30.30.0/24

    I can still ping hosts on the pfSense network from the ASA network but cannot connect so I'm guessing this is a NAT thing.

    Can anyone see a problem with this setup? Am using 2.0.1

    Thanks,
    Chris.



I am guessing that since you can ping them, that you have created the appropriate rules on the OPT1 interface to allow the traffic.
    The manual rules created when you switch from auto are all for the WAN interface, so you should already not be NATing from LAN to OPT1 or from OPT1 to LAN. In any case, you would need to remove any NAT rules for OPT1 or LAN interfaces.
Do you have rules set up on the LAN of the DMZ to restrict outbound rules? For the rule you created in ASA (OPT1) did you leave the default of keep states?
    Not sure on the config for the ASA, but it sounds right. I would try traceroutes to and from the DMZ.



  • @podilarius:

I am guessing that since you can ping them, that you have created the appropriate rules on the OPT1 interface to allow the traffic.
    The manual rules created when you switch from auto are all for the WAN interface, so you should already not be NATing from LAN to OPT1 or from OPT1 to LAN. In any case, you would need to remove any NAT rules for OPT1 or LAN interfaces.
Do you have rules set up on the LAN of the DMZ to restrict outbound rules? For the rule you created in ASA (OPT1) did you leave the default of keep states?
    Not sure on the config for the ASA, but it sounds right. I would try traceroutes to and from the DMZ.

    Hi,
    Thanks for the swift reply.
    Ok, have removed all my outbound NAT rule attempts and switched it back to auto (just leaving the default WAN rules).
No rules set on the LAN of the DMZ to restrict outbound rules. In fact, purely for testing I have created allow-any-to-any rules on both the LAN of the DMZ and the ASA.
    Not sure what you mean by "default of keep states" on the ASA.
    Running a packet trace on the ASA: 192.168.16.2 (port 22) to 10.30.30.33 (port 22) allows the packet which is really confusing.
    Not sure what else to try. Any ideas?
    Thanks again,
    Chris.



What I mean is that in the advanced options of the rules, there is an option to change state handling. Default is to keep state. Some who route turn this off by mistake.
    First, can you traceroute from each network to the other? What is the output?
    Are there any blocks in the FW system logs on either the Cisco ASA or pfSense?
    Could there be a possibility of an asymmetric route?



  • Hiya,

    This is what I'm seeing in the logs on the Cisco ASA when I try to ssh from the ASA network to the pfSense DMZ:

    The adaptive security appliance discarded a TCP packet that has no associated connection in the adaptive security appliance connection table. The adaptive security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the adaptive security appliance discards the packet.

    This is followed by a lot of Built TCP, tear-down TCP entries which look ok. This continues until the connection times out.

    c:)



Take a test machine and set a route to the DMZ using pfsense OPT1 address as the gateway. If you are able to connect, then the issue is in the Cisco ASA and its rule set.



  • Hi there,

    Thought I'd reply that I got this working in the end. As you rightly guessed, Asymmetric Routing was the problem. I had to enable TCP State Bypass on the ASA to get things working. Thanks for your help!

    I have another issue now which is applying deny rules on the LAN interface to stop hosts talking to each other. Should I start another thread for that?

    Thanks again,
    c:)
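For the TCP State Bypass fix mentioned above, an added example of how it is typically scoped on an ASA (this is not the poster's configuration; the access-list, class-map and policy-map names and the `inside` interface name are assumptions, while the subnets are the ones given in this thread). Bypass switches off the ASA's TCP state tracking for whatever the class matches, so the access list is kept to the two networks that actually take the asymmetric path:

```text
! Added example, not the poster's running config. Names are assumptions;
! subnets are the ones given in the thread (ASA side /22, DMZ /24).
access-list DMZ_TCP_BYPASS extended permit tcp 192.168.16.0 255.255.252.0 10.30.30.0 255.255.255.0
!
! Match only the traffic that follows the asymmetric path.
class-map DMZ_TCP_BYPASS_CLASS
 match access-list DMZ_TCP_BYPASS
!
! Skip TCP state checking for matched flows; everything else stays stateful.
policy-map DMZ_TCP_BYPASS_POLICY
 class DMZ_TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface facing the 192.168.16.0/22 hosts ("inside" is assumed).
service-policy DMZ_TCP_BYPASS_POLICY interface inside
```

After applying it, `show service-policy interface inside` confirms the policy is attached, and flows matched by it carry the `b` flag in `show conn`.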



Yes, please start a new thread and be sure to include details.


Locked