ASA / Intermittent NAT problem


Hi all,

I'm kind of stuck trying to troubleshoot a problem I have with a set
of Cisco ASA boxes. The box has address 217.x.y.26, and I've configured two
extra IP addresses: .15 to redirect http to a reverse proxy and .25 to
redirect http/https to a server. Furthermore, .15 is (ab)used to redirect
a few ports to various machines for RDP.
The webserver (192.168.1.201) is on the inside interface. The
reverse proxy is on an extra interface "hb" with security level 50.

So far so good, and this works almost all of the time.

The weird thing is that a couple of times a day http traffic to .15 ends
up at the webserver behind .25 (and the existing RDP sessions die).
I didn't find any way to reproduce it, and there's no obvious logic behind
when it happens. I've checked various logs and tried capturing traffic,
but found nothing that would explain such behaviour.

Is this something anyone recognizes (and might trigger a "do this or check
that"), or did I do something stupid in configuring the boxes?

I've included below a (slightly stripped) configuration which should
contain the relevant configuration items.

Thanks for any hints.

Mark

==============================

ASA Version 8.2(1)
!
names
name 192.168.128.3 INT_reverseproxy description reverse proxy internal address
name 217.x.y.15 EXT_reverseproxy description reverse proxy external address
name 192.168.1.201 INT_webserver description webserver internal address
name 217.x.y.25 EXT_webserver description webserver external address
name 192.168.1.210 dns1 description dns and ntp
name 192.168.1.211 dns2 description dns and ntp
name 192.168.128.0 ssncb-network description testnetwork
name 192.168.128.101 INT_srv1
name 192.168.128.102 INT_srv2
name 192.168.128.103 INT_srv3
name 192.168.128.104 INT_srv4
name 192.168.128.105 INT_srv5
name 192.168.128.106 INT_srv6

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 217.x.y.26 255.255.255.224 standby 217.x.y.16

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0 standby 192.168.1.252

interface Ethernet0/2
 description trunk for internal vlans
 nameif trunk
 security-level 0
 no ip address

interface Ethernet0/2.953
 vlan 953
 nameif hb
 security-level 50
 ip address 192.168.128.1 255.255.255.0 standby 192.168.128.2

interface Ethernet0/3
 description LAN/STATE Failover

interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.130.231 255.255.255.0 standby 192.168.130.218
 management-only

same-security-traffic permit intra-interface
object-group service rdp tcp
 description Remote Desktop / Terminal services
 port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
 group-object rdp
 port-object range 3390 3396
object-group service DM_INLINE_TCP_4 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq ssh
 port-object eq 81
object-group network DM_INLINE_NETWORK_4
 network-object host dns1
 network-object host dns2
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object udp eq domain
 service-object tcp eq smtp
 service-object udp eq ntp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp


access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 ssncb-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 network192168 255.255.0.0

access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable
access-list outside_access_in remark allow service delivery for webserver
access-list outside_access_in extended permit tcp any host EXT_webserver object-group DM_INLINE_TCP_1 log disable
access-list outside_access_in remark access to reverseproxy
access-list outside_access_in extended permit tcp any host EXT_reverseproxy object-group DM_INLINE_TCP_2 log disable
access-list outside_access_in extended permit tcp any host EXT_reverseproxy object-group DM_INLINE_TCP_3 log disable
access-list outside_access_in remark block but don't log
access-list outside_access_in extended deny tcp any any eq 445 log disable

access-list inside_access_in remark allow traffic from services boxes to hb network
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 ssncb-network 255.255.255.0 log disable
access-list inside_access_in remark default policy: no traffic to hb vlan
access-list inside_access_in extended deny ip any ssncb-network 255.255.255.0 log disable
access-list inside_access_in remark outside is allowed
access-list inside_access_in extended permit ip any any log disable

access-list hb_access_in remark Allow some services to inside
access-list hb_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.1.0 255.255.255.0 log disable
access-list hb_access_in remark block but don't log traffic on port 137 (windows services)
access-list hb_access_in extended deny object-group TCPUDP any 192.168.1.0 255.255.255.0 eq 137 log disable
access-list hb_access_in remark No traffic between the networks unless specified
access-list hb_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list hb_access_in remark Outside traffic is OK
access-list hb_access_in extended permit ip any any log disable

access-list hb_nat0_outbound remark no nat for traffic from sslvpn
access-list hb_nat0_outbound extended permit ip ssncb-network 255.255.255.0 192.168.253.0 255.255.255.0

failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover link failover Ethernet0/3
failover interface ip failover 192.168.67.1 255.255.255.0 standby 192.168.67.2

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (hb) 0 access-list hb_nat0_outbound
nat (hb) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp EXT_webserver www INT_webserver 8000 netmask 255.255.255.255
static (inside,outside) tcp EXT_webserver https INT_webserver 8001 netmask 255.255.255.255
static (inside,outside) tcp EXT_webserver ssh INT_webserver ssh netmask 255.255.255.255
static (inside,outside) tcp EXT_webserver 30000 INT_webserver 30000 netmask 255.255.255.255
static (healthbook,outside) tcp EXT_reverseproxy www INT_reverseproxy www netmask 255.255.255.255
static (healthbook,outside) tcp EXT_reverseproxy 3389 INT_srv1 3389 netmask 255.255.255.255
static (healthbook,outside) tcp EXT_reverseproxy 3390 INT_srv2 3389 netmask 255.255.255.255
static (healthbook,outside) tcp EXT_reverseproxy 3391 INT_srv3 3389 netmask 255.255.255.255
static (healthbook,outside) tcp EXT_reverseproxy 3392 INT_srv4 3389 netmask 255.255.255.255
static (healthbook,outside) tcp EXT_reverseproxy 3394 INT_srv5 3389 netmask 255.255.255.255
static (healthbook,outside) tcp EXT_reverseproxy 3395 INT_srv6 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group hb_access_in in interface hb

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 description netflow for m2m
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
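A quick consistency check over a config like the one above, as an added example (my own script, not Cisco's tooling and not from this thread): it resolves `name` aliases, collects every `nameif`, and then reports two things about the `static` lines: an interface name that matches no `nameif` (the posted statics say `healthbook` while the sub-interface is named `hb`), and two statics that claim the same external IP and port, which is exactly the kind of overlap that would send traffic for one public address to the wrong host. `SAMPLE_CONFIG` is a constructed, abridged excerpt modelled on the posted config, with the masked 217.x.y addresses replaced by the 203.0.113.0/24 documentation range; `parse_config`, `port_number` and `lint_statics` are names of my own.

```python
"""Added example: lint ASA 8.2-style static PAT lines against the interfaces
and name aliases defined in the same configuration text."""
import re
from collections import defaultdict

# Constructed, abridged config modelled on the thread's (masked) configuration.
SAMPLE_CONFIG = """\
name 192.168.128.3 INT_reverseproxy description reverse proxy internal address
name 203.0.113.15 EXT_reverseproxy description reverse proxy external address
name 192.168.1.201 INT_webserver description webserver internal address
name 203.0.113.25 EXT_webserver description webserver external address
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
interface Ethernet0/2.953
 nameif hb
static (inside,outside) tcp EXT_webserver www INT_webserver 8000 netmask 255.255.255.255
static (inside,outside) tcp EXT_webserver https INT_webserver 8001 netmask 255.255.255.255
static (healthbook,outside) tcp EXT_reverseproxy www INT_reverseproxy www netmask 255.255.255.255
static (hb,outside) tcp EXT_reverseproxy www 192.168.128.101 3389 netmask 255.255.255.255
"""

# Service keywords the ASA accepts in place of numeric ports (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<proto>tcp|udp) (?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\S+) (?P<real_port>\S+)"
)


def parse_config(text):
    """Return (name aliases, set of nameifs, list of parsed static lines)."""
    names, nameifs, statics = {}, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            _, ip, alias = line.split()[:3]      # 'description ...' is ignored
            names[alias] = ip
        elif line.startswith("nameif "):
            nameifs.add(line.split()[1])
        else:
            m = STATIC_RE.match(line)
            if m:
                statics.append(m.groupdict())
    return names, nameifs, statics


def port_number(token):
    """Turn 'www' / '8000' into an integer port so aliases and numbers compare equal."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    if token.isdigit():
        return int(token)
    raise ValueError(f"unrecognised port token {token!r}")


def lint_statics(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    names, nameifs, statics = parse_config(text)
    resolve = lambda tok: names.get(tok, tok)   # alias -> IP, or the literal IP
    findings = []
    claimed = defaultdict(list)                 # (proto, mapped IP, port) -> real hosts
    for s in statics:
        for key in ("real_if", "mapped_if"):
            if s[key] not in nameifs:
                findings.append(
                    f"unknown interface '{s[key]}' in static for {s['mapped_ip']}")
        ext = (s["proto"], resolve(s["mapped_ip"]), port_number(s["mapped_port"]))
        claimed[ext].append(resolve(s["real_ip"]))
    for (proto, ip, port), hosts in claimed.items():
        if len(hosts) > 1:
            findings.append(
                f"{proto} {ip}:{port} is mapped to more than one real host: "
                + ", ".join(hosts))
    return findings


if __name__ == "__main__":
    for finding in lint_statics(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file by swapping `SAMPLE_CONFIG` for the file's contents; on the sample it reports the `healthbook` interface and the doubly-claimed `203.0.113.15:80`.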

Re: ASA / Intermittent NAT problem
The wise Mark Huizer enlightened me with:

Well, if you start the party, you should feel the pain...
Finally solved it. The IP address was 'used' for a software router + VMware
clone to test stuff, and was switched on and sometimes giving duplicate
MAC troubles.

So silly, but then again... no logging found to warn me of this :-(

Mark
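The root cause here, a second host claiming one of the firewall's public addresses, shows up on the wire as one IP flipping between two MACs, and that is easy to watch for even when the devices themselves stay quiet about it. The script below is an added example of my own (not from this thread): it takes ARP observations as a monitoring host or an arpwatch-style sniffer would record them, and flags any IP seen with more than one MAC, with extra weight on addresses the firewall is supposed to answer for. `FIREWALL_MAC`, `OWNED`, the one-line observation format and the lines in `SAMPLE_ARP_LOG` are all constructed; the public addresses are placed in the 203.0.113.0/24 documentation range in place of the thread's masked 217.x.y ones.

```python
"""Added example: detect an IP address claimed by more than one MAC from a
log of ARP observations (timestamp, interface, sender IP, sender MAC)."""
from collections import defaultdict

# Constructed: the firewall's outside MAC and the public addresses it answers
# for (its interface address plus the static-mapped .15 and .25).
FIREWALL_MAC = "00:1a:2b:00:00:26"
OWNED = {"203.0.113.26", "203.0.113.15", "203.0.113.25"}

# Constructed observations: a test VM (00:0c:29:...) starts answering for .15.
SAMPLE_ARP_LOG = """\
2024-05-01T09:58:01 outside 203.0.113.26 00:1a:2b:00:00:26
2024-05-01T09:58:05 outside 203.0.113.15 00:1a:2b:00:00:26
2024-05-01T09:58:09 outside 203.0.113.25 00:1a:2b:00:00:26
2024-05-01T10:12:40 outside 203.0.113.15 00:0c:29:aa:bb:cc
2024-05-01T10:12:55 outside 203.0.113.15 00:1a:2b:00:00:26
2024-05-01T10:13:10 outside 203.0.113.15 00:0c:29:aa:bb:cc
2024-05-01T10:20:00 outside 203.0.113.40 00:50:56:11:22:33
"""


def parse_arp_log(text):
    """Return a list of (timestamp, interface, ip, mac) tuples, MACs lower-cased."""
    events = []
    for line in text.splitlines():
        ts, iface, ip, mac = line.split()
        events.append((ts, iface, ip, mac.lower()))
    return events


def find_conflicts(events, owned=OWNED, owner_mac=FIREWALL_MAC):
    """Map each conflicting IP to a small report.

    An IP is reported when it was seen with more than one MAC on an interface,
    or when an address in `owned` was ever claimed by a MAC other than
    `owner_mac`.  'flaps' counts how often the MAC changed between
    consecutive observations of that IP.
    """
    macs_seen = defaultdict(set)
    last_mac = {}
    flaps = defaultdict(int)
    first_foreign = {}
    for ts, iface, ip, mac in events:
        key = (iface, ip)
        macs_seen[key].add(mac)
        if key in last_mac and last_mac[key] != mac:
            flaps[key] += 1
        last_mac[key] = mac
        if ip in owned and mac != owner_mac and ip not in first_foreign:
            first_foreign[ip] = ts
    report = {}
    for (iface, ip), seen in macs_seen.items():
        if len(seen) > 1 or ip in first_foreign:
            report[ip] = {
                "interface": iface,
                "macs": sorted(seen),
                "flaps": flaps[(iface, ip)],
                "first_foreign": first_foreign.get(ip),
            }
    return report


def format_report(report):
    """One line per conflicting IP, suitable for a syslog or e-mail alert."""
    lines = []
    for ip, r in sorted(report.items()):
        severity = "HIGH" if r["first_foreign"] else "WARN"
        lines.append(
            f"{severity} {r['interface']} {ip} claimed by {len(r['macs'])} MACs "
            f"({', '.join(r['macs'])}), {r['flaps']} flaps, "
            f"first foreign claim at {r['first_foreign']}")
    return lines


if __name__ == "__main__":
    for line in format_report(find_conflicts(parse_arp_log(SAMPLE_ARP_LOG))):
        print(line)
```

Feeding it periodic `show arp` snapshots or a capture filtered on ARP from the outside segment gives the alert the thread says was missing: `.15` answered by a foreign MAC is reported as HIGH at the first foreign claim, while an unrelated address with a single MAC is left alone.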
