
Welcome to ISAserver.org


Route vs NAT

All Forums >> [ISA 2006 Firewall] >> General >> Route vs NAT Page: [1]
Route vs NAT - 10.Jun.2008 2:43:17 PM   
davidwat
Posts: 12
Joined: 30.May.2008
Status: offline
Hi Everyone,
I've come across something very odd in my lab setup.  I'm setting up an ASA frontend and ISA backend (using Back Firewall Template).  The setup looks like this:

             Internet
                |
                | NAT
                |
               ASA
                | 192.168.1.1
                |
    192.168.1.x | 
                |  
                | 192.168.1.100
               ISA
                | 192.168.2.1
                |
    192.168.2.x |
                |
                | 192.168.2.2
               PC
 
I've allowed HTTPS & HTTP to External from Internal, and going out via SecureNAT for now.  I set the PC for the ISA as the Default Gateway, and set ISA to ROUTE to ASA.  But for some reason that doesn't work.  So I tried NAT from ISA to ASA, and for some reason that works.  I thought if I'm going from Private to Private that I should ROUTE.

Did I set this up incorrectly?  Why does NAT work and ROUTE doesn't?  I just find it kind of weird doing a double NAT.

Thanks
Post #: 1
RE: Route vs NAT - 10.Jun.2008 3:32:24 PM   
gbarnas
Posts: 155
Joined: 27.Apr.2005
From: New Jersey
Status: offline
I just finished creating a front/back ISA config in my lab, with a private address perimeter. I'm using a Route relationship on the Back ISA, and NAT on the front. There's no (obvious) reason that it won't work.

Can you put a computer in the perimeter for testing?
Can you get from Perimeter to External via ASA from that system?
Can you ping the test system from the PC (enable a Ping rule on ISA) when you're in Route mode?

Oh - and - very important...
Is the ASA aware of the networks behind the ISA, and is it routing to them via the ISA??? In NAT mode, the ASA simply replies to the ISA, which is directly connected. In Route mode, the ASA needs to know that it must forward packets to the ISA for any host BEHIND the ISA.

Glenn

(in reply to davidwat)
Post #: 2
RE: Route vs NAT - 10.Jun.2008 5:10:29 PM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I agree with Glenn, the normal missing element is adding route statements to send internal traffic back through the ISA as the incoming gateway for ASA.

I don't think there is anything wrong with double NAT-ing, but with this configuration you will never see the "real" IP address behind ISA, which can sometimes be handy for controlling outbound access at the ASA for unique internal hosts.

You may also need to add static NAT entries on the ASA to make sure traffic destined for the internet has a valid return route.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to gbarnas)
Post #: 3
RE: Route vs NAT - 12.Jun.2008 5:45:33 PM   
davidwat
Posts: 12
Joined: 30.May.2008
Status: offline
Hi Glenn and JJ,
Thanks for your posts. 

Glenn,
After reading your posts, I did put a switch between ASA and ISA, and attached a test Linux box.  I allowed PING and TELNET from Internal to External on ISA.  When I PING or TELNET the IP address of the Linux box, ROUTE for some reason doesn't work, but NAT does.  I don't know what I missed, but I know I'm not hitting the ASA to get to the Linux box.  Any ideas on this?

Just for my information, as I'm really not quite sure how this works: with ROUTE, what needs to be configured on ISA and ASA (both incoming and outgoing) in order for PCs behind ISA to access the Internet and the DMZ segment on ASA, where I want to use web proxy or firewall client on ISA to control outgoing access to these networks?  Also, I want to have reverse-proxy to Exchange for OWA on ISA.  Will ROUTE still make this possible?

Thanks

(in reply to davidwat)
Post #: 4
RE: Route vs NAT - 12.Jun.2008 7:37:26 PM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
What gateway address does the Linux box have?

If it is not ISA, you will need static routes on the Linux box which route 192.168.2.x traffic back through the ISA external interface (192.168.1.100).

Route will work David, you just need to get routing correct. NAT avoids this requirement, but is not as elegant a solution to me...

Cheers

JJ
_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to davidwat)
Post #: 5
RE: Route vs NAT - 12.Jun.2008 11:17:33 PM   
gbarnas
Posts: 155
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Here's a few tests to perform to verify/validate your configuration. They assume that your test system is still in the perimeter. For the purpose of discussion, we'll refer to the Perimeter Host as "PH" with an IP address of 192.168.1.200. We'll also refer to an Internal Host as "IH" with an IP of 192.168.2.2. It also assumes that your ISA server is configured to permit Ping from anywhere to anywhere for this test.

From ASA:
Ping an Internet address - should succeed because the ASA's default route is to the internet.
Ping PH - should respond because the host is on a directly connected network, regardless of the DG setting in PH.
Ping ISA (1.100) - should respond for the same reason as above.
Ping IH. If it fails, it could be due to the fact that ASA is unaware of the 2.x network. You'll need a route statement similar to
route add 192.168.2.0 mask 255.255.255.0 192.168.1.100
This will tell the ASA to forward packets for the 2.0 network to the ISA interface. My IOS skills are rusty, so translate the route statement accordingly. ;)

From PH
PH should use the ASA as its Default Gateway. It will need the same route as above, so packets for the internal network are forwarded to the ISA directly. Without the route, packets will be forwarded to ASA, which should forward them based on its routing table to the ISA, resulting in an extra hop. Works, but inelegant.
Ping ASA and ISA (1.100) - both should succeed because they are directly connected.
Ping an internet address - should succeed if ASA permits it and the gateway is correctly pointing to the ASA.
Ping IH - should succeed if the route is defined properly, otherwise will fail. NOTE  - if this test fails, check the ISA logs to be sure it is not blocking pings. If you see Denied messages in ISA, the routing is correct, and ISA rules are preventing the ping.

From ISA
Since ISA is directly connected to every network, and (I assume) uses the ASA as its default gateway, it should be able to ping ASA, PH, IH, and an internet host without issue.

From IH
Ping ISA (2.1) - succeeds because it is directly connected
Ping PH - should succeed because ISA is the DG for this host, and ISA is directly connected to PH's network.
Ping ASA - should succeed if the ASA knows the route back to the internal network.
Ping internet host - same expected result as above.

I'm pretty sure that the issue is simply that the ASA is not "aware" of the network on the other side of the ISA. Once you verify/add the route to the ASA to forward the 192.168.2.0 network to the ISA, you should be fine.

This is a classic "network behind network" issue discussed several times on this site.

Good luck!

Glenn

(in reply to davidwat)
Post #: 6
RE: Route vs NAT - 17.Jun.2008 4:02:29 PM   
davidwat
Posts: 12
Joined: 30.May.2008
Status: offline
Hi Glenn,
What you provided makes sense.  Therefore, I created a static route like you said using "route add" for 192.168.1.0/24 192.168.2.1.  Do I create static route for 192.168.2.0/24 192.168.1.100 on the External Interface?

After creating the static route I finally see the traffic hitting the ISA firewall, but I'm getting denied PING to the LINUX box sitting on the 192.168.1.x network.  I do have a firewall rule that's allowing PING from Internal to External for All Users.  I remember seeing a post where someone was experiencing the same thing.  They didn't get a resolution.  Do you know what could be causing the problem?

Thanks

(in reply to gbarnas)
Post #: 7
RE: Route vs NAT - 18.Jun.2008 1:23:41 AM   
davidwat
Posts: 12
Joined: 30.May.2008
Status: offline
Hi Glenn,
Goal: PING 192.168.1.50 Linux box from the 192.168.2.2 PC for now.

Set the Cisco ASA with a Static Route for Internal NIC for 192.168.2.0/24 192.168.1.100.

I added 2 static routes using "route add":
Destination  Network Mask   Gateway       Interface      Metric
192.168.1.0  255.255.255.0  192.168.2.1   192.168.2.1    5
192.168.2.0  255.255.255.0  192.168.1.100 192.168.1.100  5

Created backend firewall using Back Firewall Template, set Internal using the Internal NIC (192.168.2.0-192.168.2.255), and set it using Block All.

Created an Access Policy Rule (PING - Int to Ext) to PING (PING, ICMP Information Request, ICMP Timestamp) from Internal to External for All Users, 24x7.

ISA can ping itself, the 192.168.2.2 PC, the 192.168.1.50 Linux box, and the ASA NIC (192.168.1.1).

Tried to PING from 192.168.2.2 PC to 192.168.1.50 Linux box, I get request timed out.  I can PING the ISA External NIC 192.168.1.100 from the 192.168.2.2 PC, though.  The weird thing is that I can PING the Internal NIC of the ASA with a response.  I can also PING the IP Address for Google.com (74.125.19.99), and I do get a response.

The Logging shows that the rule PING - Int to Ext has initiated the connection with Result Code 0x0 ERROR_SUCCESS, then later 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN.  Doesn't show any deny messages.

Any idea why I cannot PING the Linux box, but can PING ASA and the Internet?  Is this problem outside of ISA (e.g. routing tables)?  The Event Logs don't show anything.

Thanks

(in reply to gbarnas)
Post #: 8
RE: Route vs NAT - 18.Jun.2008 8:00:38 AM   
gbarnas
Posts: 155
Joined: 27.Apr.2005
From: New Jersey
Status: offline
None of your systems need two route statements. Your ASA needs one route statement to know to forward packets for the network behind the ISA to the ISA. The route to the 192.168.1 network is not needed (and is improperly defined) because the ASA is directly connected to that network.  The Linux system does not NEED a route if it uses the ASA as its default gateway; however, it would be more efficient to make it aware of the back network as well - same route statement as the ASA. You should only see the difference in a traceroute. The ISA is directly connected to all subnets and does not need any static routes.

Please, for my sanity (especially in my pre-caffeinated state), describe your tests as "Ping HOST from HOST: pass/fail". Also, referencing the hosts by name lets us quickly identify where it is without having to keep referring to a chart of your network - "PHOST" tells me immediately that it's a perimeter host. :)

So - brass tacks..
  • Clear any static routes you added.
  • Add a route on the ASA:  192.168.2.0/24 192.168.1.100
  • Ensure the PHOST uses ASA as its gateway - add a static route just like the one above so it reaches the internal network efficiently.
  • Run through the tests I outlined earlier and report the results of each ping test. Be sure to identify the source/destination so there's no ambiguity.

Glenn

(in reply to davidwat)
Post #: 9
RE: Route vs NAT - 18.Jun.2008 10:30:09 AM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Sorry, the thread got too long for me to try to dig through it all. So I am looking only back at the original post.

The only thing that needs a Static Route is the ASA that tells it to use the 192.168.1.100 as the path to get to 192.168.2.0/24.  I don't see any need for any Static Route anywhere else.

If ISA used a NAT Relationship between it and the ASA then there would be no Static Route needed at all.  The NAT Relationship is what you should really be using anyway.
_____________________________

Phillip Windell

(in reply to davidwat)
Post #: 10
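The following is an added example, not code from anyone in this thread: a small Python model of the lab as drawn in the first post, with longest-prefix-match forwarding tables for the ASA, the ISA, the perimeter host (PH, 192.168.1.200 as in Glenn's test plan) and the internal host (IH, 192.168.2.2). It reproduces Glenn's "Ping IH from ASA" and "Ping PH from IH" tests with and without the static route `192.168.2.0/24 via 192.168.1.100` on the ASA and on PH, and models the NAT relationship Phillip describes to show why it needs no route and what source address the perimeter then sees (the point JJ made in post #3). The pseudo next hop `INTERNET` stands for the ASA's default route; the model assumes ISA policy permits the ping and ignores the ASA's own outbound NAT to the Internet.

```python
"""Toy model of the lab in this thread (ASA <-> ISA <-> PC): where a packet
goes with and without the static route for the network behind the ISA,
and what source address the perimeter sees under NAT versus route.
Added example; the addresses come from the thread, the modelling is ours."""
from ipaddress import ip_address, ip_network

ASA_IN = "192.168.1.1"     # ASA inside interface
ISA_EXT = "192.168.1.100"  # ISA external (perimeter-facing) interface
ISA_INT = "192.168.2.1"    # ISA internal interface
PH = "192.168.1.200"       # perimeter host, address from Glenn's test plan
IH = "192.168.2.2"         # internal host (the PC)
INTERNET = "INTERNET"      # assumed pseudo next hop for the ASA's default route

def make_table(*routes):
    """Build a forwarding table from (prefix, next_hop) pairs.
    next_hop None means the prefix is directly connected."""
    return [(ip_network(prefix), next_hop) for prefix, next_hop in routes]

def lookup(table, dst):
    """Longest-prefix match for dst; returns the next hop (None = on-link)."""
    dst = ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build_lab(asa_route=False, ph_route=False):
    """Return the four devices. asa_route/ph_route add the static route
    '192.168.2.0/24 via 192.168.1.100' to the ASA and to PH respectively."""
    behind_isa = ("192.168.2.0/24", ISA_EXT)
    asa = [("192.168.1.0/24", None), ("0.0.0.0/0", INTERNET)]
    ph = [("192.168.1.0/24", None), ("0.0.0.0/0", ASA_IN)]
    if asa_route:
        asa.append(behind_isa)
    if ph_route:
        ph.append(behind_isa)
    return {
        "ASA": {"addrs": {ASA_IN}, "table": make_table(*asa)},
        # The ISA is directly connected to both subnets and defaults to the ASA.
        "ISA": {"addrs": {ISA_EXT, ISA_INT},
                "table": make_table(("192.168.1.0/24", None),
                                    ("192.168.2.0/24", None),
                                    ("0.0.0.0/0", ASA_IN))},
        "PH":  {"addrs": {PH}, "table": make_table(*ph)},
        "IH":  {"addrs": {IH}, "table": make_table(("192.168.2.0/24", None),
                                                   ("0.0.0.0/0", ISA_INT))},
    }

def trace(devices, src, dst, max_hops=8):
    """List the devices a packet from src to dst passes through.
    A path ending in INTERNET means a default route carried the packet
    off-site, i.e. it is lost when dst is a private address in this lab."""
    owner = {a: name for name, dev in devices.items() for a in dev["addrs"]}
    here, path = owner[src], [owner[src]]
    for _ in range(max_hops):
        if dst in devices[here]["addrs"]:
            return path
        nh = lookup(devices[here]["table"], dst)
        if nh == INTERNET:
            return path + [INTERNET]
        nxt = owner.get(dst) if nh is None else owner[nh]
        if nxt is None:
            raise LookupError(f"{dst} is on-link for {here} but no device owns it")
        path.append(nxt)
        here = nxt
    raise RuntimeError("forwarding loop")

def round_trip(devices, src, dst, nat=False):
    """Model an echo request src->dst (private dst only) and its reply.
    With nat=True the ISA hides src behind ISA_EXT, so the perimeter replies
    to a directly connected address and needs no route back.
    Returns (request_path, reply_path, source_seen_by_dst, delivered)."""
    request = trace(devices, src, dst)
    seen_src = ISA_EXT if nat and "ISA" in request and request[-1] != INTERNET else src
    reply = trace(devices, dst, seen_src)
    if nat and seen_src == ISA_EXT and reply[-1] == "ISA":
        reply = reply + trace(devices, ISA_INT, src)[1:]  # ISA untranslates and delivers
    owner = {a: name for name, dev in devices.items() for a in dev["addrs"]}
    return request, reply, seen_src, reply[-1] == owner[src]

if __name__ == "__main__":
    for asa_route, ph_route in [(False, False), (True, False), (True, True)]:
        lab = build_lab(asa_route, ph_route)
        print(f"\nASA route={asa_route} PH route={ph_route}")
        print(" Ping IH from ASA:", " -> ".join(trace(lab, ASA_IN, IH)))
        for nat in (False, True):
            req, rep, seen, ok = round_trip(lab, IH, PH, nat=nat)
            mode = "NAT" if nat else "route"
            print(f" Ping PH from IH ({mode}): {'pass' if ok else 'fail'};"
                  f" PH sees source {seen}; reply {' -> '.join(rep)}")
```

Without the ASA route, the request from IH reaches PH but PH's reply goes to its default gateway, the ASA, whose only match for 192.168.2.2 is the default route, so the reply leaves for the Internet and the ping times out. With the route on the ASA the reply takes PH -> ASA -> ISA -> IH (Glenn's "extra hop"); adding it to PH as well gives PH -> ISA -> IH. In NAT mode the reply is addressed to 192.168.1.100, which every perimeter device has on-link, which is why NAT "just works" and why the ASA only ever sees the ISA's address as the source.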
RE: Route vs NAT - 18.Jun.2008 10:39:46 AM   
gbarnas
Posts: 155
Joined: 27.Apr.2005
From: New Jersey
Status: offline
That's what we've been saying all along. The purpose of the exercise being discussed was to illustrate to the O.P. how the routes work and to better understand the fundamental troubleshooting process.

In the middle of all this was the addition of a computer in the perimeter. The second route could go on that machine so it doesn't have to bounce off of the ASA to go inside, but this isn't a strict requirement.

Glenn

(in reply to pwindell)
Post #: 11
RE: Route vs NAT - 18.Jun.2008 5:42:10 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Ok.
Thanks Glenn,
_____________________________

Phillip Windell

(in reply to gbarnas)
Post #: 12
RE: Route vs NAT - 19.Jun.2008 5:54:30 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Why exactly should we be using NAT on ISA as opposed to routing?

By hiding everything behind ISA's external interface we lose any ability to configure ASA ACLs based upon original host source IP address.

IMHO a route relationship provides the most secure solution as it exposes control for both ISA *AND* ASA which means both tiers of the model are able to filter traffic properly. A good example here is if the ASA is ever used for site-to-site VPN termination and we require ACLs for the VPN.

I am not sure we should be using NAT just because it is easier to configure...

Cheers

JJ

< Message edited by Jason Jones -- 19.Jun.2008 5:56:46 AM >
_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 13
RE: Route vs NAT - 19.Jun.2008 9:17:22 AM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I admit I have never considered using a routing relationship on the back side of a back-to-back DMZ and would have always thought of it as a bad thing.  But what you are saying makes sense, I never thought of it like that.

_____________________________

Phillip Windell

(in reply to Jason Jones)
Post #: 14
RE: Route vs NAT - 19.Jun.2008 11:22:49 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yeah, I like the approach

NAT was never designed as a security solution, although people often perceive it as "more secure".

In the overall security design, a route relationship actually exposes better security control and "feels right" to me.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 15
RE: Route vs NAT - 19.Jun.2008 3:44:22 PM   
davidwat
Posts: 12
Joined: 30.May.2008
Status: offline
Hi Jason,
Good to see you again.  Although I would like the ROUTE approach too, for some reason I'm having a difficult time using it.  When the network is set to NAT everything works.  I've set up the ISA and ASA according to what Glenn proposed, but I'm still having trouble pinging the Perimeter Host (PH - Linux box), and vice versa if ROUTE is supposed to be bidirectional.

Maybe I have set up the Network wrong.  I changed the default Internet network rule from NAT to ROUTE for Internal/VPN Client/Quarantine to External.  Is this correct?  Should I have left this as NAT and created another Network rule to ROUTE to the perimeter?

(in reply to Jason Jones)
Post #: 16
