Route vs NAT (Full Version)

All Forums >> [ISA 2006 Firewall] >> General



Message

davidwat -> Route vs NAT (10.Jun.2008 2:43:17 PM)

Hi Everyone,
I've come across something very odd in my lab setup.  I'm setting up a ASA frontend and ISA backend (using Back Firewall Template).  The setup looks like this:

             Internet
                |
                | NAT
                |
               ASA
                | 192.168.1.1
                |
    192.168.1.x | 
                |  
                | 192.168.1.100
               ISA
                | 192.168.2.1
                |
    192.168.2.x |
                |
                | 192.168.2.2
               PC
 
I've allowed HTTPS & HTTP to External from Internal, and going out via SecureNAT for now.  I set the PC for the ISA as the Default Gateway, and set ISA to ROUTE to ASA.  But for some reason that doesn't work.  So I tried NAT from ISA to ASA, and for some reason that works.  I thought if I'm going from Private to Private that I should ROUTE.

Did I set this up incorrectly?  Why does NAT work and ROUTE doesn't.  I just find it kind of weird doing a double NAT.

Thanks



gbarnas -> RE: Route vs NAT (10.Jun.2008 3:32:24 PM)

I just finished creating a front/back ISA config in my lab, with a private address perimeter. I'm using a Route relationship on the Back ISA, and NAT on the front. There's no (obvious) reason that it won't work.

Can you put a computer in the perimeter for testing?
Can you get from Perimeter to External via ASA from that system?
Can you ping the test system from the PC (enable a Ping rule on ISA) when you're in Route mode?

Oh - and - very important...
Is the ASA aware of the networks behind the ISA, and is it routing to them via the ISA??? In NAT mode, the ASA simply replies to the ISA, which is directly connected. In Route mode, the ASA needs to know that it must forward packets to the ISA for any host BEHIND the ISA.

Glenn



Jason Jones -> RE: Route vs NAT (10.Jun.2008 5:10:29 PM)

I agree with Glenn, the normal missing element is adding route statements to send internal traffic back through the ISA as the incoming gateway for ASA.

I don;t think there is anything wrong with double NAT-ing but with this configuration you will never see the "real" IP address behind ISA which can sometimes be handy for controlling outbound access at the ASA for unique internal hosts.

You may also need to add static NAT entries on the ASA to make sure traffic destined for the internet has a valid return route.

Cheers

JJ



davidwat -> RE: Route vs NAT (12.Jun.2008 5:45:33 PM)

Hi Glenn an JJ,
Thanks for your posts. 

Glenn,
After reading your posts, I did put a switch between ASA and ISA, and attached a test Linux box.  I allowed PING and TELNET from Internal to External on ISA.  When PING or TELNET the IP address of the Linux box, ROUTE for some reason doesn't work, but NAT does.  I don't know what I missed, but I know I'm not hitting the ASA to get to the Linux box.  Any ideas on this?

Just for my information as I'm really not quite sure how this works, but with ROUTE what needs to be configured on ISA and ASA (both incoming and outgoing) in order for PCs behind ISA to access the Internet and the DMZ segment on ASA, where I want to use web proxy or firewall client on ISA to control outgoing access to these networks.  Also, I want to have reverse-proxy to Exchange for OWA on ISA.  Will ROUTE still make this possible. 

Thanks



Jason Jones -> RE: Route vs NAT (12.Jun.2008 7:37:26 PM)

What gateway address does the Linux box have?

If it is not ISA, you will need static routes on the Linux box which route 192.168.2.x traffic back through the ISA external interface (192.168.1.100).

Route will work David, you just need to get routing correct. NAT avoids this requirement, but is not as elegant a solution to me...

Cheers

JJ




gbarnas -> RE: Route vs NAT (12.Jun.2008 11:17:33 PM)

Here's a few tests to perform to verify/validate your configuration. They assume that your test system is still in the perimeter. For the purpose of discussion, we'll refer to the Perimeter Host as "PH" with an IP address of 192.168.1.200. We'll also refer to an Iinternal Host as "IH" with an IP of 192.168.2.2. It also assumes that your ISA server is configured to permit Ping from anywhere to anywhere for this test.

From ASA:
Ping an Internet address - should succeed because the ASA's default route is to the internet.
Ping PH - should respond because the host is on a directly connected network, regardless of the DG setting in PH.
Ping ISA (1.100) - should respond for the same reason as above.
Ping IH. If it fails, it could be due to the fact that ASA is unaware of the 2.x network. You'll need a route statement similar to
route add 192.168.2.0 mask 255.255.255.0 192.168.1.100
This will tell the ASA to forward packets for the 2.0 network to the ISA interface. My IOS skills are rusty, so translate the route statement accordingly. ;)

From PH
PH should use the ASA as its Default Gateway. It will need the same route as above, so packets for the internal network are forwarded to the ISA directly. Without the route, packets will be forwarded to ASA, which should forward them based on its routing table to the ISA, resulting in an extra hop. Works, but inelegant.
Ping ASA and ISA (1.100) - both should succeed because they are directly connected.
Ping an internet addres - should succeed if ASA permits it and the gateway is correctly pointing to the ASA.
Ping IH - should succeed if the route is defined properly, otherwise will fail. NOTE  - if this test fails, check the ISA logs to be sure it is not blocking pings. If you see Denied messages in ISA, the routing is correct, and ISA rules are preventing the ping.

From ISA
Since ISA is directly connected to every network, and (I assume) uses the ASA as its default gateway, it should be able to ping ASA, PH, IH, and an internet host without issue.

From IH
Ping ISA (2.1) - succeeds because it is directly connected
Ping PH - should succeed because ISA is the DG for this host, and ISA is directly connected to PH's network.
Ping ASA - should succeed if the ASA knows the route back to the internal network.
Ping internet host - same expected result as above.

I'm pretty sure that the issue is simply that the ASA is not "aware" of the network on the other side of the ISA. Once you verify/add the route to the ASA to forward the 192.168.2.0 network to the ISA, you should be fine.

This is a classic "network behind network" issue discussed several times on this site.

Good luck!

Glenn



davidwat -> RE: Route vs NAT (17.Jun.2008 4:02:29 PM)

Hi Glenn,
What you provided makes sense.  Therefore, I created a static route like you said using "route add" for 192.168.1.0/24 192.168.2.1.  Do I create static route for 192.168.2.0/24 192.168.1.100 on the External Interface?

After creating the static route I finally see the traffic hitting the ISA firewall, but I'm getting denied PING to the LINUX box sitting on the 192.168.1.x network.  I do have a firewall rule that's allowing PING from Internal to External for All Users.  I remember seeing a post where someone was experiencing the same thing.  They didn't get a resolution.  Do you know what could be causing the problem?

Thanks



davidwat -> RE: Route vs NAT (18.Jun.2008 1:23:41 AM)

Hi Glenn,
Goal: PING 192.168.1.50 Linux box from the 192.168.2.2 PC for now.

Set the Cisco ASA with a Static Route for Internal NIC for 192.168.2.0/24 192.168.1.100.

I added 2 static routes using "route add":
Destination  Network Mask   Gateway       Interface      Metric
192.168.1.0  255.255.255.0  192.168.2.1   192.168.2.1    5
192.168.2.0  255.255.255.0  192.168.1.100 192.168.1.100  5

Created backend firewall using Back Firewall Template, set Internal using the Internal NIC (192.168.2.0-192.168.2.255), and set it using Block All.

Created an Access Policy Rule (PING - Int to Ext) to PING (PING, ICMP Information Request, ICMP Timestamp) from Internal to External for All Users, 24x7.

ISA can ping itself, the 192.168.2.2 PC, the 192.168.1.50 Linux box, and the ASA NIC (192.168.1.1).

Tried to PING from 192.168.2.2 PC to 192.168.1.50 Linux box, I get request time out.  I can PING the ISA External NIC 192.168.1.100 from the 192.168.2.2 PC, though.  The weird thing is that I can PING the Internal NIC of the ASA with a response.  Also, I can also PING the IP Address for Google.com (74.125.19.99), and I do get a response.

The Logging shows that the rule PING - Int to Ext has initiated the connection with Result Code 0x0 ERROR_SUCCESS, then later 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN.  Doesn't show any deny messages.

Any idea why I cannot PING the Linux box, but can PING ASA and the Internet?  Is this problem outside of ISA (e.g. routing tables)?  The Event Logs don't show anything.

Thanks



gbarnas -> RE: Route vs NAT (18.Jun.2008 8:00:38 AM)

None of your systems need two route statements. Your ASA needs one route statement to know to forward packets for the network behind the ISA to the ISA. The route to the 192.168.1 network is not needed (and is improperly defined) because the ASA is directly connected to that network.  The Linux system does not NEED a route if it uses the ASA as it's default gateway, however, it would be more efficient to make it aware of the back network as well - same route statement as the ASA. You should only see the difference in a traceroute. The ISA is directly connected to all subnets and does not need any static routes.

Please, for my sanity (especially in my pre-caffienated state), describe your tests as
"Ping HOST from HOST: pass/fail". Also, referencing the hosts by name lets us quickly identify where it is without having to keep referring to a chart of your network - "PHOST" tells me immediately that it's a perimeter host. :)

So - brass tacks..
  • Clear any static routes you added.
  • Add a route on the ASA:  192.168.2.0/24 192.168.1.100
  • Insure the PHOST uses ASA as its gateway - add a static route just like the one above so it reaches the internal network efficiently.
  • Run through the tests I outlined earlier and report the results of each ping test. Be sure to identify the source/destination so there's no ambiguity.

Glenn



pwindell -> RE: Route vs NAT (18.Jun.2008 10:30:09 AM)

Sorry, the thread go too long for me to try to dig through it all. So I am lookling only back at the original post.

The only thing that needs a Static Route is the ASA that tells it to use the 192.168.1.100 as the path to get to 192.168.2.0/24.  I don't see any need for any Static Route anywhere else.

If ISA used a NAT Relationship between it and the ASA then there would be no Static Route needed at all.  The NAT Relationship is what you should really be using anyway.



gbarnas -> RE: Route vs NAT (18.Jun.2008 10:39:46 AM)

That's what we've been saying all along. The purpose of the exercise being discussed was to illustrate to the O.P. how the routes work and to better understand fundamental troubleshooting process.

In the middle of all this was the addition of a computer in the perimeter. The second route could go on that machine so it doesn't have to bounce off of the ASA to go inside, but this isn't a strict requirement.

Glenn



pwindell -> RE: Route vs NAT (18.Jun.2008 5:42:10 PM)

Ok.
Thanks Glenn,



Jason Jones -> RE: Route vs NAT (19.Jun.2008 5:54:30 AM)

Why exactly should we be using NAT on ISA as opposed to routing?

By hiding everything behind ISA's external interface we lose any ability to configure ASA ACLs based upon original host source IP address.

IMHO a route relationship provides the most secure solution as it exposes control for both ISA *AND* ASA which means both tiers of the model are able to filter
traffic properly. A good example here is if the ASA is ever used for site-to-site VPN termination and we require ACLs for the VPN.

I am not sure we should be using NAT just because it is easier to configure...

Cheers

JJ



pwindell -> RE: Route vs NAT (19.Jun.2008 9:17:22 AM)

I admit I have never considered using a routing relationship on the back side of a back-to-back DMZ and would have always thought of it as a bad thing.  But what you are saying makes sense, I never thought of it like that.



Jason Jones -> RE: Route vs NAT (19.Jun.2008 11:22:49 AM)

Yeah, I like the approach [;)]

NAT was never designed as a security solution, although people often perceive it as "more secure".

In the overall security design, a route relatioship actually exposes better security control and "feels right" to me [:)]

Cheers

JJ



davidwat -> RE: Route vs NAT (19.Jun.2008 3:44:22 PM)

Hi Jason,
Good to see you again.  Although I would like that ROUTE approach too, for some reason I'm having a difficult time using it.  When the network set to NAT everything works.  I've setup the ISA and ASA according to what Glenn proposed, but I'm still having trouble pinging the Perimeter Host (PH - Linux box), and vice versa if ROUTE is supposed to be bidirectional. 

Maybe I have setup the Network wrong.  I changed the default Internet network rule from NAT to ROUTE for Internal/VPN Client/Quarantine to External.  Is this correct?  Should I have left this as NAT and created another Network rule to ROUTE to the perimeter?



Page: [1]