ASA rpf-check

Wiadomość

misiol · #1

Jeden z klientów używających ASA 8.2 zgłosił mi taki problem.

Prosta topologia:

LAN---(inside)ASA(DMZ)-----server_10.62.205.59

Ruch inicjowany z sieci LAN na adres serwera w DMZ na porcie 80 dziala poprawnie. Teraz pojawiła się konieczność inicjacji ruchu z tego serwera do jednej ze stacji w sieci LAN. I tu pojawia się problem.

cfg

Kod: Zaznacz cały

interface GigabitEthernet0/1.62
 vlan 62
 nameif inside
 security-level 100
 ip address 10.62.199.100 255.255.254.0 standby 10.62.199.101

interface GigabitEthernet0/2.640
 vlan 640
 nameif dmz
 security-level 90
 ip address 10.62.205.1 255.255.255.0 standby 10.62.205.2

object-group service porty_lotus tcp
 port-object eq www
 port-object eq lotusnotes

access-list wyj extended permit tcp any host 10.62.241.110 object-group porty_lotus

access-list dmz51 extended permit icmp any any
access-list dmz51 extended permit ip any any


nat-control
static (dmz,inside) tcp 10.62.241.110 lotusnotes 10.62.205.59 15610 netmask 255.255.255.255
static (dmz,inside) tcp 10.62.241.110 www 10.62.205.59 15510 netmask 255.255.255.255
static (dmz,inside) 10.62.241.110 10.62.205.59 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface

access-group wyj in interface inside
access-group dmz51 in interface dmz

Output z packet tracera

Kod: Zaznacz cały

packet-tracer input dmz tcp 10.62.205.59 20000 10.31.113.75 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.16.0.0       255.240.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz51 in interface dmz
access-list dmz51 extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x71d36998, priority=12, domain=permit, deny=false
        hits=3044011, user_data=0x6d3dff80, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x717a40b8, priority=0, domain=inspect-ip-options, deny=true
        hits=3908547, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x73ac1fe0, priority=70, domain=inspect-http, deny=false
        hits=19966, user_data=0x72776cf8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7278a1c0, priority=50, domain=ids, deny=false
        hits=3044898, user_data=0x72787430, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7279bb60, priority=50, domain=ssm-isvw, deny=false
        hits=3044898, user_data=0x7278b2d8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x727958c8, priority=49, domain=ssm-isvw-capable, deny=false
        hits=199759, user_data=0x1, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x71a1e998, priority=20, domain=lu, deny=false
        hits=2641220, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,inside) 10.62.241.110 10.62.205.59 netmask 255.255.255.255
nat-control
  match ip dmz host 10.62.205.59 inside any
    static translation to 10.62.241.110
    translate_hits = 7, untranslate_hits = 1
Additional Information:
Static translate 10.62.205.59/0 to 10.62.241.110/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0x72cdb558, priority=5, domain=nat, deny=false
        hits=7, user_data=0x7435a0e8, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.62.205.59, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,inside) tcp 10.62.241.110 lotusnotes 10.62.205.59 15610 netmask 255.255.255.255
nat-control
  match tcp dmz host 10.62.205.59 eq 15610 inside any
    static translation to 10.62.241.110/1352
    translate_hits = 0, untranslate_hits = 2
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x73a5ae40, priority=5, domain=host, deny=false
        hits=156, user_data=0x733d2f10, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.62.205.59, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7278cf88, priority=49, domain=ssm-isvw-capable, deny=false
        hits=422892, user_data=0x2, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 12
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any dmz any
    dynamic translation to pool 1 (10.62.205.1 [Interface PAT])
    translate_hits = 281, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x71aa2c98, priority=1, domain=nat-reverse, deny=false
        hits=494, user_data=0x71ad9ad8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Od razu dodam ze wylaczenie nat control nie wchodzi w gre. Czy problemem jest to ze jest zdefiniowany dynamic nat z inside do dmz oraz static nat jednoczesnie? Jak to sie ma do nat rfp-checka?

LukaszM · #2

problemem jest dynamiczny Nat z inside do dmz. Sprobuj dodać regule Nat exempt na inside lub utwórz statyczny Nat np. Static (inside,dmz) 10.31.113.75 10.31.113.75.

misiol · #3

Rozumiem. Ciekawi mnie natomiast jedna rzecz. Jaki jest order of operations w przypadku jak tutaj gdzie mamy static nat który jak rozumiem jest dwukierunkowy - ruch powinien się łapać na static niezależnie od miejsca inicjacji. Do tego z inside do dmz dochodzi dynamic nat czyli de facto mamy dwa naty, static i dynamic nat? Który jest brany przez ASA pod uwagę static, dynamic czy oba?

Jako osoba która większość życia spędziła przy SRXach jest to dla mnie trochę mało zrozumiałe. Prosiłbym o rozjaśnienie.

LukaszM · #4

Tak jak napisales w tym przypadku static nat jest brany pod uwage jako pierwszy:

Kod: Zaznacz cały

static (dmz,inside) tcp 10.62.241.110 lotusnotes 10.62.205.59 15610 netmask 255.255.255.255

Problemem jest jednak ruch powrotny ktory zgodnie z faza RPF check bedzie sie łapał w dynamiczny nat :

Kod: Zaznacz cały

nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface

Tak wiec pakiet SYN jest wysłany z 10.62.205.59 do 10.31.113.75 a odpowiedz SYN/ACK bedzie wysłana z 10.62.205.1 (nat na interfejs) i ASA pokazuje właśnie ten problem w dodatkowym checku RPF.