topic NAT Configuration Troubleshooting in Network Security

NAT Configuration Troubleshooting

chiguy123 — Fri, 06 Dec 2024 21:47:39 GMT

Hi can someone please help troubleshoot our NAT configuration. I am able to ping Google directly from our ASA, however I cannot ping Google from a host located on the INSIDE2 interface (security level 100). We need to be able to reach smtp.office365.com. Please advise, the config is located below.

object network VPN_POOL
subnet 192.168.1.0 255.255.255.0

object network inside

subnet 172.31.0.0 255.255.0.0

access-list OUTSIDE_TO_IN extended permit ip object VPN_POOL any
access-list OUTSIDE_TO_IN extended permit tcp object VPN_POOL any

nat (INSIDE2,outside) source static any any destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
object network VPN_POOL
nat (outside,outside) dynamic interface

object network inside.
nat (inside,outside) dynamic interface
access-group OUTSIDE_TO_IN in interface outside

Re: NAT Configuration Troubleshooting

Flavio Miranda — Fri, 06 Dec 2024 21:56:39 GMT

@chiguy123

Best way to track down the problem on this case is running Packet-tracer. It will give you if NAT or ACL is the problem.

packet-tracer input outside tcp <INSIDE2 > 1234 <smtp.office365.com> 25

Re: NAT Configuration Troubleshooting

MHM Cisco World — Sat, 07 Dec 2024 01:40:45 GMT

nat (inside2,outside) dynamic interface

That only what you need

MHM

Re: NAT Configuration Troubleshooting

chiguy123 — Mon, 09 Dec 2024 19:54:15 GMT

I have other NAT statements listed below configured. If I add the NAT statement as you suggested will it effect/override the other NAT statement that are currently being translated/untranslated?

KYD-EDI-asa1# sh run nat
nat (inside2,outside) source static any any destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
object network VPN_POOL
nat (outside,outside) dynamic interface
object network inside
nat (inside,outside) dynamic interface

Re: NAT Configuration Troubleshooting

chiguy123 — Mon, 09 Dec 2024 19:57:50 GMT

Here are the results I couldn't use the FQDN so I used one of Microsoft's public IP's, do you think that could cause an issue not being able to use the FQDN?

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Re: NAT Configuration Troubleshooting

MHM Cisco World — Tue, 10 Dec 2024 07:19:34 GMT

To make Me take review of your network

nat (inside2,outside) source static any any destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup <<- this for VPN traffic?
!
object network VPN_POOL
nat (outside,outside) dynamic interface <<- this for RA VPN to access Internet ?
object network inside
nat (inside,outside) dynamic interface <<- this for Internal Host connect to inside interface of ASA ?

so what I suggest

object network inside2
nat (inside2,outside) dynamic interface <<- if above is correct then this NAT will not effect your traffic at all

for FQDN, internal Host connect to inside2 get IP from ASA (ASA work as local dhcp?)

if Yes what is the DNS host use ?

1- if DNS is 8.8.8.8 or 8.8.4.4 then you need to allow DNS traffic to pass via ASA
2- if DNS is ASA itself then you need to run dns domain-lookup

MHM

Re: NAT Configuration Troubleshooting

chiguy123 — Tue, 10 Dec 2024 15:52:01 GMT

Yes we do have RA VPN which is setup and working, however the other NAT is configured but not enabled. The VPN pool object subnet is in the same subnet as the server that needs SMTP communication with the new NAT rule. Will this cause a conflict or should I put the server into another subnet or just create a new object with the same server subnet/host configuration?

Re: NAT Configuration Troubleshooting

MHM Cisco World — Wed, 11 Dec 2024 06:34:32 GMT

Yes it will overlapping, why you config VPN Pool same subent as server connect to inside2 ?

MHM