topic I am testing in a "lab" in Network Security

ASA 5506 cannot get inside PCs to access the Internet

fcampbell — Tue, 12 Mar 2019 08:06:04 GMT

I have a PIX 5506 version 9.5(1) out of the box configured using the ADSM Startup Wizard.

Per documentation this configuration is supposed to allow any PC to access the Internet

When I run a packet trace on the the inside (1 implicit incomming rule) to allow access for PCs from behind the firewall to the Internet I get a (nat-xlate-failed) NAT failed error.

What configuration step am I missing? Do I need to add an access list to allow traffic out?

The current configuration is listed below. Any help greatly appreciated

ciscoasa# wr t
: Saved

:
: Serial Number: JAD194800DH
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.2.10 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8b712a9090c458bd79e28403b205dffc
: end
[OK]
ciscoasa#

Without having gone to deep

Bobby Stojceski — Sun, 07 Aug 2016 22:53:23 GMT

Without having gone to deep into this yet, I notice your outside and inside interfaces are both private IP ranges. So the question has to be asked about whether you need NAT at all? Are you wanting all traffic from the 192.168.1.0/24 subnet to be seen as coming from 192.168.2.10 ?

I am testing in a "lab"

fcampbell — Mon, 08 Aug 2016 00:30:53 GMT

I am testing in a "lab" environment in my home network. When I get the flows correct I will change the outside address to a legitimate, routable IP address.

Hi,

Aditya Ganjoo — Mon, 08 Aug 2016 00:38:12 GMT

Hi,

Could you please remove the any,outside statement and be more specific:

nat (any,outside) dynamic interface

Please change it to nat (inside,outside) dynamic interface and then test.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I made the change you

fcampbell — Mon, 08 Aug 2016 01:05:44 GMT

I made the change you suggested. No change in test results. Thank you for the suggestion.

Hi,

Aditya Ganjoo — Mon, 08 Aug 2016 01:07:50 GMT

Hi,

Can you share the packet tracer results ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

can you post for ACL's ? I'm

august70 — Mon, 08 Aug 2016 19:13:51 GMT

can you post for ACL's ? I'm not seeing any listed here.

I finally have a working

fcampbell — Tue, 09 Aug 2016 00:54:59 GMT

I finally have a working configuration. Thank you all for your help! Comments and ideas greatly appreciated.

From the out of the box default I added/changed

object network obj_any
nat (inside,outside) dynamic interface (default was (any,outside) Thank you Aditya!

object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0

nat (inside,outside) after-auto source dynamic any interface (this may not be needed given the other nat declaration; comments appreciated)

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

dhcpd dns 4.2.2.2 interface inside (for DNS lookups)

access-list from_outside extended permit icmp any any echo (allow inside to ping)

inspect icmp (in policy-map global_policy-->class inspection_default)

Here is the entire configuration

ciscoasa#
ciscoasa# wr t
: Saved

:
: Serial Number: JAD194800DH
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.2.10 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
access-list from_outside extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:73451e2363b0be6416cccc805bdfffc8
: end
[OK]
ciscoasa#

That's a good news.

Aditya Ganjoo — Tue, 09 Aug 2016 01:57:10 GMT

That's a good news.

Glad to assist.

i would request if you can close the post.

Regards,

Aditya

Please rate helpful posts and mark correct answers.