topic Hi,You need to create an in Network Security

Dynamic NAT configuration on Cisco ASA 5520

ramatoulaye.hane1 — Tue, 12 Mar 2019 05:52:36 GMT

Dear Support,

I want to setup a dynamic NAT on my firewall Cisco ASA 5520. I make the configuration below, but I cannot access to internet. Can you help me please.

object network LTY_NAT
subnet 192.168.176.0 255.255.248.0
object network HQ_NAT
subnet 192.168.190.0 255.255.255.0
object network CAD_NAT
subnet 192.168.140.0 255.255.255.0

object-group network ESN_NAT
network-object object LTY_NAT
network-object object HQ_NAT
network-object object CAD_NAT

nat (any,outside) source dynamic ESN_NAT interface

My Cisco ASA is connected to the Inside interface(192.168.180.228) with this network 192.168.176.0 255.255.248.0 .

Thank in advance!

Dear Support, When I try to

ramatoulaye.hane1 — Sun, 03 May 2015 16:02:36 GMT

Dear Support,

When I try to ping internet I get this error message from Real Time log viewer

May 03 2015

15:53:41

302020

192.168.182.45

8.8.8.8

Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.182.45/1 laddr 192.168.182.45/1

It seems NAT is not working

Pranay Prasoon — Sun, 03 May 2015 17:42:00 GMT

It seems NAT is not working correctly. The syslog 302020 says

Connection was built when you tried to ping 8.8.8.8 from 192.168.182.45.

faddr= Foreign address

gaddr (Global address)=NAT address of 192.168.182.45///This should have been the interlace IP address of ASA

laddr (Local address) of 192.168.181.45

Please try below step:-

1) Run packet tracer and see if NAT is being hit.

2) If packet-tracer shows NAT being hit try to do a "clear xlate" and then check.

Thanks

Pranay

ladd

Hi Pranay,Thanks for your

ramatoulaye.hane1 — Sun, 03 May 2015 18:55:36 GMT

Hi Pranay,

Thanks for your reply.

Below the results of packet tracer:

vpnserver# packet-tracer input outside rawip 192.168.180.100 ?

<0-255> Enter the ip protocol id/next header
vpnserver# packet-tracer input outside rawip 192.168.180.100 25
ERROR: % Incomplete command
vpnserver# packet-tracer input outside rawip 192.168.180.100 25 ?

A.B.C.D Enter the destination ipv4 address
vpnserver# packet-tracer input outside rawip 192.168.180.100 25 8.8.8.8

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (any,outside) source dynamic ESN_NAT interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

vpnserver#

Hi,The Packet Trace which you

Vibhor Amrodia — Mon, 04 May 2015 03:39:07 GMT

Hi,

The Packet Trace which you executed is incorrect.

As per the NAT statement , you need to use the LAN interface(inside) interface as the ingress interface for the traffic.

Use option "tcp" instead of "rawip" and then you would be able to see the source and destination ports.

Use this for reference:-

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,Thank for

ramatoulaye.hane1 — Mon, 04 May 2015 10:28:46 GMT

Hi Vibhor Amrodia,

Thank for your reply.

Below the results. But the NAT and access list chosen by the command packet-tracer is not that I have created for the NAT.

My NAT configuration is:

object network LTY_NAT
subnet 192.168.176.0 255.255.248.0
object network HQ_NAT
subnet 192.168.190.0 255.255.255.0
object network CAD_NAT
subnet 192.168.140.0 255.255.255.0

object-group network ESN_NAT
network-object object LTY_NAT
network-object object HQ_NAT
network-object object CAD_NAT

nat (any,outside) source dynamic ESN_NAT interface

vpnserver# packet-tracer input inside tcp 192.168.180.100 53 8.8.8.8 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 103 in interface inside
access-list 103 extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote
_LAN Remote_LAN
Additional Information:
Static translate 192.168.180.100/53 to 192.168.180.100/53

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 177738, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

vpnserver#

Hi,This is the issue. If you

Vibhor Amrodia — Mon, 04 May 2015 10:42:36 GMT

Hi,

This is the issue. If you check the NAT phase:- 6 , it is using a different NAT statement.

The problem is i suspect the Remote_LAN is containing Subnet which is also causing all the traffic to the internet IP addresses to be using this NAT which is acting like a NONAT or not translating the IP addresses to the interface.

Can you post the output of this Object:- Remote_LAN

Thanks and Regards,

Vibhor Amrodia

nat (inside,outside) source static Local_LAN Local_LAN destination static Remote
_LAN Remote_LAN - See more at: https://supportforums.cisco.com/discussion/12497401/dynamic-nat-configuration-cisco-asa-5520#sthash.lhjx4X6z.dpuf

Hi Vibhor Amrodia,Thanks!The

ramatoulaye.hane1 — Mon, 04 May 2015 11:15:59 GMT

Hi Vibhor Amrodia,

Thanks!

The object Remote_LAN contains only this subnetwork:

object network Remote_LAN
subnet 0.0.0.0 0.0.0.0

Ramatoulaye HANE

Hi,This is the issue. This

Vibhor Amrodia — Mon, 04 May 2015 11:24:14 GMT

Hi,

This is the issue. This NAT is probably for the VPN traffic and to prevent it from being natted.

If you are using VPN , use specific Remote Subnets or if you are not using VPN , remove this NAT.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,I use these

ramatoulaye.hane1 — Mon, 04 May 2015 11:43:04 GMT

Hi Vibhor Amrodia,

I use these NAT for SSL VPN

object-group network Local_LAN
network-object 192.168.140.0 255.255.255.0
network-object 192.168.130.0 255.255.255.0
network-object 192.168.190.0 255.255.255.0
network-object 10.71.121.0 255.255.255.0
network-object 10.71.124.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 192.168.170.0 255.255.255.0
network-object 192.168.176.0 255.255.248.0
network-object 10.71.0.0 255.255.0.0
network-object 172.28.11.0 255.255.255.0
network-object 172.28.13.0 255.255.255.0

object network Remote_LAN
subnet 0.0.0.0 0.0.0.0

So, which network I can specify for this object network Remote_LAN?

Ramatoulaye HANE

Hi,You need to create an

Vibhor Amrodia — Mon, 04 May 2015 12:06:40 GMT

Hi,

You need to create an object-group with all these networks in it and replace the 0.0.0.0 from the object.

You would not be able to use object for multiple subnets and hence us object group and call it using the NAT statement.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,Can you

ramatoulaye.hane1 — Mon, 04 May 2015 12:12:39 GMT

Hi Vibhor Amrodia,

Can you give me an example, because I don't understand what you say. Or I must create local network and remote network with the same network objects.

Hi,So , to be clear , answer

Vibhor Amrodia — Mon, 04 May 2015 12:17:08 GMT

Hi,

So , to be clear , answer this query for me:-

Local Subnets:-

Ip local Pool for the SSL VPN:-

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,Local

ramatoulaye.hane1 — Mon, 04 May 2015 12:32:53 GMT

Hi Vibhor Amrodia,

Local Subnets: 192.168.176.0/21, 192.168.190.0/24, 192.168.140.0/24, 192.168.170.0/24

Ip local Pool for the SSL VPN: ip local pool esn 192.168.182.150-192.168.182.199 mask 255.255.248.0

Thanks!

Ramatoulaye HANE

Hi,In this case , you would

Vibhor Amrodia — Mon, 04 May 2015 12:45:06 GMT

Hi,

In this case , you would need this configuration:-

object-group network LOCAL-SUBNETS

network-object 192.168.176.0 255.255.224.0

network-object 192.168.190..0 255.255.255.0

network-object 192.168.140.0 255.255.255.0

network-object 192.168.170.0 255.255.255.0

Object network Anyconnect

subnet 192.168.182.0 255.255.248.0

nat (inside.outside) source static LOCAL-SUBNETS LOCAL-SUBNETS destination static Anyconnect Anyconnect

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,Thanks!I

ramatoulaye.hane1 — Mon, 04 May 2015 13:38:46 GMT

Hi Vibhor Amrodia,

Thanks!

I modified the remote network. Now Local_LAn and Anyconnect are below:

Object network Anyconnect
subnet 192.168.176.0 255.255.248.0

nat (inside,outside) source static Local_LAN Local_LAN destination static Anyconnect Anyconnect

Now, what is the next step?

Thank in advance!

Hi,Now , I think the traffic

Vibhor Amrodia — Mon, 04 May 2015 13:57:20 GMT

Hi,

Now , I think the traffic should be allowed for the Outbound internet.

Check it with the packet tracer again.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor Amrodia,It works

ramatoulaye.hane1 — Mon, 04 May 2015 16:14:51 GMT

Hi Vibhor Amrodia,

It works now.

Thank for your support!

Hi Vibhor Amrodia,The dynamic

ramatoulaye.hane1 — Tue, 05 May 2015 10:04:22 GMT

Hi Vibhor Amrodia,

The dynamic NAT is working fine following your guide, but the VPN site to site with my peer is disconnected and I can't access to peer side. What I can do to have dynamic NAT et VPN site to site UP.

Thank in advance!

Hi,Now , you need to check

Vibhor Amrodia — Tue, 05 May 2015 12:20:08 GMT

Hi,

Now , you need to check the NONAT statement is working for the Site-To-Site VPN tunnel or not. I think this NAT broke that for you.

You need this NAT statement:-

nat (inside,outside) source static <Local Subnets> <Local Subnets> destination static <Remote Subnets> <Remote Subnets>

Thanks and Regards,

Vibhor Amrodia