ASA version 9.2 NAT

Mohd Khairul Nizam — Tue, 12 Mar 2019 06:10:31 GMT

Hi,

I setup ASA 5515 to enable internet access.

From CLI console, i can ping to 8.8.8.8, and any other external IP

But internal user at PC not able to browse to Internet / http . I figure out must be NAT issue.

Can help to check below config.

----------------------------------------

object network VLAN200
 subnet 172.29.0.0 255.255.0.0
object network VLAN300
 subnet 172.19.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
 network-object object VLAN200
 network-object object VLAN300
access-list VPN extended permit ip object LocalVPN object RemoteVPN 
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any 
access-list outside_access_in extended deny ip any any 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LocalVPN LocalVPN destination static RemoteVPN RemoteVPN
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.x.x.25 1
route inside 172.29.0.0 255.255.0.0 172.29.100.254 1
route inside 172.59.0.0 255.255.0.0 172.59.100.254 10
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 management
http 172.29.0.0 255.255.0.0 inside
http 172.19.0.0 255.255.0.0 inside

Hi, Based on the access rules

Rishabh Seth — Wed, 24 Jun 2015 06:24:09 GMT

Hi,

Based on the access rules and network objects, i am assuming that you are trying to configure internet access for vlan200 and vlan300.

You can use object nat to perform dynamic interface based nat for outbound traffic.

Config:

asa#Object network <object-name>

asa(config-network-object)#nat (incoming_interface_name,outgoing_interface_name) dynamic interface.

eg for vlan200:

asa#Object network VLAN200

asa(config-network-object)#nat (inside,outside) dynamic interface.

Configure NAT for each network object.

and remove

nat (any,outside) after-auto source dynamic any interface

Hope it helps!!!

Hi, I figured it out too as

Mohd Khairul Nizam — Wed, 24 Jun 2015 14:52:48 GMT

Hi,

I figured it out too as below

object network obj_any

subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

topic Hi, Based on the access rules in Network Security

ASA version 9.2 NAT

Hi, Based on the access rules

Hi, I figured it out too as