topic Rizwan,Oh how I wish it was in Network Security

ASA 9.1 NAT configuration assistance

Jim Richards — Tue, 12 Mar 2019 05:33:09 GMT

Hello all,

I have a problem I am having trouble solving with a NAT . The scenario goes that I have two ASAs connected via a site-to-site VPN that has a single subnet on the branch side that contains both data and voice devices that needs to talk to both the inside (data) and DMZ (voice) subnets at the main location. This part I have working. The phones are up and I am able to talk both data and phones. The problem being is I do not manage the voice system, a different contractor does and they now have lost remote access to the voice . I removed the following which I think was a leftover from a 8.2 to 9.2 upgrade. That is what got the data and phones working

object network Phone_System

(voice,outside) static 74.x.x.108

What I am having issue with is the NAT to replace this and to allow access from the outside interface to the DMZ interface without causing problems with the site-to-site.

interface Vlan1
nameif inside
security-level 100
ip address 172.16.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 74.x.x.105 255.255.255.224
!
interface Vlan200
no forward interface Vlan1
nameif voice
security-level 10
ip address 172.16.200.1 255.255.255.0

object network Phone_System
host 172.16.200.10

object network Phone_System_External
host 74.x.x.108

object network LAN-G
subnet 172.16.110.0 255.255.255.0

object network LAN-S
subnet 172.16.100.0 255.255.255.0
object network VOICE_S
subnet 172.16.200.0 255.255.255.0

object-group network Local_S
network-object object VOICE_S
network-object object LAN-S

object-group network Remote_G
network-object object LAN-G

object-group network S
network-object object LAN-S

object-group service Phone_Service tcp
port-object eq 3389
port-object eq citrix-ica
port-object eq 2598

object-group service Phone_Service_udp udp
port-object eq 1604

access-list outside_access_in extended permit tcp any object Phone_System_External object-group Phone_Service
access-list outside_access_in extended permit udp any object Phone_System_External object-group Phone_Service_udp

nat (inside,outside) source static Local_S Local_S destination static Remote_G Remote_G no-proxy-arp route-lookup

nat (voice,outside) source static Phone_System Phone_System destination static Phone_System_External Phone_System_External

Hi Jim, Try these line please

rizwanr74 — Tue, 24 Feb 2015 19:07:17 GMT

Hi Jim,

Try these line please.

Remove these two lines.

no access-list outside_access_in extended permit tcp any object Phone_System_External object-group Phone_Service
no access-list outside_access_in extended permit udp any object Phone_System_External object-group Phone_Service_udp

Apply these two lines instead.

access-list outside_access_in extended permit tcp any object Phone_System object-group Phone_Service
access-list outside_access_in extended permit udp any object Phone_System object-group Phone_Service_udp

Hope this helps.

Thanks

Rizwan Rafeek

Rizwan,Oh how I wish it was

Jim Richards — Tue, 24 Feb 2015 19:50:38 GMT

Rizwan,

Oh how I wish it was that easy. I had tried that ACLs in different forms before posting. I did try what you asked and still I cannot ping or RDP to the server from the outside..

I assume your host: 172.16

rizwanr74 — Tue, 24 Feb 2015 20:08:15 GMT

I assume your host: 172.16.200.10 is located in the voice-dmz interface, if not you want to change to inside as "nat (inside,outside) static 74.x.x.108"

You must go under the parent object: "object network Phone_System" and they apply the nat statement.

object network Phone_System
host 172.16.200.10
nat (voice,outside) static 74.x.x.108

Can you post your whole config.

Hope that helps.

thanks

And that is where the problem

Jim Richards — Tue, 24 Feb 2015 20:54:57 GMT

And that is where the problem is.

When I add that static NAT to the object.

object network Phone_System
host 172.16.200.10
nat (voice,outside) static 74.x.x.108

I can ping it from the outside but I cannot ping 172.16.200.10 from the branch router so all phones loose registration because they can no longer reach the 172.16.200.10. The 172.16.200.10 is in the DMZ or should I say 3rd VLAN. The ASA code does not licensed to trunk so it was set up as different VLANs on different interfaces. AKA DMZ.

I figured it out.. the

Jim Richards — Tue, 24 Feb 2015 21:05:25 GMT

I figured it out.. the return traffic was being natted back..

Added

object network VOICE_S
subnet 172.16.200.0 255.255.255.0

nat (voice,outside) source static VOICE_Silverkey VOICE_Silverkey destination static Remote_G Remote_G no-proxy-arp route-lookup

I can now ping from the tunnel and the outside.