Multiple NAT to network

apmcomp — Tue, 12 Mar 2019 03:25:29 GMT

I am trying to do the following on an ASA 5505 with Security Plus licensing.

public IP ASA private IP ASA

199.185.3.25 <-------192.168.1.254

|--------192.168.2.254

|-------- 192.168.3.254

I want the 192.168.1.0/24 and 192.168.2.0/24 to NAT to the internet.

I can get the first subnet to work. I can get hosts on each of the two subnets ping each other. However, if I try to ping an external site 4.2.2.2., the first subnet works, the second one does not.

I am enclosing the running-configuration from IOS 8.4. Any insights as to what I'm missing to get the second network to be able to send and receive packets to an internet connection?

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.01.05 21:03:36 =~=~=~=~=~=~=~=~=~=~=~=

sh run

: Saved

ASA Version 8.4(6)

hostname INFOASA01

names

interface Ethernet0/0

interface Ethernet0/1

switchport access vlan 4

interface Ethernet0/2

switchport access vlan 5

interface Ethernet0/3

switchport access vlan 2

interface Ethernet0/4

switchport access vlan 2

interface Ethernet0/5

switchport access vlan 2

interface Ethernet0/6

switchport access vlan 2

interface Ethernet0/7

switchport access vlan 2

interface Vlan1

nameif outside

security-level 25

pppoe client vpdn group PPP

ip address pppoe setroute

interface Vlan2

nameif inside

security-level 75

ip address 192.168.1.254 255.255.255.0

interface Vlan3

description Wireless

shutdown

no nameif

no security-level

no ip address

interface Vlan4

description home-network

nameif inside-46

security-level 50

ip address 192.168.3.224 255.255.255.0

interface Vlan5

nameif inside5

security-level 75

ip address 192.168.2.254 255.255.255.0

interface Vlan98

description VPN client

no nameif

security-level 90

ip address 192.168.98.254 255.255.255.0

interface Vlan99

no nameif

no security-level

no ip address

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_25

host 192.168.1.249

object network obj_143

host 192.168.1.249

object network obj_1677

host 192.168.1.249

object network obj_444

host 192.168.1.249

object network obj_443

host 192.168.1.246

object network obj_22

host 192.168.1.249

object network obj_21

host 192.168.1.247

object network obj_8009

host 192.168.1.249

object network obj_39833

host 192.168.1.88

access-list smtp extended permit tcp any host 66.18.210.142 eq smtp

access-list smtp extended permit tcp any host 192.168.1.249 eq smtp

access-list smtp extended permit tcp any host 192.168.1.249 eq imap4

access-list smtp extended permit tcp any host 192.168.1.249 eq 1677

access-list smtp extended permit tcp any host 192.168.1.249 eq https

access-list smtp extended permit tcp any host 192.168.1.246 eq https

access-list smtp extended permit tcp any host 192.168.1.247 eq ftp

access-list smtp extended permit tcp any host 192.168.1.249 eq ssh

access-list smtp extended permit tcp any host 192.168.1.249 eq 8009

access-list smtp extended permit tcp any host 192.168.1.88 eq 3389

no pager

logging asdm informational

mtu outside 1460

mtu inside 1500

mtu inside-46 1500

mtu inside5 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network obj_any

nat (inside,outside) dynamic interface

object network obj_25

nat (inside,outside) static interface service tcp smtp smtp

object network obj_143

nat (inside,outside) static interface service tcp imap4 imap4

object network obj_1677

nat (inside,outside) static interface service tcp 1677 1677

object network obj_444

nat (inside,outside) static interface service tcp https 444

object network obj_443

nat (inside,outside) static interface service tcp https https

object network obj_22

nat (inside,outside) static interface service tcp ssh 40022

object network obj_21

nat (inside,outside) static interface service tcp ftp ftp

object network obj_8009

nat (inside,outside) static interface service tcp 8009 8009

object network obj_39833

nat (inside,outside) static interface service tcp 3389 39833

access-group smtp in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

snmp-server location Home1

snmp-server contact network admin

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 3

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 15

ssh key-exchange group dh-group1-sha1

console timeout 0

vpdn group PPP request dialout pppoe

vpdn group PPP localname **********************

vpdn group PPP ppp authentication chap

vpdn username *********.com password ***** store-local

dhcpd auto_config inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username ***** password ******* encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:d2e31f51f0af551900f9fb8b5dd3ea72

: end

INFOASA01(config)# packet-tracer input inside5 tcp 192.168.2.200 12345 4.2.2.2 12345

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 5605, packet dispatched to next module

Result:

input-interface: inside5

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

INFOASA01(config)#packet-tracer input inside5 tcp 192.168.1.200 12345 4.2.2.2 12345

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj_any

nat (inside,outside) dynamic interface

Additional Information:

Dynamic translate 192.168.1.200/12345 to 199.185.3.25/12345

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 5633, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

INFOASA01(config)# icmp debug icmp tra

debug icmp trace enabled at level 1

INFOASA01(config)# ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=0 len=56

ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=1 len=56

ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=2 len=56

ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=3 len=56

ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=4 len=56

b ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=140 len=32

ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25

ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=140 len=32

ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88

ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=141 len=32

ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25

ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=141 len=32

ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88

ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=142 len=32

ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25

ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=142 len=32

ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88

ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=143 len=32

ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25

ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=143 len=32

ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88

no debug icmp tra

debug icmp trace disabled.

INFOASA01(config)#

Multiple NAT to network

Julio Carvajal — Tue, 07 Jan 2014 01:14:08 GMT

Hello Paul,

Yes, there is a order within the NAT on 8.3 and higher

1) Manual Nat or Twice Nat

2) Object Nat (the one being used here)

3) After-Auto Nat

Inside the Object-Nat the order will be done automatically by the firewall taking place the static entries and more specific.

So if you enter that command you will be translating only the subnet within the obj_any 5 from the inside5 to the outside.

Hope I was clear hehe

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

topic Multiple NAT to network in Network Security

Multiple NAT to network

Multiple NAT to network

Multiple NAT to network

Multiple NAT to network