NAT rules for incomming traffix

josephCarmon74721 — Sun, 20 Oct 2019 18:18:55 GMT

I am having an issue with incoming rules. Here is my running config.

: Saved

:
: Serial Number: JAD21290D2D
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(1)
!
hostname ciscoasa
enable password $sha512$5000$3ReiS6mEZI8Ylkm0Wc0nGg==$1cK03Z/MNTwOXtq7HLVmbw== pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address X.X.X.146 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description DMZ for Carmon Network
shutdown
nameif DMZ
security-level 50
ip address 172.80.0.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network epsilonix
host 192.168.1.8
object network VPNServer
host 192.168.1.3
description VPN Server
object network VPNServerUDP
host 192.168.1.3
object network vpnserver-943
host 192.168.1.3
object network outside
host X.X.X.146
object service https
service tcp destination eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any object VPNServer
access-list outside_access_in extended permit udp any object VPNServer
access-list outside_access_in extended permit ip any object epsilonix
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
nat (any,outside) dynamic interface
object network epsilonix
nat (outside,inside) static X.X.X.146
!
nat (DMZ,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.145 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 0956985c
308202ce 308201b6 a0030201 02020409 56985c30 0d06092a 864886f7 0d01010b
05003029 3111300f 06035504 03130863 6973636f 61736131 14301206 03550403
130b3139 322e3136 382e312e 31301e17 0d313930 36303330 35333435 365a170d
32393035 33313035 33343536 5a302931 11300f06 03550403 13086369 73636f61
73613114 30120603 55040313 0b313932 2e313638 2e312e31 30820122 300d0609
2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00b995af dc86405a
7202ef9b aa58bf47 cf82f894 8e45f793 667c0a52 04aceae2 fbd706f6 fc73cd71
8103bf6c cafcd8f2 378b7c8e b50ebf7b 15095d9d 077922f0 ecdac538 f7e8a615
deefde8e 6584686a 4fcd0cbb 1f075df9 8c5d561b aef7bf28 3425aee8 abc1bff4
f80447d6 042ca727 cfce198c affa1497 f9aba5a2 74a14aff f82e7580 c7369ca5
19f9146d 6c288964 eafb66aa 7a423272 334fac93 6e14cd22 d3fe00ed 52e25093
b2f9c671 e2c59b1e e3962e38 920015cd 656927cc f413fbdf 33c53279 fc2a2aa3
602c6b9e 4e170edb faa63b8a bebd1580 7af5ecd0 6dad1dc0 34c1e902 bd2175fe
b706ef26 19362b4c c24105ac 74d2ef49 69003074 624df2b7 7b020301 0001300d
06092a86 4886f70d 01010b05 00038201 01003808 f65b2d64 4f085130 062774b9
7c36558f 046763f7 5823b6cb da565ffa 73e07e6c b984b0a8 7277ae6c a88b7cce
432ebcb3 c69e9088 3a001eec 35af6204 3977c9e7 05bded43 f572de2a 82dc35f7
d6832d62 915c8124 284560ef 2db2a225 915a5263 64ae3b07 33078c8f e5d2205b
8886e2d9 aa2d89c9 29fdfd22 6446d842 64834249 a46629e7 8eb4604b 5b9a439a
c9a33615 0caf1cf0 ed7601c1 9222854a 9ac3cc77 c18d31ee 161b9eb2 3b071142
d86cc3cf f1b575ab bda80e54 4f902a76 3bca2404 8fbadaaf bda64b9b 47dbcd64
1dd16678 08c5baa2 b6ddf8ad ab8d5b86 e6ffcc22 047a605b 45a0b533 ea4d934b
e6275db3 990b2765 70c9de0b 5cb2af38 1006
quit
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 192.168.1.3 71.10.216.1
dhcpd auto_config outside
!
dhcpd address 192.168.1.30-192.168.1.254 inside
dhcpd dns 192.168.1.3 209.18.47.61 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
enable outside
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
webvpn
url-list value asdm
dynamic-access-policy-record DfltAccessPolicy
username joe password $sha512$5000$T3LTRsDb9Fc1Kd2pl7NhJg==$K7NyYNiO24p8j8qSOIthuA== pbkdf2 privilege 0
username joe attributes
vpn-group-policy DfltGrpPolicy
tunnel-group web type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9e1c595f0cdcb4e6431bba4bcae8b280
: end
no asdm history enable

Incoming traffic is denied by implicit rule. Not sure what I am doing wrong in my NAT rule and ACL.

Re: NAT rules for incomming traffix

Marius Gunnerud — Sun, 20 Oct 2019 18:29:01 GMT

You need to define the inside interface as the source in the NAT statement, not the outside interface.

object network epsilonix
nat (outside,inside) static X.X.X.146 <-- change to the following: nat (inside,outside) static X.X.X.146

topic Re: NAT rules for incomming traffix in Network Security

NAT rules for incomming traffix

Re: NAT rules for incomming traffix