topic NAT ASA5512 8.6(1)2 in and out in Network Security

NAT ASA5512 8.6(1)2 in and out

jadragna1 — Tue, 12 Mar 2019 02:01:47 GMT

Hello Everyone,

This is my first post so please forgive me if I miss something. I have an ASA5512 running 8.6(1)2 that I am trying to NAT a public IP address from my ISP to multiple phone systems on the inside of my network. One of these phone systems is at the same site as the ASA5512 and I have no problems getting this one to work with my current config. The problem comes when I apply the same type of NAT rule that works at the main site to allow NAT to the other sites. These sites are connected via a point-to-point system from our ISP. The point-to-point does not seem to be an issue as I can ping any device at our other sites and I can RDP into computers and servers at the others sites. I can also call internally between sites but when I try to call the other sites from my cell I cant get through. Also when I forward one of the extensions at the others sites to my cell and then call internally I do not get an outside line.

In the config below you can see that Ive applied the same NAT and ACL rules to the adminphonesystem and the deltaphonesystem objects. The adminphonesystem can make calls and recieve them with no issues. The deltaphonesystem cannot make or recieve calls from outside our network. Only internal calls are working for the deltaphonesystem. Ive done packet traces in every which way and corrected any issues that I have found with no fix to the problem. So I cleaned up my config and posted it here. Really hope someone can give me a few pointers in getting this problem solved.

On another note I have a Cisco ASA5505 with smartnet support. So i throw it in place of the 5512 and call cisco support. A tech calls me back and we get everything working perfectly on the 5505 with a few simple rules. I say thank you and have a nice. Then I throw the 5512 back in and replicate the rules from the 5505 that were working. Both of these units are using the new NAT setup that was released after 8.3. To my surprise the 5512 doesnt work even though I have the same rules as the 5505. If anyone can answer that side question please do.

ASA Version 8.6(1)2

hostname AdminASA

domain-name

enable password encrypted

passwd encrypted

names

interface GigabitEthernet0/0

shutdown

no nameif

security-level 0

no ip address

interface GigabitEthernet0/1

nameif Outside

security-level 0

ip address 76.320.333.43 255.255.255.224

interface GigabitEthernet0/2

nameif Inside

security-level 100

ip address 10.1.99.1 255.255.255.0

interface GigabitEthernet0/3

nameif P2P

security-level 100

ip address 10.2.99.2 255.255.255.0

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns server-group DefaultDNS

domain-name corp.centermh.org

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network DeltaNetwork

subnet 10.1.96.0 255.255.255.0

object network GunnisonNetwork

subnet 10.1.97.0 255.255.255.0

object network MiamiNetwork

subnet 10.1.98.0 255.255.255.0

object network NuclaNetwork

subnet 10.1.93.0 255.255.255.0

object network TellurideNetwork

subnet 10.1.94.0 255.255.255.0

object network AdminPhoneSystem

host 10.1.99.225

description Inside IP Address of Admin Phone System

object network DeltaPhoneSystem

host 10.1.96.225

description Internal IP Address of Delta Phone System

object network AdminPhonePublic

host 76.320.333.48

description Public IP Address of Admin Phone System

object network FastTrackPhone

host 234.213.124.81

description FastTrack SIP Trunk Authtication IP Address

object network FastTrackMonitor

host 290.230.195.8

description FastTrack Monitoring server

object network DeltaPhonePublic

host 76.320.333.51

description Public IP Address of Delta Phone System

object-group icmp-type ICMP-All

icmp-object echo

icmp-object echo-reply

icmp-object information-reply

icmp-object information-request

icmp-object time-exceeded

icmp-object timestamp-reply

icmp-object timestamp-request

icmp-object traceroute

icmp-object alternate-address

icmp-object conversion-error

icmp-object mask-reply

icmp-object mask-request

icmp-object mobile-redirect

icmp-object parameter-problem

icmp-object redirect

icmp-object router-advertisement

icmp-object router-solicitation

icmp-object source-quench

icmp-object unreachable

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list global_access extended permit icmp object FastTrackMonitor any object-group ICMP-All

access-list Local_access_in extended permit ip any any

access-list MPLS_access_in extended permit ip any any

access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object DeltaPhoneSystem eq sip

access-list CTN_access_in extended permit icmp object FastTrackPhone object DeltaPhoneSystem object-group ICMP-All

access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object AdminPhoneSystem eq sip

access-list CTN_access_in extended permit icmp object FastTrackPhone object AdminPhoneSystem object-group ICMP-All

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu P2P 1500

mtu management 1500

ip local pool vpnUsers 10.1.99.200-10.1.99.210 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp

nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp

nat (P2P,Outside) after-auto source dynamic any interface

nat (Inside,Outside) after-auto source dynamic any interface

access-group Outside_access_in in interface Outside

access-group Inside_access_in in interface Inside

access-group P2P_access_in in interface P2P

access-group global_access global

route Outside 0.0.0.0 0.0.0.0 76.320.333.42 6

route P2P 10.1.93.0 255.255.255.0 10.2.99.1 1

route P2P 10.1.94.0 255.255.255.0 10.2.99.1 1

route P2P 10.1.95.0 255.255.255.0 10.2.99.1 1

route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1

route P2P 10.1.97.0 255.255.255.0 10.2.99.1 1

route P2P 10.1.98.0 255.255.255.0 10.2.99.1 1

route P2P 10.2.93.0 255.255.255.0 10.2.99.1 2

route P2P 10.2.94.0 255.255.255.0 10.2.99.1 2

route P2P 10.2.95.0 255.255.255.0 10.2.99.1 2

route P2P 10.2.96.0 255.255.255.0 10.2.99.1 2

route P2P 10.2.97.0 255.255.255.0 10.2.99.1 2

route P2P 10.2.98.0 255.255.255.0 10.2.99.1 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.1.99.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 10.1.99.0 255.255.255.0 Inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 128.138.140.44 prefer

webvpn

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect enable

tunnel-group-list enable

username privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

contact-email-addr

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly 8

subscribe-to-alert-group configuration periodic monthly 8

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:

: end

NAT ASA5512 8.6(1)2 in and out

Jouni Forss — Sun, 23 Jun 2013 06:04:12 GMT

Hi,

If I am not mistaken then atleast one big problem is the source interface in the other NAT configuration command

You have this

nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp

Yet you have this "object network" and "route"

object network DeltaPhoneSystem

host 10.1.96.225

route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1

So seems to me that your NAT configuration should be

nat (P2P,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp

Just as a side note, I personally prefer to configure Static NAT with Network Object NAT. With those configurations your Static NAT configurations would look like this

object network DeltaPhoneSystem

host 10.1.96.225

nat (P2P,Outside) static 76.320.333.51

object network AdminPhoneSystem

host 10.1.99.225

nat (Inside,Outside) static 76.320.333.48

Also one very important note, if you are using multiple public subnets on your ASA "Outside" interface then the way this is implemented by your ISP has a lot of meaning.

If the ISP has configured one public subnet between its gateway device and your ASA and routed the other subnet(s) towards the ASAs "Outside" interface IP address then there is no problem.
If the ISP has configured both (or all) public subnets on their gateway interface (others as "secondary" subnets) then you will (to my understanding) run into a problem with ARP with nonconnected networks on the ASA.
- To correct this you would require you to either change the setup to the first option with the ISP or update your ASA software to 9.0(2) or possibly 9.1(2) to get access to the command "arp permit-nonconnected"

Here is the section from the patch notes that also explains the commands purpose

ARP cache additions for non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

•Secondary subnets.

•Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.

Also available in 8.4(5).

If you want to take a look at a NAT 8.3+ document I made here on the CSC then follow this link

https://supportforums.cisco.com/docs/DOC-31116

Hopefully the above helps with your problem

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni