topic ASA 5505 - No Internet Using Static NAT Rules in Network Security

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Mon, 11 Mar 2019 22:20:51 GMT

I'm trying to configure a second server on my network but whenever I add the static NAT rule, the internet stops working on that computer.

Here's my Cisco ASA configuration:

ASA Version 7.2(3)

hostname domain

domain-name domain.ca

enable password M6aAV/2UhVYeSYwL encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.123.126 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 69.xx.xx.60 255.255.255.248

interface Vlan3

no forward interface Vlan1

nameif guest

security-level 50

ip address 192.168.226.226 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

switchport access vlan 3

interface Ethernet0/4

switchport access vlan 3

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd M6aAV/2UhVYeSYwL encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name domain.ca

access-list crypto_acl_10 extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0

access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0

access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.99.0 255.255.255.224

access-list inbound extended permit tcp any host 69.xx.xx.61 eq www

access-list inbound extended permit tcp any host 69.xx.xx.61 eq https

access-list inbound extended permit tcp any host 69.xx.xx.61 eq smtp

access-list inbound extended permit tcp any host 69.xx.xx.61 eq pop3

access-list inbound extended permit gre any host 69.xx.xx.61

access-list inbound extended permit tcp any host 69.xx.xx.61 eq pptp

access-list inbound extended permit tcp any host 69.xx.xx.58 eq 8080

access-list inbound extended permit tcp any host 69.xx.xx.61 eq ftp

access-list inbound extended permit tcp any host 69.xx.xx.63 eq www

access-list inbound extended permit tcp any host 69.xx.xx.63 eq https

access-list inbound extended permit tcp any host 69.xx.xx.63 eq smtp

access-list inbound extended permit icmp any host 69.xx.xx.63

access-list vpnclient_splitTunnelAcl standard permit 192.168.123.0 255.255.255.0

access-list guest_access_in extended deny ip 192.168.226.0 255.255.255.0 192.168.123.0 255.255.255.0

access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any

access-list guest_access_in extended permit ip any any inactive

access-list guest_access_in extended permit tcp any host 192.168.226.4

access-list guest_access_in extended permit tcp any eq smtp host 192.168.226.4 eq smtp

access-list guest_access_out extended permit ip host 192.168.226.2 host 69.70.178.122

access-list outside_access_out extended permit ip host 69.xx.xx.63 host 69.70.178.122

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging buffered errors

logging asdm warnings

mtu inside 1500

mtu outside 1500

mtu guest 1500

ip local pool remotevpn 192.168.99.10-192.168.99.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any guest

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (guest) 1 0.0.0.0 0.0.0.0 dns

static (inside,outside) 69.xx.xx.61 192.168.123.4 netmask 255.255.255.255 dns

static (inside,outside) 69.xx.xx.58 192.168.123.200 netmask 255.255.255.255

static (inside,outside) 69.xx.xx.63 192.168.123.58 netmask 255.255.255.255

access-group inbound in interface outside

access-group guest_access_in in interface guest

route outside 0.0.0.0 0.0.0.0 69.xx.xx.57 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

http server enable

http 64.254.232.224 255.255.255.224 outside

http 69.70.4.112 255.255.255.248 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 10 match address crypto_acl_10

crypto map outside_map 10 set peer 64.254.232.248

crypto map outside_map 10 set transform-set ESP-AES-MD5 ESP-AES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 64.254.232.224 255.255.255.224 outside

ssh 69.70.4.112 255.255.255.248 outside

ssh 69.70.178.122 255.255.255.255 outside

ssh timeout 30

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.226.4-192.168.226.100 guest

dhcpd dns 24.200.241.37 interface guest

dhcpd enable guest

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

service-policy global_policy global

ntp server 199.212.17.21 source outside

ntp server 199.212.17.22 source outside

ntp server 209.87.233.53 source outside

ntp server 132.246.168.148 source outside

group-policy vpnclient internal

group-policy vpnclient attributes

dns-server value 192.168.123.4

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnclient_splitTunnelAcl

default-domain value domain.local

split-dns value domain.local

username mmintzberg password 8fAM98BTuTuY/jU2 encrypted

username fross password Ykti5THH7ftFZeWp encrypted

username jsilver password 0VSZ094cAtFEZuxW encrypted

username mgadmin password 3Nrrh9/fcmJrMiH2 encrypted privilege 15

username smintzberg password .RPWyyJt7YbCb94T encrypted

username smintzberg attributes

vpn-framed-ip-address 192.168.99.22 255.255.255.0

username mruiz password j8Scwuudo9vNlzVa encrypted privilege 15

tunnel-group 64.254.232.248 type ipsec-l2l

tunnel-group 64.254.232.248 ipsec-attributes

pre-shared-key *

tunnel-group vpnclient type ipsec-ra

tunnel-group vpnclient general-attributes

address-pool remotevpn

default-group-policy vpnclient

tunnel-group vpnclient ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:ca6a95011ce78d4d850a5127af0d245c

: end

Message was edited by: Moises Ruiz Updated ASA running configuration

ASA 5505 - No Internet Using Static NAT Rules

rizwanr74 — Mon, 30 Jan 2012 16:03:01 GMT

the static nat you trying to add is the same public IP which is config on the outside interface?

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Thu, 02 Feb 2012 02:22:48 GMT

I'm sorry guys, I've been rushing with other stuff.

Right now I have a static NAT Rule set to 192.168.123.100 but there's no DHCP reservation for that IP, as soon as I set a DHCP reservation for the server in the Inside interface I will loose the internet.

I've updated the running configuration in my original message.

ASA 5505 - No Internet Using Static NAT Rules

mvsheik123 — Thu, 02 Feb 2012 02:35:36 GMT

Hello,

Iam not sure if this is normal behaviour, but you can try clearing the existing 'xlate' for this single ip (local or global) after setting up the reservation.

hth

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Thu, 02 Feb 2012 02:37:02 GMT

How will I do that?

ASA 5505 - No Internet Using Static NAT Rules

mvsheik123 — Thu, 02 Feb 2012 02:52:22 GMT

Here is the syntax...

clear xlate

To clear current translation and connection information, use the clear xlate command in privileged EXEC mode.

clear xlate [global ip1[-ip2] [netmask mask]] [local ip1[-ip2] [netmask mask]]
[gport port1[-port2]] [lport port1[-port2]] [interface if_name] [state state]

In your scenario, you can issue the command.. clear xlate local 192.168.123.200

Make sure the server still holds IP & DNS once you reserve the IP. From server end, you can release & renew IP config.

Thx

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Thu, 02 Feb 2012 23:59:55 GMT

Ok I forgot how to connect and run on the exec mode but on the ASDM I executed the command and nothing changed.

i'm newbie to Cisco appliances.

ASA 5505 - No Internet Using Static NAT Rules

lcambron — Fri, 03 Feb 2012 00:37:00 GMT

Moises,

I think this is an issue with DHCP instead of NAT.

You said the issue starts when you reserve the IP.

Just to confirm the ASA is not the DCHP server for the inside network.

If you clear the arp table (after you reserve the IP of the server) and then try to access the internet, do you see arp entries on the ASA? Or can you still ping the ASA?

Felipe.

ASA 5505 - No Internet Using Static NAT Rules

mvsheik123 — Fri, 03 Feb 2012 03:36:08 GMT

Thanks for the update Moises. But when you reserve the IP, have you checked if the server still holds IP & DNS ?

I beiieve you need to release & renew IP config on the server.

Thx

ASA 5505 - No Internet Using Static NAT Rules

jyothydas — Fri, 03 Feb 2012 10:42:08 GMT

static (inside,outside) 69.xx.xx.63 192.168.123.100 netmask 255.255.255.255 dns ?

Looks like wrong NAT config if you want to browse net.

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

!--- The "dns" keyword is added to instruct the security appliance to modify 
!--- DNS records related to this entry.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Fri, 03 Feb 2012 22:31:28 GMT

The issue starts when I add the NAT rule.

No, there's a different DHCP server on the inside network.

I cleared the ARP table, I can still ping the router and the ASA and I do see entries in the ARP table.

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Fri, 03 Feb 2012 22:32:12 GMT

The server still has the same IP & DNS.

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Fri, 03 Feb 2012 22:38:30 GMT

Not sure what I need to do lyothydas?

All I want is to be able to assign an static IP 9inside and outside) so that I can setup services that go to the outside world.

ASA 5505 - No Internet Using Static NAT Rules

lcambron — Fri, 03 Feb 2012 23:37:28 GMT

Can you try the NAT without the dns keywork.

Felipe.

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Sat, 04 Feb 2012 21:40:55 GMT

I tried removing the DNS in the NAT rule but didn't change anything.

ASA 5505 - No Internet Using Static NAT Rules

jyothydas — Mon, 06 Feb 2012 09:40:03 GMT

You mean your command was

static (inside,outside) 69.70.71.72 192.168.123.100 netmask 255.255.255.255 and it did not work?

And you should have similar ACL which should allow http/dns commn. (Or did I miss to see it in your config)

access-list inbound extended permit tcp any any eq www

access-list inbound extended permit tcp any any eq domain

ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz — Mon, 06 Feb 2012 14:24:10 GMT

I actually just removed: "Translate the DNS replies that match the translation rule" from the NAT Options in the ASDM and that didn't make a difference.

I do have:

access-list inbound extended permit tcp any host 69.xx.xx.63 eq www

(since my 192.168.123.100 NAT rule points to 69.xx.xx.63)

But I don't have:

access-list inbound extended permit tcp any any eq domain

What is that one for?

I apologize again but I'm not savy with Cisco's configuration and commands, I was not the one who configured this environment, and since it's a production environment I don't want to change stuff if I don't full understand what is doing so I appreciate your patience.