topic ASA 5505 changes breaking NAT in Network Security

ASA 5505 changes breaking NAT

macmillan1 — Mon, 11 Mar 2019 21:19:30 GMT

we have an asa5505 firewall on version 8.2 it currently works fine we're going through the proces of migrating to a mew ip range, but when we change the NAT entries, the pings to the public address return the inside ip address!!! Help!!

the current config is

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.06.16 12:09:27 =~=~=~=~=~=~=~=~=~=~=~=

User Access Verification

Password:

Type help or '?' for a list of available commands.

mdspixfirewall> en

Password: ********

mdspixfirewall# sho run

: Saved

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password YB.ux8bsS71TJocI encrypted

passwd FOrFfsaVs9oyvPYJ encrypted

hostname mdspixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

<--- More --->

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any host 192.168.220.241 echo

access-list outside_access_in permit icmp any host 192.168.220.241 unreachable

access-list outside_access_in permit icmp any host 192.168.220.241 time-exceeded

access-list outside_access_in permit icmp any host 192.168.220.242 echo

access-list outside_access_in permit icmp any host 192.168.220.242 unreachable

access-list outside_access_in permit icmp any host 192.168.220.242 time-exceeded

access-list outside_access_in permit tcp host 192.168.220.246 host 192.168.220.241 eq telnet

access-list outside_access_in permit tcp host 192.168.220.246 host 192.168.220.242 eq telnet

access-list outside_access_in deny ip any any

access-list inside_access_in permit ip any any

access-list inside_access_in permit icmp any any echo-reply

access-list inside_access_in permit icmp any any unreachable

access-list inside_access_in permit icmp any any time-exceeded

access-list inside_access_in permit icmp any any

pager lines 24

logging on

logging console debugging

logging monitor alerts

logging trap informational

logging history informational

logging host inside 192.168.222.15

logging host inside 192.168.222.19

mtu outside 1500

<--- More --->

mtu inside 1500

ip address outside 192.168.220.254 255.255.255.0

ip address inside 192.168.222.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

no pdm history enable

arp timeout 14400

global (outside) 1 192.168.220.240

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.220.242 194.1.1.10 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.220.241 192.168.20.16 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route inside 0.0.0.0 0.0.0.0 192.168.222.254 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

<--- More --->

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

snmp-server host inside 192.168.222.19 trap

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps

floodguard enable

telnet 192.168.20.0 255.255.255.0 inside

telnet 192.168.222.0 255.255.255.0 inside

telnet 172.18.1.0 255.255.255.0 inside

telnet 172.18.0.0 255.255.255.0 inside

telnet timeout 60

ssh timeout 5

console timeout 0

dhcpd address 192.168.220.61-192.168.220.239 outside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable outside

terminal width 80

Cryptochecksum:08b06398fb0e5297c902e135dbc03716

: end

<--- More --->

mdspixfirewall# exit

Logoff

om trying to change the mapping to show

static (inside,outside) 192.168.220.241 172.18.148.16 netmask 255.255.255.255 0 0

but any ping sent to 192.168.220.241 replies as the 172.18.148.16 address, and pings from the 172 machine get blocked at the firewall with

asymmetric nat rules matched for forward and reverse flows......

any ideas??

thanks

chris

ASA 5505 changes breaking NAT

Anu M Chacko — Thu, 01 Sep 2011 11:39:34 GMT

Hi Chris,

Could you configure the following?

no static (inside,outside) 192.168.220.241 192.168.20.16 netmask 255.255.255.255 0 0

There are 2 static translation for the same host which is creating issues, when you ping from the 172 host.

Let me know.

Regards,

Anu

P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts.

ASA 5505 changes breaking NAT

macmillan1 — Thu, 01 Sep 2011 12:44:11 GMT

Sorry. We did take that out when we did the change. I've now setup a test network where I can replicate the issue. Had to back out the changes to out live environment.

Any other ideas?

Thanks

Chris

ASA 5505 changes breaking NAT

Anu M Chacko — Thu, 01 Sep 2011 12:47:17 GMT

Hi Chris,

What version of ASA are you running? Could you post the output of "sh run" from the ASA? Also, how are you verifying that you get replies from the private IP address?

Let me know.

Regards,

Anu

ASA 5505 changes breaking NAT

Anu M Chacko — Thu, 01 Sep 2011 12:50:37 GMT

Also, could you add "fixup protocol icmp" and see if it makes any difference?

Let me know.

ASA 5505 changes breaking NAT

macmillan1 — Thu, 01 Sep 2011 21:07:02 GMT

It's a 5505 running version 8.2

The ping test was to ping 192.168.220.241. In the original config it replies as 192.168.220.241, but when we do the change and ping the same ip address, it replies as 172.18.148.16....

I'll try the other thing you recommend and see if it does anything.

I'll also post the entire setup of the network as it is a bit of an odd setup. Can't do it now as I'm on iPhone doing this.

Brief desc is that the firewall is there to segment and hide part of our network that has machines in it that we don't manage. The inside and outside ports on the firewall connect back into different vlans on the same switch. Vlan acls stop traffic moving between the two as vlan routing is enabled. We then have 2 connections into the router for the 2 vlans to route.

Thanks

ASA 5505 changes breaking NAT

praprama — Mon, 12 Sep 2011 16:48:12 GMT

You mentioned your ASA 5505 is running 8.2 but the config is from a PIX running 6.3? can you post the current config from the ASA?

regards,

Prapanch