topic Re: ASA nat issue urgent in Network Security

ASA nat issue urgent

rouzbehta — Mon, 11 Mar 2019 19:43:59 GMT

Hello all, Would someone please tell me if there is anything wrong with this configuration on ASA? For example I can ping 10.10.10.3 from ASA but can't ping from 10.10.10.3 to 66.128.95.241, this means nat is not working properly?? I need this be fixed very soon Thank you! global (outside) 1 66.128.95.241 netmask 255.255.255.252 global (DMZ) 1 66.128.95.241 nat (inside10) 1 10.10.10.0 255.255.255.0 nat (inside11) 1 10.10.11.0 255.255.255.0 nat (inside12) 1 10.10.12.0 255.255.255.0 nat (inside13) 1 10.10.13.0 255.255.255.0 nat (inside14) 1 10.10.14.0 255.255.255.0 nat (inside16) 1 10.10.16.0 255.255.255.0 nat (inside20) 1 10.10.20.0 255.255.255.0 nat (inside21) 1 10.10.21.0 255.255.255.0

Re: ASA nat issue urgent

rouzbehta — Thu, 03 Feb 2011 04:47:50 GMT

I attached txt file for if you can't read it properly in html , sorry abou this

Re: ASA nat issue urgent

andamani — Thu, 03 Feb 2011 12:39:41 GMT

Hi,

The nat configuration given by you is as follows:

nat (inside10) 1 10.10.10.0 255.255.255.0

global (outside) 1 66.128.95.241 netmask 255.255.255.252

So here you are patting the 10.10.10.0 network to 66.128.95.241 and 66.128.95.242. These ip address are used for natting. They are not physically assigned to a device.

So from ASA when you ping 10.10.10.3,

source ip -- the interface ip address of inside10

destination ip - 10.10.10.3

Reply to that ping

source ip - 10.10.10.3

Destination ip - the interface ip address of inside10

Ping will be successful as both are assigned to a physically present device or interface.

But when you ping the ip address 66.128.95.241 from the device with ip address 10.10.10.3,

source ip -- 10.10.10.3

destination ip -- 66.128.95.241.

Ip 66.128.95.241 is not physically assigned to a device. As it is a virtual ip no device or interface will respond back. Hence the pings will be unsuccessful.

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is answered.

Re: ASA nat issue urgent

rouzbehta — Thu, 03 Feb 2011 13:16:13 GMT

Dear Anisha,

But I already assigned the 66.128.95.241 to gigethernet 0/0 and 66.128.95.242 is assigned to the next hop router interface and 0.0.0.0 0.0.0.0 66.128.95.242 is default rout on ASA to route all packets to the next hop router which is facing Internet.

Is this wrong? or should or physically asign to a device is a task I didn't do? Please let me know I can attach whole configuration if you need.

I really appreciate your answer,

Thanks,

-Rouzbeh

Re: ASA nat issue urgent

andamani — Thu, 03 Feb 2011 13:55:18 GMT

Hi,

Please change the Global statement to global(outside) 1 interface.

Also do the following:

policy-map global_policy
 class inspection_default

inspect icmp

Try and let me know if you are able to ping the outside interface.

Regards,

Anisha

Re: ASA nat issue urgent

rouzbehta — Thu, 03 Feb 2011 15:07:25 GMT

Dear Anisha,

I attached the entire configuration of both router and ASA, I explaibed in txt document that I can ping 10.10.10.1 which is sub interface of ASA from my router, also I can ping 66.128.95.241 from ASA, but still can't ping 66.128.95.241 from the router.

I also applied the changes you asked me to do, but still no success

Best Regards,

-Rouzbeh

Re: ASA nat issue urgent

m.kafka — Thu, 03 Feb 2011 15:50:28 GMT

Hi,

Just a few points for troubleshooting:

Do you see the same behaviour for other hosts on your vlan 10 (connect temporary e.g. a notebook if there are no other)?
You have a lot of unusual static routes configured e.g. duplicate 0.0.0.0/0 and statics for connected interfaces, what are they for?
You still don't have the inspect icmp.
Did you try packet-tracer? what does it tell you?
What does sh xlate detail tell you for the host 10.10.10.3?
You try to ping the ouside interface of the asa, same results for the default gateway 66.128.95.242 and other outside destinations?

Rgds, MiKa

Re: ASA nat issue urgent

andamani — Thu, 03 Feb 2011 16:10:16 GMT

Hi,

Why do you wish to ping the outside interface of the ASA?

i don't think you can ping to the box. you can ping through the box.

you need a inspect icmp for that though.

please try pinging any host on the outside of the ASA and see if it successful.

please paste the output of sh xlate as well

Regards,

Anisha

Re: ASA nat issue urgent

rouzbehta — Thu, 03 Feb 2011 16:40:47 GMT

Dear Mika,

I just did inspect icmp, again no success

I am only trying to ping the outside interace from the router, not attached any hosts to subntes yet , because I have to be sure that nat is working properly before make the network live.

sh xlate , shows 0 in use, 0 most used to me

these routes:

c 66.128.95.240 255.255.255.252 is directly connected, outside these c onnected routes are all sub interfaces on asa inteface gig1 which will be

c 10.10.10.0 255.255.255.0 is directly connected, inside10 connected to the switch

c 10.10.11.0 255.255.255.0 is directly connected inside 11

c 10.10.12.0 255.255.255.0 is directly connected inside 12

c 10.10.13.0 255.255.255.0 is directly connected inside13

c 10.10.14.0 255.255.255.0 is directly connected inside14

c 10.10.16.0 255.255.255.0 is directly connected inside16

c 10.10.20.0.255.255.255.0 is directly connected inside20

c 10.10.21.0 255.255.255.0 is directly connected inside21

S* 0.0.0.0 0.0.0.0 [1/0] via 66.128.95.242 outside this is next hop router interface address 66.128.95.242 and the statc route for that address

I can ping outside interface of asa, from asa

Regards,

-Rouzbeh

Re: ASA nat issue urgent

m.kafka — Thu, 03 Feb 2011 17:03:00 GMT

Just noticed: you don't have a default route on your router 10.10.10.10.3

If that doesn't help do what i have suggested, anything else is "looking into the crystal ball"

If you cannot go live you have to build a test bed, no way around that, which means connect something that can represent your productive environment.

rgds, MiKa

Message was edited by: m.kafka

Re: ASA nat issue urgent

rouzbehta — Thu, 03 Feb 2011 17:23:31 GMT

ohhhh iI made default route and workssssss

yahoooooooo , Thank you very much, I can't tell how much I appreciate your help

Best Regards,

-Rouzbeh