topic Re: ASA 5505 NAT Issue in Network Security

ASA 5505 NAT Issue

Catriona Macmillan — Mon, 11 Mar 2019 17:29:23 GMT

Hello there,

I am hoping somebody up\out there can save my sanity. I am setting up a new ASA 5505 with multiple interfaces, infact we are using 5 of them. The internal network is on the 192.168.168.x and has web access to the outside. That is working without any issues but i am sure that is were the problem lies. I am trying to get traffic to pass from the CNES interface to the Inside interface and vice versa. I have configured the ACL's using Cisco Security Manager so i know they are working. I use the packet trace app in ASDM and that fails with a NAT issue but for the life of me i cant work out what i have done wrong. The syslog message its throwing up is:

08:22:20 305005 192.168.168.3 No translation group found for icmp src CNES:187.187.10.90 dst inside:192.168.168.3 (type 8, code 0)

Here is our running config:

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname secure-access
domain-name ************.co.uk
enable password *********** encrypted
passwd ************ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.168.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BT
ip address 217.36.*.* 255.255.255.255 pppoe
!
interface Vlan12
nameif DMZ
security-level 50
ip address 192.168.169.1 255.255.255.0
!
interface Vlan22
nameif Wireless_HHP
security-level 100
ip address 172.16.36.1 255.255.254.0
!
interface Vlan32
nameif CNES
security-level 100
ip address 187.187.168.1 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 22
!
interface Ethernet0/4
switchport access vlan 32
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup DMZ
dns domain-lookup Wireless_HHP
dns domain-lookup CNES
dns server-group DefaultDNS
domain-name hebrideanhousing.co.uk
same-security-traffic permit inter-interface
object-group network NET-cnes_HHP-Sty
network-object 172.20.224.0 255.255.240.0
object-group network NET-cnes_HHP-Balivanich
network-object 172.20.192.0 255.255.240.0
object-group network Oak-DC1
network-object 192.168.168.2 255.255.255.255
object-group network Maple-DC2
network-object 192.168.168.3 255.255.255.255
object-group network HHP_Domain_Controllers
group-object Oak-DC1
group-object Maple-DC2
object-group network PC-Support
network-object 187.187.60.1 255.255.255.255
network-object 187.187.60.2 255.255.255.254
network-object 187.187.60.4 255.255.255.254
network-object 187.187.60.6 255.255.255.255
object-group network ELM-ActiveH
network-object 192.168.168.6 255.255.255.255
object-group network Pine-GP
network-object 192.168.168.12 255.255.255.255
object-group network HHP_Application_Servers
group-object ELM-ActiveH
group-object Pine-GP
object-group network Fern-TS1
network-object 192.168.168.4 255.255.255.255
object-group network Fir-TS2
network-object 192.168.168.5 255.255.255.255
object-group network HHP_Terminal_Servers
group-object Fern-TS1
group-object Fir-TS2
object-group service Global_Catalog_LDAP
description (Generated by Cisco SM from Object "Global Catalog LDAP")
service-object tcp eq 3268
object-group service Global_Catalog_LDAP_SSL
description (Generated by Cisco SM from Object "Global Catalog LDAP SSL")
service-object tcp eq 3269
object-group service UDP-389
description UDP port for LDAP
service-object udp eq 389
object-group service TCP-88
description TCP Port 88
service-object tcp eq 88
object-group service TCP-445
description SMB
service-object tcp eq 445
object-group network John_-_Laptop
description John's Laptop
network-object 187.187.10.65 255.255.255.255
object-group network Graham_-_PC
description Graham Morrison's PC
network-object 187.187.10.90 255.255.255.255
object-group network john_test
network-object 187.187.40.7 255.255.255.255
object-group network Iain_PC
description Iain Macaulay IT
network-object 187.187.10.19 255.255.255.255
object-group network John_-_PC
description John MacPhail's PC
network-object 187.187.10.7 255.255.255.255
object-group network it-alahen-lap
network-object 187.187.10.230 255.255.255.255
object-group network Catriona_-_Laptop
description Catriona's Laptop
network-object 187.187.10.60 255.255.255.255
object-group network Graham_-_Laptop
network-object 187.186.10.120 255.255.255.255
object-group network it-innive-xp
description Innes MacIver's PC
network-object 187.187.10.14 255.255.255.255
object-group network it-alahen-xp
description Desktop
network-object 187.187.10.229 255.255.255.255
object-group network Cat_-_PC
description Catriona Macmillan's PC
network-object 187.187.10.4 255.255.255.255
object-group network it-davdon-xp
description Desktop
network-object 187.187.10.7 255.255.255.255
object-group network cat-laptop
description Catriona's Laptop addresses
network-object 187.187.77.81 255.255.255.255
network-object 187.187.77.82 255.255.255.255
object-group network Catriona_old_pc
network-object 187.187.10.44 255.255.255.255
object-group network cat-tablet
description Catriona's Tablet ip address's
network-object 187.187.77.78 255.255.255.254
object-group network PC_Support
group-object John_-_Laptop
group-object Graham_-_PC
group-object john_test
group-object Iain_PC
group-object John_-_PC
group-object it-alahen-lap
group-object Catriona_-_Laptop
group-object Graham_-_Laptop
group-object it-innive-xp
group-object it-alahen-xp
group-object Cat_-_PC
group-object it-davdon-xp
group-object cat-laptop
group-object Catriona_old_pc
group-object cat-tablet
access-list outside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq ldap
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq domain
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq 88
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq ldaps
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq netbios-dgm
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq netbios-ns
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq netbios-ssn
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq ntp
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers eq 135
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group Global_Catalog_LDAP object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group Global_Catalog_LDAP_SSL object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group UDP-389 object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group TCP-88 object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group TCP-445 object-group NET-cnes_HHP-Sty object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq ldap
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq domain
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq 88
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq ldaps
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq netbios-dgm
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq netbios-ns
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq netbios-ssn
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq ntp
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers eq 135
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group Global_Catalog_LDAP object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group Global_Catalog_LDAP_SSL object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group UDP-389 object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group TCP-88 object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group TCP-445 object-group NET-cnes_HHP-Balivanich object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group NET-cnes_HHP-Balivanich
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group NET-cnes_HHP-Sty
access-list CSM_FW_ACL_inside extended permit ip 192.168.168.0 255.255.255.0 any
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Application_Servers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Terminal_Servers object-group PC_Support
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Balivanich
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Sty
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Application_Servers
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Domain_Controllers
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Terminal_Servers
access-list CSM_nat0_CNES extended permit ip any object-group HHP_Application_Servers
access-list CSM_nat0_CNES extended permit ip any object-group HHP_Domain_Controllers
access-list CSM_nat0_CNES extended permit ip any object-group HHP_Terminal_Servers
access-list CSM_nat0_inside extended permit ip any object-group PC-Support
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu DMZ 1500
mtu Wireless_HHP 1500
mtu CNES 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list CSM_nat0_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (CNES) 0 access-list CSM_nat0_CNES
static (CNES,inside) 187.187.10.90 187.187.10.90 netmask 255.255.255.255
access-group CSM_FW_ACL_inside in interface inside
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
access-group CSM_FW_ACL_Wireless_HHP in interface Wireless_HHP
access-group CSM_FW_ACL_CNES in interface CNES
route outside 0.0.0.0 0.0.0.0 81.148.0.157 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HHP protocol ldap
aaa-server HHP (inside) host 187.187.1.213
timeout 5
server-type auto-detect
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.168.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 194.83.245.242 255.255.255.255 outside
http 187.187.1.72 255.255.255.255 CNES
http 187.187.10.90 255.255.255.255 CNES
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=secure-access.hebrideanhousing.co.uk,O=Hebridean Housing Partnership Limited,C=GB,St=Scotland,L=Isle of Lewis
keypair SSL_Certificate
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 0100000000012790a5c005
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
quit
crypto ca certificate chain ASDM_TrustPoint1
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
******************************************************
quit
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 194.83.245.242 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group BT request dialout pppoe
vpdn group BT localname c460484@hg28.btclick.com
vpdn group BT ppp authentication chap
vpdn username c460484@hg28.btclick.com password *********
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
group-policy HHP internal
group-policy HHP attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
webvpn
url-list value Severs
customization value DfltCustomization
username gramor password ne829U0rGFVEedhY encrypted privilege 15
username gramor attributes
webvpn
url-list value Severs
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
default-group-policy HHP
!
!
prompt hostname context
Cryptochecksum:eb69b6d6dbcf50f8bc87e8b971bc3299
: end

Re: ASA 5505 NAT Issue

Collin Clark — Tue, 06 Apr 2010 13:58:20 GMT

You have a couple of different options. Check this link for more information. If you still need help, just continue this post.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml#Same

Re: ASA 5505 NAT Issue

Catriona Macmillan — Tue, 06 Apr 2010 14:21:13 GMT

Thanks for the info....i have read through it and i think the NAT rule i have from Inside to Outside is overruling all the other NAT rules i have. I think its the main one i have to change but i dont know what too.

Re: ASA 5505 NAT Issue

Collin Clark — Tue, 06 Apr 2010 15:14:29 GMT

Since you have multiple interfaces with the same security level, one thing you need to decide is whether or not you want your directly connected subnets to have the ability to talk to one another without NAT. If that is OK, you can enter the same-security-traffic permit intra-interface command. Access will still be restricted by the ACL, but you will no longer need to NAT between interfaces. If you do not want to do that, I would create a NAT 0 like you have, but keep it simple.

nat (CNES) 0 access-list CSM_nat0_CNES

access-list CSM_nat0_CNES extended permit ip 187.187.168.1 255.255.0.0 192.168.168.1 255.255.255.0

Re: ASA 5505 NAT Issue

Catriona Macmillan — Tue, 06 Apr 2010 17:29:28 GMT

Colin,

I follwed your advice and now traffic is allowed to flow between interafces with the same security level. I run a packet tracer from asdm to see if it was now allowed through but it failed on the a NAT check. I have attached the screen shot. Here is the output from my SH NAT:

secure-access# sh nat

NAT policies on Interface inside:
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
    dynamic translation to pool 1 (217.36.32.222 [Interface PAT])
    translate_hits = 15, untranslate_hits = 0
match ip inside any DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
match ip inside any Wireless_HHP any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
match ip inside any CNES any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 48, untranslate_hits = 0
match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0
match ip inside any DMZ any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface DMZ:
match ip DMZ any outside any
no translation group, implicit deny
policy_hits = 0

NAT policies on Interface Wireless_HHP:
match ip Wireless_HHP any outside any
    no translation group, implicit deny
    policy_hits = 0
match ip Wireless_HHP any DMZ any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface CNES:
match ip CNES any outside any
    no translation group, implicit deny
    policy_hits = 0
match ip CNES any DMZ any
    no translation group, implicit deny
    policy_hits = 0

Re: ASA 5505 NAT Issue

Collin Clark — Tue, 06 Apr 2010 21:03:52 GMT

Could you post the syslog message instead of the screenshot?

Re: ASA 5505 NAT Issue

Catriona Macmillan — Wed, 07 Apr 2010 10:09:52 GMT

Colin,

the messages we are getting are:

portmap translation creation failed for tcp src inside:192.168.168.100/52666 dst CNES:187.187.1.62/8192

Re: ASA 5505 NAT Issue

Jennifer Halim — Wed, 07 Apr 2010 11:41:48 GMT

You can configure the following:

static (inside,CNES) 192.168.168.0 192.168.168.0 netmask 255.255.255.0

That should resolve the problem.

Re: ASA 5505 NAT Issue

Kureli Sankar — Wed, 07 Apr 2010 12:06:56 GMT

There is no reason for this static pls. remove that.

static (CNES,inside) 187.187.10.90 187.187.10.90 netmask 255.255.255.255

That syslog that you are talking about says that egress translation is missing.

you have

nat (inside) 1 0.0.0.0 0.0.0.0

This will get you off the inside interface but to enter the CNES interface there is no matching global. You can provide that by either

global (CNES) 1 interface

or via the

static (inside,CNES) 192.168.168.0 192.168.168.0 netmask 255.255.255.0

that Halijenn provided you.

If you choose to add the global (CNES) 1 interface then you can only initiate traffic from the inside to the CNES but, if you use the static 1-1 line then both inside and CNES can initiate traffic to the other side.

-KS

Re: ASA 5505 NAT Issue

Catriona Macmillan — Wed, 07 Apr 2010 12:07:36 GMT

Halijen,

Thanks for that! It has god rid of the messages. I take it i will need to configure static routes for the other interfaces as well.

Re: ASA 5505 NAT Issue

Jennifer Halim — Wed, 07 Apr 2010 12:16:06 GMT

Static NAT is bidirectional, so once you configure "static (inside,CNES)", access from inside towards CNES and vice versa would work.

If you need to access Wireless_HHP subnet from inside and vice versa, you can configure:

static (inside,Wireless_HHP) 192.168.168.0 192.168.168.0 netmask 255.255.255.0

Between inside and dmz interface, it would be:

static (inside,dmz) 192.168.168.0 192.168.168.0 netmask 255.255.255.0

Hope that helps.