topic Re: ASA5505- PAT in Network Security

ASA5505- PAT

sykesemea — Mon, 11 Mar 2019 15:15:13 GMT

Hi,

We are replacing PIX 501 with ASA 5505. We are able to get the L2L VPN up but not the Internet access. When we try to add the NAT (Inside) x statement firewall gives warning message saying missing outside command. But If we add the Outside command to end of NAT statement we loose L2L vpns but Internet access works. Below is the config ..

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

Below are the Warning messeges

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

*** Output from config line 94, "nat (inside) 1 0.0.0.0 0...

We have tried 2 diffrent IOS

Cisco Adaptive Security Appliance Software Version 8.0(4) and Version 7.2.4.9

thanks in advance for the help.

Re: ASA5505- PAT

andrew.prince — Mon, 06 Apr 2009 07:53:52 GMT

Check to make sure that the physical interface that is your outside interface is actually configured with "nameif outside"

HTH>

Re: ASA5505- PAT

sykesemea — Mon, 06 Apr 2009 08:03:17 GMT

Hello there,

Yes, We have configured this correctly and here is the config. I guess.. no issue with that as my Site to Site VPNs are working.

interface Vlan1

description Inside

nameif inside

security-level 0

ip address 172.x.x.x 255.255.255.0

interface Vlan2

description outside

nameif outside

security-level 100

ip address 195.x.x.x 255.255.255.248

interface Ethernet0/0

description outside

switchport access vlan 2

interface Ethernet0/1

description inside

speed 100

duplex full

Re: ASA5505- PAT

andrew.prince — Mon, 06 Apr 2009 08:05:31 GMT

OK try the below:-

global (outside) 2 195.x.x.x (next unused IP address)

nat (inside) 2 172.x.x.x 255.255.255.0

then clear xlate

HTH>

Re: ASA5505- PAT

sykesemea — Mon, 06 Apr 2009 08:15:35 GMT

we have only 1 IP for this connnection and wont be able to try this.

Re: ASA5505- PAT

andrew.prince — Mon, 06 Apr 2009 08:30:38 GMT

your initial config shows:-

ip address 195.x.x.x 255.255.255.248

You have 1 IP for the interface

1 IP for the next hop routing device?

you have 4 other IP addresses?

Re: ASA5505- PAT

sykesemea — Mon, 06 Apr 2009 08:43:07 GMT

Hi Andrew,

Sorry for confusion, this is a xDSL link and we have only Static IP.

Re: ASA5505- PAT

andrew.prince — Mon, 06 Apr 2009 09:03:11 GMT

how many static IP's do you have?

What is the license on the ASA - post the output of show ver

Re: ASA5505- PAT

sykesemea — Mon, 06 Apr 2009 09:06:40 GMT

We already have PIX501 working with is setup and i am not sure ASA not workin with the GLobal (Outside)1 Interace

Here is sh ver

Cisco Adaptive Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders

System image file is "disk0:/asa804-k8.bin"

Config file at boot was "startup-config"

defraasa01 up 2 days 18 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Int: Internal-Data0/0 : address is 0024.97b1.e40a, irq 11

1: Ext: Ethernet0/0 : address is 0024.97b1.e402, irq 255

2: Ext: Ethernet0/1 : address is 0024.97b1.e403, irq 255

3: Ext: Ethernet0/2 : address is 0024.97b1.e404, irq 255

4: Ext: Ethernet0/3 : address is 0024.97b1.e405, irq 255

5: Ext: Ethernet0/4 : address is 0024.97b1.e406, irq 255

6: Ext: Ethernet0/5 : address is 0024.97b1.e407, irq 255

7: Ext: Ethernet0/6 : address is 0024.97b1.e408, irq 255

8: Ext: Ethernet0/7 : address is 0024.97b1.e409, irq 255

9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255

10: Int: Not used : irq 255

11: Int: Not used : irq 255

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 10

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0

AnyConnect for Mobile : Disabled

AnyConnect for Linksys phone : Disabled

Advanced Endpoint Assessment : Disabled

UC Proxy Sessions : 2

This platform has a Base license.

Re: ASA5505- PAT

andrew.prince — Mon, 06 Apr 2009 09:14:34 GMT

post the output of a show arp?

You only have a license to 10 inside hosts, and remote IP addresses over a VPN count as an inside host.

How many computers do you have behind the ASA?

Re: ASA5505- PAT

sykesemea — Mon, 06 Apr 2009 09:35:54 GMT

Hi,

I dont have this ASA in production right now as we had this issue. During the testing , we have only 2 hosts in network. When Licenses get over, traselation wont happen?

FYI.. our currnt pix is also has only 10 host license and all working.

Does pix and ASA work diffrenlty in terms of licesnse?

We have orderd 50 hosts license for this and will be getting it soon.

Regards,

Venky

Re: ASA5505- PAT

andrew.prince — Mon, 06 Apr 2009 10:04:23 GMT

Post your current config for review - remove any sensitive information.

Re: ASA5505- PAT

sykesemea — Mon, 06 Apr 2009 10:30:41 GMT

Also, you got any documents on how the Cisco ASA Licensing works?

Re: ASA5505- PAT

andrew.prince — Mon, 06 Apr 2009 10:44:41 GMT

Below is the ASA license matrix:-

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Are you sure your outside Ip addresses don't allow for my suggestion? You have a default gateway pointing to .241 which is the first IP address in the /248 subnet? What Ip address are you using for the outside?

Re: ASA5505- PAT

UCcomp2007 — Mon, 06 Apr 2009 10:47:49 GMT

Unless you made an error when pasted config into this forum, you need to set your security-level for outside interface to 0 and inside security-level to 100. Your above message showed outside at 100 and inside at 0.

Re: ASA5505- PAT

sykesemea — Mon, 06 Apr 2009 10:54:36 GMT

Its issue with Security Level and Tks for the help