topic Re: ASA-5510: Adding another static nat issue. in Network Security

ASA-5510: Adding another static nat issue.

calvinz21 — Mon, 11 Mar 2019 14:07:14 GMT

I'm trying to add another static nat translation onto the ASA. There's already one static nat to another host. Wouldn't I just copy the same static and change the IP's? Tried it and it gave me a error. Not sure what else I'm suppose to add. Kinda lost.

error: router(config)# static (inside,backup) 214.24.29.114 10.20.1.20 netmask 255.255.255.255 0 0

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

Re: ASA-5510: Adding another static nat issue.

calvinz21 — Mon, 03 Nov 2008 16:34:45 GMT

here's the current config file.

ASA Version 8.0(3)

hostname asa510-01

domain-name corp.com

enable password xxxxxxxxxxxx encrypted

names

interface Ethernet0/0

nameif outside

security-level 0

ip address 214.x.x.114 255.255.255.240

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.20.1.254 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

domain-name corp.com

access-list outside_1_cryptomap extended permit ip 10.20.1.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list outside_access_in remark allow public to http

access-list outside_access_in extended permit tcp any host 214.24.29.115 eq www

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

logging host inside 10.1.xx.xx

mtu outside 1500

mtu inside 1500

ip verify reverse-path interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.20.1.0 255.255.255.0

static (inside,outside) 214.24.29.115 10.20.1.10 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 214.24.29.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server LIST1 protocol tacacs+

key xxxxxxxxx

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa accounting enable console LIST1

http server enable

http 10.20.10.0 255.255.255.0 inside

http 207.40.115.253 255.255.255.255 outside

snmp-server host inside 10.1.11.45 community 1232344

snmp-server location xxxxxxxx

no snmp-server contact

snmp-server community 123cabaf3a

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 207.40.115.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

console timeout 5

management-access inside

threat-detection basic-threat

threat-detection statistics

tunnel-group 207.40.115.1 type ipsec-l2l

tunnel-group 207.40.115.1 ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect netbios

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect tftp

inspect xdmcp

inspect http

inspect icmp

inspect snmp

service-policy global_policy global

prompt hostname context

Re: ASA-5510: Adding another static nat issue.

acomiskey — Mon, 03 Nov 2008 16:37:34 GMT

Don't see a "backup" interface in the config. It wants you to use the "interface" keyword instead of the ip address. For example...

static (inside,outside) interface 10.20.1.20 netmask 255.255.255.255

...because 214.24.29.114 is the ip address of the interface.

Re: ASA-5510: Adding another static nat issue.

francisco_1 — Mon, 03 Nov 2008 16:51:44 GMT

calvinz,

also according to your config, the device hostname you are trying to do NAT is "router" while the hostname for your ASA is "asa510-01". make sure you are working on the correct device. NAT commands work differently on ASA/Routers.

Francisco.

Re: ASA-5510: Adding another static nat issue.

calvinz21 — Mon, 03 Nov 2008 17:08:59 GMT

Sorry, here's the right config and it does have backup as a interface.

here's the current config file.

ASA Version 8.0(3)

hostname asa510-01

domain-name corp.com

enable password xxxxxxxxxxxx encrypted

names

interface Ethernet0/0

nameif backup

security-level 0

ip address 214.x.x.114 255.255.255.240

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.20.1.254 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

domain-name corp.com

access-list outside_1_cryptomap extended permit ip 10.20.1.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list outside_access_in remark allow public to http

access-list outside_access_in extended permit tcp any host 214.24.29.115 eq www

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

logging host inside 10.1.xx.xx

mtu outside 1500

mtu inside 1500

ip verify reverse-path interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

arp timeout 14400

global (backup) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.20.1.0 255.255.255.0

static (inside,backup) 214.24.29.115 10.20.1.10 netmask 255.255.255.255

access-group outside_access_in in interface backup

route backup 0.0.0.0 0.0.0.0 214.24.29.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server LIST1 protocol tacacs+

key xxxxxxxxx

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa accounting enable console LIST1

http server enable

http 10.20.10.0 255.255.255.0 inside

http 207.40.115.253 255.255.255.255 backup

snmp-server host inside 10.1.11.45 community 1232344

snmp-server location xxxxxxxx

no snmp-server contact

snmp-server community 123cabaf3a

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 207.40.115.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface backup

crypto isakmp enable backup

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

console timeout 5

management-access inside

threat-detection basic-threat

threat-detection statistics

tunnel-group 207.40.115.1 type ipsec-l2l

tunnel-group 207.40.115.1 ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect netbios

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect tftp

inspect xdmcp

inspect http

inspect icmp

inspect snmp

service-policy global_policy global

prompt hostname context

Re: ASA-5510: Adding another static nat issue.

calvinz21 — Mon, 03 Nov 2008 17:11:18 GMT

I'm in the correct router. I just forgot what I named the router.

I tried using backup as a interface and got this error:

asa510-01(config)# static (inside,backup) interface 10.20.0.20 netmask 255.255.255.255

WARNING: static redirecting all traffics at backup interface;

WARNING: all services terminating at backup interface are disabled.

So it seems like I might have to create a new interface or something?

Re: ASA-5510: Adding another static nat issue.

francisco_1 — Mon, 03 Nov 2008 17:13:25 GMT

then what adam suggested will work for you. have you tried it? does it work?

Francisco.

Re: ASA-5510: Adding another static nat issue.

francisco_1 — Mon, 03 Nov 2008 17:17:23 GMT

i think the reason why you have this problem is because you already have "global (backup) 1 interface". (Translating already using the outside interface for 10.20.1.0 255.255.255.0. try using another public ip for one-one static translation.

Re: ASA-5510: Adding another static nat issue.

calvinz21 — Mon, 03 Nov 2008 17:26:12 GMT

Is there anyway around it w/o having to have another public IP?

Re: ASA-5510: Adding another static nat issue.

francisco_1 — Mon, 03 Nov 2008 17:33:56 GMT

unless you use static with PAT.

Example below shows how to configure static PAT for an internal web server located at 192.168.10.10 The web client on the public network will connect to the server using the public IP address of the security appliance using the default web (TCP port 80)

static (inside,outside) tcp interface www 192.168.10.10 www netmask 255.255.255.255

Re: ASA-5510: Adding another static nat issue.

francisco_1 — Mon, 03 Nov 2008 17:35:40 GMT

try static (inside,backup) tcp interface www 10.20.1.20 www netmask 255.255.255.255. change the port to whatever you would like to allow.

Re: ASA-5510: Adding another static nat issue.

calvinz21 — Mon, 03 Nov 2008 18:01:31 GMT

thanks, i'll give that try. it seems like i'm talking to someone here that doesn't understand what they are asking. I'll check with the 3rd party on what they want. will keep you posted. thanks for the help..

Re: ASA-5510: Adding another static nat issue.

calvinz21 — Tue, 04 Nov 2008 15:57:29 GMT

i was able to put in a static nat with another public IP. thanks for your help.

I'm having a access issue. wonder if you guys can see if its being block somewhere else. i already wrote up a ACL for the access but it's still being denied. same router.

access-list outside_access_in line 11 extended permit tcp any 214.16.68.192 255.255.255.192 eq 3389 (hitcnt=0)

access-list outside_access_in line 12 extended permit tcp any 214.16.68.192 255.255.255.192 (hitcnt=0)

Deny tcp src backup:214.16.68.246/4225 dst inside:214.24.29.115/3389 by access-group "outside_access_in" [0x0, 0x0]

Re: ASA-5510: Adding another static nat issue.

francisco_1 — Tue, 04 Nov 2008 16:54:47 GMT

try

access-list outside_access_in extended permit tcp any host 214.16.68.192 eq 3389

Francsico