topic Re: ASA behind a router performing NAT... in Network Security

ASA behind a router performing NAT...

d.donnelly — Mon, 11 Mar 2019 12:12:47 GMT

Hi,

I'm not sure if this would be more suited in the R&S forums but I figure some

security people must have worked on something similar....

I have an ASA sitting behind a 2800 router with 2 Internet circuits. I'm trying to

NAT everthing from the ASA inbound & outbound.

I can't ping from the DMZ to the inside of the router, icmp is allowed. I can't

see any deny's on the logs either, yet I can see an e-mail appliance (192.168.10.9)

getting NAT'd and I know it's receiving updates:

tcp 83.x.x.69:80 192.168.10.9:80 217.198.148.6:52782 217.198.148.6:52782

I was trying to do the NAT on the ASA but I've wiped that so now there's just a

172.16.90.2 address on the outside interface as well as the Inside (10.1.10.0/24)

and DMZ (192.168.10.0/24) interfaces.

interface GigabitEthernet0/0

description Link to Outside Interface of ASA

ip address 172.16.90.1 255.255.255.0

ip nat inside

interface GigabitEthernet0/1

description Primary Circuit

ip address 83.x.x.66 255.255.255.248

ip nat outside

interface FastEthernet0/0/0

description Backup Circuit

ip address 89.x.x.159 255.255.255.254

ip nat outside

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

ip route 83.x.x.64 255.255.255.248 GigabitEthernet0/0

ip route 89.x.x.159 255.255.255.255 GigabitEthernet0/0

ip route 10.1.1.0 255.255.255.0 GigabitEthernet0/0

ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0

ip nat pool NAT_INT 83.x.x.67 83.x.x.69 prefix-length 29

ip nat inside source list 11 pool NAT_INT overload

access-list 11 permit any

access-list 11 permit 192.168.10.0 0.0.0.255

access-list 11 permit 10.1.1.0 0.0.0.255

access-list 11 permit 172.16.90.0 0.0.0.255

I'm trying to figure out where things are going wrong, the packet-tracer on the ASA

suggests everything is fine there, and there doesn't seem to be a whole lot going on

with the NAT...maybe something on the routing...

Anybody got any ideas?!

Thanks,

Denis

Re: ASA behind a router performing NAT...

srue — Wed, 05 Mar 2008 20:11:00 GMT

the asa/pix platform denies ICMP by default. the easiest way around this is to enable icmp ispection.

assuming you're running the default global inspection policy, enter the following:

policy-map global_policy

class inspection_default

inspect icmp

------------

besides that, what else was wrong?

for communications between networks that reside on different interfaces of the ASA, additional configuration will be required, depending on the security-levels of each interface.

Re: ASA behind a router performing NAT...

d.donnelly — Wed, 05 Mar 2008 20:36:20 GMT

Yup, I enabled that for icmp alright. I'm happy enough with how things are working on the ASA. The problem just seems to be when I try to get out past the router, so I thought there's a problem with how the statics are configured for the internal networks.

I'm stretching my understanding a bit here but if I can provide any more information please let me know.

Re: ASA behind a router performing NAT...

sundar.palaniappan — Wed, 05 Mar 2008 21:08:37 GMT

Dennis,

Can you reconfigure the static route;

Remove:

ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0

Add:

ip route 192.168.10.0 255.255.255.0 172.16.90.2

If that doesn't help can you share a sanitized copy of the ASA configuration.

HTH

Sundar

Re: ASA behind a router performing NAT...

d.donnelly — Thu, 06 Mar 2008 15:11:14 GMT

Ok, so somehow I resolved this...

I changed the ip routes as you mentioned above but it didn't have any effect. I also changed the NAT configuration to the the following:

ip nat inside source list 10 interface GigabitEthernet0/1 overload

ip nat inside source static 172.16.90.2 83.x.x.70

...this didn't seem to have any effect either.

I gave the redundant circuit a higher metric and messed about with the DNS servers and then things started working...

Not sure what happened but it works now so it'll do!

Thanks for your input guys,

Denis