09-01-2011 01:56 AM - edited 03-11-2019 02:19 PM
Hi
We have an ASA 5505 firewall on version 8.2. It currently works fine. We're going through the process of migrating to a new IP range, but when we change the NAT entries, the pings to the public address return the inside IP address!!! Help!!
the current config is
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.06.16 12:09:27 =~=~=~=~=~=~=~=~=~=~=~=
mdspixfirewall# sho run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YB.ux8bsS71TJocI encrypted
passwd FOrFfsaVs9oyvPYJ encrypted
hostname mdspixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any host 192.168.220.241 echo
access-list outside_access_in permit icmp any host 192.168.220.241 unreachable
access-list outside_access_in permit icmp any host 192.168.220.241 time-exceeded
access-list outside_access_in permit icmp any host 192.168.220.242 echo
access-list outside_access_in permit icmp any host 192.168.220.242 unreachable
access-list outside_access_in permit icmp any host 192.168.220.242 time-exceeded
access-list outside_access_in permit tcp host 192.168.220.246 host 192.168.220.241 eq telnet
access-list outside_access_in permit tcp host 192.168.220.246 host 192.168.220.242 eq telnet
access-list outside_access_in deny ip any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
pager lines 24
logging on
logging console debugging
logging monitor alerts
logging trap informational
logging history informational
logging host inside 192.168.222.15
logging host inside 192.168.222.19
mtu outside 1500
mtu inside 1500
ip address outside 192.168.220.254 255.255.255.0
ip address inside 192.168.222.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 192.168.220.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.220.242 194.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.220.241 192.168.20.16 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.222.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 192.168.222.19 trap
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.222.0 255.255.255.0 inside
telnet 172.18.1.0 255.255.255.0 inside
telnet 172.18.0.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.220.61-192.168.220.239 outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable outside
terminal width 80
Cryptochecksum:08b06398fb0e5297c902e135dbc03716
: end
mdspixfirewall# exit
Logoff
I'm trying to change the mapping to show
static (inside,outside) 192.168.220.241 172.18.148.16 netmask 255.255.255.255 0 0
but any ping sent to 192.168.220.241 replies as the 172.18.148.16 address, and pings from the 172 machine get blocked at the firewall with
"asymmetric NAT rules matched for forward and reverse flows".
any ideas??
thanks
chris
09-01-2011 04:39 AM
Hi Chris,
Could you configure the following?
no static (inside,outside) 192.168.220.241 192.168.20.16 netmask 255.255.255.255 0 0
There are 2 static translation for the same host which is creating issues, when you ping from the 172 host.
Let me know.
Regards,
Anu
P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts.
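The overlapping-static problem Anu points to (two `static` lines translating the same mapped address to different real hosts) is easy to miss in a long `show run`. The script below is an added example, not code from this thread or from Cisco: a small lint over the PIX 6.3-style `static`, `global`, `ip address` and `dhcpd address` lines, run against a constructed excerpt of the posted config with the proposed new static added beside the old one. It flags a mapped address with more than one real host, a real host with more than one mapped address, and a mapped address that collides with the outside DHCP pool, the PAT global or the interface address. The config excerpt and the finding labels are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed excerpt of the posted PIX 6.3 config, with the proposed
# 172.18.148.16 static added next to the old 192.168.20.16 one (the state
# the asker described before removing the old line).
SAMPLE_CONFIG = """\
ip address outside 192.168.220.254 255.255.255.0
ip address inside 192.168.222.1 255.255.255.0
global (outside) 1 192.168.220.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.220.242 194.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.220.241 192.168.20.16 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.220.241 172.18.148.16 netmask 255.255.255.255 0 0
dhcpd address 192.168.220.61-192.168.220.239 outside
"""

# PIX 6.3 / ASA 8.2 one-to-one static: static (real_if,mapped_if) MAPPED REAL netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+) netmask"
)
DHCPD_RE = re.compile(r"^dhcpd address (?P<lo>\S+)-(?P<hi>\S+) (?P<ifname>\w+)")
GLOBAL_RE = re.compile(r"^global \((?P<ifname>\w+)\) \d+ (?P<addr>\d+\.\d+\.\d+\.\d+)")
IPADDR_RE = re.compile(r"^ip address (?P<ifname>\w+) (?P<addr>\d+\.\d+\.\d+\.\d+) \S+")


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped: IPv4Address
    real: IPv4Address


def parse_statics(config: str) -> list[Static]:
    """Return every one-to-one static translation found in the config text."""
    statics = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m:
            statics.append(Static(m["real_if"], m["mapped_if"],
                                  IPv4Address(m["mapped"]), IPv4Address(m["real"])))
    return statics


def find_conflicts(config: str) -> list[str]:
    """Lint static translations; each finding is 'kind: detail' (labels are this example's own)."""
    statics = parse_statics(config)
    pools: dict[str, list[tuple[IPv4Address, IPv4Address]]] = {}  # ifname -> DHCP ranges
    reserved: dict[str, set[IPv4Address]] = {}  # ifname -> interface IP and PAT globals
    for raw in config.splitlines():
        line = raw.strip()
        if m := DHCPD_RE.match(line):
            pools.setdefault(m["ifname"], []).append((IPv4Address(m["lo"]), IPv4Address(m["hi"])))
        elif m := GLOBAL_RE.match(line):
            reserved.setdefault(m["ifname"], set()).add(IPv4Address(m["addr"]))
        elif m := IPADDR_RE.match(line):
            reserved.setdefault(m["ifname"], set()).add(IPv4Address(m["addr"]))

    by_mapped: dict[tuple[str, IPv4Address], set[IPv4Address]] = {}
    by_real: dict[tuple[str, IPv4Address], set[IPv4Address]] = {}
    for s in statics:
        by_mapped.setdefault((s.mapped_if, s.mapped), set()).add(s.real)
        by_real.setdefault((s.real_if, s.real), set()).add(s.mapped)

    findings = []
    # One mapped address translating to two real hosts: the reverse flow for a
    # reply can match a different static than the forward flow did.
    for (ifname, mapped), reals in sorted(by_mapped.items()):
        if len(reals) > 1:
            findings.append(f"duplicate-mapped: {mapped} on {ifname} -> "
                            + ", ".join(str(r) for r in sorted(reals)))
    # One real host published under two mapped addresses on the same interface.
    for (ifname, real), mappeds in sorted(by_real.items()):
        if len(mappeds) > 1:
            findings.append(f"duplicate-real: {real} on {ifname} -> "
                            + ", ".join(str(x) for x in sorted(mappeds)))
    # Mapped address that the firewall also hands out via DHCP or uses itself.
    for s in statics:
        for lo, hi in pools.get(s.mapped_if, []):
            if lo <= s.mapped <= hi:
                findings.append(f"dhcpd-pool: {s.mapped} on {s.mapped_if} lies in {lo}-{hi}")
        if s.mapped in reserved.get(s.mapped_if, set()):
            findings.append(f"reserved: {s.mapped} is the interface or global address on {s.mapped_if}")
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports only the two statics for 192.168.220.241; remove the old `192.168.20.16` line (as Anu suggests) and it reports nothing. It only understands the flat PIX 6.3 syntax shown in the thread, so an ASA 8.3+ object NAT config would need its own parser.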
09-01-2011 05:44 AM
Hi
Sorry. We did take that out when we did the change. I've now set up a test network where I can replicate the issue. I had to back out the changes to our live environment.
Any other ideas?
Thanks
Chris
09-01-2011 05:47 AM
Hi Chris,
What version of ASA are you running? Could you post the output of "sh run" from the ASA? Also, how are you verifying that you get replies from the private IP address?
Let me know.
Regards,
Anu
09-01-2011 05:50 AM
Also, could you add "fixup protocol icmp" and see if it makes any difference?
Let me know.
09-01-2011 02:07 PM
Hi
It's a 5505 running version 8.2
The ping test was to ping 192.168.220.241. In the original config it replies as 192.168.220.241, but when we do the change and ping the same ip address, it replies as 172.18.148.16....
I'll try the other thing you recommend and see if it does anything.
I'll also post the entire setup of the network as it is a bit of an odd setup. Can't do it now as I'm on iPhone doing this.
A brief description is that the firewall is there to segment and hide part of our network that has machines in it that we don't manage. The inside and outside ports on the firewall connect back into different VLANs on the same switch. VLAN ACLs stop traffic moving between the two, as VLAN routing is enabled. We then have two connections into the router for the two VLANs to route.
Thanks
09-12-2011 09:48 AM
You mentioned your ASA 5505 is running 8.2, but the config is from a PIX running 6.3? Can you post the current config from the ASA?
regards,
Prapanch