01-05-2014 08:35 PM - edited 03-11-2019 08:25 PM
I am trying to do the following on an ASA 5505 with Security Plus licensing.
public IP ASA             private IP ASA
199.185.3.25 <------- 192.168.1.254
                 ^
                 |-------- 192.168.2.254
                 ^
                 |-------- 192.168.3.254
I want the 192.168.1.0/24 and 192.168.2.0/24 to NAT to the internet.
I can get the first subnet to work. I can get hosts on each of the two subnets to ping each other. However, if I try to ping an external site, 4.2.2.2, the first subnet works and the second one does not.
I am enclosing the running-configuration from IOS 8.4. Any insights as to what I'm missing to get the second network to be able to send and receive packets to an internet connection?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.01.05 21:03:36 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.4(6)
!
hostname INFOASA01
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport access vlan 5
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 25
pppoe client vpdn group PPP
ip address pppoe setroute
!
interface Vlan2
nameif inside
security-level 75
ip address 192.168.1.254 255.255.255.0
!
interface Vlan3
description Wireless
shutdown
no nameif
no security-level
no ip address
!
interface Vlan4
description home-network
nameif inside-46
security-level 50
ip address 192.168.3.224 255.255.255.0
!
interface Vlan5
nameif inside5
security-level 75
ip address 192.168.2.254 255.255.255.0
!
interface Vlan98
description VPN client
no nameif
security-level 90
ip address 192.168.98.254 255.255.255.0
!
interface Vlan99
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_25
host 192.168.1.249
object network obj_143
host 192.168.1.249
object network obj_1677
host 192.168.1.249
object network obj_444
host 192.168.1.249
object network obj_443
host 192.168.1.246
object network obj_22
host 192.168.1.249
object network obj_21
host 192.168.1.247
object network obj_8009
host 192.168.1.249
object network obj_39833
host 192.168.1.88
access-list smtp extended permit tcp any host 66.18.210.142 eq smtp
access-list smtp extended permit tcp any host 192.168.1.249 eq smtp
access-list smtp extended permit tcp any host 192.168.1.249 eq imap4
access-list smtp extended permit tcp any host 192.168.1.249 eq 1677
access-list smtp extended permit tcp any host 192.168.1.249 eq https
access-list smtp extended permit tcp any host 192.168.1.246 eq https
access-list smtp extended permit tcp any host 192.168.1.247 eq ftp
access-list smtp extended permit tcp any host 192.168.1.249 eq ssh
access-list smtp extended permit tcp any host 192.168.1.249 eq 8009
access-list smtp extended permit tcp any host 192.168.1.88 eq 3389
no pager
logging asdm informational
mtu outside 1460
mtu inside 1500
mtu inside-46 1500
mtu inside5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj_25
nat (inside,outside) static interface service tcp smtp smtp
object network obj_143
nat (inside,outside) static interface service tcp imap4 imap4
object network obj_1677
nat (inside,outside) static interface service tcp 1677 1677
object network obj_444
nat (inside,outside) static interface service tcp https 444
object network obj_443
nat (inside,outside) static interface service tcp https https
object network obj_22
nat (inside,outside) static interface service tcp ssh 40022
object network obj_21
nat (inside,outside) static interface service tcp ftp ftp
object network obj_8009
nat (inside,outside) static interface service tcp 8009 8009
object network obj_39833
nat (inside,outside) static interface service tcp 3389 39833
access-group smtp in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
snmp-server location Home1
snmp-server contact network admin
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 3
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PPP request dialout pppoe
vpdn group PPP localname **********************
vpdn group PPP ppp authentication chap
vpdn username *********.com password ***** store-local
dhcpd auto_config inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ***** password ******* encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d2e31f51f0af551900f9fb8b5dd3ea72
: end
INFOASA01(config)# packet-tracer input inside5 tcp 192.168.2.200 12345 4.2.2.2 12345
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5605, packet dispatched to next module
Result:
input-interface: inside5
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
INFOASA01(config)#packet-tracer input inside5 tcp 192.168.1.200 12345 4.2.2.2 12345
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.200/12345 to 199.185.3.25/12345
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5633, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
INFOASA01(config)# icmp debug icmp tra
debug icmp trace enabled at level 1
INFOASA01(config)# ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=0 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=1 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=2 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=3 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=4 len=56
b ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=140 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=140 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=141 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=141 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=142 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=142 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=143 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=143 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
no debug icmp tra
debug icmp trace disabled.
INFOASA01(config)#
01-06-2014 03:12 AM
You need to add dynamic NAT statements for the other two networks. Currently you only have a dynamic NAT statement for the network connected to the inside interface (192.168.1.0/24).
object network obj_any
nat (inside,outside) dynamic interface
You could try to change this statement to the following
object network obj_any
nat (any,outside) dynamic interface
Otherwise you would need to create separate NAT statements for each network.
--
Please remember to rate and select a correct answer
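As an added example that is not part of this thread: a small Python check that reads an ASA 8.3+ running configuration and reports which named interfaces have no dynamic NAT rule towards outside, which is exactly the gap the answer above points at. The embedded configuration is a constructed, trimmed excerpt of the one posted in the question; the function names are my own.

```python
"""Audit an ASA 8.3+ config for named interfaces lacking dynamic NAT to 'outside'."""
import re

# Constructed excerpt of the config posted in the thread (trimmed to the relevant lines).
ASA_CONFIG = """
interface Vlan1
 nameif outside
 security-level 25
interface Vlan2
 nameif inside
 security-level 75
interface Vlan3
 no nameif
interface Vlan4
 nameif inside-46
 security-level 50
interface Vlan5
 nameif inside5
 security-level 75
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_25
 nat (inside,outside) static interface service tcp smtp smtp
"""

# 'no nameif' does not match: the line must start with 'nameif'.
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$", re.M)
# Captures (source, destination, dynamic|static) from object NAT lines.
NAT_RE = re.compile(r"^\s*nat\s*\((\S+?),(\S+?)\)\s+(dynamic|static)\b", re.M)


def named_interfaces(config):
    """Every interface name assigned with a 'nameif' line, in config order."""
    return NAMEIF_RE.findall(config)


def dynamic_nat_sources(config, egress="outside"):
    """Source interfaces that have a dynamic NAT rule towards egress.
    Static rules are ignored: a port forward gives one host inbound reachability,
    not outbound PAT for the whole subnet."""
    return {src for src, dst, kind in NAT_RE.findall(config)
            if dst == egress and kind == "dynamic"}


def interfaces_without_outbound_nat(config, egress="outside"):
    """Named interfaces whose hosts will route to egress but match no dynamic NAT.
    A rule with source 'any' covers all interfaces, as the accepted answer suggests."""
    sources = dynamic_nat_sources(config, egress)
    if "any" in sources:
        return []
    return [i for i in named_interfaces(config) if i != egress and i not in sources]


if __name__ == "__main__":
    print(interfaces_without_outbound_nat(ASA_CONFIG))  # ['inside-46', 'inside5']
```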
01-06-2014 11:39 AM
If I wanted to limit it to just the second network, then something like:
object network obj_any5
nat (inside5,outside) dynamic interface
would work?
Does it need to be in a particular order in the list of network objects? Lastly, is there a way to print the running configuration with the lines numbered?
Thanks for the suggestion and any follow up.
Regards,
Paul
01-06-2014 05:14 PM
Hello Paul,
Yes, there is an order within the NAT on 8.3 and higher:
1) Manual Nat or Twice Nat
2) Object Nat (the one being used here)
3) After-Auto Nat
Inside Object NAT, the order is handled automatically by the firewall, taking the static entries and the more specific ones into account.
So if you enter that command you will be translating only the subnet within obj_any5 from inside5 to outside.
Hope I was clear hehe
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com