Multiple NAT to network

apmcomp
Level 1

I am trying to do the following on an ASA 5505 with Security Plus licensing.

public IP ASA          private IP ASA

199.185.3.25 <------- 192.168.1.254
                   ^
                   |-------- 192.168.2.254
                   ^
                   |-------- 192.168.3.254

I want the 192.168.1.0/24 and 192.168.2.0/24 to NAT to the internet. 

I can get the first subnet to work.  I can get hosts on each of the two subnets to ping each other.  However, if I try to ping an external site, 4.2.2.2, the first subnet works and the second one does not.

I am enclosing the running configuration from IOS 8.4.  Any insights as to what I'm missing to get the second network to be able to send and receive packets to an internet connection?

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.01.05 21:03:36 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.4(6)
!
hostname INFOASA01
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 4
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 25
 pppoe client vpdn group PPP
 ip address pppoe setroute
!
interface Vlan2
 nameif inside
 security-level 75
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan3
 description Wireless
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan4
 description home-network
 nameif inside-46
 security-level 50
 ip address 192.168.3.224 255.255.255.0
!
interface Vlan5
 nameif inside5
 security-level 75
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan98
 description VPN client
 no nameif
 security-level 90
 ip address 192.168.98.254 255.255.255.0
!
interface Vlan99
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_25
 host 192.168.1.249
object network obj_143
 host 192.168.1.249
object network obj_1677
 host 192.168.1.249
object network obj_444
 host 192.168.1.249
object network obj_443
 host 192.168.1.246
object network obj_22
 host 192.168.1.249
object network obj_21
 host 192.168.1.247
object network obj_8009
 host 192.168.1.249
object network obj_39833
 host 192.168.1.88
access-list smtp extended permit tcp any host 66.18.210.142 eq smtp
access-list smtp extended permit tcp any host 192.168.1.249 eq smtp
access-list smtp extended permit tcp any host 192.168.1.249 eq imap4
access-list smtp extended permit tcp any host 192.168.1.249 eq 1677
access-list smtp extended permit tcp any host 192.168.1.249 eq https
access-list smtp extended permit tcp any host 192.168.1.246 eq https
access-list smtp extended permit tcp any host 192.168.1.247 eq ftp
access-list smtp extended permit tcp any host 192.168.1.249 eq ssh
access-list smtp extended permit tcp any host 192.168.1.249 eq 8009
access-list smtp extended permit tcp any host 192.168.1.88 eq 3389
no pager
logging asdm informational
mtu outside 1460
mtu inside 1500
mtu inside-46 1500
mtu inside5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_25
 nat (inside,outside) static interface service tcp smtp smtp
object network obj_143
 nat (inside,outside) static interface service tcp imap4 imap4
object network obj_1677
 nat (inside,outside) static interface service tcp 1677 1677
object network obj_444
 nat (inside,outside) static interface service tcp https 444
object network obj_443
 nat (inside,outside) static interface service tcp https https
object network obj_22
 nat (inside,outside) static interface service tcp ssh 40022
object network obj_21
 nat (inside,outside) static interface service tcp ftp ftp
object network obj_8009
 nat (inside,outside) static interface service tcp 8009 8009
object network obj_39833
 nat (inside,outside) static interface service tcp 3389 39833
access-group smtp in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
snmp-server location Home1
snmp-server contact network admin
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 3
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group PPP request dialout pppoe
vpdn group PPP localname **********************
vpdn group PPP ppp authentication chap
vpdn username *********.com password ***** store-local
dhcpd auto_config inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ***** password ******* encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d2e31f51f0af551900f9fb8b5dd3ea72
: end

INFOASA01(config)# packet-tracer input inside5 tcp 192.168.2.200 12345 4.2.2.2 12345

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5605, packet dispatched to next module

Result:
input-interface: inside5
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

INFOASA01(config)# packet-tracer input inside5 tcp 192.168.1.200 12345 4.2.2.2 12345

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.200/12345 to 199.185.3.25/12345

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5633, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

INFOASA01(config)# icmp    debug icmp tra
debug icmp trace enabled at level 1
INFOASA01(config)# ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=0 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=1 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=2 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=3 len=56
ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=4 len=56
b ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=140 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=140 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=141 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=141 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=142 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=142 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=143 len=32
ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=143 len=32
ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
no debug icmp tra
debug icmp trace disabled.
INFOASA01(config)#


3 Replies

You need to add dynamic NAT statements for the other two networks.  Currently you only have a dynamic NAT statement for the network connected to the inside interface (192.168.1.0/24).

object network obj_any
 nat (inside,outside) dynamic interface

You could try to change this statement to the following:

object network obj_any
 nat (any,outside) dynamic interface

Otherwise you would need to create separate NAT statements for each network.

--
Please remember to rate and select a correct answer


If I wanted to limit it to just the second network, then something like:

object network obj_any5
 nat (inside5,outside) dynamic interface

would work?

Does it need to be in a particular order in the list of network objects?  Lastly, is there a way to print the running configuration with the lines numbered?

Thanks for the suggestion and any follow up.

Regards,

Paul

Hello Paul,

Yes, there is an order within the NAT on 8.3 and higher:

1) Manual NAT or Twice NAT

2) Object NAT (the one being used here)

3) After-Auto NAT

Inside the Object NAT, the order is set automatically by the firewall, placing the static entries and the more specific ones first.

So if you enter that command you will be translating only the subnet within obj_any5 from inside5 to outside.

Hope I was clear hehe

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
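To make the two replies concrete, here is an added example (my own code, not Cisco's and not output from this thread): a small Python model of how ASA 8.3+ evaluates section 2 (network object NAT) rules against a packet's ingress interface and source address. It reproduces the original symptom (a packet from inside5 matches no rule, which is why the first packet-tracer above shows no NAT phase), the accepted answer's `nat (any,outside)` fix, and the per-interface `obj_any5` variant Paul asked about, and it orders the rules the way Julio describes. Assumptions not taken from the thread: the parser understands only `object network`, `subnet`, `host` and `nat (real,mapped) static|dynamic ...` lines; the section 2 ordering key (static before dynamic, then fewer real addresses, then lower address, then object name) follows Cisco's published rule as I know it; the per-port `service` part of the static PAT entries is not modelled, so a host covered by a static object is simply reported as matching it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# 'nat (real_if,mapped_if) static|dynamic ...'; the rest of the line
# (interface / service ...) is not needed for a source-address match.
NAT_RE = re.compile(r"^nat\s*\((\S+?),(\S+?)\)\s+(static|dynamic)\b")


@dataclass(frozen=True)
class NatRule:
    obj: str
    network: ipaddress.IPv4Network  # real addresses the object covers
    real_if: str                    # 'inside', 'inside5', 'any', ...
    mapped_if: str
    kind: str                       # 'static' or 'dynamic'


def parse_object_nat(config: str) -> list[NatRule]:
    """Pair each 'object network' body with the nat line attached to it.

    'show run' prints object bodies early and nat lines later under a
    repeated 'object network X' header, so the current object name is
    tracked and its subnet looked up when the nat line is reached.
    """
    nets: dict[str, ipaddress.IPv4Network] = {}
    rules: list[NatRule] = []
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["object", "network"]:
            current = parts[2]
        elif parts[0] == "subnet" and current:
            nets[current] = ipaddress.IPv4Network((parts[1], parts[2]))
        elif parts[0] == "host" and current:
            nets[current] = ipaddress.IPv4Network(parts[1])
        elif (m := NAT_RE.match(line)) and current:
            rules.append(NatRule(current, nets[current], m[1], m[2], m[3]))
    return rules


def section2_order(rules: list[NatRule]) -> list[NatRule]:
    """Sort as the ASA orders section 2 (assumed key: static first, then
    fewest real addresses, then lowest address, then object name).
    Config order does not matter, which answers Paul's ordering question."""
    return sorted(rules, key=lambda r: (r.kind != "static",
                                        r.network.num_addresses,
                                        int(r.network.network_address),
                                        r.obj))


def lookup(rules: list[NatRule], in_if: str, src: str) -> Optional[NatRule]:
    """First section 2 rule applying to a packet entering in_if from src.

    A rule applies when its real interface is the ingress interface (or
    'any') and src lies in the object.  None means no translation: on 8.3+
    the packet is still routed but leaves with its private source address.
    """
    addr = ipaddress.IPv4Address(src)
    for r in section2_order(rules):
        if r.real_if in ("any", in_if) and addr in r.network:
            return r
    return None


def which_object(config: str, in_if: str, src: str) -> Optional[str]:
    """Name of the object that would translate the packet, or None."""
    rule = lookup(parse_object_nat(config), in_if, src)
    return rule.obj if rule else None


# Constructed excerpt mirroring the thread's config: the catch-all object
# bound to 'inside' only, plus one of the static PAT objects.
ORIGINAL = """
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_443
 host 192.168.1.246
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_443
 nat (inside,outside) static interface service tcp https https
"""

# Accepted answer: bind the catch-all to any real interface.
FIX_ANY = ORIGINAL.replace("nat (inside,outside) dynamic interface",
                           "nat (any,outside) dynamic interface")

# Paul's per-network variant (object name obj_any5 taken from his reply).
FIX_PER_IF = ORIGINAL + """
object network obj_any5
 subnet 192.168.2.0 255.255.255.0
 nat (inside5,outside) dynamic interface
"""

if __name__ == "__main__":
    cases = [("inside", "192.168.1.200"), ("inside", "192.168.1.246"),
             ("inside5", "192.168.2.200"), ("inside-46", "192.168.3.10")]
    for name, cfg in (("original", ORIGINAL), ("nat (any,outside)", FIX_ANY),
                      ("obj_any5 on inside5", FIX_PER_IF)):
        print(f"== {name} ==")
        for in_if, src in cases:
            print(f"  {in_if:>9} {src:<15} -> {which_object(cfg, in_if, src)}")
```

Running it shows the three outcomes side by side: with the original config only `inside` sources are translated, `nat (any,outside)` covers inside5 and inside-46 alike, and `obj_any5` covers exactly 192.168.2.0/24 entering inside5 while 192.168.3.0/24 on inside-46 still goes untranslated, which is the "only the subnet within obj_any5" point in the last reply. The static `obj_443` entry sorts ahead of the `/0` catch-all even though the catch-all is defined first in the config.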