NAT not working - config attached

GRANT3779
Spotlight

I've configured a basic setup on a 5512 for 2 VLANs and their matching subnets. DHCP etc. is all set up on the ASA; clients get an IP address and can ping their DG (sub-int on the ASA).

I'm trying to get these clients Internet access but seem to be missing something. From the ASA I can ping outside externally; from a client, though, I cannot.

Anything obvious standing out? Config attached.

4 Replies

Jouni Forss
VIP Alumni

Hi,

Regarding ICMP alone, you have not configured ICMP inspection, though it seems that you have attached the same ACL to each interface (which should allow the ICMP Echo Reply without inspection). I would suggest giving the "outside" interface its own ACL.

You could enable ICMP inspection. I don't know why it is not enabled by default:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

If you want to try another type of Dynamic PAT configuration, you could use:

object-group network DYNAMIC-PAT-SOURCE
 network-object 192.168.127.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
nat (any,outside) after-auto source dynamic DYNAMIC-PAT-SOURCE interface

You could also initially try "packet-tracer", though I don't see anything that should block connectivity:

packet-tracer input vlan128 tcp 192.168.128.100 12345 8.8.8.8 80

Is the IP address used in the PAT some IP address other than the "outside" interface IP address? It seems so, though my example above uses the "outside" interface IP address via the parameter "interface".

- Jouni

In some cases the issue is caused because you are replacing the firewall device and the ARP table at the ISP still points to the MAC address of the previous hardware. For PAT or NAT, unless the translated address is the interface IP address, the ASA does proxy ARP for its translations.

Example of proxy ARP:

Proxy ARP (Address Resolution Protocol) is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface.

But if the ARP table on the ISP router already has an entry, it will not query for that address, meaning it will never route to the ASA unless it clears its ARP table and needs to ask for that address again.

Value our effort and rate the assistance!

Hi Jouni,

I went down this route:

object-group network DYNAMIC-PAT-SOURCE
 network-object 192.168.127.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
nat (any,outside) after-auto source dynamic DYNAMIC-PAT-SOURCE interface

and it worked! What is this part of the command actually doing: "after-auto source dynamic"? Also, at the end of the command there is the word "interface". How does this know to use the Outside interface?

Thanks

Hi,

I guess the problem must have been with the public IP address used.

The above configuration I suggested simply condensed the same Dynamic PAT you had (except for the public IP address used perhaps, since we don't see the actual IP addresses used) into only one "nat" command.

The parameter "after-auto" simply means that this NAT configuration is supposed to come after the Auto NAT configuration (also called Network Object NAT). This would make the NAT rule Section 3, while Auto NAT is Section 2. Without the "after-auto" parameter the rule would be Section 1. The reason for me to suggest that is simply that I tend to do normal Dynamic PAT configurations at the lowest priority on the ASA, which would be Section 3.

The "source dynamic" simply indicates that we are configuring source parameters for the NAT and that it's a Dynamic type of NAT.

It knows to use the "outside" interface because it's the destination interface for the "nat" configuration. If we reversed the interfaces at the beginning of the command (which wouldn't make sense, but for example's sake) then the NAT would use the "inside" interface IP address.

- Jouni
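As an added example (not from this thread or from Cisco), here is a small Python checker that sorts the "nat" commands of a pasted ASA config into the three sections described above, so you can see where a rule lands before trusting it; the sample config is constructed and its object names are assumptions. The placement matters because the ASA evaluates Section 1, then 2, then 3 and uses the first match, so a broad dynamic PAT left in Section 1 would take precedence over every object NAT below it.

```python
"""Sort Cisco ASA 'nat' commands into their evaluation sections.

Section 1: manual (twice) NAT without 'after-auto' (checked first)
Section 2: auto NAT, i.e. 'nat' inside 'object network'
Section 3: manual NAT with 'after-auto' (checked last)

Within Sections 1 and 3 the ASA keeps configuration order; within
Section 2 it orders rules itself (static before dynamic, then longest
prefix), which this example does not reproduce.
"""
import re
from typing import List, Tuple

# Constructed sample config: the thread's final PAT rule, one object NAT
# and one manual NAT; object names are assumptions for the example.
SAMPLE_CONFIG = """\
object network WEB-SERVER
 host 192.168.128.10
 nat (vlan128,outside) static 203.0.113.10
object network PARTNER-NET
 subnet 10.10.0.0 255.255.0.0
object-group network DYNAMIC-PAT-SOURCE
 network-object 192.168.127.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
nat (vlan128,outside) source static WEB-SERVER WEB-SERVER destination static PARTNER-NET PARTNER-NET
nat (any,outside) after-auto source dynamic DYNAMIC-PAT-SOURCE interface
"""


def nat_sections(config: str) -> List[Tuple[int, str]]:
    """Return (section, command) pairs in ASA evaluation order."""
    sections = {1: [], 2: [], 3: []}
    in_object = False  # True while inside an 'object network' block
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level command
            in_object = line.startswith("object network ")
        cmd = line.strip()
        if not cmd.startswith("nat "):
            continue
        if in_object and line.startswith(" "):
            sections[2].append(cmd)            # auto (object) NAT
        elif re.search(r"\bafter-auto\b", cmd):
            sections[3].append(cmd)            # manual NAT after auto
        else:
            sections[1].append(cmd)            # manual NAT before auto
    return [(s, c) for s in (1, 2, 3) for c in sections[s]]
```

Running `nat_sections(SAMPLE_CONFIG)` lists the manual rule first, the object NAT second and the after-auto PAT last, which is the order the ASA will try them against a packet.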
