cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
316
Views
0
Helpful
1
Replies

NAT problems with ASA5505

enrique.jara
Level 1
Level 1

Hello,

I think I have misconfigured NAT, I can not make internet ping from the LAN, or connections such as a Telnet

Can anyone help??

thanks

: Saved

:

ASA Version 8.4(3)

!

hostname ASA

enable password

passwd

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!            

interface Vlan1

nameif inside

security-level 100

ip address 172.26.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.0.2.2 255.255.255.0

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network obj-172.26.0.0

subnet 172.26.0.0 255.255.255.0

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.224

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_172.26.0.0_24

subnet 172.26.0.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_27

subnet 192.168.1.0 255.255.255.224

object network AS400

host 172.26.0.250

object network Puerto8001tcp

host 172.26.0.249

description Administración cámaras puerto 8001 tcp

object network Puerto8001udp

host 172.26.0.249

description Administración cámaras puerto 8001 udp

object network puerto8000tcp

host 172.26.0.249

description Aministración camaras puerto 8000 tcp

object network puerto8000udp

host 172.26.0.249

description Administración camaras puerto 8000 udp

object-group service DM_INLINE_TCPUDP_1 tcp-udp

port-object eq 8000

port-object eq 8001

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list TRABAJADORESVPN_splitTunnelAcl standard permit 172.26.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 192.168.1.0 255.255.255.224

access-list inside_access_in extended permit ip any any

access-list TRABAJADOREXTERNO_splitTunnelAcl standard permit host 172.26.0.250

access-list outside_access_in extended permit object-group TCPUDP any any object-group DM_INLINE_TCPUDP_1

access-list outside_access_in extended deny ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn_pool 192.168.1.10-192.168.1.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

nat (inside,any) source static obj-172.26.0.0 obj-172.26.0.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp

nat (inside,outside) source static NETWORK_OBJ_172.26.0.0_24 NETWORK_OBJ_172.26.0.0_24 destination static NETWORK_OBJ_192.168.1.0_27 NETWORK_OBJ_192.168.1.0_27 no-proxy-arp route-lookup

nat (inside,outside) source dynamic any interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network Puerto8001tcp

nat (inside,outside) static interface service tcp 8001 8001

object network Puerto8001udp

nat (inside,outside) static interface service udp 8001 8001

object network puerto8000tcp

nat (inside,outside) static interface service tcp 8000 8000

object network puerto8000udp

nat (inside,outside) static interface service udp 8000 8000

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.2.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 172.26.0.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 172.26.0.33-172.26.0.100 inside

dhcpd dns 80.58.61.250 80.58.61.254 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy TRABAJADOREXTERNO internal

group-policy TRABAJADOREXTERNO attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value TRABAJADOREXTERNO_splitTunnelAcl

group-policy TRABAJADORESVPN internal

group-policy TRABAJADORESVPN attributes

dns-server value 8.8.8.8 80.58.61.250

vpn-tunnel-protocol ikev1

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value TRABAJADORESVPN_splitTunnelAcl

user-authentication-idle-timeout none

username

username

username

tunnel-group TRABAJADOR type remote-access

tunnel-group TRABAJADOR general-attributes

address-pool vpn_pool

default-group-policy TRABAJADOR

tunnel-group TRABAJADORESVPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group TRABAJADOREXTERNO type remote-access

tunnel-group TRABAJADOREXTERNO general-attributes

address-pool vpn_pool

default-group-policy TRABAJADOREXTERNO

tunnel-group TRABAJADOREXTERNO ipsec-attributes

ikev1 pre-shared-key *****

!

!

1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Do you mean you can't connect to anything on the WAN from the LAN?

I don't see any NAT configuration that should stop that.

To me it seems though that from the external network the connections for your configured Static PAT (Port Forward) will fail because of the below configuration

no nat (inside,outside) source dynamic any interface

You could remove it since you already have this that does the same thing without causing problems

object network obj_any

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

You can test the connectivity from "inside" to "outside" with "packet-tracer" command

packet-tracer input inside tcp 172.26.0.100 12345 8.8.8.8 80

The output should tell us if there is any problems. But at the moment I can't see anything else wrong than what I mentioned.

You can also modify the above command to simulate the connections that dont work at the moment. Version of ICMP would be

packet-tracer input inside icmp 172.26.0.100 8 0 8.8.8.8

You could naturally make sure you have ICMP Inspection enabled

You could issue commands like

fixup protocol icmp

fixup protocol icmp error

As I cant see your "policy-map" configurations I can't tell if they are already configured.

- Jouni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: