Not able to ping through ASA 5510

Dom Lukos
Level 1

Hello guys,

I'm having problems when trying to ping via my ASA 5510.

This is the important bit of the configuration:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address X.X.X.X/30
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address Y.Y.Y.Y/30

access-list ACL_in extended permit ip any any log
access-list ACL_in extended permit icmp any any log
access-group ACL_in in interface inside

icmp permit any outside

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

route inside My_PC 255.255.255.255 Inside_Router 1

From the firewall itself I can ping the outside interface and the IP address of the router which is connected to the outside interface (Y.Y.Y.Y+1/30), but I cannot ping anything from the host which is behind the inside interface.

When pinging I can see the hitcount for "access-list ACL_in extended permit ip any any log" increase but no reply coming back...

I have added both static routes for my PC to the firewall configuration so the ping reply should know how to come back to me.

I cannot ping the IP of the outside interface nor the IP of Outside_router.

What am I missing here?

12 Replies

Jouni Forss
VIP Alumni

Hi,

You won't be able to ICMP the external interface of the ASA from behind the internal interface of the ASA. This is a known restriction related to the ASA.

With regards to the actual ICMP through the ASA for the LAN user please provide us with the "packet-tracer" output. Fill in the information needed.

packet-tracer input inside icmp <source IP> 8 0 <destination IP>

Or

packet-tracer input inside icmp <source IP> 8 0 8.8.8.8

The ICMP should generally go through with just adding the ICMP Inspection to the default configuration of the ASA.

Are you sure you have NAT configuration for the source host? If not this might explain no ICMP Echo reply. This would also mean though that the host would not be able to connect with anything else either, for example HTTP.

The "packet-tracer" output should tell us what happens to the ICMP traffic with regards to the ASA configurations.

- Jouni

Hello there,

Jouni Forss, thanks for your reply.

Yes it looks like the NAT configuration was incorrect. I have set static NAT with following command:

static (inside,outside) My_PC-NAT My_PC netmask 255.255.255.255

but it looks like this is the wrong direction because as soon as I change this to

static (outside,inside) My_PC My_PC-NAT netmask 255.255.255.255

the router replies for the ping requests.

You're right, I still can't ping the outside router interface but that is fine, I don't need to.

Also the outside connection is not actually going to the ISP, it's connected to one of our networks (172.X.X.X address).

The questions which I have now:

How does the NAT actually work? Why didn't my first command work? What has to be NATed and what not?

I thought when I'm coming from inside -> outside I should create a NAT static (inside,outside) so my inside address is NATed to the outside address, but it looks like this is not the case.

Also I cannot telnet to the router, I can only ping it.

Does that mean I need to add the "inspect telnet" command to the firewall configuration as well?

Thanks,

Dom

Hi,

Please share the complete configuration and remove any sensitive information so we can get a clear picture of the current configurations and setup.

The first Static NAT command format seems to be right as it does a NAT from "inside" to "outside". The first IP address in the command is the NAT IP address and the second one the local IP address. This Static NAT naturally works in both directions. It enables connectivity to the internal host with the NAT IP address and also presents the internal host to the destination networks with the NAT IP address when it forms connections.

You don't typically do Static NAT from "outside" to "inside".

- Jouni

Jouni,

I have removed the sensitive info by replacing it with XXX where XXX in one command is not the same address/name on the other.

XXX# sh run
: Saved
:
ASA Version 7.1(2)
!
hostname XXX
domain-name XXX
enable password XXX encrypted
names
name...
.
.
.
name...
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.25.32.225 255.255.255.252
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 172.16.227.5 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd XXX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XXX
access-list outside_access_in ...
.
.
.
access-list outside_access_in ...
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit icmp any any log
pager lines 24
logging enable
logging buffered alerts
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any traceroute outside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
static (inside,outside) XXX-NAT XXX netmask 255.255.255.255
.
.
.
static (inside,outside) XXX-NAT XXX netmask 255.255.255.255
static (outside,inside) XXX-NAT XXX netmask 255.255.255.255
.
.
.
static (outside,inside) XXX-NAT XXX netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside XXX 255.255.255.255 XXX 1
.
.
.
route inside XXX 255.255.255.255 XXX 1
route outside XXX 255.255.255.255 XXX 1
.
.
.
route outside XXX 255.255.255.255 XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username XXX password XXX encrypted
aaa authentication telnet console LOCAL
http server enable
http XXX 255.255.255.255 inside
http XXX 255.255.255.255 inside
http XXX 255.255.255.255 inside
http XXX 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet XXX 255.255.255.255 inside
telnet XXX 255.255.255.255 inside
telnet XXX 255.255.255.255 inside
telnet XXX 255.255.255.255 inside
telnet XXX 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
tftp-server inside XXX XXX
Cryptochecksum:XXX
: end

Is there something like dual NAT on the ASA firewalls? For example, when I send a ping from inside to outside I need the static (inside,outside) command. For the ping reply to come back to me, do I need another NAT static (outside,inside)?

Hi Dom,

You need a NAT to translate and an ACL as you have an access-group bound to the inside interface.

I do see both of them configured and they should allow the traffic.

You won't need a Twice NAT as the static NAT rules are bidirectional.

Please get the output of following to troubleshoot further:

packet-tracer input inside tcp (SOURCE IP) 1034 (DESTINATION IP THAT YOU WANT TO TELNET) 21 detailed

If this shows traffic allowed, please apply captures on ingress and egress interface and share the outputs.

You can use the following to apply captures:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Cheers,

Naveen

Hi,

If you are translating your source address that is behind the "inside" interface you only need the command

static (inside,outside) <NAT IP> <local IP> netmask 255.255.255.255

In a normal setup you shouldn't need to translate any address located behind the "outside" interface, so you would NOT need the commands with "static (outside,inside)".

According to the above configuration you are missing the default route?

route outside 0.0.0.0 0.0.0.0 <next-hop IP>

- Jouni
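As an added worked example (not code from any poster in this thread), the following Python model shows the static NAT semantics Jouni describes in his two replies above: a single `static (real_ifc,mapped_ifc) mapped_ip real_ip` rule in the pre-8.3 ASA syntax rewrites the source of traffic leaving the real interface and the destination of traffic arriving on the mapped interface, so one `(inside,outside)` rule carries both the echo request and its reply. The addresses `MY_PC`, `MY_PC_NAT` and `ROUTER` are hypothetical values constructed for the example, not the ones from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical addresses constructed for this example (not from the thread):
MY_PC = "10.25.100.7"        # real address of the host behind "inside"
MY_PC_NAT = "172.16.227.50"  # mapped address it is seen as on "outside"
ROUTER = "172.16.227.6"      # the router on the "outside" segment

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+) netmask 255\.255\.255\.255$"
)


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


def parse_static(line: str) -> StaticNat:
    """Parse one host-to-host static rule in the pre-8.3 ASA syntax."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a host static NAT rule: {line!r}")
    return StaticNat(**m.groupdict())


def translate(rules: List[StaticNat], ingress: str, egress: str,
              src: str, dst: str) -> Tuple[str, str, Optional[StaticNat]]:
    """Rewrite one packet flowing ingress -> egress with the first matching rule.

    real -> mapped: a packet entering real_ifc, leaving mapped_ifc, whose
    source is real_ip, leaves with source mapped_ip.
    mapped -> real: a packet entering mapped_ifc, leaving real_ifc, whose
    destination is mapped_ip, is delivered to real_ip.
    One rule therefore serves both directions.
    """
    for r in rules:
        if ingress == r.real_ifc and egress == r.mapped_ifc and src == r.real_ip:
            return r.mapped_ip, dst, r
        if ingress == r.mapped_ifc and egress == r.real_ifc and dst == r.mapped_ip:
            return src, r.real_ip, r
    return src, dst, None


def ping_round_trip(rules: List[StaticNat], real_ip: str, target: str) -> Tuple[str, str]:
    """Echo request inside -> outside, then the echo reply outside -> inside.

    Returns (source address the target sees, address the reply is delivered to).
    """
    out_src, out_dst, _ = translate(rules, "inside", "outside", real_ip, target)
    # The target answers to whatever source address it saw in the request.
    _, back_dst, _ = translate(rules, "outside", "inside", out_dst, out_src)
    return out_src, back_dst


if __name__ == "__main__":
    correct = [parse_static(
        f"static (inside,outside) {MY_PC_NAT} {MY_PC} netmask 255.255.255.255")]
    print("one (inside,outside) rule:", ping_round_trip(correct, MY_PC, ROUTER))
    # -> ('172.16.227.50', '10.25.100.7'): seen as the mapped IP, reply reaches the real host

    reversed_only = [parse_static(
        f"static (outside,inside) {MY_PC} {MY_PC_NAT} netmask 255.255.255.255")]
    print("only an (outside,inside) rule:", ping_round_trip(reversed_only, MY_PC, ROUTER))
    # -> ('10.25.100.7', '10.25.100.7'): the inside host's source is never translated
```

The second run shows why the `(outside,inside)` form does not do what the poster expected: its real side is the outside interface, so it only ever rewrites hosts that live behind `outside`, and a packet sourced from the inside host passes through with its real address untouched.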

Also,

I can't see a Dynamic PAT configuration that you would need for all the users to connect through the firewall. At least typically you need this as the ASA is usually connected directly to the external/public network. In your case it seems there is something in between.

Also your "route" configurations for "inside" interface are all with a host mask of 255.255.255.255 ? Should you be routing complete networks to some device behind the "inside" interface?

Is the device in front of ASA doing the Dynamic PAT for the user networks? If not then you would have to add

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Seems to me that if the above is the configuration of your device then you most likely have problems with the routing and NAT on the ASA, as I have pointed out above.

- Jouni

Hi Jouni,

The firewall has been configured by a 3rd-party company and it works without any issues.

I'm just trying to enable telnet to one of the devices which sits behind the firewall and that is not working.

1. Yes - all my "route" configurations are with mask /32 and we have to add a new route command every time we would like to allow a new host through the firewall.

2. The device in front of the ASA is not doing any Dynamic PAT. We have everything done on the ASA itself so I believe we will need double NAT static (inside,outside) and static (outside,inside).

Does that mean my firewall is configured with static NAT rather than NAT control?

Hi,

I don't think "route" commands should really be used for the purpose of defining what is allowed and what is not. You should use "access-list" for that. NAT should not be used to control traffic either.

I am not sure what this firewall is used for if it doesn't have a default route. It would seem to me that it can't be used for internet connectivity at least, since it doesn't have a default route.

I would suggest the same as earlier above, that you use the "packet-tracer" to simulate the Telnet traffic

packet-tracer input inside tcp <source IP> 12345 <router IP> 23

Is the router you are trying to Telnet to the next hop for the ASA on the "outside" interface? If so, does the router have a route to the user's IP address towards the ASA? This naturally depends on whether the user's source IP address is NATed or not.

I can't really tell what the situation is as I don't know any of the IP addresses of this setup or the router configuration in front of the ASA.

- Jouni

Hi Jouni,

The firewall is not being used for Internet connectivity at all.

It just sits between two of our LANs (10.0.0.0/8 and 172.16.0.0/16).

I think it has been configured that way for extra security. If you have placed the ACL entry by mistake the host won't be able to access the network, because there is no default route, nor a static route for the subnet where the host sits, nor a static route for the host itself.

Also, because there is no default NAT/PAT in place, you will have to remember to configure it every single time you allow a new host through the firewall.

Don't ask me why it has been configured that way...

Is the packet-tracer a command built into the ASA IOS?

I can see it...

Hi,

Seems your software is too old for that command.

It was released in software level 7.2, which is also very old software.

- Jouni

Looks like it...

Well it looks like my telnet should work as the ping works, which confirms that there are no issues with NAT or routing. The only place I could be blocked is the ACL, but I can see ip any any is permitted, which includes tcp telnet, so it has to be the router which doesn't accept the connection.

Anyway Jouni, thanks a lot for your help.

May need to get one ASA to play with so I can understand it better.
