03-30-2010 11:39 AM - edited 03-11-2019 10:27 AM
All I am trying to set up is a 1-to-1 NAT on an ASA. I am rather new to ASAs and need to get this set up for a client. I am trying to set up an IP phone with an external address of 70.X.X.4 and want to route telnet and www to an internal address of 10.130.0.10.
Any help would be appreciated.
Here is my config.
hostname Jewett
domain-name Florida.awsworld.com
enable password ZGWCjGhiSOp89oSm encrypted
passwd ZGWCjGhiSOp89oSm encrypted
names
name 10.130.16.0 A-10.130.16.0 description Jewett VPN Pool
name 70.X.X.4 SERVER_EXT description Phone Switch
name 10.130.0.10 SERVER_INT description Phone Switch Internal
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.130.0.254 255.255.240.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.X.X.2 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login **** Unauthorized Access to this device or the attached network is prohibited without express written permission. Violators will be prosecuted to the fullest extent of both civil and criminal law.****
banner motd **** Unauthorized Access to this device or the attached network is prohibited without express written permission. Violators will be prosecuted to the fullest extent of both civil and criminal law.****
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.130.0.210
 name-server 10.130.0.209
 domain-name Florida.awsworld.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 100 remark **Layne Christensen VPN **
access-list 100 extended permit ip 10.130.0.0 255.255.240.0 10.1.0.0 255.255.0.0
access-list 100 extended permit ip 10.130.0.0 255.255.240.0 10.2.0.0 255.255.0.0
access-list 123 remark **Reynolds VPN **
access-list 123 extended permit ip 10.130.0.0 255.255.240.0 host 192.168.10.20
access-list 123 extended permit ip 10.130.0.0 255.255.240.0 192.168.20.0 255.255.255.0
access-list 123 extended permit ip 10.130.0.0 255.255.240.0 192.100.1.0 255.255.255.0
access-list 123 extended permit ip A-10.130.16.0 255.255.255.0 192.100.1.0 255.255.255.0
access-list 115 remark **NONAT Access-list**
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 192.100.1.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.189.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.182.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.187.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.184.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.177.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.181.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.180.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.191.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 192.168.120.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.190.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 10.2.0.0 255.255.0.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 10.1.0.0 255.255.0.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 host 192.168.10.20
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 192.168.20.0 255.255.255.0
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 172.29.178.0 255.255.255.0
access-list 115 remark **JEWETT VPN**
access-list 115 extended permit ip 10.130.0.0 255.255.240.0 A-10.130.16.0 255.255.255.0
access-list 115 extended permit ip A-10.130.16.0 255.255.255.0 192.100.1.0 255.255.255.0
access-list 124 remark **Longwood VPN **
access-list 124 extended permit ip 10.130.0.0 255.255.240.0 172.29.189.0 255.255.255.0
access-list 190 remark **VPN Client Access**
access-list 190 extended permit ip 10.130.0.0 255.255.240.0 172.29.190.0 255.255.255.0
access-list 126 remark **Sanford VPN **
access-list 126 extended permit ip 10.130.0.0 255.255.240.0 172.29.182.0 255.255.255.0
access-list 127 remark **Clearwater VPN **
access-list 127 extended permit ip 10.130.0.0 255.255.240.0 172.29.187.0 255.255.255.0
access-list 129 remark **Phoenix VPN **
access-list 129 extended permit ip 10.130.0.0 255.255.240.0 172.29.184.0 255.255.255.0
access-list 128 extended permit ip 10.130.0.0 255.255.240.0 172.29.177.0 255.255.255.0
access-list 128 remark **FT Lauderdale VPN **
access-list 130 remark ** **
access-list 130 extended permit ip 10.130.0.0 255.255.240.0 172.29.181.0 255.255.255.0
access-list 131 remark **Charlotte VPN **
access-list 131 extended permit ip 10.130.0.0 255.255.240.0 172.29.180.0 255.255.255.0
access-list 132 remark **Hilliard VPN **
access-list 132 extended permit ip 10.130.0.0 255.255.240.0 192.168.120.0 255.255.255.0
access-list 133 remark **Fairfield VPN **
access-list 133 extended permit ip 10.130.0.0 255.255.240.0 172.29.191.0 255.255.255.0
access-list 120 remark **Outside Access-list**
access-list 120 extended permit ip 10.0.0.0 255.0.0.0 10.130.0.0 255.255.240.0
access-list 120 extended permit tcp 64.216.150.0 255.255.255.0 any eq telnet
access-list 120 extended permit tcp 64.216.150.0 255.255.255.0 any eq ssh
access-list 120 extended permit tcp 64.216.150.0 255.255.255.0 any log
access-list 120 extended permit tcp 64.218.192.0 255.255.255.0 any eq telnet
access-list 120 extended permit tcp 64.218.192.0 255.255.255.0 any eq ssh
access-list 120 extended permit tcp 64.218.192.0 255.255.255.0 any log
access-list 120 extended permit icmp any any
access-list 101 extended permit ip 10.130.0.0 255.255.240.0 172.29.178.0 255.255.255.0
access-list 101 remark **Lake Mary VPN**
access-list split_tunnel_list remark Jewett Split VPN
access-list split_tunnel_list standard permit 10.130.0.0 255.255.240.0
access-list split_tunnel_list standard permit 192.100.1.0 255.255.255.0
access-list Outside-Inbound remark **Phone Management**
access-list Outside-Inbound extended permit tcp any host SERVER_EXT eq www
access-list Outside-Inbound extended permit tcp any host SERVER_EXT eq telnet
pager lines 24
logging enable
logging history emergencies
logging asdm informational
logging class auth history emergencies
logging class session history emergencies
logging class vpn history emergencies
mtu inside 1500
mtu outside 1500
ip local pool ippool 10.130.16.20-10.130.16.80 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 2 70.X.X.3-70.X.X.6 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) SERVER_EXT SERVER_INT netmask 255.255.255.255
access-group Outside-Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 70.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask enable default svc
aaa-server WindowsNPS protocol radius
aaa-server WindowsNPS (inside) host 10.130.0.206
 key P@$$w0rd1
 radius-common-pw P@$$w0rd1
eou clientless username test
eou clientless password password
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.130.0.0 255.255.240.0 inside
http 192.100.1.0 255.255.255.0 inside
http 12.96.65.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 172.29.178.22 community Public
snmp-server location Jewett
snmp-server contact IT Department
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map atlanta 10 set transform-set chevelle 3DES-MD5
crypto map transam 1 match address 123
crypto map transam 1 set peer 12.X.X.2
crypto map transam 1 set transform-set 3DES-MD5
crypto map transam 2 match address 100
crypto map transam 2 set peer 64.X.X.1
crypto map transam 2 set transform-set 3DES-MD5
crypto map transam 3 match address 124
crypto map transam 3 set peer 24.X.X.74
crypto map transam 3 set transform-set 3DES-MD5
crypto map transam 4 match address 127
crypto map transam 4 set peer 24.X.X.138
crypto map transam 4 set transform-set 3DES-MD5
crypto map transam 5 match address 129
crypto map transam 5 set peer 70.X.X.146
crypto map transam 5 set transform-set 3DES-MD5
crypto map transam 6 match address 128
crypto map transam 6 set peer 68.X.X.138
crypto map transam 6 set transform-set 3DES-MD5
crypto map transam 7 match address 130
crypto map transam 7 set peer 24.X.X.242
crypto map transam 7 set transform-set 3DES-MD5
crypto map transam 8 match address 131
crypto map transam 8 set peer 65.X.X.154
crypto map transam 8 set transform-set 3DES-MD5
crypto map transam 9 match address 132
crypto map transam 9 set peer 208.X.X.90
crypto map transam 9 set transform-set 3DES-MD5
crypto map transam 10 match address 133
crypto map transam 10 set peer 208.X.X.202
crypto map transam 10 set transform-set 3DES-MD5
crypto map transam 11 match address 101
crypto map transam 11 set peer 24.X.X.18
crypto map transam 11 set transform-set 3DES-MD5
crypto map transam 100 ipsec-isakmp dynamic atlanta
crypto map transam interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 14400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.4.0154-k9-BETA.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.130.0.210 10.130.0.209
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 ipsec-udp enable
 split-tunnel-network-list value split_tunnel_list
 default-domain value florida.awsworld.com
 address-pools value ippool
 webvpn
  svc ask enable
group-policy JewettVPN internal
group-policy JewettVPN attributes
 dns-server value 10.130.0.210 10.130.0.209
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 default-domain value florida.awsworld.com
username admin password HM9nuQIqHdgEybAl encrypted privilege 15
username inliner password W8jzqjanp7MbZc54 encrypted privilege 15
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Jewett disable
tunnel-group 12.X.X.2 type ipsec-l2l
tunnel-group 12.X.X.2 ipsec-attributes
 pre-shared-key *
tunnel-group 64.X.X.1 type ipsec-l2l
tunnel-group 64.X.X.1 ipsec-attributes
 pre-shared-key *
tunnel-group 24.X.X.74 type ipsec-l2l
tunnel-group 24.X.X.74 ipsec-attributes
 pre-shared-key *
tunnel-group 24.X.X.138 type ipsec-l2l
tunnel-group 24.X.X.138 ipsec-attributes
 pre-shared-key *
tunnel-group 70.X.X.146 type ipsec-l2l
tunnel-group 70.X.X.146 ipsec-attributes
 pre-shared-key *
tunnel-group 68.X.X.138 type ipsec-l2l
tunnel-group 68.X.X.138 ipsec-attributes
 pre-shared-key *
tunnel-group 24.X.X.242 type ipsec-l2l
tunnel-group 24.X.X.242 ipsec-attributes
 pre-shared-key *
tunnel-group 65.X.X.154 type ipsec-l2l
tunnel-group 65.X.X.154 ipsec-attributes
 pre-shared-key *
tunnel-group 208.X.X.202 type ipsec-l2l
tunnel-group 208.X.X.202 ipsec-attributes
 pre-shared-key *
tunnel-group 24.X.X.18 type ipsec-l2l
tunnel-group 24.X.X.18 ipsec-attributes
 pre-shared-key *
tunnel-group JewettVPN type remote-access
tunnel-group JewettVPN general-attributes
 address-pool ippool
 authentication-server-group WindowsNPS
 default-group-policy JewettVPN
 password-management password-expire-in-days 2
tunnel-group JewettVPN webvpn-attributes
 group-alias jewett enable
 group-url https://70.X.X.2/jewett enable
tunnel-group JewettVPN ipsec-attributes
 pre-shared-key *
03-30-2010 11:50 AM
Hi,
To set a 1-to-1 NAT for a device, you use the command:
static (inside,outside) 70.x.x.4 10.130.0.10 netmask 255.255.255.255
Assuming 70.x.x.4 is the NATed IP and 10.130.0.10 is the real IP of the IP phone.
This will allow the ASA to send all traffic that it receives on 70.x.x.4 to 10.130.0.10 and vice versa.
To permit the inbound traffic, there should be an ACL.
Looking at your configuration, you have the correct rules:
static (inside,outside) SERVER_EXT SERVER_INT netmask 255.255.255.255
access-list Outside-Inbound extended permit tcp any host SERVER_EXT eq www
access-list Outside-Inbound extended permit tcp any host SERVER_EXT eq telnet
access-group Outside-Inbound in interface outside
name 70.X.X.4 SERVER_EXT description Phone Switch
name 10.130.0.10 SERVER_INT description Phone Switch Internal
But you're allowing telnet and www to the IP phone?
Is 10.130.0.10 an IP phone?
What exactly is not working?
Federico.
03-30-2010 11:56 AM
Let's start off by saying I have a block of IP addresses, 70.x.x.2 - 70.x.x.6. I attempted to assign the IP addresses to the external interface by using the command
global (outside) 2 70.X.X.3-70.X.X.6 netmask 255.0.0.0
However, I cannot access www or telnet from the outside via 70.x.x.4.
03-30-2010 12:08 PM
treycarr33 wrote:
Let's start off by saying I have a block of IP addresses, 70.x.x.2 - 70.x.x.6. I attempted to assign the IP addresses to the external interface by using the command
global (outside) 2 70.X.X.3-70.X.X.6 netmask 255.0.0.0
However, I cannot access www or telnet from the outside via 70.x.x.4.
As Federico says, the config below is what will allow http/telnet to your IP phone -
static (inside,outside) SERVER_EXT SERVER_INT netmask 255.255.255.255
access-list Outside-Inbound extended permit tcp any host SERVER_EXT eq www
access-list Outside-Inbound extended permit tcp any host SERVER_EXT eq telnet
access-group Outside-Inbound in interface outside
name 70.X.X.4 SERVER_EXT description Phone Switch
name 10.130.0.10 SERVER_INT description Phone Switch Internal
Your global (outside) 2 70.x.x.3-70.x.x.6 netmask 255.0.0.0 has nothing to do with providing access to the IP phone. In fact, you probably don't want this statement because you have an overlap, i.e. you are using .4 in the static statement.
Can you modify the global config to not include the .4 address? Then do a "clear xlate global 70.x.x.4".
Apart from that, does the IP phone have the inside IP of the ASA as its default gateway?
Are you seeing any hits on the Outside-Inbound access-list?
Jon
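The two things Jon asks the poster to check (does a dynamic global pool overlap the static mapped address, and does the ACL bound inbound on the outside interface actually permit the mapped host) can be checked offline against a saved config. The script below is an added example written for this page; it is not part of the thread and not a Cisco tool. It parses only the ASA 8.2-style lines involved (name, global, static, access-list, access-group), embeds the relevant lines of the posted config as a constructed sample, and substitutes the documentation prefix 203.0.113.0/29 for the masked 70.X.X.x block as an assumption so the addresses parse.

```python
"""Offline checks for an ASA 8.2-style NAT config: a 'global' PAT pool that
overlaps a 'static' mapped address, and whether the ACL applied inbound on
the outside interface permits the mapped host."""
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the posted config. The thread
# masks the public block as 70.X.X.x; 203.0.113.0/29 is substituted here as an
# assumption so that ipaddress can parse the values.
SAMPLE_CONFIG = """\
name 203.0.113.4 SERVER_EXT description Phone Switch
name 10.130.0.10 SERVER_INT description Phone Switch Internal
access-list Outside-Inbound extended permit tcp any host SERVER_EXT eq www
access-list Outside-Inbound extended permit tcp any host SERVER_EXT eq telnet
global (outside) 2 203.0.113.3-203.0.113.6 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) SERVER_EXT SERVER_INT netmask 255.255.255.255
access-group Outside-Inbound in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)-(\S+)")   # range pools only
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) \S+ host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_config(text):
    """Collect name aliases, global pools, static mappings, ACL entries and
    access-group bindings as plain Python structures (aliases left unresolved)."""
    cfg = {"names": {}, "globals": [], "statics": [], "acls": [], "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            cfg["names"][m.group(2)] = m.group(1)                 # alias -> address
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append((m.group(2), m.group(3), m.group(4)))  # (mapped-if, mapped, real)
        elif m := ACL_RE.match(line):
            cfg["acls"].append((m.group(1), m.group(2), m.group(3), m.group(4)))  # (acl, proto, host, port)
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(2)] = m.group(1)                # interface -> inbound ACL
    return cfg


def resolve(cfg, token):
    """Map a 'name' alias back to its address; literal addresses pass through."""
    return cfg["names"].get(token, token)


def find_global_static_overlaps(cfg):
    """Static mapped addresses that also sit inside a dynamic 'global' pool on the
    same interface. A statically mapped address must not be handed out by PAT too."""
    hits = []
    for mapped_if, mapped, _real in cfg["statics"]:
        ip = ipaddress.ip_address(resolve(cfg, mapped))
        for pool_if, pool_id, start, end in cfg["globals"]:
            if pool_if == mapped_if and ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end):
                hits.append((str(ip), pool_if, pool_id))
    return hits


def inbound_ports_for(cfg, mapped_ip, interface="outside"):
    """TCP ports the ACL bound inbound on `interface` permits to `mapped_ip`.
    On 8.2 the interface ACL is written against the mapped (NATed) address."""
    acl_name = cfg["groups"].get(interface)
    return {
        port for acl, proto, host, port in cfg["acls"]
        if acl == acl_name and proto == "tcp" and resolve(cfg, host) == mapped_ip
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ip, intf, pool in find_global_static_overlaps(cfg):
        print(f"static {ip} overlaps global ({intf}) pool {pool}: remove it from the pool, then clear the xlate")
    print("inbound TCP ports permitted to 203.0.113.4:", sorted(inbound_ports_for(cfg, "203.0.113.4")))
```

Against the sample this reports that the static mapped address .4 lies inside global pool 2 on outside, which is the overlap Jon flags, and that the ACL bound inbound on outside permits www and telnet to it. The script only reads a config file; confirming that the stale translation is gone (show xlate after the clear) and watching ACL hit counts still has to be done on the firewall.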