05-08-2013 11:58 AM - edited 03-11-2019 06:40 PM
Hello all,
I am stumped.
Here is my scrubbed config. I hope I didn't leave out anything useful.
interface Vlan100
nameif inside
security-level 100
ip address 10.0.0.1 255.255.0.0
no shutdown
interface Vlan200
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.0
no shutdown
interface Vlan300
nameif voip
security-level 50
ip address 192.168.0.1 255.255.255.0
no shutdown
interface Vlan400
nameif wlan
security-level 50
ip address 172.16.0.1 255.255.255.0
no shutdown
global (outside) 1 interface
global (outside) 2 1.2.3.9
global (outside) 3 1.2.3.10
global (outside) 4 interface
global (voip) 4 interface
global (wlan) 4 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 10.0.0.0 255.255.0.0
nat (voip) 2 192.168.0.0 255.255.255.0
nat (wlan) 3 172.16.0.0 255.255.255.0
nat (inside) 4 10.0.1.0 255.255.255.0
What I am after: I want voip and wlan to be on their own and only be able to go to the internet (with their own external IP) and not talk to each other or inside. The exception is that I want 10.0.1.0/24 (management range) to be able to talk to wlan and voip.
The problem: With the configuration as shown above, I achieve everything I need except that 10.0.1.0/24 reports "portmap translation creation failed for tcp src inside:10.0.1.13/1076 dst outside:1.2.2.2/443" when trying to move through the outside interface (the internet).
If I swap IDs 1 and 4 then 10.0.1.0/24 works perfectly, it can talk to all 3 segments, but the rest of the 10.0.0.0/16 range displays the portmap translation errors in the ASDM real-time log viewer when trying to access the internet (outside interface).
I feel like I am very close to my desired configuration, but I can't figure out how to solve this problem.
ASA5505
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.3(1)
Thanks a bunch for stopping by.
05-08-2013 12:12 PM
Also,
I would personally recommend not configuring Dynamic PAT between your local interfaces, mostly for the sake of having a simple NAT between your local networks.
I would leave the NAT configurations out completely or configure NAT0 between the networks and then use ACLs to control what traffic is allowed from each interface.
You could for example configure
access-list INSIDE-NAT0
access-list INSIDE-NAT0 permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.0.0.0 255.255.0.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
access-list VOIP-NAT0 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VOIP-NAT0 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (voip) 0 access-list VOIP-NAT0
access-list WLAN-NAT0 permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list WLAN-NAT0 permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (wlan) 0 access-list WLAN-NAT0
EDIT: Typos
- Jouni
05-08-2013 12:05 PM
Hi,
I am not 100% sure, but I think if you are going to try to do Dynamic PAT using the "interface" IP address for 2 local networks then you should use the same ID.
Current
global (outside) 1 interface
global (outside) 4 interface
nat (inside) 1 10.0.0.0 255.255.0.0
nat (inside) 4 10.0.1.0 255.255.255.0
New
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.0.0
nat (inside) 1 10.0.1.0 255.255.255.0
I mean changing the ID doesn't alter the situation at all since you were attempting to PAT the LAN networks to the same "interface" IP address anyway.
EDIT: Typo
- Jouni
05-08-2013 12:18 PM
Actually,
It might even be enough to just remove the
global (outside) 4 interface
to enable Internet traffic / translation for the 10.0.1.0/24 network also.
- Jouni
05-08-2013 01:47 PM
Jouni,
Thanks for the tips! Here is what I ended up doing and it seems to be working perfectly!
access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 1.2.3.9
global (outside) 3 1.2.3.10
nat (inside) 0 access-list no_nat
nat (inside) 1 10.0.0.0 255.255.0.0
nat (voip) 2 192.168.0.0 255.255.255.0
nat (wlan) 3 172.16.0.0 255.255.255.0
Thanks for your assistance, I really appreciate it.
05-08-2013 01:51 PM
No problem,
Seems you actually made the NAT configuration simpler, so that might actually be better than what I suggested.
I guess you don't really need NAT0 configurations on each interface as the operation should be bidirectional anyway. And since "inside" now has a NAT0 configuration to the other networks, it should be possible to connect in each direction (provided you want to even allow that on the ACLs).
- Jouni
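To make the thread's two findings concrete, here is a small model of ASA 8.2 nat/global selection written for this page (constructed example, not Cisco code and not the poster's configuration). It encodes the final working config from the last post, plus the original globals, and assumes a simplified lookup: nat 0 access-list exemption first, then the most specific matching nat statement paired with the global of the same ID on the egress interface (the best-match rule is an assumption, as is treating a missing global as "no translation"). The duplicate_interface_pat check flags the pattern Jouni pointed at: two IDs using the same interface address as a PAT pool on one egress interface.

```python
import ipaddress

# Simplified model of ASA 8.2 NAT selection (constructed here, not Cisco code):
# a nat 0 access-list exemption is checked first; otherwise the most specific
# matching nat statement on the ingress interface is paired with the global
# that carries the same ID on the egress interface (best-match is an assumption).
FINAL_NATS = [  # (ingress iface, id, network or None, exemption ACL or None)
    ("inside", 0, None, [("10.0.1.0/24", "192.168.0.0/24"),
                         ("10.0.1.0/24", "172.16.0.0/24")]),
    ("inside", 1, "10.0.0.0/16", None),
    ("voip", 2, "192.168.0.0/24", None),
    ("wlan", 3, "172.16.0.0/24", None),
]
FINAL_GLOBALS = {("outside", 1): "interface",
                 ("outside", 2): "1.2.3.9", ("outside", 3): "1.2.3.10"}
# The original post's globals: ID 1 and ID 4 both use the outside interface address.
ORIGINAL_GLOBALS = {**FINAL_GLOBALS, ("outside", 4): "interface",
                    ("voip", 4): "interface", ("wlan", 4): "interface"}

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def translate(src_if, src_ip, dst_if, dst_ip, nats=FINAL_NATS, globals_=FINAL_GLOBALS):
    """Mapped source ('interface' or an IP), 'exempt' for nat 0, or None if no nat/global pair."""
    best = None
    for iface, nid, net, acl in nats:
        if iface != src_if:
            continue
        if nid == 0 and acl:  # NAT exemption wins before any dynamic rule
            if any(in_net(src_ip, s) and in_net(dst_ip, d) for s, d in acl):
                return "exempt"
            continue
        if net and in_net(src_ip, net):  # keep the longest matching prefix
            plen = ipaddress.ip_network(net).prefixlen
            if best is None or plen > best[0]:
                best = (plen, nid)
    return None if best is None else globals_.get((dst_if, best[1]))

def duplicate_interface_pat(globals_):
    """Egress interfaces where more than one NAT ID uses 'interface' as the PAT pool."""
    ids = {}
    for (iface, nid), pool in globals_.items():
        if pool == "interface":
            ids.setdefault(iface, []).append(nid)
    return {i: sorted(v) for i, v in ids.items() if len(v) > 1}

if __name__ == "__main__":
    print(translate("inside", "10.0.1.13", "outside", "1.2.2.2"))   # interface
    print(translate("inside", "10.0.1.13", "voip", "192.168.0.50"))  # exempt
    print(translate("voip", "192.168.0.50", "wlan", "172.16.0.7"))   # None
    print(duplicate_interface_pat(ORIGINAL_GLOBALS))                 # {'outside': [1, 4]}
```

With the final config the management host reaches the internet via the interface PAT and reaches voip/wlan untranslated, while voip and wlan have no nat/global pair toward each other or toward inside; whether such untranslated flows are then dropped also depends on nat-control and the interface ACLs, which the thread leaves to the reader.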