ASA 5505 changes breaking NAT

macmillan1
Level 1

Hi

We have an ASA 5505 firewall on version 8.2. It currently works fine. We're going through the process of migrating to a new IP range, but when we change the NAT entries, the pings to the public address return the inside IP address!!! Help!!

the current config is

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.06.16 12:09:27 =~=~=~=~=~=~=~=~=~=~=~=

User Access Verification

Password:

Type help or '?' for a list of available commands.

mdspixfirewall> en
Password: ********
mdspixfirewall# sho run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YB.ux8bsS71TJocI encrypted
passwd FOrFfsaVs9oyvPYJ encrypted
hostname mdspixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any host 192.168.220.241 echo
access-list outside_access_in permit icmp any host 192.168.220.241 unreachable
access-list outside_access_in permit icmp any host 192.168.220.241 time-exceeded
access-list outside_access_in permit icmp any host 192.168.220.242 echo
access-list outside_access_in permit icmp any host 192.168.220.242 unreachable
access-list outside_access_in permit icmp any host 192.168.220.242 time-exceeded
access-list outside_access_in permit tcp host 192.168.220.246 host 192.168.220.241 eq telnet
access-list outside_access_in permit tcp host 192.168.220.246 host 192.168.220.242 eq telnet
access-list outside_access_in deny ip any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any echo-reply
access-list inside_access_in permit icmp any any unreachable
access-list inside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
pager lines 24
logging on
logging console debugging
logging monitor alerts
logging trap informational
logging history informational
logging host inside 192.168.222.15
logging host inside 192.168.222.19
mtu outside 1500
mtu inside 1500
ip address outside 192.168.220.254 255.255.255.0
ip address inside 192.168.222.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 192.168.220.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.220.242 194.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.220.241 192.168.20.16 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.222.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 192.168.222.19 trap
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.222.0 255.255.255.0 inside
telnet 172.18.1.0 255.255.255.0 inside
telnet 172.18.0.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.220.61-192.168.220.239 outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable outside
terminal width 80
Cryptochecksum:08b06398fb0e5297c902e135dbc03716
: end
mdspixfirewall# exit

Logoff

I'm trying to change the mapping to show

static (inside,outside) 192.168.220.241 172.18.148.16 netmask 255.255.255.255 0 0

but any ping sent to 192.168.220.241 replies as the 172.18.148.16 address, and pings from the 172 machine get blocked at the firewall with

asymmetric nat rules matched for forward and reverse flows......

any ideas??

thanks

chris

6 Replies

Anu M Chacko
Cisco Employee

Hi Chris,

Could you configure the following?

no static (inside,outside) 192.168.220.241 192.168.20.16 netmask 255.255.255.255 0 0

There are 2 static translations for the same host, which is creating issues when you ping from the 172 host.

Let me know.

Regards,

Anu

P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts.

Hi

Sorry. We did take that out when we did the change. I've now set up a test network where I can replicate the issue. Had to back out the changes to our live environment.

Any other ideas?

Thanks

Chris

Hi Chris,

What version of ASA are you running? Could you post the output of "sh run" from the ASA? Also, how are you verifying that you get replies from the private IP address?

Let me know.

Regards,

Anu

Also, could you add "fixup protocol icmp" and see if it makes any difference?

Let me know.
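The two checks Anu asks for above (a global address claimed by more than one static, and ICMP inspection being absent) can be run mechanically against a pasted PIX 6.x / pre-8.3 ASA config. The script below is an added example, not code from the thread or from Cisco; the BEFORE and AFTER strings are constructed from the NAT-related lines of the posted config, with BEFORE also carrying the replacement static the poster tried as it would look if the old static were left in place. The "inspect icmp" wording in the last finding refers to the MPF equivalent on ASA and is stated as an assumption, since the thread never confirms which platform the final config runs on.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: NAT-related lines of the posted PIX 6.3 config, with the
# poster's replacement static left alongside the original one (both map .241).
BEFORE = """\
fixup protocol dns maximum-length 512
fixup protocol ftp 21
global (outside) 1 192.168.220.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.220.242 194.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.220.241 192.168.20.16 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.220.241 172.18.148.16 netmask 255.255.255.255 0 0
dhcpd address 192.168.220.61-192.168.220.239 outside
"""

# Constructed sample: the same lines after the stale static is removed and
# ICMP inspection is enabled, as suggested in the thread.
AFTER = """\
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol icmp
global (outside) 1 192.168.220.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.220.242 194.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.220.241 172.18.148.16 netmask 255.255.255.255 0 0
dhcpd address 192.168.220.61-192.168.220.239 outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...  (PIX 6.x / ASA pre-8.3 form)
STATIC_RE = re.compile(rf"^static \((\w+),(\w+)\) ({IPV4}) ({IPV4}) netmask")
GLOBAL_RE = re.compile(rf"^global \((\w+)\) \d+ ({IPV4})(?:-({IPV4}))?")
DHCPD_RE = re.compile(rf"^dhcpd address ({IPV4})-({IPV4}) (\w+)")


def parse_statics(config):
    """Return [(mapped_ifc, mapped_ip, real_ip)] for every one-to-one static line."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
            out.append((mapped_ifc, mapped_ip, real_ip))
    return out


def in_range(ip, low, high):
    return ip_address(low) <= ip_address(ip) <= ip_address(high)


def lint_nat(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    statics = parse_statics(config)

    # 1. One mapped (global) address claimed by two real hosts, or one real host
    #    given two mapped addresses on the same interface: the forward and reverse
    #    flows can then match different statics, which is the asymmetric-NAT case.
    by_mapped, by_real = defaultdict(set), defaultdict(set)
    for ifc, mapped, real in statics:
        by_mapped[(ifc, mapped)].add(real)
        by_real[(ifc, real)].add(mapped)
    for (ifc, mapped), reals in sorted(by_mapped.items()):
        if len(reals) > 1:
            findings.append(f"static: {mapped} on {ifc} maps to more than one real host: "
                            + ", ".join(sorted(reals)))
    for (ifc, real), mappeds in sorted(by_real.items()):
        if len(mappeds) > 1:
            findings.append(f"static: real host {real} has more than one mapped address on {ifc}: "
                            + ", ".join(sorted(mappeds)))

    # 2. A static's mapped address must not also be handed out by the global PAT
    #    pool or by the firewall's own DHCP server on the same interface.
    pools = []
    for line in config.splitlines():
        g = GLOBAL_RE.match(line.strip())
        if g:
            pools.append(("global pool", g.group(1), g.group(2), g.group(3) or g.group(2)))
        d = DHCPD_RE.match(line.strip())
        if d:
            low, high, ifc = d.groups()
            pools.append(("dhcpd range", ifc, low, high))
    for ifc, mapped, real in statics:
        for kind, pifc, low, high in pools:
            if pifc == ifc and in_range(mapped, low, high):
                findings.append(f"static: mapped {mapped} for {real} overlaps the {kind} "
                                f"{low}-{high} on {ifc}")

    # 3. Without ICMP inspection, echo request and reply are not tracked as one
    #    connection; the thread suggests enabling it. (On ASA the equivalent is
    #    'inspect icmp' under the global policy; assumption, not from the thread.)
    if not re.search(r"^fixup protocol icmp\b", config, re.M):
        findings.append("no 'fixup protocol icmp' (ASA: 'inspect icmp'): ICMP is not inspected")
    return findings


if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, lint_nat(cfg) or ["clean"])
```

Run it on the two constructed snippets: BEFORE is flagged for the doubled 192.168.220.241 static and the missing ICMP inspection, AFTER is clean. Paste the real "sh run" from the ASA into one of the strings to check the live box the same way.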

Hi

It's a 5505 running version 8.2

The ping test was to ping 192.168.220.241. In the original config it replies as 192.168.220.241, but when we do the change and ping the same ip address, it replies as 172.18.148.16....

I'll try the other thing you recommend and see if it does anything.

I'll also post the entire setup of the network as it is a bit of an odd setup. Can't do it now as I'm on iPhone doing this.

Brief description is that the firewall is there to segment and hide part of our network that has machines in it that we don't manage. The inside and outside ports on the firewall connect back into different VLANs on the same switch. VLAN ACLs stop traffic moving between the two as VLAN routing is enabled. We then have 2 connections into the router for the 2 VLANs to route.

Thanks

You mentioned your ASA 5505 is running 8.2, but the config is from a PIX running 6.3? Can you post the current config from the ASA?

regards,

Prapanch
