08-12-2013 07:52 AM - edited 03-11-2019 07:24 PM
Good morning. I am having some trouble setting up a new ASA 5505. I finished the config and, before I put the ASA into production, I decided to run the packet tracer in the ASDM. The test packets seemed to pass fine through my ACLs; however, they keep getting dropped by NAT, with an error along the lines of "no matching NAT rule available for the connection". I need certain traffic to pass from the DMZ to the INSIDE, and I have some static mappings that open some things on the DMZ up to the internet as well as from the internet to the inside network. According to the packet tracer no traffic will flow anywhere. I have no specific ACL for going from the INSIDE to the DMZ because I expect the implied allow from higher security to lower security to take care of that. I still get a NAT deny on this traffic too, and there should be no NAT between the INSIDE and DMZ. I know I have missed something silly with the NAT but I can't see it. Here is my NAT config.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (perimter) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Exchange-Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Exchange-Server https netmask 255.255.255.255
static (inside,outside) tcp interface 4020 Access-Server 4020 netmask 255.255.255.255
static (perimter,outside) 66.76.12.183 Web-Server netmask 255.255.255.255
And my ACLs too:
access-group outside_access_in_1 in interface outside
access-group perimter_access_in in interface perimter
access-list perimter_access_in extended permit tcp host Web-Server host Access-Server eq 1433
access-list perimter_access_in extended permit udp host Web-Server host Access-Server eq 1434
access-list perimter_access_in extended permit tcp host Web-Server host Domain-Controller eq domain
access-list perimter_access_in extended permit udp host Web-Server host Domain-Controller eq domain
access-list perimter_access_in extended permit tcp host Web-Server host Exchange-Server eq smtp
access-list perimter_access_in extended permit udp host Web-Server host Exchange-Server eq 465
access-list perimter_access_in extended permit tcp host Web-Server host Exchange-Server eq 50389
access-list perimter_access_in extended permit udp host Web-Server host Exchange-Server eq 50389
access-list outside_access_in_1 extended permit tcp any host Web-Server eq www
access-list outside_access_in_1 extended permit tcp any host Web-Server eq https
access-list outside_access_in_1 extended permit tcp any host Web-Server eq smtp
access-list outside_access_in_1 extended permit tcp any host Web-Server eq 465
access-list outside_access_in_1 extended permit tcp any host Web-Server eq 135
access-list outside_access_in_1 extended permit tcp any host Exchange-Server eq www
access-list outside_access_in_1 extended permit tcp any host Exchange-Server eq https
access-list outside_access_in_1 extended permit tcp any host Access-Server eq 4020
08-12-2013 07:58 AM
Hi,
Generally in this case you would configure Static Identity NAT
Format is as follows
static (inside,perimter)
So for example if you "inside" would have network 10.10.10.0/24 you would add
static (inside,perimter) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
For multiple networks you add multiple similar statements.
This should enable the networks connectivity.
I am not, however, sure what your "security-level" values are. You first mention a connection going from DMZ to INSIDE and later INSIDE to DMZ. Naturally only one of those directions is possible without an ACL, unless of course you have "same-security-traffic permit inter-interface" configured and the "security-level" values identical on both interfaces.
Hope this helps
- Jouni
08-12-2013 08:17 AM
Jouni, thanks, I will give that NAT statement a try. Adding this NAT statement (with the proper IP addresses), I assume, will allow traffic that is allowed by ACL to flow either way, DMZ-to-INSIDE and INSIDE-to-DMZ, un-NATed? Or will I need to put a similar NAT statement in for the DMZ interface?
My security interfaces are set with security levels as follows.
Inside 100
perimter 50 (which is the DMZ)
outside 0
I have ACLs that allow traffic to flow from the DMZ to the INSIDE segments as well as the ones needed from the internet.
08-12-2013 08:58 AM
Hi,
I don't think you should need any additional "static" command.
Naturally, after you have issued the needed commands, you can confirm functionality and also use "packet-tracer" to do the same.
You could also probably achieve this with NAT0 / NAT Exempt configuration if you wanted.
- Jouni
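Putting the two replies together (the static identity NAT from the first answer and the NAT0 / NAT exempt alternative from the second), here is an added example of what the inside/perimter configuration and the packet-tracer checks look like. This is not configuration from the thread or from the poster; it uses the pre-8.3 NAT syntax that the posted config already uses, and it does not apply as written to ASA 8.3 and later, where NAT is configured with objects instead. The networks 192.168.1.0/24 (inside) and 192.168.2.0/24 (perimter), and the host addresses used for Web-Server and Access-Server, are assumptions; substitute the real ones. Pick one of the two options for a given pair of networks, not both.

```cisco
! Added example, not from the original thread. Addressing is assumed:
!   inside     = 192.168.1.0/24 (security-level 100)
!   perimter   = 192.168.2.0/24 (security-level 50, the DMZ)
!   Web-Server = 192.168.2.10, Access-Server = 192.168.1.20 (assumed hosts)
!
! Why packet-tracer reports a NAT drop in the posted config: the dynamic
! rule "nat (inside) 1 0.0.0.0 0.0.0.0" matches inside->perimter traffic,
! but the only "global" for pool 1 is on outside, so there is nothing to
! translate to on the perimter side and the packet is dropped at the NAT
! phase. "nat (perimter) 1 0.0.0.0 0.0.0.0" causes the same drop in the
! other direction. Both options below take that traffic out of pool 1.

! --- Option A: static identity NAT between the two interfaces ----------
! A static is bidirectional, so this one line covers inside->perimter and
! perimter->inside; the perimter_access_in ACL still has to permit the
! latter, the former rides on the implicit higher-to-lower permit.
static (inside,perimter) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! --- Option B: NAT exemption (nat 0 with an access-list) ---------------
! Same result, but the access-list spells out exactly which traffic is
! exempt from translation. NAT exemption is also bidirectional.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! --- Checks --------------------------------------------------------------
! NAT changes only affect new connections; clear the translation table so
! a stale entry does not mask the change while you test.
clear xlate

! DMZ -> inside: Web-Server to Access-Server on tcp/1433 (permitted by the
! posted perimter_access_in ACL). Expect "Action: allow" and the identity
! or exempt rule shown in the NAT phase.
packet-tracer input perimter tcp 192.168.2.10 12345 192.168.1.20 1433 detailed

! inside -> DMZ: no ACL needed, relies on the implicit higher-to-lower
! permit; this is the direction that must not be translated either.
packet-tracer input inside tcp 192.168.1.20 12345 192.168.2.10 80 detailed

! Confirm the rules are installed and see which one a flow used.
show nat
show xlate
```

Run the two packet-tracer commands before and after the change: the "before" run shows the NAT phase as the drop reason, the "after" run should show the phase passing and end with "Action: allow". If the inside-to-DMZ test still fails after the NAT fix, check the security-level values on both interfaces, as the first reply notes.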