ASA 5505 NAT rules blocking inside traffic

sonitrollv
Level 1

Previous attempts to set up these NAT rules have been met with minimal success. We have been able to get the NAT rules created and are able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Tracer utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action = deny". Reverse traffic from the workstations to the servers is being allowed, though. In an effort to start over again, the Cisco ASA has been factory-defaulted via the CLI and has had its inside network and outside IP address set back up. A DHCP pool has been set up for a minimal number of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.

[Attachment: OurIBaseSetup (1).png]

Embarq network:               xxx.xxx.180.104
Gateway:                      xxx.xxx.180.105
Subnet mask:                  255.255.255.248
Our static IPs:               xxx.xxx.180.106 to xxx.xxx.180.110
Cisco PIX for VPN tunnels:    xxx.xxx.180.107 outside IP
  used for database servers:  100.1.0.2 inside IP / Gateway 2
Cisco ASA 5505:               xxx.xxx.180.106 outside IP
  all other traffic:          100.1.0.1 inside IP / Gateway 1
Inside network:               100.1.0.0/24
Application server:           100.1.0.115 (uses Gateway 1)
Backup app server:            100.1.0.116 (uses Gateway 1)
Database server:              100.1.0.113 (uses Gateway 2)
Backup DB server:             100.1.0.114 (uses Gateway 2)
Cobox/receiver:               100.1.0.140
Backup Cobox:                 100.1.0.150
Workstation 1:                100.1.0.112
Workstation 2:                100.1.0.111
Network speakers 1-4:         100.1.0.125 to 100.1.0.128
Future workstations:          100.1.0.0/24

1. The Embarq gateway feeds both the Cisco PIX and the Cisco ASA. Both Ciscos feed a Dell switch.
2. All inside network devices at 100.1.0.0/24 are networked into the Dell switch.
3. All workstations/network speakers need to be able to communicate with all four servers and the Cobox/receiver.
4. The database servers have VPN tunnels created in the PIX for clients to be able to log in securely and edit their account info.
5. The app server (100.1.0.115) and backup app server (100.1.0.116) need to have a NAT rule created NAT'ing them to xxx.xxx.180.109.
   A. The xxx.xxx.180.109 NAT rule needs to allow ALL UDP traffic TO and FROM ANY outside IP address.
   B. The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY outside IP address.
6. The Cobox/receiver (100.1.0.140) and backup Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108.
   A. The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY outside IP address, source port 6000 or 9000, to destination port 9000.
   B. The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY outside IP address.
7. Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
8. Current ASA configuration:

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 100.1.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.180.106 255.255.255.248
!
ftp mode passive
same-security-traffic permit intra-interface
! ASDM-generated protocol groups referenced by the access lists below
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object icmp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object icmp
 protocol-object udp
! Access lists: outside_access_in is the only one bound with access-group;
! inside_access_allow is defined but never applied to an interface
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
! Match lists for the policy (access-list based) statics below
access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
! NAT: nat 0 exempts inside-to-inside traffic; the statics are paired in both directions
nat-control
global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
static (inside,outside) xxx.xxx.180.109 access-list inside_nat_static_1
static (outside,inside) 100.1.0.115 access-list outside_nat_static_1
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 100.1.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 100.1.0.5-100.1.0.15 inside
dhcpd dns 71.0.1.211 67.235.59.242 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
call-home reporting anonymous
Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
: end


10 Replies

andrew.prince (Level 10): What license does the ASA5505 have?

sonitrollv: Thank you for your query. I just got into the office. I am going to log in to the ASA and double-check the license.

sonitrollv: OK. Our ASA has a "Base" license.

andrew.prince: How many inside hosts are you licensed for?

andrew.prince (accepted solution): OK, so how many devices on your LAN access the internet and send traffic out to the internet? This should include servers, routers, hosts, etc.

If the number you have is more than 10, that's your issue. You are ONLY licensed for 10 inside hosts; you will need to upgrade your license.

HTH
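The 10-host limit the accepted reply points to can be confirmed from the ASA's own output rather than by counting addresses by hand. The following Python is an added example by the editor, not from the thread: it parses constructed syslog lines in the shape of the ASA `%ASA-4-450001` "licensed host limit exceeded" message and a constructed `show version` excerpt, then reports which inside hosts were refused, how far the posted inventory exceeds the licensed count, and whether any refused flows were inside-to-inside (the symptom the original post describes). The log lines and the `show version` excerpt are constructed for the example and their exact field layout should be checked against the real device; the inventory is the list of static addresses in the post.

```python
import re
from collections import Counter

# Constructed sample input, not captured from the poster's ASA. The first line
# mimics a normal connection build (302015); the rest mimic the 450001
# "licensed host limit exceeded" message an ASA 5505 Base logs once more
# than 10 inside hosts have tried to pass traffic.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 1201 for outside:71.0.1.211/53 (71.0.1.211/53) to inside:100.1.0.115/51234 (xxx.xxx.180.106/51234)
%ASA-4-450001: Deny traffic for protocol 17 src inside:100.1.0.125/5004 dst outside:203.0.113.5/5004, licensed host limit of 10 exceeded
%ASA-4-450001: Deny traffic for protocol 17 src inside:100.1.0.126/5004 dst outside:203.0.113.5/5004, licensed host limit of 10 exceeded
%ASA-4-450001: Deny traffic for protocol 1 src inside:100.1.0.140/0 dst inside:100.1.0.112/0, licensed host limit of 10 exceeded
%ASA-4-450001: Deny traffic for protocol 17 src inside:100.1.0.125/5004 dst outside:203.0.113.5/5004, licensed host limit of 10 exceeded
"""

# Constructed excerpt in the shape of "show version" on a Base-licensed 5505.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
"""

# Inside addresses the original post lists as static (servers, receivers,
# workstations, speakers); the DHCP pool 100.1.0.5-.15 would add more.
POSTED_INVENTORY = [
    "100.1.0.113", "100.1.0.114", "100.1.0.115", "100.1.0.116",
    "100.1.0.140", "100.1.0.150", "100.1.0.111", "100.1.0.112",
    "100.1.0.125", "100.1.0.126", "100.1.0.127", "100.1.0.128",
]

# Field layout assumed from the 450001 message text; verify against real output.
HOST_LIMIT_RE = re.compile(
    r"%ASA-\d-450001: Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/\d+, "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)


def licensed_inside_hosts(show_version_text):
    """Return the 'Inside Hosts' value from show version, or None if Unlimited/absent."""
    m = re.search(r"Inside Hosts\s*:\s*(\d+|Unlimited)", show_version_text)
    if not m or m.group(1) == "Unlimited":
        return None
    return int(m.group(1))


def parse_host_limit_denies(log_text):
    """Extract every 450001 event as a dict with protocol, interfaces, addresses and limit."""
    events = []
    for line in log_text.splitlines():
        m = HOST_LIMIT_RE.search(line)
        if m:
            e = m.groupdict()
            e["proto"] = int(e["proto"])
            e["limit"] = int(e["limit"])
            events.append(e)
    return events


def summarize(log_text, show_version_text, inventory):
    """Combine log, license and inventory into one verdict on the host limit."""
    events = parse_host_limit_denies(log_text)
    denied = Counter(e["src"] for e in events)
    limit = licensed_inside_hosts(show_version_text)
    known = len(set(inventory))
    return {
        "limit": limit,
        "known_inside_hosts": known,
        "over_limit_by": max(0, known - limit) if limit is not None else 0,
        "denied_hosts": dict(denied),
        # src and dst on the same interface means a hairpinned inside-to-inside flow
        "inside_to_inside_denies": sum(1 for e in events if e["src_if"] == e["dst_if"]),
        "license_exceeded": bool(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, SAMPLE_SHOW_VERSION, POSTED_INVENTORY).items():
        print(f"{key}: {value}")
```

On a live box the inputs would come from `show version` and the syslog feed (or `show logging`); a non-empty `denied_hosts` with the limit at 10 is the direct confirmation of the diagnosis, and a non-zero `inside_to_inside_denies` ties it to the server-to-workstation drops in the original post.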

sonitrollv: Ah-ha. OK, I think I see. If we have more than 10 inside IP addresses, then the ASA is only routing traffic for 10 IPs, so...

any other traffic is potentially being ignored or dropped.

Would this affect inside-to-inside traffic also?

andrew.prince: If the ASA is being used as a sort of router in/out of the inside interface, then yes, this would also be affected. The way around that particular issue would be to have a dedicated Layer 3 routing device on your LAN.

HTH

sonitrollv: OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.

In the meantime I will close and rate this post for now so others can get this info also.

If we have any further issues after the upgrade, then I will open a new post.

Thanks again. We knew it was something simple. Not sure how we overlooked that, but hey, we're getting somewhere now.

andrew.prince: No problem, glad to help.

Thank you for the rating.
