ASA 5505 - No Internet Using Static NAT Rules

moises.ruiz
Level 1

I'm trying to configure a second server on my network but whenever I add the static NAT rule, the internet stops working on that computer.

Here's my Cisco ASA configuration:

ASA Version 7.2(3)
!
hostname domain
domain-name domain.ca
enable password M6aAV/2UhVYeSYwL encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.126 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.xx.xx.60 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.226.226 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd M6aAV/2UhVYeSYwL encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain.ca
access-list crypto_acl_10 extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.99.0 255.255.255.224
access-list inbound extended permit tcp any host 69.xx.xx.61 eq www
access-list inbound extended permit tcp any host 69.xx.xx.61 eq https
access-list inbound extended permit tcp any host 69.xx.xx.61 eq smtp
access-list inbound extended permit tcp any host 69.xx.xx.61 eq pop3
access-list inbound extended permit gre any host 69.xx.xx.61
access-list inbound extended permit tcp any host 69.xx.xx.61 eq pptp
access-list inbound extended permit tcp any host 69.xx.xx.58 eq 8080
access-list inbound extended permit tcp any host 69.xx.xx.61 eq ftp
access-list inbound extended permit tcp any host 69.xx.xx.63 eq www
access-list inbound extended permit tcp any host 69.xx.xx.63 eq https
access-list inbound extended permit tcp any host 69.xx.xx.63 eq smtp
access-list inbound extended permit icmp any host 69.xx.xx.63
access-list vpnclient_splitTunnelAcl standard permit 192.168.123.0 255.255.255.0
access-list guest_access_in extended deny ip 192.168.226.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any
access-list guest_access_in extended permit ip any any inactive
access-list guest_access_in extended permit tcp any host 192.168.226.4
access-list guest_access_in extended permit tcp any eq smtp host 192.168.226.4 eq smtp
access-list guest_access_out extended permit ip host 192.168.226.2 host 69.70.178.122
access-list outside_access_out extended permit ip host 69.xx.xx.63 host 69.70.178.122
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered errors
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool remotevpn 192.168.99.10-192.168.99.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any guest
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 69.xx.xx.61 192.168.123.4 netmask 255.255.255.255 dns
static (inside,outside) 69.xx.xx.58 192.168.123.200 netmask 255.255.255.255
static (inside,outside) 69.xx.xx.63 192.168.123.58 netmask 255.255.255.255
access-group inbound in interface outside
access-group guest_access_in in interface guest
route outside 0.0.0.0 0.0.0.0 69.xx.xx.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 64.254.232.224 255.255.255.224 outside
http 69.70.4.112 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address crypto_acl_10
crypto map outside_map 10 set peer 64.254.232.248
crypto map outside_map 10 set transform-set ESP-AES-MD5 ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 64.254.232.224 255.255.255.224 outside
ssh 69.70.4.112 255.255.255.248 outside
ssh 69.70.178.122 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.226.4-192.168.226.100 guest
dhcpd dns 24.200.241.37 interface guest
dhcpd enable guest
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
ntp server 199.212.17.21 source outside
ntp server 199.212.17.22 source outside
ntp server 209.87.233.53 source outside
ntp server 132.246.168.148 source outside
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.123.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient_splitTunnelAcl
 default-domain value domain.local
 split-dns value domain.local
username mmintzberg password 8fAM98BTuTuY/jU2 encrypted
username fross password Ykti5THH7ftFZeWp encrypted
username jsilver password 0VSZ094cAtFEZuxW encrypted
username mgadmin password 3Nrrh9/fcmJrMiH2 encrypted privilege 15
username smintzberg password .RPWyyJt7YbCb94T encrypted
username smintzberg attributes
 vpn-framed-ip-address 192.168.99.22 255.255.255.0
username mruiz password j8Scwuudo9vNlzVa encrypted privilege 15
tunnel-group 64.254.232.248 type ipsec-l2l
tunnel-group 64.254.232.248 ipsec-attributes
 pre-shared-key *
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 address-pool remotevpn
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:ca6a95011ce78d4d850a5127af0d245c
: end

Message was edited by: Moises Ruiz (Updated ASA running configuration)
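As an added audit script (not code from the post or from Cisco), the following Python maps each `static (inside,outside)` translation in the configuration above to the services the `inbound` ACL on the outside interface admits to its public address, run over a constructed excerpt of that configuration; it also tags `any`-destination entries, which reach every static mapping (and the outside interface address) rather than the one host they were written for.

```python
import re

# Constructed excerpt of the ASA 7.2(3) config posted above (public IPs masked as in the post).
ASA_CONFIG = """\
access-list inbound extended permit tcp any host 69.xx.xx.61 eq www
access-list inbound extended permit gre any host 69.xx.xx.61
access-list inbound extended permit tcp any host 69.xx.xx.58 eq 8080
access-list inbound extended permit tcp any host 69.xx.xx.63 eq www
static (inside,outside) 69.xx.xx.61 192.168.123.4 netmask 255.255.255.255 dns
static (inside,outside) 69.xx.xx.58 192.168.123.200 netmask 255.255.255.255
static (inside,outside) 69.xx.xx.63 192.168.123.58 netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [dns]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")


def parse_endpoint(tokens):
    """Consume 'any', 'host X' or 'X mask' plus an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, rest = "any", tokens[1:]
    else:  # 'host X' and 'X mask' are both two tokens wide
        addr = tokens[1] if tokens[0] == "host" else f"{tokens[0]}/{tokens[1]}"
        rest = tokens[2:]
    port, rest = (rest[1], rest[2:]) if rest[:1] == ["eq"] else (None, rest)
    return addr, port, rest  # e.g. ('69.xx.xx.61', 'www', [])


def exposure(config, acl="inbound"):
    """Per inside host behind a static: (proto, port, match) tuples the ACL permits
    to its public IP; match is 'any-dst' for an 'any' destination (hits every static)."""
    statics, entries = {}, []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            if m.group(2) == "outside":
                statics[m.group(3)] = m.group(4)  # public -> inside
        elif (m := ACL_RE.match(line)) and m.group(1) == acl:
            _, action, proto, rest = m.groups()
            _src, _sport, rest = parse_endpoint(rest.split())
            dst, dport, _ = parse_endpoint(rest)
            entries.append((action, proto, dst, dport))
    report = {inside: [] for inside in statics.values()}
    for action, proto, dst, dport in entries:
        targets = list(statics.values()) if dst == "any" else [statics.get(dst)]
        for inside in targets:
            if action == "permit" and inside in report:
                tag = "any-dst" if dst == "any" else "host"
                report[inside].append((proto, dport, tag))
    return report
```

Feeding it the full `show running-config` instead of the excerpt lists, per server, exactly what the outside can reach, which is the first thing to check after adding a new static.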

16 Replies

You mean your command was

static (inside,outside)  69.70.71.72 192.168.123.100 netmask 255.255.255.255 and it did not work?

And you should have similar ACL which should allow http/dns commn. (Or did I miss to see it in your config)

access-list inbound extended permit tcp any any eq www

access-list inbound extended permit tcp any any eq domain

I actually just removed: "Translate the DNS replies that match the translation rule" from the NAT Options in the ASDM and that didn't make a difference.

I do have:

access-list inbound extended permit tcp any host 69.xx.xx.63 eq www

(since my 192.168.123.100 NAT rule points to 69.xx.xx.63)

But I don't have:

access-list inbound extended permit tcp any any eq domain

What is that one for?

I apologize again, but I'm not savvy with Cisco's configuration and commands. I was not the one who configured this environment, and since it's a production environment I don't want to change stuff if I don't fully understand what it is doing, so I appreciate your patience.
