ASA 5508-x Block of 5 public ip's and nat

Marley Brown
Level 1

Hi, I have an ASA 5508-x and have set up the outside interface with the last usable IP from my block of 5. I have set up NAT/PAT for different services using the configured address of the outside interface. My problem is that when I try to use any of the other addresses it doesn't work.

Here is the output from sh xlate and the nat commands; only the outside124 ones don't work, meaning I can't reach the internal source and I don't see a hit on the access rules.

UDP PAT from any:10.4.1.22 8554-8554 to outside:x.x.x.124 8554-8554
    flags sr idle 0:00:53 timeout 0:00:00
TCP PAT from any:10.4.1.22 8000-8000 to outside:x.x.x.124 8000-8000
    flags sr idle 0:00:33 timeout 0:00:00
TCP PAT from any:173.165.198.120/29 80-80 to outside:x.x.x.124 80-80
    flags sr idle 0:00:33 timeout 0:00:00

object network obj_any
 nat (LAN,outside) dynamic interface
object network SECVideo8554
 nat (any,outside) static outside124 service udp 8554 8554
object network Mail
 nat (any,outside) static interface service tcp smtp smtp
object network webserver
 nat (any,outside) static interface service tcp www www
object network websecure
 nat (any,outside) static interface service tcp https https
object network sldap
 nat (any,outside) static interface service tcp ldaps ldaps
object network SECvideo
 nat (any,outside) static outside124 service tcp 8000 8000
object network video
 nat (any,outside) static outside124 service tcp www www

One question I have: does it matter that I am using the last usable IP vs the first? In our old Cisco router it was not a problem.

Any help would be great!

Thanks,

Marley


13 Replies

No, it doesn't matter that you are using the last IP in your allocated subnet.

Have you configured an ACL entry allowing the traffic?

Please run a packet-tracer and see where it gets stopped. Paste the output here if you require help.

packet-tracer input outside tcp 4.2.2.2 12345 <outside124 IP> 80 detail

--

Please remember to select a correct answer and rate helpful posts


Thanks for your reply. I have run it and it shows the packet going thru. That is why I am puzzled and not sure what to do.

Thanks,

Marley

If you issue the command "show nat object outside124" you will see if it is being matched or not. Check the translate hits and untranslate hits counters.

Another thing you could do is packet captures.

capture capout interface outside match ip host <outside test PC IP> host <outside124 IP>

capture capin interface inside match ip host <outside124 private IP> host <outside test PC IP>

show cap capout

show cap capin

If you do not have a test PC on the outside then you can use the "any" keyword.

Once you have this configured, run a test to see if you see traffic in both directions.

If you see traffic going to the inside server on both the outside and inside interfaces but nothing coming back in on the inside interface, then there is either an ACL dropping the return traffic or there is some other routing issue on the inside or return traffic is being dropped somewhere else on the inside.

If you never see any traffic hitting the outside interface then possibly it is being dropped by the outside interface ACL or your ISP has not routed the public IPs correctly... but this is very unlikely.

--

Please remember to select a correct answer and rate helpful posts


I have run packet-tracer and it shows that packets are supposed to go thru. I did not see any traffic in the packet capture. I have done a traceroute to the IP configured on the interface and to the other IPs; all go to the modem, but only the IP configured on the outside interface hits all the way to the ASA.

When I do a ping, only the IP on the outside interface responds.

Thanks

The ASA is ver 9.5(2) so it does NAT then ACL, and the only hits I see on the ACL are from the packet trace. I have called the ISP and they have elevated it to tier 2 but I don't expect much. Anything else I might have missed?

Hello Marley

Can you test pinging the outside124 from the ASA firewall? That is to check that the IP is not being used by anything else on the outside.

Another test you can run is to configure the outside interface with the outside124 IP address, check if you have Internet, and then change the IP address of the outside interface back to its original IP; this is to send a gratuitous ARP and refresh the ARP cache of the ISP.

Hope this helps...

Hi, I did this and was able to get to the Internet.

So if I change the NAT configuration to use the outside interface it all works OK, but the moment I change to the outside124 IP it goes away; packet-tracer says it should go thru.

Not sure what is going on. Do I need a routing statement aside from the default route? To me it just seems like the ASA is not allowing packets in unless the IP is assigned to an interface.

Marley

In case anyone is wondering, I have found the solution. Not sure how this command got issued (no sysopt noproxyarp outside), but once it got removed everything started working.

Thanks to everyone for trying to help.

Marley
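As an added illustration of the fix Marley found (this script is not from the thread or from Cisco), a small Python checker that parses an ASA config excerpt and flags static NAT entries mapped to a non-interface address on an interface where sysopt noproxyarp is set, which is exactly the combination that leaves an address like x.x.x.124 unanswered on the wire. Object and interface names follow the thread; the config excerpt and its addresses are constructed placeholders.

```python
import re

# Constructed ASA config excerpt modelled on this thread; the addresses are
# documentation-range placeholders, not the poster's real ones.
SAMPLE_CONFIG = """
 nameif outside
 ip address 203.0.113.126 255.255.255.248
object network outside124
 host 203.0.113.124
object network SECvideo
 host 10.4.1.22
object network SECvideo
 nat (any,outside) static outside124 service tcp 8000 8000
object network Mail
 nat (any,outside) static interface service tcp smtp smtp
sysopt noproxyarp outside
"""

def parse(config):
    """Collect interface IPs by nameif, host objects, object NATs, noproxyarp interfaces."""
    iface_ips, hosts, nats, noproxy = {}, {}, [], set()
    nameif, obj = None, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"nameif (\S+)", s):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+", s)) and nameif:
            iface_ips[nameif] = m.group(1)
        elif m := re.match(r"object network (\S+)", s):
            obj = m.group(1)
        elif (m := re.match(r"host (\S+)", s)) and obj:
            hosts[obj] = m.group(1)
        elif m := re.match(r"nat \(\S+,(\S+)\) static (\S+)", s):
            nats.append((obj, m.group(1), m.group(2)))   # (object, mapped iface, mapped addr)
        elif m := re.match(r"sysopt noproxyarp (\S+)", s):
            noproxy.add(m.group(1))
    return iface_ips, hosts, nats, noproxy

def find_unanswered_mappings(config):
    """Static NATs mapped to an IP that is not the interface's own address, on an
    interface with proxy ARP disabled: the ASA will not answer ARP for that IP."""
    iface_ips, hosts, nats, noproxy = parse(config)
    findings = []
    for obj, out_if, mapped in nats:
        if mapped == "interface" or out_if not in noproxy:
            continue  # the interface's own IP is always answered
        mapped_ip = hosts.get(mapped, mapped)  # object name -> host IP, else literal
        if mapped_ip != iface_ips.get(out_if):
            findings.append((obj, out_if, mapped_ip))
    return findings
```

Run it over show running-config output; a finding means the ISP's next hop gets no ARP reply for that mapped IP, which matches the symptom that only the interface IP answered ping.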

I did not mean to sound like I was done trying to troubleshoot my problem; any other avenues to look at would be greatly appreciated!

Thanks,

Marley

I am assuming that the public IP being used is in the same subnet as that of the outside interface?

Has the server been configured with the correct subnet mask?

Run the command show nat <outside124 IP>. Do you see any translate / untranslate hits?

If you test from the PC that is using outside124 IP do you see packets in the packet capture?

--

Please remember to select a correct answer and rate helpful posts


Hi, sorry for the long delay but I have not been able to get back to this.

Yes, the public IP is in the same subnet as the one on the outside interface.

When I do the sh nat x.x.x.124 I get "No matching NAT policy found". I get the same response when I use the IP of the outside interface, and I have port forwarding working on it.

Here is the config portion related to NAT again, to see if you see something wrong.

object network obj_any
 subnet 10.4.1.0 255.255.255.0

object network outside124
 host x.x.x.124
object network NETWORK_OBJ_10.4.1.0_24
 subnet 10.4.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_27
 subnet 10.10.10.0 255.255.255.224
object network SECVideo8554
 host 10.4.1.22
object network outside123
 host x.x.x.123
object network PBX
 host 10.4.1.20
object service TFTP
 service udp destination eq tftp
object service SIP
 service udp destination eq sip
object service Port_8000
 service tcp destination eq 8000
object service Port_8554
 service tcp destination eq 8554
object network SECvideo
 host 10.4.1.22
object network Public_network
 subnet x.x.x.120 255.255.255.248
object service 8554
 service udp destination eq 8554
object network video
 host 10.4.1.22
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service rtps tcp-udp
 port-object eq 8554
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
access-list VPN_Client extended permit ip object NETWORK_OBJ_10.10.10.0_27 10.4.1.0 255.255.255.0
access-list fiber_access_in extended permit ip any object NETWORK_OBJ_10.4.1.0_24
access-list ansbacher_splitTunnelAcl standard permit 10.4.1.0 255.255.255.0
access-list ansbacher1_splitTunnelAcl standard permit 10.4.1.0 255.255.255.0
access-list outside_access_in extended permit tcp object mail_filter object dc1 eq ldaps
access-list outside_access_in extended permit tcp object mail_filter object dc1 eq smtp
access-list outside_access_in extended permit tcp any object dc1 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp object Mail_Filter2 object dc1 eq ldaps
access-list outside_access_in extended permit tcp object Mail_Filter2 object dc1 eq smtp
access-list outside_access_in extended permit object Port_8000 any object SECvideo
access-list outside_access_in extended permit object 8554 any object SECVideo8554
access-list outside_access_in extended permit tcp any object video eq www
access-list outside_access_in extended permit ip any object PBX
access-list LAN_access_in extended permit ip any any

arp timeout 14400
arp permit-nonconnected
nat (LAN,outside) source static NETWORK_OBJ_10.4.1.0_24 NETWORK_OBJ_10.4.1.0_24 destination static NETWORK_OBJ_10.10.10.0_27 NETWORK_OBJ_10.10.10.0_27 no-proxy-arp route-lookup
!
object network obj_any
 nat (LAN,outside) dynamic interface
object network SECVideo8554
 nat (any,outside) static outside124 service udp 8554 8554
object network PBX
 nat (any,outside) static outside123 service tcp https https
object network Mail
 nat (any,outside) static interface service tcp smtp smtp
object network webserver
 nat (any,outside) static interface service tcp www www
object network websecure
 nat (any,outside) static interface service tcp https https
object network sldap
 nat (any,outside) static interface service tcp ldaps ldaps
object network SECvideo
 nat (any,outside) static outside124 service tcp 8000 8000
object network video
 nat (any,any) static outside124 service tcp www www
