04-24-2015 06:57 AM - edited 03-11-2019 10:50 PM
All,
I've recently started to configure a NAT'ing policy for a Cisco ASA 5515 (using FirePower) and I have run into some seriously odd issues. Here's the basic scope.
Physical Config:
Single upstream (1 public IP in a /26) link on the ASA; the rest are downstream.
I have multiple public IPs statically being NAT'd to multiple private IPs within the network. They exist in the /26 but do not exist in the configuration of any interfaces.
I want to specifically NAT all outgoing traffic to a single IP as the primary internet drain (again inside the /26 but not on the outgoing interface).
There are two weird things happening:
1. My basic intrinsic NAT for internet drain does not function unless I modify the global_access access list which is not something I want to do.
2. I have my basic NAT set as a static not a dynamic yet it still functions as a dynamic PAT on a single IP.
The 9.4 NAT documentation seems rather confused on how to properly attain this. Does anyone have any suggestions? I'm rather stumped, as based on the documentation my config should not even work.
Thank you,
NOTE I can provide a heavily obfuscated Config.
Just wondering if people have seen this issue. The documentation is rife with contradictions and false leads as to what my issue is.
Thank you,
04-24-2015 03:14 PM
Post the config please?
04-27-2015 08:22 AM
Please NOTE: heavily obfuscated; all public addresses turned to 10.255.
NOTES:
All Internet Traffic unless it's in a static NAT should be translated to
10.255.37.60
Primary Out Interface uses 10.255.37.61
Here is the config
Connected:@ 2015.04.24 - 08:41 - User Levi Pederson
Type help or '?' for a list of available commands.
saasa> en
Password: ********
saasa# show run
: Saved
:
: Serial Number:
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1)
!
hostname saasa
domain-name domain.name
enable password encrypted
password encrypted
names
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.240
!
interface GigabitEthernet0/1
nameif emaildmz
security-level 10
ip address 10.10.3.1 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description "DMZ -2"
nameif asa-dmz
security-level 0
no ip address
!
interface GigabitEthernet0/4
nameif mnetworks-outside
security-level 0
ip address dhcp
!
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address 10.255.37.61 255.255.255.192
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.50.0.10 255.255.255.0
!
boot system disk0:/asa941-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.1.0.4
name-server 10.2.0.4
name-server 10.1.0.55
domain-name domain.name
same-security-traffic permit intra-interface
object network mailgate
host 10.10.3.2
object network HPLJ4300
host 10.2.2.140
object network HPColor-Printer
host 10.2.2.139
object network svpdpc86
host 10.2.2.155
object network svpdpc83
host 10.2.2.156
object network svpdpc84
host 10.2.2.163
object network svpdpc60
host 10.2.2.166
object network pdoff08
host 10.2.0.190
object network svpdpc79
host 10.2.2.118
object network svpdlt25
host 10.2.2.172
object network svpdpc74
host 10.2.2.173
object network svpdpc67
host 10.2.2.174
object network svpdpc27
host 10.2.2.178
object network svpdpc81
host 10.2.2.157
object network HPLJ1320
host 10.2.2.233
object network CableCast
host 10.1.2.124
object network svpdpc78
host 10.2.2.119
object network HPLJ4350
host 10.2.2.191
object network DNSSrv
host 10.1.0.55
object network LaserFiechSrv
host 10.1.0.198
object network emaildmz
host 10.0.1.18
object network glacius
host 10.1.0.165
object network svpdpc45
host 10.2.2.217
object network pdoff06
host 10.2.2.115
object network pdoff01
host 10.2.2.110
object network pdoff03
host 10.2.2.112
object network pdoff02
host 10.2.2.111
object network pdoff05
host 10.2.2.114
object network pdoff04
host 10.2.2.113
object network svpdpc53
host 10.2.2.225
object network ViewSecSrv
host 10.9.0.7
object network svpdpc68
host 10.2.2.228
object network WebTracSrv
host 10.3.0.13
object network WebServer
host 10.1.0.38
object network HPLJ1300n
host 10.2.2.126
object network svpdpc75
host 10.2.2.243
object network HPLJ1320b
host 10.2.0.203
object network svpdpc87
host 10.2.2.167
object network HelpDeskSrv
host 10.1.0.49
object network svpdpc80
host 10.2.2.246
object network svpdpc56
host 10.2.2.190
object network svpdpc64
host 10.2.2.227
object network pdoff07
host 10.2.2.116
object network svpdpc89
host 10.2.2.117
object network FinanceSvr
host 10.1.0.44
object network ENMMailSvr
host 10.51.0.2
object network MailServer
host 10.1.0.20
object network svpdpc85
host 10.2.2.154
object network Source-NAT
host 10.255.37.60
object network Scott-County
host 10.255.27.202
object network county-gcweba
host 156.98.10.33
object network wolfie
host 10.255.27.203
object network ENMNetwork
subnet 10.100.1.0 255.255.255.0
object network access-102-obj-allowed-in
subnet 192.168.100.0 255.255.255.0
description "Allowed Access in to Network 10.0.0.0 255.192.0.0"
object network default-coS-NAT
host 10.255.37.60
object network remote-access-vpn
subnet 192.168.100.0 255.255.255.0
object network VPN-Remote-access
subnet 192.168.100.0 255.255.255.0
object service FirePanel8888
service tcp source eq 8888
object network local-access-01
subnet 10.0.0.0 255.0.0.0
object network AnyConnect-VPN-Pool
subnet 192.168.100.0 255.255.255.0
object network McAfee-SaaS-1st
range Public-1 Public-2
description E-mail Cloud Filtering
object network McAfee-SaaS-2nd
range Public-1 Public-2
description E-mail Cloud Filtering
object network firepanel-public
host 10.255.37.34
object network LaserJet-SO
host 10.2.2.183
object network 10-255-99-27-24
subnet 10.255.27.0 255.255.255.0
object network COS_Source-NAT
subnet 10.0.0.0 255.0.0.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group network ASARemoteNetworks
network-object 10.1.0.0 255.255.252.0
network-object 10.9.0.0 255.255.255.0
network-object 10.51.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 1081
object-group network ENMPD_REMOTE_NETWORK
network-object 10.102.1.0 255.255.255.0
object-group network COS_LOCAL
network-object 10.1.0.0 255.255.252.0
network-object 10.2.0.0 255.255.252.0
network-object 10.51.0.0 255.255.255.0
network-object 10.9.0.0 255.255.255.0
network-object host 156.98.10.33
network-object host 10.255.27.202
network-object host 10.255.27.203
object-group network ENMPW_REMOTE_NETWORK
network-object 10.101.1.0 255.255.255.0
object-group network COS_LOCAL-PW
network-object 10.1.0.0 255.255.252.0
network-object 10.51.0.0 255.255.255.0
network-object 10.9.0.0 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 4172
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq 4172
service-object tcp destination eq 22443
service-object tcp destination eq 8443
object-group network finance-external-hosts
network-object host 108.166.31.220
network-object host 209.198.206.133
network-object host 209.198.206.134
network-object host 209.198.206.135
network-object host 209.198.206.136
object-group network access-102-ogn
network-object 10.10.10.0 255.255.255.0
network-object 10.10.2.0 255.255.254.0
network-object 192.168.100.0 255.255.255.0
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service https-udp udp
port-object eq 443
object-group network McAfee-SaaS
description E-mail Cloud Filtering
network-object object McAfee-SaaS-1st
network-object object McAfee-SaaS-2nd
object-group network firepanel-local-ip
network-object host 10.1.0.61
network-object host 10.3.0.9
network-object host 10.6.2.40
network-object host 10.6.2.41
network-object host 10.7.0.20
network-object host 10.8.0.4
network-object host 10.22.0.10
access-list allow-all standard permit any4
access-list 102 extended permit ip 10.0.0.0 255.248.0.0 10.10.10.0 255.255.255.0
access-list 102 extended permit ip 10.0.0.0 255.248.0.0 10.10.2.0 255.255.254.0
access-list 102 extended permit ip 10.0.0.0 255.192.0.0 192.168.100.0 255.255.255.0
access-list 102 extended permit ip object-group COS_LOCAL object-group ENMPD_REMOTE_NETWORK
access-list 102 extended permit ip object-group COS_LOCAL-PW object-group ENMPW_REMOTE_NETWORK
access-list 102 extended permit ip object-group ASARemoteNetworks host 10.253.253.2
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object mailgate eq smtp
access-list outside_access_in extended permit tcp object-group McAfee-SaaS object MailServer eq smtp
access-list outside_access_in extended permit tcp any object MailServer object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp host 172.16.12.4 10.255.37.0 255.255.255.192
access-list outside_access_in extended permit tcp 208.38.68.128 255.255.255.192 object svpdpc56 eq 9100
access-list outside_access_in extended permit tcp any object CableCast eq www
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any object HPLJ4300 eq 9100
access-list outside_access_in extended permit object-group TCPUDP any object DNSSrv eq domain
access-list outside_access_in extended permit ip 10.255.27.0 255.255.255.0 object HPLJ4350
access-list outside_access_in extended permit ip object 10-255-99-27-24 object LaserJet-SO
access-list outside_access_in extended permit ip 10.255.27.0 255.255.255.0 object HPLJ1300n
access-list outside_access_in extended permit ip 207.7.154.0 255.255.255.0 object glacius
access-list outside_access_in extended permit tcp any object LaserFiechSrv eq www
access-list outside_access_in extended permit tcp any object HPLJ1320 eq 9100
access-list outside_access_in extended permit tcp any object HPLJ1320b eq 9100
access-list outside_access_in extended permit tcp any object HelpDeskSrv eq www
access-list outside_access_in extended permit tcp any object WebTracSrv object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit udp any object WebTracSrv eq www
access-list outside_access_in extended permit udp any object WebTracSrv eq 443
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group finance-external-hosts object FinanceSvr
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 108.166.31.220 object FinanceSvr
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object ViewSecSrv
access-list outside_access_in extended permit icmp any any log disable
access-list outside_access_in remark Elko New Market Mail Server "ENMMAIL"
access-list emaildmz_access_in extended permit tcp host 10.10.3.2 host 10.1.0.20
access-list emaildmz_access_in extended permit ip host 10.10.3.2 host 10.1.0.20
access-list emaildmz_access_in extended permit ip host 10.10.3.2 host 10.1.0.55
access-list emaildmz_access_in extended permit ip host 10.10.3.2 10.0.0.0 255.192.0.0
access-list emaildmz_access_in extended permit ip host 10.10.3.2 any
access-list ENM-Remote_access_in extended permit ip host 10.253.253.2 object-group ASARemoteNetworks
access-list outside_2_cryptomap extended permit ip object-group COS_LOCAL object-group ENMPD_REMOTE_NETWORK
access-list sfr_redirect extended permit ip any any
access-list VPN_NAT extended permit ip 192.168.100.0 255.255.255.0 any
access-list VPN_NAT extended permit ip 10.102.1.0 255.255.255.0 object SC-local
access-list VPN_NAT extended permit ip 10.102.1.0 255.255.255.0 object SC-local-gwca
access-list global-access extended permit ip any any
access-list Tunnel webtype permit tcp 10.0.0.0 255.0.0.0 log default
pager lines 24
logging enable
logging buffer-size 64000
logging buffered notifications
logging asdm informational
mtu inside 1500
mtu emaildmz 1500
mtu asa-dmz 1500
mtu mnetworks-outside 1500
mtu outside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-741.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network mailgate
nat (emaildmz,outside) static 10.255.37.3
object network HPLJ4300
nat (inside,outside) static 10.255.37.33
object network HPColor-Printer
nat (inside,outside) static 10.255.37.37
object network svpdpc86
nat (inside,outside) static 10.255.37.38
object network svpdpc83
nat (inside,outside) static 10.255.37.39
object network svpdpc84
nat (inside,outside) static 10.255.37.44
object network svpdpc60
nat (inside,outside) static 10.255.37.47
object network pdoff08
nat (inside,outside) static 10.255.37.49
object network svpdpc79
nat (inside,outside) static 10.255.37.52
object network svpdlt25
nat (inside,outside) static 10.255.37.53
object network svpdpc74
nat (inside,outside) static 10.255.37.54
object network svpdpc67
nat (inside,outside) static 10.255.37.55
object network svpdpc27
nat (inside,outside) static 10.255.37.59
object network svpdpc81
nat (inside,outside) static 10.255.37.31
object network HPLJ1320
nat (inside,outside) static 10.255.37.48
object network CableCast
nat (inside,outside) static 10.255.37.12
object network svpdpc78
nat (inside,outside) static 10.255.37.24
object network HPLJ4350
nat (inside,outside) static 10.255.37.26
object network DNSSrv
nat (inside,outside) static 10.255.37.27
object network LaserFiechSrv
nat (inside,outside) static 10.255.37.11
object network emaildmz
nat (inside,emaildmz) static 10.0.1.18
object network glacius
nat (inside,outside) static 10.255.37.14
object network svpdpc45
nat (inside,outside) static 10.255.37.6
object network pdoff06
nat (inside,outside) static 10.255.37.16
object network pdoff01
nat (inside,outside) static 10.255.37.18
object network pdoff03
nat (inside,outside) static 10.255.37.19
object network pdoff02
nat (inside,outside) static 10.255.37.28
object network pdoff05
nat (inside,outside) static 10.255.37.29
object network pdoff04
nat (inside,outside) static 10.255.37.40
object network svpdpc53
nat (inside,outside) static 10.255.37.41
object network ViewSecSrv
nat (inside,outside) static 10.255.37.42
object network svpdpc68
nat (inside,outside) static 10.255.37.51
object network WebTracSrv
nat (inside,outside) static 10.255.37.20
object network HPLJ1300n
nat (inside,outside) static 10.255.37.25
object network svpdpc75
nat (inside,outside) static 10.255.37.8
object network HPLJ1320b
nat (inside,outside) static 10.255.37.30
object network svpdpc87
nat (inside,outside) static 10.255.37.5
object network HelpDeskSrv
nat (inside,outside) static 10.255.37.35
object network svpdpc80
nat (inside,outside) static 10.255.37.7
object network svpdpc56
nat (inside,outside) static 10.255.37.9
object network svpdpc64
nat (inside,outside) static 10.255.37.15
object network pdoff07
nat (inside,outside) static 10.255.37.22
object network svpdpc89
nat (inside,outside) static 10.255.37.23
object network FinanceSvr
nat (inside,outside) static 10.255.37.50
object network MailServer
nat (inside,outside) static 10.255.37.2
object network svpdpc85
nat (inside,outside) static 10.255.37.32
object network LaserJet-SO
nat (inside,outside) static 10.255.37.10
!
nat (inside,outside) after-auto source static firepanel-local-ip firepanel-public description "Mapped FirePanel Block 10.255.37.34"
nat (inside,outside) after-auto source static any any destination static VPN-Remote-access VPN-Remote-access
nat (inside,outside) after-auto source static LOCAL_NETWORS-COS destination static ENMPD_REMOTE_NETWORK ENMPD_REMOTE_NETWORK
nat (inside,outside) after-auto source static any Source-NAT
nat (inside,outside) after-auto source dynamic COS_Source-NAT Source-NAT
nat (inside,outside) after-auto source dynamic access-102-ogn default-coS-NAT inactive
nat (outside,inside) after-auto source static AnyConnect-VPN-Pool AnyConnect-VPN-Pool destination static local-access-01 local-access-01
access-group emaildmz_access_in in interface emaildmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.255.37.62 1
route inside 10.0.0.0 255.192.0.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
sysopt noproxyarp inside
sysopt noproxyarp emaildmz
sysopt noproxyarp asa-dmz
sysopt noproxyarp mnetworks-outside
sysopt noproxyarp management
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet Public-2 255.255.255.255 outside
telnet 192.168.10.0 255.255.255.0 management
telnet timeout 10
no ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh public-3 255.255.255.255 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.1.0.50 source inside prefer
!
class-map inspection_default
match default-inspection-traffic
class-map sfr_cm
match access-list sfr_redirect
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class sfr_cm
sfr fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
04-27-2015 08:58 AM
Hi. Where is your PAT rule? I can't seem to find it.
One thing you need to remember is that NAT rules are processed in order, so when you have multiple rules matching a request through the firewall, the first rule that matches will be processed. Why do you have so many static nat rules for printers and other hosts? Which devices do you want to provide internet access to?
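To make the "first matching rule wins" point concrete against the posted config, here is an added toy evaluator (not code from the thread or from Cisco) that walks the ASA NAT table in its evaluation order: Section 1 manual NAT (none in this config), Section 2 object NAT, then Section 3 after-auto manual NAT in configured order. It loads only a constructed subset of the posted (inside,outside) rules; the LOCAL_NETWORS-COS rule is left out because that object is not defined in the posted config.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

ANY = nets("0.0.0.0/0")

# Section 2: object NAT from the posted config (real host -> mapped host).
OBJECT_NAT = [
    ("object HPLJ4300 static 10.255.37.33", nets("10.2.2.140/32")),
    ("object MailServer static 10.255.37.2", nets("10.1.0.20/32")),
]

# Section 3: after-auto manual NAT, in the order it appears in the config.
# Each entry: (description, real sources, destinations, active flag).
AFTER_AUTO = [
    ("static firepanel-local-ip -> firepanel-public",
     nets("10.1.0.61/32", "10.3.0.9/32", "10.6.2.40/32", "10.6.2.41/32",
          "10.7.0.20/32", "10.8.0.4/32", "10.22.0.10/32"), ANY, True),
    ("static any any destination static VPN-Remote-access (identity)",
     ANY, nets("192.168.100.0/24"), True),
    ("static any -> Source-NAT (10.255.37.60)", ANY, ANY, True),
    ("dynamic COS_Source-NAT -> Source-NAT", nets("10.0.0.0/8"), ANY, True),
    ("dynamic access-102-ogn -> default-coS-NAT",
     nets("10.10.10.0/24", "10.10.2.0/23", "192.168.100.0/24"), ANY, False),
]

def _in(addr, networks):
    return any(addr in n for n in networks)

def first_match(src, dst):
    """Description of the first NAT rule matching src -> dst, walking the
    sections in the order the ASA evaluates them (Section 1 is empty here)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for desc, real in OBJECT_NAT:                 # Section 2: object NAT
        if _in(s, real):
            return desc
    for desc, real, dest, active in AFTER_AUTO:   # Section 3: configured order
        if active and _in(s, real) and _in(d, dest):
            return desc
    return "no NAT rule matched"

def shadowed_after_auto():
    """Active after-auto rules that can never win because an earlier active
    rule in the same section already covers their whole source and
    destination set. Returns (shadowed rule, rule that shadows it) pairs."""
    out = []
    for i, (desc, real, dest, active) in enumerate(AFTER_AUTO):
        if not active:
            continue
        for edesc, ereal, edest, eactive in AFTER_AUTO[:i]:
            src_covered = all(any(r.subnet_of(e) for e in ereal) for r in real)
            dst_covered = all(any(d.subnet_of(e) for e in edest) for d in dest)
            if eactive and src_covered and dst_covered:
                out.append((desc, edesc))
                break
    return out
```

Run `first_match("10.1.0.4", "8.8.8.8")` for an inside host with no object NAT: it lands on the `static any -> Source-NAT` rule, and `shadowed_after_auto()` reports that the `dynamic COS_Source-NAT -> Source-NAT` rule behind it can never be reached.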
04-27-2015 08:23 AM
Accidentally Double Posted : deleted
Levi
04-27-2015 08:24 AM
triple posted - Error
Levi