ASA 5515 9.4 NAT Conundrum

artemis88
Level 1

All,

I've recently started to configure a NAT'ing policy for a Cisco ASA 5515 (using FirePOWER) and I have run into some seriously odd issues. Here's the basic scope.

Physical Config:

Single upstream link (one public IP in a /26) on the ASA; the rest are downstream.

 

I have multiple public IPs statically being NAT'd to multiple private IPs within the network. They exist in the /26 but do not exist in the configuration of any interfaces.

I want to specifically NAT all outgoing traffic to a single IP as the primary internet drain (again inside the /26 but not on the outgoing interface).

There are two weird things happening:

1. My basic intrinsic NAT for the internet drain does not function unless I modify the global_access access list, which is not something I want to do.

2. I have my basic NAT set as a static, not a dynamic, yet it still functions as a dynamic PAT on a single IP.

 

The 9.4 NAT documentation seems rather confused on how to properly attain this. Does anyone have any suggestions? I'm rather stumped, as based on the documentation my config should not even work.

 

Thank you,

 

NOTE: I can provide a heavily obfuscated config.

 

Just wondering if people have seen this issue. The documentation is rife with contradictions and false leads as to what my issue is.

Thank you,

5 Replies

Andre Neethling
Level 4

Post the config please?

Please NOTE: heavily obfuscated; all public addresses turned into 10.255.

 

NOTES:

All internet traffic, unless it's in a static NAT, should be translated to 10.255.37.60.

Primary out interface uses 10.255.37.61.

 

Here is the config:

Connected:@ 2015.04.24 - 08:41 - User Levi Pederson
Type help or '?' for a list of available commands.
saasa> en
Password: ********
saasa# show run
: Saved


: Serial Number: 
: Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1) 
!
hostname saasa
domain-name domain.name
enable password encrypted
password encrypted
names
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif emaildmz
 security-level 10
 ip address 10.10.3.1 255.255.255.0 
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description "DMZ -2"
 nameif asa-dmz
 security-level 0
 no ip address
!
interface GigabitEthernet0/4
 nameif mnetworks-outside
 security-level 0
 ip address dhcp 
!
interface GigabitEthernet0/5
 nameif outside
 security-level 0
 ip address 10.255.37.61 255.255.255.192 
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.50.0.10 255.255.255.0 
!
boot system disk0:/asa941-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.0.4
 name-server 10.2.0.4
 name-server 10.1.0.55
 domain-name domain.name
same-security-traffic permit intra-interface
object network mailgate
 host 10.10.3.2
object network HPLJ4300
 host 10.2.2.140
object network HPColor-Printer
 host 10.2.2.139
object network svpdpc86
 host 10.2.2.155
object network svpdpc83
 host 10.2.2.156
object network svpdpc84
 host 10.2.2.163
object network svpdpc60
 host 10.2.2.166
object network pdoff08
 host 10.2.0.190
object network svpdpc79
 host 10.2.2.118
object network svpdlt25
 host 10.2.2.172
object network svpdpc74
 host 10.2.2.173
object network svpdpc67
 host 10.2.2.174
object network svpdpc27
 host 10.2.2.178
object network svpdpc81
 host 10.2.2.157
object network HPLJ1320
 host 10.2.2.233
object network CableCast
 host 10.1.2.124
object network svpdpc78
 host 10.2.2.119
object network HPLJ4350
 host 10.2.2.191
object network DNSSrv
 host 10.1.0.55
object network LaserFiechSrv
 host 10.1.0.198
object network emaildmz
 host 10.0.1.18
object network glacius
 host 10.1.0.165
object network svpdpc45
 host 10.2.2.217
object network pdoff06
 host 10.2.2.115
object network pdoff01
 host 10.2.2.110
object network pdoff03
 host 10.2.2.112
object network pdoff02
 host 10.2.2.111
object network pdoff05
 host 10.2.2.114
object network pdoff04
 host 10.2.2.113
object network svpdpc53
 host 10.2.2.225
object network ViewSecSrv
 host 10.9.0.7
object network svpdpc68
 host 10.2.2.228
object network WebTracSrv
 host 10.3.0.13
object network WebServer
 host 10.1.0.38
object network HPLJ1300n
 host 10.2.2.126
object network svpdpc75
 host 10.2.2.243
object network HPLJ1320b
 host 10.2.0.203
object network svpdpc87
 host 10.2.2.167
object network HelpDeskSrv
 host 10.1.0.49
object network svpdpc80
 host 10.2.2.246
object network svpdpc56
 host 10.2.2.190
object network svpdpc64
 host 10.2.2.227
object network pdoff07
 host 10.2.2.116
object network svpdpc89
 host 10.2.2.117
object network FinanceSvr
 host 10.1.0.44
object network ENMMailSvr
 host 10.51.0.2
object network MailServer
 host 10.1.0.20
object network svpdpc85
 host 10.2.2.154
object network Source-NAT
 host 10.255.37.60
object network Scott-County
 host 10.255.27.202
object network county-gcweba
 host 156.98.10.33
object network wolfie
 host 10.255.27.203
object network ENMNetwork
 subnet 10.100.1.0 255.255.255.0
object network access-102-obj-allowed-in
 subnet 192.168.100.0 255.255.255.0
 description "Allowed Access in to Network 10.0.0.0 255.192.0.0"
object network default-coS-NAT
 host 10.255.37.60
object network remote-access-vpn
 subnet 192.168.100.0 255.255.255.0
object network VPN-Remote-access
 subnet 192.168.100.0 255.255.255.0
object service FirePanel8888
 service tcp source eq 8888 
object network local-access-01
 subnet 10.0.0.0 255.0.0.0
object network AnyConnect-VPN-Pool
 subnet 192.168.100.0 255.255.255.0
object network McAfee-SaaS-1st
 range Public-1 Public-2
 description E-mail Cloud Filtering
object network McAfee-SaaS-2nd
 range Public-1 Public-2
 description E-mail Cloud Filtering
object network firepanel-public
 host 10.255.37.34
object network LaserJet-SO
 host 10.2.2.183
object network 10-255-99-27-24
 subnet 10.255.27.0 255.255.255.0
object network COS_Source-NAT
 subnet 10.0.0.0 255.0.0.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
object-group network ASARemoteNetworks
 network-object 10.1.0.0 255.255.252.0
 network-object 10.9.0.0 255.255.255.0
 network-object 10.51.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq 1081 
object-group network ENMPD_REMOTE_NETWORK
 network-object 10.102.1.0 255.255.255.0
object-group network COS_LOCAL
 network-object 10.1.0.0 255.255.252.0
 network-object 10.2.0.0 255.255.252.0
 network-object 10.51.0.0 255.255.255.0
 network-object 10.9.0.0 255.255.255.0
 network-object host 156.98.10.33
 network-object host 10.255.27.202
 network-object host 10.255.27.203
object-group network ENMPW_REMOTE_NETWORK
 network-object 10.101.1.0 255.255.255.0
object-group network COS_LOCAL-PW
 network-object 10.1.0.0 255.255.252.0
 network-object 10.51.0.0 255.255.255.0
 network-object 10.9.0.0 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_3
 service-object tcp destination eq 4172 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object udp destination eq 4172 
 service-object tcp destination eq 22443 
 service-object tcp destination eq 8443 
object-group network finance-external-hosts
 network-object host 108.166.31.220
 network-object host 209.198.206.133
 network-object host 209.198.206.134
 network-object host 209.198.206.135
 network-object host 209.198.206.136
object-group network access-102-ogn
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.2.0 255.255.254.0
 network-object 192.168.100.0 255.255.255.0
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service https-udp udp
 port-object eq 443
object-group network McAfee-SaaS
 description E-mail Cloud Filtering
 network-object object McAfee-SaaS-1st
 network-object object McAfee-SaaS-2nd
object-group network firepanel-local-ip
 network-object host 10.1.0.61
 network-object host 10.3.0.9
 network-object host 10.6.2.40
 network-object host 10.6.2.41
 network-object host 10.7.0.20
 network-object host 10.8.0.4
 network-object host 10.22.0.10
access-list allow-all standard permit any4 
access-list 102 extended permit ip 10.0.0.0 255.248.0.0 10.10.10.0 255.255.255.0 
access-list 102 extended permit ip 10.0.0.0 255.248.0.0 10.10.2.0 255.255.254.0 
access-list 102 extended permit ip 10.0.0.0 255.192.0.0 192.168.100.0 255.255.255.0 
access-list 102 extended permit ip object-group COS_LOCAL object-group ENMPD_REMOTE_NETWORK 
access-list 102 extended permit ip object-group COS_LOCAL-PW object-group ENMPW_REMOTE_NETWORK 
access-list 102 extended permit ip object-group ASARemoteNetworks host 10.253.253.2 
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any object mailgate eq smtp 
access-list outside_access_in extended permit tcp object-group McAfee-SaaS object MailServer eq smtp 
access-list outside_access_in extended permit tcp any object MailServer object-group DM_INLINE_TCP_3 
access-list outside_access_in extended permit tcp host 172.16.12.4 10.255.37.0 255.255.255.192 
access-list outside_access_in extended permit tcp 208.38.68.128 255.255.255.192 object svpdpc56 eq 9100 
access-list outside_access_in extended permit tcp any object CableCast eq www 
access-list outside_access_in extended permit tcp any any eq pptp 
access-list outside_access_in extended permit gre any any 
access-list outside_access_in extended permit tcp any object HPLJ4300 eq 9100 
access-list outside_access_in extended permit object-group TCPUDP any object DNSSrv eq domain 
access-list outside_access_in extended permit ip 10.255.27.0 255.255.255.0 object HPLJ4350 
access-list outside_access_in extended permit ip object 10-255-99-27-24 object LaserJet-SO 
access-list outside_access_in extended permit ip 10.255.27.0 255.255.255.0 object HPLJ1300n 
access-list outside_access_in extended permit ip 207.7.154.0 255.255.255.0 object glacius 
access-list outside_access_in extended permit tcp any object LaserFiechSrv eq www 
access-list outside_access_in extended permit tcp any object HPLJ1320 eq 9100 
access-list outside_access_in extended permit tcp any object HPLJ1320b eq 9100 
access-list outside_access_in extended permit tcp any object HelpDeskSrv eq www 
access-list outside_access_in extended permit tcp any object WebTracSrv object-group DM_INLINE_TCP_4 
access-list outside_access_in extended permit udp any object WebTracSrv eq www 
access-list outside_access_in extended permit udp any object WebTracSrv eq 443 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group finance-external-hosts object FinanceSvr 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 108.166.31.220 object FinanceSvr 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object ViewSecSrv 
access-list outside_access_in extended permit icmp any any log disable 
access-list outside_access_in remark Elko New Market Mail Server  "ENMMAIL"
access-list emaildmz_access_in extended permit tcp host 10.10.3.2 host 10.1.0.20 
access-list emaildmz_access_in extended permit ip host 10.10.3.2 host 10.1.0.20 
access-list emaildmz_access_in extended permit ip host 10.10.3.2 host 10.1.0.55 
access-list emaildmz_access_in extended permit ip host 10.10.3.2 10.0.0.0 255.192.0.0 
access-list emaildmz_access_in extended permit ip host 10.10.3.2 any 
access-list ENM-Remote_access_in extended permit ip host 10.253.253.2 object-group ASARemoteNetworks 
access-list outside_2_cryptomap extended permit ip object-group COS_LOCAL object-group ENMPD_REMOTE_NETWORK 
access-list sfr_redirect extended permit ip any any 
access-list VPN_NAT extended permit ip 192.168.100.0 255.255.255.0 any 
access-list VPN_NAT extended permit ip 10.102.1.0 255.255.255.0 object SC-local
access-list VPN_NAT extended permit ip 10.102.1.0 255.255.255.0 object SC-local-gwca
access-list global-access extended permit ip any any 
access-list Tunnel webtype permit tcp 10.0.0.0 255.0.0.0 log default
pager lines 24
logging enable
logging buffer-size 64000
logging buffered notifications
logging asdm informational
mtu inside 1500
mtu emaildmz 1500
mtu asa-dmz 1500
mtu mnetworks-outside 1500
mtu outside 1500
mtu management 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-741.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network mailgate
 nat (emaildmz,outside) static 10.255.37.3
object network HPLJ4300
 nat (inside,outside) static 10.255.37.33
object network HPColor-Printer
 nat (inside,outside) static 10.255.37.37
object network svpdpc86
 nat (inside,outside) static 10.255.37.38
object network svpdpc83
 nat (inside,outside) static 10.255.37.39
object network svpdpc84
 nat (inside,outside) static 10.255.37.44
object network svpdpc60
 nat (inside,outside) static 10.255.37.47
object network pdoff08
 nat (inside,outside) static 10.255.37.49
object network svpdpc79
 nat (inside,outside) static 10.255.37.52
object network svpdlt25
 nat (inside,outside) static 10.255.37.53
object network svpdpc74
 nat (inside,outside) static 10.255.37.54
object network svpdpc67
 nat (inside,outside) static 10.255.37.55
object network svpdpc27
 nat (inside,outside) static 10.255.37.59
object network svpdpc81
 nat (inside,outside) static 10.255.37.31
object network HPLJ1320
 nat (inside,outside) static 10.255.37.48
object network CableCast
 nat (inside,outside) static 10.255.37.12
object network svpdpc78
 nat (inside,outside) static 10.255.37.24
object network HPLJ4350
 nat (inside,outside) static 10.255.37.26
object network DNSSrv
 nat (inside,outside) static 10.255.37.27
object network LaserFiechSrv
 nat (inside,outside) static 10.255.37.11
object network emaildmz
 nat (inside,emaildmz) static 10.0.1.18
object network glacius
 nat (inside,outside) static 10.255.37.14
object network svpdpc45
 nat (inside,outside) static 10.255.37.6
object network pdoff06
 nat (inside,outside) static 10.255.37.16
object network pdoff01
 nat (inside,outside) static 10.255.37.18
object network pdoff03
 nat (inside,outside) static 10.255.37.19
object network pdoff02
 nat (inside,outside) static 10.255.37.28
object network pdoff05
 nat (inside,outside) static 10.255.37.29
object network pdoff04
 nat (inside,outside) static 10.255.37.40
object network svpdpc53
 nat (inside,outside) static 10.255.37.41
object network ViewSecSrv
 nat (inside,outside) static 10.255.37.42
object network svpdpc68
 nat (inside,outside) static 10.255.37.51
object network WebTracSrv
 nat (inside,outside) static 10.255.37.20
object network HPLJ1300n
 nat (inside,outside) static 10.255.37.25
object network svpdpc75
 nat (inside,outside) static 10.255.37.8
object network HPLJ1320b
 nat (inside,outside) static 10.255.37.30
object network svpdpc87
 nat (inside,outside) static 10.255.37.5
object network HelpDeskSrv
 nat (inside,outside) static 10.255.37.35
object network svpdpc80
 nat (inside,outside) static 10.255.37.7
object network svpdpc56
 nat (inside,outside) static 10.255.37.9
object network svpdpc64
 nat (inside,outside) static 10.255.37.15
object network pdoff07
 nat (inside,outside) static 10.255.37.22
object network svpdpc89
 nat (inside,outside) static 10.255.37.23
object network FinanceSvr
 nat (inside,outside) static 10.255.37.50
object network MailServer
 nat (inside,outside) static 10.255.37.2
object network svpdpc85
 nat (inside,outside) static 10.255.37.32
object network LaserJet-SO
 nat (inside,outside) static 10.255.37.10
!
nat (inside,outside) after-auto source static firepanel-local-ip firepanel-public description "Mapped FirePanel Block 10.255.37.34"
nat (inside,outside) after-auto source static any any destination static VPN-Remote-access VPN-Remote-access
nat (inside,outside) after-auto source static LOCAL_NETWORS-COS destination static ENMPD_REMOTE_NETWORK ENMPD_REMOTE_NETWORK
nat (inside,outside) after-auto source static any Source-NAT
nat (inside,outside) after-auto source dynamic COS_Source-NAT Source-NAT
nat (inside,outside) after-auto source dynamic access-102-ogn default-coS-NAT inactive
nat (outside,inside) after-auto source static AnyConnect-VPN-Pool AnyConnect-VPN-Pool destination static local-access-01 local-access-01
access-group emaildmz_access_in in interface emaildmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.255.37.62 1
route inside 10.0.0.0 255.192.0.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
sysopt noproxyarp inside
sysopt noproxyarp emaildmz
sysopt noproxyarp asa-dmz
sysopt noproxyarp mnetworks-outside
sysopt noproxyarp management
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet Public-2 255.255.255.255 outside
telnet 192.168.10.0 255.255.255.0 management
telnet timeout 10
no ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh public-3 255.255.255.255 outside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.1.0.50 source inside prefer
!
class-map inspection_default
 match default-inspection-traffic
class-map sfr_cm
 match access-list sfr_redirect
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
 class sfr_cm
  sfr fail-open
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:

Hi. Where is your PAT rule? I can't seem to find it. 

One thing you need to remember is that NAT rules are processed in order, so when you have multiple rules matching a request through the firewall, the first rule that matches will be processed. Why do you have so many static nat rules for printers and other hosts? Which devices do you want to provide internet access to?
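To illustrate the ordering point above, here is a small model of how the ASA 9.x NAT table is walked, applied to a few of the rules from the posted config. This is an added example, not code from the thread or from Cisco; it models only a subset of the rules (the object NAT entries for HPLJ4300, MailServer and DNSSrv plus the two Source-NAT after-auto lines) and ignores destination-based rules.

```python
# Added example (not from the thread or from Cisco): a simplified model of
# ASA NAT evaluation. Order is Section 1 (manual NAT before "after-auto"),
# Section 2 (object/auto NAT: static before dynamic, then fewest real
# addresses first, then by IP, then by object name), Section 3 (manual
# "after-auto" NAT in configured order). The first matching rule wins.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(s):
    return ipaddress.ip_network(s, strict=False)


# Section 2: a subset of the object NAT rules from the posted config
# (name, kind, real addresses, mapped address).
OBJECT_NAT = [
    ("HPLJ4300", "static", net("10.2.2.140/32"), "10.255.37.33"),
    ("MailServer", "static", net("10.1.0.20/32"), "10.255.37.2"),
    ("DNSSrv", "static", net("10.1.0.55/32"), "10.255.37.27"),
]

# Section 3: the two Source-NAT after-auto lines, in configured order.
# COS_Source-NAT is the object "subnet 10.0.0.0 255.0.0.0" from the config.
AFTER_AUTO = [
    ("static any Source-NAT", "static", ANY, "10.255.37.60"),
    ("dynamic COS_Source-NAT Source-NAT", "dynamic", net("10.0.0.0/8"), "10.255.37.60"),
]


def sorted_object_nat(rules):
    """Order Section 2 the way the ASA does: static first, then smallest
    real range, then lowest real IP, then object name."""
    return sorted(rules, key=lambda r: (r[1] != "static", r[2].num_addresses,
                                        int(r[2].network_address), r[0]))


def lookup(src_ip, object_nat=OBJECT_NAT, after_auto=AFTER_AUTO):
    """Return (section, rule name, mapped address) of the first match for
    an inside source address heading to the outside interface."""
    ip = ipaddress.ip_address(src_ip)
    for name, _kind, real, mapped in sorted_object_nat(object_nat):
        if ip in real:
            return (2, name, mapped)
    for name, _kind, real, mapped in after_auto:
        if ip in real:
            return (3, name, mapped)
    return (None, "no NAT", src_ip)


def shadowed_rules(after_auto):
    """Section 3 rules whose real range is fully covered by an earlier rule
    in the same section, so they can never be matched."""
    names = []
    for i, (name, _kind, real, _mapped) in enumerate(after_auto):
        if any(real.subnet_of(prev[2]) for prev in after_auto[:i]):
            names.append(name)
    return names


if __name__ == "__main__":
    print(lookup("10.2.2.140"))   # hits the HPLJ4300 object NAT in Section 2
    print(lookup("10.1.0.100"))   # no object NAT, so Section 3 first match
    print(shadowed_rules(AFTER_AUTO))
```

The dynamic Source-NAT line is reported as shadowed because the static "any" line before it already matches every inside source, which is why no host ever reaches the dynamic rule.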

Accidentally double posted: deleted

Levi

Triple posted: error

 

Levi
