Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3815
Views
0
Helpful
2
Replies

ASA 5515-x Static NAT & PAT

Go to solution
emily00001
Level 1
Level 1

‎02-23-2014 03:13 AM - edited ‎03-11-2019 08:49 PM

I'm trying to set up remote access to some computers behind this firewall without success. The way I tried to set-up remote access is basically covered within the following lines (in this case a test to the snmp server's port 80). Any help or guidance would be appreciated =)

object network centos-snmp

host 10.10.1.10

access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www

object network centos-snmp

nat (inside,outside) static interface service tcp www www

access-group outside-to-centos-snmp in interface outside

ciscoasa# packet-tracer input outside tcp 1.2.3.4 www 10.10.1.10 www

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.10.1.0             255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

This is the configuration I'm currently running with the sensitive information removed from this post:

: Saved

:

ASA Version 9.1(1)

!

hostname ciscoasa

enable password abcd encrypted

passwd abcd encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 1.2.3.4 255.255.255.0

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.1

description Inside Main VLAN

vlan 1

nameif inside

security-level 100

ip address 10.10.1.1 255.255.255.0

!            

interface GigabitEthernet0/1.2

description Inside Guest

vlan 2

nameif guest

security-level 10

ip address 10.10.2.1 255.255.255.0

!

interface GigabitEthernet0/1.3

description Inside Office

vlan 3

nameif office

security-level 30

ip address 10.10.3.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

object network centos-snmp

host 10.10.1.10

object-group network Inside-Networks

network-object 10.10.1.0 255.255.255.0

object-group network Guest-Networks

network-object 10.10.2.0 255.255.255.0

object-group network Office_Inside-Networks

network-object 10.10.3.0 255.255.255.0

access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www

pager lines 24

logging asdm informational

mtu management 1500

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu office 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (guest,outside) source dynamic Guest-Networks interface

nat (office,outside) source dynamic Office_Inside-Networks interface

nat (inside,outside) source dynamic Inside-Networks interface

!

object network centos-snmp

nat (inside,outside) static interface service tcp www www

access-group outside-to-centos-snmp in interface outside

route outside 0.0.0.0 0.0.0.0 1.2.3.4 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable 4443

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

snmp-server host inside 10.10.1.10 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh 10.10.1.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd domain mydomain.com

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcpd address 10.10.2.21-10.10.2.254 guest

dhcpd dns 11.22.33.44 55.66.77.88 interface guest

dhcpd enable guest

!

dhcpd address 10.10.1.21-10.10.1.254 inside

dhcpd dns 11.22.33.44 55.66.77.88 interface inside

dhcpd option 43 hex f1040a0a0102 interface inside

dhcpd enable inside

!

dhcpd address 10.10.3.21-10.10.3.254 office

dhcpd dns 11.22.33.44 55.66.77.88 interface office

dhcpd enable office

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username emily password abcde encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!            

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

password encryption aes

Cryptochecksum:abcde

: end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Veronika Klauzova
Cisco Employee
Cisco Employee

‎02-23-2014 02:36 PM

Hello,

first of all you need to move your PAT entries to after-auto NAT table section:

no nat (inside,outside) source dynamic Inside-Networks interface
no nat (office,outside) source dynamic Office_Inside-Networks interface
no nat (guest,outside) source dynamic Guest-Networks interface







sh run nat


!


object network centos-snmp


 nat (inside,outside) static interface service tcp www www


!


nat (inside,outside) after-auto source dynamic Inside-Networks interface


nat (office,outside) after-auto source dynamic Office_Inside-Networks interface


nat (guest,outside) after-auto source dynamic Guest-Networks interface

NAT table will look like this:

sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static centos-snmp interface   service tcp www www
    translate_hits = 1, untranslate_hits = 2
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic Inside-Networks interface
    translate_hits = 0, untranslate_hits = 0
2 (office) to (outside) source dynamic Office_Inside-Networks interface
    translate_hits = 0, untranslate_hits = 0
3 (guest) to (outside) source dynamic Guest-Networks interface
    translate_hits = 0, untranslate_hits = 0

You can test your configuration with following packet-tracer simulation command. Please keep in mind that 8.8.8.8 is source IP address and source port is random for example 1025 and destination IP address is IP address of your outside interface. Once the traffic will match IP address of your outside interface and destination port 80 traffic will be translated towards your host on inside network 10.10.1.10 and port 80:

packet-tracer input outside tcp 8.8.8.8 1025 1.2.3.4 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network centos-snmp
 nat (inside,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/80 to 10.10.1.10/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-to-centos-snmp in interface outside
access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic Inside-Networks interface
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network centos-snmp
 nat (inside,outside) static interface service tcp www www
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

I hope that it helps. For more information I recommend to read this document:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

Kind regards,

Veronika

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Veronika Klauzova
Cisco Employee
Cisco Employee

‎02-23-2014 02:36 PM

Hello,

first of all you need to move your PAT entries to after-auto NAT table section:

no nat (inside,outside) source dynamic Inside-Networks interface
no nat (office,outside) source dynamic Office_Inside-Networks interface
no nat (guest,outside) source dynamic Guest-Networks interface







sh run nat


!


object network centos-snmp


 nat (inside,outside) static interface service tcp www www


!


nat (inside,outside) after-auto source dynamic Inside-Networks interface


nat (office,outside) after-auto source dynamic Office_Inside-Networks interface


nat (guest,outside) after-auto source dynamic Guest-Networks interface

NAT table will look like this:

sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static centos-snmp interface   service tcp www www
    translate_hits = 1, untranslate_hits = 2
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic Inside-Networks interface
    translate_hits = 0, untranslate_hits = 0
2 (office) to (outside) source dynamic Office_Inside-Networks interface
    translate_hits = 0, untranslate_hits = 0
3 (guest) to (outside) source dynamic Guest-Networks interface
    translate_hits = 0, untranslate_hits = 0

You can test your configuration with following packet-tracer simulation command. Please keep in mind that 8.8.8.8 is source IP address and source port is random for example 1025 and destination IP address is IP address of your outside interface. Once the traffic will match IP address of your outside interface and destination port 80 traffic will be translated towards your host on inside network 10.10.1.10 and port 80:

packet-tracer input outside tcp 8.8.8.8 1025 1.2.3.4 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network centos-snmp
 nat (inside,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/80 to 10.10.1.10/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-to-centos-snmp in interface outside
access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic Inside-Networks interface
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network centos-snmp
 nat (inside,outside) static interface service tcp www www
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

I hope that it helps. For more information I recommend to read this document:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

Kind regards,

Veronika

0 Helpful

Go to solution
emily00001
Level 1
Level 1
In response to Veronika Klauzova

‎02-23-2014 03:55 PM

Thank you Veronika,

This helped, I had attempted to use the after-auto parameter but only on the nat that related directly to the network that the computer was on. Also thank you for clarifying the packet-tracer component of ASA as I had this wrong.

Best regards,

Emily

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card