cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4014
Views
0
Helpful
2
Replies

ASA 5515-x Static NAT & PAT

emily00001
Level 1
Level 1

I'm trying to set up remote access to some computers behind this firewall without success. The way I tried to set-up remote access is basically covered within the following lines (in this case a test to the snmp server's port 80). Any help or guidance would be appreciated =)

object network centos-snmp

host 10.10.1.10

access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www

object network centos-snmp

nat (inside,outside) static interface service tcp www www

access-group outside-to-centos-snmp in interface outside

ciscoasa# packet-tracer input outside tcp 1.2.3.4 www 10.10.1.10 www

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.10.1.0             255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

This is the configuration I'm currently running with the sensitive information removed from this post:

: Saved

:

ASA Version 9.1(1)

!

hostname ciscoasa

enable password abcd encrypted

passwd abcd encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 1.2.3.4 255.255.255.0

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.1

description Inside Main VLAN

vlan 1

nameif inside

security-level 100

ip address 10.10.1.1 255.255.255.0

!            

interface GigabitEthernet0/1.2

description Inside Guest

vlan 2

nameif guest

security-level 10

ip address 10.10.2.1 255.255.255.0

!

interface GigabitEthernet0/1.3

description Inside Office

vlan 3

nameif office

security-level 30

ip address 10.10.3.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa911-smp-k8.bin

ftp mode passive

object network centos-snmp

host 10.10.1.10

object-group network Inside-Networks

network-object 10.10.1.0 255.255.255.0

object-group network Guest-Networks

network-object 10.10.2.0 255.255.255.0

object-group network Office_Inside-Networks

network-object 10.10.3.0 255.255.255.0

access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www

pager lines 24

logging asdm informational

mtu management 1500

mtu outside 1500

mtu guest 1500

mtu inside 1500

mtu office 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (guest,outside) source dynamic Guest-Networks interface

nat (office,outside) source dynamic Office_Inside-Networks interface

nat (inside,outside) source dynamic Inside-Networks interface

!

object network centos-snmp

nat (inside,outside) static interface service tcp www www

access-group outside-to-centos-snmp in interface outside

route outside 0.0.0.0 0.0.0.0 1.2.3.4 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable 4443

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

snmp-server host inside 10.10.1.10 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh 10.10.1.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd domain mydomain.com

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcpd address 10.10.2.21-10.10.2.254 guest

dhcpd dns 11.22.33.44 55.66.77.88 interface guest

dhcpd enable guest

!

dhcpd address 10.10.1.21-10.10.1.254 inside

dhcpd dns 11.22.33.44 55.66.77.88 interface inside

dhcpd option 43 hex f1040a0a0102 interface inside

dhcpd enable inside

!

dhcpd address 10.10.3.21-10.10.3.254 office

dhcpd dns 11.22.33.44 55.66.77.88 interface office

dhcpd enable office

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username emily password abcde encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!            

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

password encryption aes

Cryptochecksum:abcde

: end

1 Accepted Solution

Accepted Solutions

Veronika Klauzova
Cisco Employee
Cisco Employee

Hello,

first of all you need to move your PAT entries to after-auto NAT table section:

no nat (inside,outside) source dynamic Inside-Networks interface

no nat (office,outside) source dynamic Office_Inside-Networks interface

no nat (guest,outside) source dynamic Guest-Networks interface



sh run nat

!

object network centos-snmp

nat (inside,outside) static interface service tcp www www

!

nat (inside,outside) after-auto source dynamic Inside-Networks interface

nat (office,outside) after-auto source dynamic Office_Inside-Networks interface

nat (guest,outside) after-auto source dynamic Guest-Networks interface

NAT table will look like this:

sh nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static centos-snmp interface   service tcp www www

    translate_hits = 1, untranslate_hits = 2

Manual NAT Policies (Section 3)

1 (inside) to (outside) source dynamic Inside-Networks interface

    translate_hits = 0, untranslate_hits = 0

2 (office) to (outside) source dynamic Office_Inside-Networks interface

    translate_hits = 0, untranslate_hits = 0

3 (guest) to (outside) source dynamic Guest-Networks interface

    translate_hits = 0, untranslate_hits = 0

You can test your configuration with following packet-tracer simulation command. Please keep in mind that 8.8.8.8 is source IP address and source port is random for example 1025 and destination IP address is IP address of your outside interface. Once the traffic will match IP address of your outside interface and destination port 80 traffic will be translated towards your host on inside network 10.10.1.10 and port 80:

packet-tracer input outside tcp 8.8.8.8 1025 1.2.3.4 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network centos-snmp

nat (inside,outside) static interface service tcp www www

Additional Information:

NAT divert to egress interface inside

Untranslate 1.2.3.4/80 to 10.10.1.10/80

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside-to-centos-snmp in interface outside

access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) after-auto source dynamic Inside-Networks interface

Additional Information:

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network centos-snmp

nat (inside,outside) static interface service tcp www www

Additional Information:

Phase: 7

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 3, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

I hope that it helps. For more information I recommend to read this document:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

Kind regards,

Veronika

View solution in original post

2 Replies 2

Veronika Klauzova
Cisco Employee
Cisco Employee

Hello,

first of all you need to move your PAT entries to after-auto NAT table section:

no nat (inside,outside) source dynamic Inside-Networks interface

no nat (office,outside) source dynamic Office_Inside-Networks interface

no nat (guest,outside) source dynamic Guest-Networks interface



sh run nat

!

object network centos-snmp

nat (inside,outside) static interface service tcp www www

!

nat (inside,outside) after-auto source dynamic Inside-Networks interface

nat (office,outside) after-auto source dynamic Office_Inside-Networks interface

nat (guest,outside) after-auto source dynamic Guest-Networks interface

NAT table will look like this:

sh nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static centos-snmp interface   service tcp www www

    translate_hits = 1, untranslate_hits = 2

Manual NAT Policies (Section 3)

1 (inside) to (outside) source dynamic Inside-Networks interface

    translate_hits = 0, untranslate_hits = 0

2 (office) to (outside) source dynamic Office_Inside-Networks interface

    translate_hits = 0, untranslate_hits = 0

3 (guest) to (outside) source dynamic Guest-Networks interface

    translate_hits = 0, untranslate_hits = 0

You can test your configuration with following packet-tracer simulation command. Please keep in mind that 8.8.8.8 is source IP address and source port is random for example 1025 and destination IP address is IP address of your outside interface. Once the traffic will match IP address of your outside interface and destination port 80 traffic will be translated towards your host on inside network 10.10.1.10 and port 80:

packet-tracer input outside tcp 8.8.8.8 1025 1.2.3.4 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network centos-snmp

nat (inside,outside) static interface service tcp www www

Additional Information:

NAT divert to egress interface inside

Untranslate 1.2.3.4/80 to 10.10.1.10/80

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside-to-centos-snmp in interface outside

access-list outside-to-centos-snmp extended permit tcp any host 10.10.1.10 eq www

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) after-auto source dynamic Inside-Networks interface

Additional Information:

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network centos-snmp

nat (inside,outside) static interface service tcp www www

Additional Information:

Phase: 7

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 3, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

I hope that it helps. For more information I recommend to read this document:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

Kind regards,

Veronika

Thank you Veronika,

This helped, I had attempted to use the after-auto parameter but only on the nat that related directly to the network that the computer was on. Also thank you for clarifying the packet-tracer component of ASA as I had this wrong.

Best regards,

Emily

Review Cisco Networking for a $25 gift card