
ASA/ACL Issues with new NAT / ACL with IOS 9.1 (1)

torreybrowne
Level 1

I was lucky enough to inherit someone else's mess and I don't even know where to begin on this issue. With old NAT policies this was pretty cut and dry, but even with 2 days of researching and trying several things I am still having the same issue, and I think I have made things worse.

It seems like a simple enough thing to do.

I need ports 80 + 22609 from IP 1.1.1.1 to point to VLAN14 IP address 192.168.117.2 (not working)

I also need ports 443, 3389, and 25 from IP 1.1.1.2 to point to inside address 10.10.10.254 (working)

All VLANs need to talk to each other (working)

All VLANs should have access to the outside interface (not working)

The VPN should also be able to access all VLANs (was working, now not working - does this use port 80?)

I know I have made a mess out of this ASA, can someone lend a hand with this?

A sanitized config is below:


:
ASA Version 9.1(1)
!
hostname ASA
enable password .6P5ImsmKko6/jej encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd .6P5ImsmKko6/jej encrypted
names
ip local pool VPN_POOL 192.168.100.50-192.168.100.100 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,10-14,90,100
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 14
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 100
!
interface Ethernet0/7
switchport access vlan 100
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Vlan10
nameif VLAN10
security-level 100
ip address 192.168.117.1 255.255.255.0
!
interface Vlan11
nameif VLAN11
security-level 100
ip address 192.168.116.1 255.255.255.0
!
interface Vlan14
nameif VLAN14
security-level 100
ip address 192.168.119.1 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DEVICE1
host 192.168.119.3
object network DEVICE2
host 192.168.119.4
object network VLAN10
subnet 192.168.117.0 255.255.255.0
object network VLAN14
subnet 192.168.119.0 255.255.255.0
object network VLAN11
subnet 192.168.116.0 255.255.255.0
object network inside
subnet 10.10.10.0 255.255.255.0
object network internal_lan
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network obj-192.168.116.0
subnet 192.168.116.0 255.255.255.0
object network obj-192.168.117.0
subnet 192.168.117.0 255.255.255.0
object network obj-192.168.119.0
subnet 192.168.119.0 255.255.255.0
object network obj-192.168.119.2-80
object network NETWORK_OBJ_192.168.100.0_25
subnet 192.168.100.0 255.255.255.128
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
object service TCP-3389
service tcp source eq 3389
object network HOST-10.10.10.254-443
host 10.10.10.254
object network HOST-10.10.10.254-3389
host 10.10.10.254
object network HOST-10.10.10.254-25
host 10.10.10.254
object network HOST-192.168.119.2-80
host 192.168.119.2
object network HOST-192.168.119.2-22609
host 192.168.119.2
object network ANY-0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network ANY-0.0.0.0-01
subnet 0.0.0.0 0.0.0.0
object network ANY-0.0.0.0-02
subnet 0.0.0.0 0.0.0.0
object network ANY-0.0.0.0-03
subnet 0.0.0.0 0.0.0.0
object-group service Access_Control tcp
port-object eq 81
object-group service NVR tcp-udp
port-object eq 22609
object-group network Internal
network-object object VLAN14
network-object object VLAN11
network-object object inside
network-object object VLAN10
object-group icmp-type PING
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service SBS_443
service-object tcp destination eq https
object-group service SBS_3389
service-object tcp destination eq 3389
object-group service SBS_25
service-object tcp destination eq smtp
object-group service BL_80
service-object tcp destination eq www
object-group service BL_22609
service-object tcp destination eq 22609
access-list AllNetworks standard permit host 1.1.1.1
access-list CE_11 standard permit host 1.1.1.1
access-list INBOUND extended permit icmp any4 any4 object-group PING
access-list outside_access_in extended permit tcp any4 object DEVICE1 object-group Access_Control
access-list outside_access_in extended permit ip any4 object DEVICE2
access-list capi extended permit icmp any4 any4
access-list Internal standard permit 192.168.117.0 255.255.255.0
access-list Internal standard permit 10.10.10.0 255.255.255.0
access-list Internal standard permit 192.168.116.0 255.255.255.0
access-list Internal standard permit 192.168.119.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list SBS_IN extended permit object-group SBS_443 any object HOST-10.10.10.254-443
access-list SBS_IN extended permit object-group SBS_3389 any object HOST-10.10.10.254-3389
access-list SBS_IN extended permit object-group SBS_25 any object HOST-10.10.10.254-25
access-list SBS_IN extended permit object-group BL_80 any object HOST-192.168.119.2-80
access-list SBS_IN extended permit object-group BL_22609 any object HOST-192.168.119.2-22609
access-list BL_IN extended permit object-group BL_80 any object HOST-192.168.119.2-80
access-list BL_IN extended permit object-group BL_22609 any object HOST-192.168.119.2-22609
access-list BL_IN extended permit object-group SBS_25 any object HOST-10.10.10.254-25
access-list BL_IN extended permit object-group SBS_3389 any object HOST-10.10.10.254-3389
access-list BL_IN extended permit object-group SBS_443 any object HOST-10.10.10.254-443
pager lines 24
logging enable
logging asdm informational
logging mail warnings
mtu inside 1500
mtu outside 1500
mtu VLAN10 1500
mtu VLAN11 1500
mtu VLAN14 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (VLAN11,outside) source static obj-192.168.116.0 obj-192.168.116.0 destination static obj-192.168.100.0 obj-192.168.100.0
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-192.168.100.0 obj-192.168.100.0
nat (VLAN10,outside) source static obj-192.168.117.0 obj-192.168.117.0 destination static obj-192.168.100.0 obj-192.168.100.0
nat (VLAN14,outside) source static obj-192.168.119.0 obj-192.168.119.0 destination static obj-192.168.100.0 obj-192.168.100.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 no-proxy-arp route-lookup
nat (VLAN10,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 no-proxy-arp route-lookup
nat (VLAN14,outside) source dynamic any interface
!
object network HOST-10.10.10.254-443
nat (inside,outside) static 1.1.1.2 service tcp https https
object network HOST-10.10.10.254-3389
nat (inside,outside) static 1.1.1.2 service tcp 3389 3389
object network HOST-10.10.10.254-25
nat (inside,outside) static 1.1.1.2 service tcp smtp smtp
object network HOST-192.168.119.2-80
nat (inside,outside) static 1.1.1.2 service tcp www www
object network HOST-192.168.119.2-22609
nat (inside,outside) static 1.1.1.2 service tcp 22609 22609
object network ANY-0.0.0.0
nat (inside,outside) dynamic interface
object network ANY-0.0.0.0-01
nat (VLAN10,outside) dynamic interface
object network ANY-0.0.0.0-02
nat (VLAN11,outside) dynamic interface
access-group BL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa
crl configure
crypto ca trustpool policy
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
certificate 67583851
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 30
ssh 10.10.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access VLAN10
dhcpd auto_config outside
!
dhcpd address 10.10.10.100-10.10.10.200 inside
dhcpd dns 4.2.2.2 interface inside
!
dhcpd address 192.168.117.100-192.168.117.120 VLAN10
dhcpd dns 8.8.8.8 4.2.2.2 interface VLAN10
dhcpd enable VLAN10
!
dhcpd address 192.168.116.100-192.168.116.120 VLAN11
dhcpd dns 4.2.2.2 interface VLAN11
dhcpd enable VLAN11
!
dhcpd address 192.168.119.150-192.168.119.170 VLAN14
dhcpd dns 8.8.8.8 interface VLAN14
dhcpd enable VLAN14
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
certificate-group-map DefaultCertificateMap 10 AnyConnect
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value Internal
webvpn
  anyconnect profiles value AnyConnect_client_profile type user
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-network-list value Internal
default-domain none
webvpn
  anyconnect profiles value AnyConnect_client_profile type user
username ccccadmin password lFNt1atMgR95AGag encrypted privilege 15
username ccccadmin attributes
vpn-group-policy GroupPolicy_AnyConnect
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
username wwwwadmin password E9pJaZMkOz8i2wTZ encrypted privilege 15
username wwwwadmin attributes
vpn-group-policy GroupPolicy_AnyConnect
webvpn
  anyconnect ask none default anyconnect
tunnel-group DefaultL2LGroup general-attributes
default-group-policy GroupPolicy_AnyConnect
tunnel-group DefaultRAGroup general-attributes
default-group-policy GroupPolicy_AnyConnect
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:12c3dc406eace07ed49bbc59489a19bb
: end

8 Replies

Jouni Forss
VIP Alumni

Hi,

First of all, a couple of observations

The 1.1.1.2 which is working correctly doesn't need to be done in 3 different Static PAT configurations. If you can actually spare the 1.1.1.2 IP for the server 10.10.10.254 alone then you can configure Static NAT and allow the needed ports in the ACL.

You also say that the 1.1.1.1 with the mentioned TCP ports doesn't work. For that there are 3 problems.

  • You have configured the Static PAT using IP 1.1.1.2 instead of the interface IP 1.1.1.1
  • You talk about the IP 192.168.117.2 being from VLAN14 though VLAN14 according to the above is 192.168.119.0/24?
  • You are using "inside" interface as the source interface for the NAT

If I read all of the above configuration needs correctly then your whole NAT configuration could be accomplished with the following:

NAT for VPN Client

object network LAN-VLAN-1
subnet 10.10.10.0 255.255.255.0
object network LAN-VLAN-10
subnet 192.168.117.0 255.255.255.0
object network LAN-VLAN-11
subnet 192.168.116.0 255.255.255.0
object network LAN-VLAN-14
subnet 192.168.119.0 255.255.255.0
object network VPN-POOL
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN-VLAN-1 LAN-VLAN-1 destination static VPN-POOL VPN-POOL
nat (VLAN10,outside) source static LAN-VLAN-10 LAN-VLAN-10 destination static VPN-POOL VPN-POOL
nat (VLAN11,outside) source static LAN-VLAN-11 LAN-VLAN-11 destination static VPN-POOL VPN-POOL
nat (VLAN14,outside) source static LAN-VLAN-14 LAN-VLAN-14 destination static VPN-POOL VPN-POOL

Static NAT and Static PAT configurations

object network STATIC-1.1.1.2
host 10.10.10.254
nat (inside,outside) static 1.1.1.2 dns
object network STATIC-PAT-INTERFACE-TCP80
host 192.168.117.2
nat (VLAN10,outside) static interface service tcp 80 80
object network STATIC-PAT-INTERFACE-TCP22609
host 192.168.117.2
nat (VLAN10,outside) static interface service tcp 22609 22609
access-list OUTSIDE-IN remark Server 10.10.10.254
access-list OUTSIDE-IN permit tcp any object STATIC-1.1.1.2 eq 25
access-list OUTSIDE-IN permit tcp any object STATIC-1.1.1.2 eq 443
access-list OUTSIDE-IN permit tcp any object STATIC-1.1.1.2 eq 3389
access-list OUTSIDE-IN remark Server 192.168.117.2
access-list OUTSIDE-IN permit tcp any object STATIC-PAT-INTERFACE-TCP80 eq 80
access-list OUTSIDE-IN permit tcp any object STATIC-PAT-INTERFACE-TCP22609 eq 22609
access-group OUTSIDE-IN in interface outside

Default PAT for all networks for Internet Traffic

object-group network DEFAULT-PAT-SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 192.168.116.0 255.255.255.0
network-object 192.168.117.0 255.255.255.0
network-object 192.168.119.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

If you want to try the above configuration then you MUST first delete all the existing NAT configurations. Of course I can't guarantee all will work, but it should.

Please also comment on the notes I made at the start about some of the information that doesn't match related to the Static NAT and Static PAT configurations. Especially, what is the correct source IP/interface for the NAT that is not working?

I wrote a document for the Security forums of CSC a couple of days ago. It should give you the basic theory and configuration formats for the 8.3+ software. (Though I plan to expand it in the future.)

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps. Please rate if so and ask more questions if needed.

- Jouni
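As an added check (my own Python, not code from the thread or from Cisco): a small linter that encodes Jouni's third observation, that an object NAT must be written on the interface through which the real host is actually reached, together with two exposures visible in the configs posted in this thread, management access from any outside host and an inbound outside ACL that permits ip any any. The config excerpts are constructed from the posted configs; hosts reached through a static route out of an interface count as reachable, and addressing is assumed to be static.

```python
"""Added example, not from the thread: a small linter for the ASA 8.3+ NAT and
access-control mistakes discussed above, run over constructed config excerpts."""
import ipaddress
import re

# Constructed excerpt modelled on the first post's config, before Jouni's fix.
ASA_5505_EXCERPT = """\
interface Vlan1
nameif inside
ip address 10.10.10.1 255.255.255.0
interface Vlan14
nameif VLAN14
ip address 192.168.119.1 255.255.255.0
object network HOST-10.10.10.254-443
host 10.10.10.254
object network HOST-192.168.119.2-80
host 192.168.119.2
!
object network HOST-10.10.10.254-443
nat (inside,outside) static 1.1.1.2 service tcp https https
object network HOST-192.168.119.2-80
nat (inside,outside) static 1.1.1.2 service tcp www www
access-group BL_IN in interface outside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Constructed excerpt modelled on the later ASA 5512-X post (mail server behind a router).
ASA_5512_EXCERPT = """\
interface GigabitEthernet0/2
nameif inside
ip address 192.168.2.1 255.255.255.252
object network MAILSERVER-SMTP
host 192.169.37.1
object network MAILSERVER-SMTP
nat (inside,outside) static 62.24.114.30 service tcp smtp smtp
access-list INCOMING extended permit ip any any
access-group INCOMING in interface outside
route inside 192.168.37.0 255.255.255.0 192.168.2.2 1
"""


def interface_networks(cfg):
    """nameif -> IPv4 networks reachable via it: connected subnet plus non-default static routes."""
    nets, nameif = {}, None
    for s in (line.strip() for line in cfg.splitlines()):
        parts = s.split()
        if s.startswith("interface "):
            nameif = None
        elif s.startswith("nameif "):
            nameif = parts[1]
            nets.setdefault(nameif, [])
        elif s.startswith("ip address ") and nameif and len(parts) >= 4:
            nets[nameif].append(ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False))
        elif s.startswith("route ") and parts[2:4] != ["0.0.0.0", "0.0.0.0"]:
            nets.setdefault(parts[1], []).append(
                ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False))
    return nets


def object_nats(cfg):
    """(object, real address, real interface, mapped interface) for each object NAT rule."""
    addrs, rules, cur = {}, [], None
    for s in (line.strip() for line in cfg.splitlines()):
        if s.startswith("object network "):
            cur = s.split()[2]          # ASA lets an object be re-entered to add its NAT
        elif cur and s.startswith("host "):
            addrs[cur] = ipaddress.ip_network(s.split()[1])
        elif cur and s.startswith("subnet "):
            addrs[cur] = ipaddress.ip_network("/".join(s.split()[1:3]), strict=False)
        elif cur and s.startswith("nat ("):
            rules.append((cur, *re.match(r"nat \(([^,]+),([^)]+)\)", s).groups()))
        else:
            cur = None                  # any other line leaves object sub-mode
    return [(obj, addrs.get(obj), real_ifc, mapped_ifc) for obj, real_ifc, mapped_ifc in rules]


def check_config(cfg):
    """Return one finding string per problem; an empty list means the checks passed."""
    nets, findings = interface_networks(cfg), []
    # 1. Object NAT whose real interface cannot reach the real host (Jouni's third point).
    for obj, real, real_ifc, _ in object_nats(cfg):
        if real and not any(real.subnet_of(n) for n in nets.get(real_ifc, [])):
            findings.append(f"{obj}: real address {real} is not reachable via '{real_ifc}'")
    # 2. Device management (ssh/http/telnet) opened to every host on the outside interface.
    for s in (line.strip() for line in cfg.splitlines()):
        if re.match(r"(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside$", s):
            findings.append(f"management open to any source on outside: '{s}'")
    # 3. An inbound ACL on outside that permits everything, making the port rules moot.
    for acl in set(re.findall(r"access-group (\S+) in interface outside", cfg)):
        if re.search(rf"^access-list {re.escape(acl)} extended permit ip any any$", cfg, re.M):
            findings.append(f"ACL {acl} on outside permits ip any any")
    return findings
```

Run against the later ASA 5512-X excerpt it also surfaces that the mail-server object uses 192.169.37.1 while the only route on inside is for 192.168.37.0/24.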

Also,

I think you are missing one line of configuration from the VPN group-policy:

group-policy GroupPolicy_AnyConnect attributes
split-tunnel-policy tunnelspecified

- Jouni

Hi all, I have a problem with an ASA 5512-X. I have tried to configure port forwarding using static PAT to send mail but have not succeeded. HERE IS MY CONFIG:

ASA Version 9.1(1)
!
hostname ciscoasa

names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.3164
 vlan 3164
 nameif outside
 security-level 0
 ip address 212.49.66.201 255.255.255.252
!
interface GigabitEthernet0/1
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.252
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.20.30.40 255.0.0.0
!
ftp mode passive
object network OBDATA
 subnet 192.168.37.0 255.255.255.0
object network OBVOICE
 subnet 172.16.50.0 255.255.255.0

object network MAILSERVER-PRIVATE
 host 192.169.37.1
object network MAILSERVER-SMTP
 host 192.169.37.1
object network MAILSERVER-POP3
 host 192.169.37.1
object network MAILSERVER-LOTUSNOTES
 host 192.169.37.1
object network MAILSERVER-8088
 host 192.169.37.1
object network MAILSERVER-WWW
 host 192.169.37.1
object network MAILSERVER-PUBLIC
 host 62.24.114.30
object-group network INSIDEHOSTS
 network-object object OBDATA
 network-object object OBVOICE
access-list INCOMING extended permit tcp any object MAILSERVER-SMTP eq smtp
access-list INCOMING extended permit tcp any object MAILSERVER-POP3 eq pop3
access-list INCOMING extended permit tcp any object MAILSERVER-LOTUSNOTES eq lotusnotes
access-list INCOMING extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network MAILSERVER-PRIVATE
 nat (inside,outside) dynamic MAILSERVER-PUBLIC
object network MAILSERVER-SMTP
 nat (inside,outside) static 62.24.114.30 service tcp smtp smtp
object network MAILSERVER-POP3
 nat (inside,outside) static 62.24.114.30 service tcp pop3 pop3
object network MAILSERVER-LOTUSNOTES
 nat (inside,outside) static 62.24.114.30 service tcp lotusnotes lotusnotes
!
nat (inside,outside) after-auto source dynamic any MAILSERVER-PUBLIC
access-group INCOMING in interface outside
route outside 0.0.0.0 0.0.0.0 212.49.66.202 1
route inside 172.16.50.0 255.255.255.0 192.168.2.2 1
route inside 192.168.37.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
client-update enable
telnet timeout 5
ssh 192.168.40.0 255.255.255.0 management
ssh timeout 20
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4bb5d1b8e367d5585bd19ba8636e64b9
: end

 

Hi Jouni,

I've got the same issue: simply PAT from OUTSIDE to INSIDE does not work on my ASA 5512-X on 9.1(1).

I'm trying to give my outside interface (DHCP with setroute) the kick from outside on 443 towards a LAN device (HTTPS webserver), and it does not work the way I wanted, showing no connections from outside my networks.

I've made all as above and still no go. Do I need to make double NAT to make it work on 9.1?

Here is what I've got at the moment:

object network XXX
host 1.2.3.4
object network XXX
nat (inside,outside) static interface service tcp https https

object network lan
subnet 1.2.3.0 255.255.255.0
nat (inside,outside) dynamic interface

Does it overlap in some sense that I've got the whole LAN coming OUT via the same OUTSIDE interface on which ultimately I'm going to share from outside the 443 down towards the 1.2.3.4 host? How to make the best conf. on that matter? Can you help?

I'm doing 9.1 for the first time and this new redesigned NAT drives me crazy, as I just wanted to PUBLISH one host from my INSIDE to the OUTSIDE world via HTTPS. That's all I need.

Cheers

Jerrt

torreybrowne
Level 1

Thank you, I mistyped the IP address 192.168.117.2; it is actually supposed to be 192.168.19.2.

I cannot thank you enough, I will work on this right now and get right back to you!!!

Hi,

Just in case, the corrected version of my above NAT configurations. Bolded the changes.

object network LAN-VLAN-1
subnet 10.10.10.0 255.255.255.0
object network LAN-VLAN-10
subnet 192.168.117.0 255.255.255.0
object network LAN-VLAN-11
subnet 192.168.116.0 255.255.255.0
object network LAN-VLAN-14
subnet 192.168.119.0 255.255.255.0
object network VPN-POOL
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN-VLAN-1 LAN-VLAN-1 destination static VPN-POOL VPN-POOL
nat (VLAN10,outside) source static LAN-VLAN-10 LAN-VLAN-10 destination static VPN-POOL VPN-POOL
nat (VLAN11,outside) source static LAN-VLAN-11 LAN-VLAN-11 destination static VPN-POOL VPN-POOL
nat (VLAN14,outside) source static LAN-VLAN-14 LAN-VLAN-14 destination static VPN-POOL VPN-POOL

object network STATIC-1.1.1.2
host 10.10.10.254
nat (inside,outside) static 1.1.1.2 dns
object network STATIC-PAT-INTERFACE-TCP80
host 192.168.119.2
nat (VLAN14,outside) static interface service tcp 80 80
object network STATIC-PAT-INTERFACE-TCP22609
host 192.168.119.2
nat (VLAN14,outside) static interface service tcp 22609 22609

object-group network DEFAULT-PAT-SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 192.168.116.0 255.255.255.0
network-object 192.168.117.0 255.255.255.0
network-object 192.168.119.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

- Jouni

torreybrowne
Level 1

Jouni, if I could give you a million stars I would. I cannot believe that you fixed every issue in one shot. I am in shock...that was/is amazing. Everything is working and, what is better, it all makes sense to me as well. I guess even after reading everything I read, it took someone like you to break it down for me. I cannot thank you enough!!!!!

Glad to help and to hear everything is working OK now.

Current rating and marking the question as answered is enough.

- Jouni
