ASA NAT Issue

bboston85
Level 1

I hope someone can point me in the correct direction here.

I have a client that needs 4 machines with static internal addresses. He is using a remote filtering service that filters by public IP. I have set the proper NAT and Global statements I believe. The unfiltered and filtered machines are all on the same /24 subnet so I setup object-group lists with individual ip ranges for filtered and unfiltered and then created access-lists that are mapped via the NAT statements. Basically, I need client IP's 192.168.1.1-35 to be on one public IP and clients 192.168.1.130-140 on a separate public IP.

After setting all that up I get a SYN Timeout statement in the logs, it looks to me as if the traffic gets out but does not route back in. The second public IP I am using is available and points through our perimeter router so there is no issue there.

Do I need a static statement to translate the secondary IP in to the public side?

Thanks,

Bryan.

18 Replies

Bryan,

If you need outbound access for those devices then you use nat/global.

ie.

nat (inside) 1 First_Range MASK
global (outside) 1 PUBLIC_IP_1
nat (inside) 2 Second_Range MASK
global (outside) 2 PUBLIC_IP_2

In the above example, the First_Range private IPs will be translated to PUBLIC_IP_1

The second range will be translated to PUBLIC_IP_2

On the other hand if you need inbound access, you require a STATIC NAT.

Static NAT is bidirectional so it will work both inbound/outbound.

You can use Port Redirection in the static NAT to translate a range of private IPs to a single public IP and vice versa.

For inbound access, an ACL allowing the traffic is required as well.

Hope it helps.


Federico.
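A worked version of the nat/global pattern above, added here as an example (not configuration from the thread): it uses pre-8.3 ASA policy NAT so that the filtered hosts, which share one /24 with everyone else, are matched by an ACL and leave on a second public address. The public addresses, object and ACL names are placeholders; the .128/28 subnet is an approximation of the .130-.140 group and the verification commands assume a reachable test destination.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (nat/global), as in the post.
! Placeholder addresses: 203.0.113.10 = PUBLIC_IP_1 (default), 203.0.113.11 = PUBLIC_IP_2
object-group network FILTERED_HOSTS
 description Hosts that must leave on PUBLIC_IP_2 (the filtering service keys on source IP)
 network-object 192.168.1.128 255.255.255.240
! .128/28 covers .128-.143; use host entries instead to match the exact .130-.140 set, e.g.
! network-object host 192.168.1.130

! Policy NAT: hosts matched by the ACL are tied to NAT id 2 and its own global address
access-list FILTERED_NAT extended permit ip object-group FILTERED_HOSTS any
nat (inside) 2 access-list FILTERED_NAT
global (outside) 2 203.0.113.11

! Everyone else on the /24 uses NAT id 1 and the default public address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.10

! Order matters: the ASA evaluates policy NAT (nat id access-list) before regular
! dynamic NAT, so the .128/28 hosts hit id 2 even though they also fall inside the /24 of id 1.

! Verification 1: ask the ASA which translation a filtered host would get, without sending traffic.
! The NAT phase of the output should reference the id 2 statement and the result should be allow.
packet-tracer input inside tcp 192.168.1.130 40000 198.51.100.1 80

! Verification 2: after a real connection from .130, the xlate must show the PUBLIC_IP_2 side
show xlate | include 192.168.1.130
```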

Thank you for your quick response Federico.

The example that you displayed is essentially what I have, except for the ACL. How would I write that to reference the secondary public IP?

Thanks again,

Bryan.

Bryan,

You need to check if there's an ACL already applied in the inbound direction on the outside interface:

sh run access-group

Let's say the name of the ACL is OUTSIDE (or create a new ACL).

access-list OUTSIDE permit tcp any host PUBLIC_IP_2 eq 80
access-list OUTSIDE permit tcp any host PUBLIC_IP_2 eq 25
...
access-group OUTSIDE in interface outside

The above ACL allows incoming TCP traffic from any source (Internet) to PUBLIC_IP_2 for web traffic and SMTP.

Federico.

Thanks again Federico,

I will take a look at this in the morning. As I recall, there was not an inbound ACL present. I feel better about this since I have some sort of heading now.

Just to be sure, adding that ACL will not open up free access from the outside world without having a static entry in place correct?

Thanks,

Bryan.

Well.....

Creating an ACL (and applying it inbound on the outside interface), allows for inbound traffic (whatever traffic allowed on the ACL).

Remember there's an implicit deny any at the end (anything not explicitly permitted is denied).

In order to be able to initiate inbound traffic, besides the ACL a static NAT is required. So one would think that if not having static NAT, then no traffic could enter the ASA.... BUT...

There are other methods, ie NAT 0 with ACL also allows traffic from outside-to-inside.

In short, in normal circumstances, the fact of creating an ACL without static NAT should not be a problem, but I will strongly recommend against that and instead just permit the desired traffic in the ACL (no more).

Hope it helps.


Federico.

Great. Thank you very much! This helped tremendously. Unlike a normal everyday forum, the CSC forums are almost like an instant help line for those of us still learning this Cisco stuff.

Thanks.

Bryan,

Thanks for the kind words, I honestly believe this is the best forum/community out there ;p

And believe me... we are all still learning :-)

If you found this one helpful please mark it as answered and rate it!

Thank you!

Federico.

Will do. I'm on my Blackberry at the moment, but will do that as soon as I get a chance.

Ok, unfortunately, no go on this. For testing purposes I created a NAT entry for a single host. I also have created a corresponding global entry as seen below:

nat (inside) 2 client_ip 255.255.255.255
global (outside) 2 public_ip netmask 255.255.255.224

It seems the traffic is going out of the ASA just fine, but it does not get back in for some reason or another. After checking the logs I see the connection build messages and a few teardown messages with "SYN Timeout" at the end about 30 seconds after the original translation entry is built.

I believe the NAT-ting is working fine from seeing this since the ASA looks to be expecting a response. My question is, would the issue be an ACL problem with my ASA, or with my ISP's router (which is the next hop) maybe not having this IP routed to us? I have left a message with our ISP contact already so I am hoping the issue may be on their side.

I don't feel the issue could be with an ACL because I do not get any "connection denied" messages in the debug logging.

Any more help is greatly appreciated!

Thanks,

Bryan.

Bryan,

If you see the traffic going out, NATing is working, and the SYN timeout indicates that there's no response from the outside host.

It sounds like traffic is going out but no reply is received.

This is not a problem with the ACL, because the ACL applied to the outside interface only checks inbound traffic (not replies for traffic originated from inside).

In other words, the outside ACL only checks inbound traffic initiated from the outside coming inside the ASA.

Questions:

Can you actually PING the outside host from the internal device? Or from the ASA?

Perhaps this outside device is just not responding to your requests.


Federico.

Sorry, I forgot the meaning of the term stateful firewall. Ha ha.

I am able to ping any internet host from the client that is being NAT-ted. The issue I am having is while trying to browse to a website, e.g. whatismyip.com to see if the NAT is working, or even just Google or Yahoo. No matter what website I go to, the page will not come up since there is no communication back from the server side.

So, the host definitely gets to the internet (PING), the problem is just opening a web page (any page)?

This could be a DNS issue... can you check "nslookup cisco.com" from the PC to make sure the DNS resolves correctly?

Can you set the DNS to 4.2.2.2 as a test?

What about opening a browser to: http://198.133.219.25 (should get cisco.com)

Federico.

Nope, I tried pointing to sites via IP address and using nslookup and was still not getting a response. From EVERYTHING I have read online and in Cisco documentation, the NAT and Global entries are all I should need to make the outgoing/public IP address different than the standard Global pool. I have seen the Static command used also and have tried that also on a single host with the same response, or lack thereof.

Assuming this is correct, my issue would most likely lie with the routing being done ahead of me based on the fact that I do not get a response from the distant host. Correct, or am I missing something?

Thanks again Federico, you are helping keep another IT colleague sane for 1 more day.

I also forgot to mention one thing. If I set the ASA's outside interface vlan IP to the IP I am trying to nat the inside client to, I cannot pass traffic. I would again assume the issue is down the line from me from this observation.
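A way to settle the "goes out, never comes back" question that the thread leaves open, added here as an example (not commands from the thread): capture on the outside interface and see whether replies for the secondary public address ever reach the ASA. Placeholder addresses: 203.0.113.11 is the secondary public IP, 192.168.1.130 the test client; the capture name is arbitrary.

```cisco
! Added example, not from the thread. Isolates the fault to the ASA or to the upstream path.
! 1. Record every packet to or from the secondary public IP on the outside wire
capture CAP_OUT interface outside match ip host 203.0.113.11 any

! 2. From the test client, open a TCP connection to a known-good web server, then inspect
show capture CAP_OUT
! Only outbound SYNs, no SYN/ACKs back   -> replies never reach the outside interface; the
!   secondary IP is not being routed (or ARPed) to the ASA by the ISP/perimeter router.
! SYN/ACKs present but the client still times out -> the ASA receives replies and drops them;
!   read the drop reason from the syslog and the ASP drop counters.
show asp drop

! 3. Confirm the client really is translated to the secondary address (pre-8.3 syntax)
show xlate | include 192.168.1.130

! 4. Remove the capture when done; captures consume memory on the box
no capture CAP_OUT
```

If the capture shows no return traffic at all, the secondary address is not reaching the ASA and the ASA configuration is not the place to keep looking; that is also what Bryan's interface-IP test above points to.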
