ASA (policy) NAT help

whiteford
Level 1

Hi,

I think this might be a policy NAT requirement, but I have never tried this before.

On our LAN we have a subnet 192.168.100.x/24 and this needs to get to an IP range of 10.100.0.32/27, which is a remote company's network. The thing is, they also have a network on 192.168.100.x/24, so I want 192.168.100.x/24 to be NAT'ed to 192.168.90.0/24 only if going to this network.

Possible

24 Replies

I didn't see any translations:

Does this look ok to you guys, sorry for all the silly confusion I have created.

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (outside) 2 192.168.90.240
nat (DMZ3) 2 access-list policy-nat-2

I went to the PC with 192.168.100.x and pinged 10.100.0.61 which I know is live and got a request timeout.

Config looks OK - can you confirm that layer 3 devices on the 10.100.0.32/27 subnet know "how" to get "back" to 192.168.90.x through 192.168.100.x?

Are you allowing icmp - echo-replies back into the outside interface of the ASA?

192.168.90.x can ping 10.100.0.32/27 as I'm pinging from that subnet.

I guess they will just send replies to 192.168.90.240 that translates to 192.168.100.x?

Is this static NAT better than a policy NAT?

I think you have your bracketed interfaces the wrong way round for global and nat.

global (DMZ3)
nat (inside)

Sadly, I couldn't get this to work:

I tried these 2 configs:

1.)

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.240
nat (outside) 2 access-list policy-nat-2

When I do a packet trace I get a drop:

packet-tracer input inside icmp 192.168.100.32 0 1 1 10.100$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in Remotesvr_Servers 255.255.255.224 DMZ3

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in VLAN100 255.255.255.0 inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any DMZ3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 137, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

2.)

access-list inside_outbound_nat0_acl extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
access-list policy-nat-2 extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
static (inside,DMZ3) 192.168.90.240 access-list policy-nat-2

On this one I get the error "global address overlaps with mask"

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.240
nat (outside) 2 access-list policy-nat-2

This will not work - as you are trying to perform PAT in a Static 1:1 config, not possible.

Use:

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.0
nat (outside) 2 access-list policy-nat-2

or

access-list policy-nat-2 permit ip host 192.168.100.x 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.240
nat (outside) 2 access-list policy-nat-2
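To see why the packet trace earlier in this thread drops in the NAT phase even with the policy NAT lines present, here is a small added example (written for this thread, not Cisco code and not the ASA's own logic) that models the pre-8.3 dynamic NAT lookup: a nat line is only consulted on the interface named in its brackets, and the matched nat id must have a global on the egress interface or nat-control drops the flow. The evaluation order inside an interface (access-list nat lines before regular ones, first match wins) is an assumption of the model. Fed the thread's first attempt it reports the same "No matching global" drop; with the ingress interface corrected to inside, as advised above, the 10.100.0.32/27 flow translates while other inside-to-DMZ3 traffic still hits nat (inside) 1 with no global (DMZ3) 1.

```python
import ipaddress

def parse(cfg):
    """Collect access-lists, nat and global lines from ASA 8.2-style config text."""
    acls, nats, globs = {}, [], {}
    for line in cfg.strip().splitlines():
        t = [x for x in line.split() if x != "extended"]
        if t[0] == "access-list":   # access-list NAME permit ip SRC MASK DST MASK
            acls.setdefault(t[1], []).append(
                (ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}")))
        elif t[0] == "nat":         # nat (IFC) ID access-list NAME  |  nat (IFC) ID NET MASK
            rule = ("acl", t[4]) if t[3] == "access-list" else ("net", ipaddress.ip_network(f"{t[3]}/{t[4]}"))
            nats.append((t[1].strip("()"), int(t[2]), rule))
        elif t[0] == "global":      # global (IFC) ID POOL
            globs[(t[1].strip("()"), int(t[2]))] = t[3]
    return acls, nats, globs

def lookup(cfg, in_ifc, out_ifc, src, dst):
    """Mimic packet-tracer's NAT phase: return (result, reason) for one flow.
    Assumed order: access-list nat lines on the ingress interface first, then
    regular ones, first match wins; the matched id needs a global on the egress
    interface, otherwise nat-control denies the flow."""
    acls, nats, globs = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    on_ingress = [n for n in nats if n[0] == in_ifc]   # nat (other_ifc) lines never apply here
    ordered = [n for n in on_ingress if n[2][0] == "acl"] + [n for n in on_ingress if n[2][0] == "net"]
    for ifc, nid, (kind, arg) in ordered:
        if kind == "acl":
            hit = any(src in s and dst in d for s, d in acls.get(arg, []))
        else:
            hit = src in arg
        if not hit:
            continue
        if nid == 0:   # nat 0: exemption, traffic passes untranslated
            return "ALLOW", f"nat ({ifc}) 0 exemption, no translation"
        pool = globs.get((out_ifc, nid))
        if pool is None:
            return "DROP", f"nat ({ifc}) {nid} matched, no matching global ({out_ifc}) {nid}"
        return "ALLOW", f"nat ({ifc}) {nid} -> global ({out_ifc}) {nid} {pool}"
    return "DROP", f"no nat line on {in_ifc} matches, nat-control denies the flow"

# Constructed: the thread's first attempt, then the same with the ingress interface corrected.
POSTED = """
nat-control
access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224
global (DMZ3) 2 192.168.90.240
nat (outside) 2 access-list policy-nat-2
nat (inside) 1 0.0.0.0 0.0.0.0
"""
CORRECTED = POSTED.replace("nat (outside) 2", "nat (inside) 2")
```

Call lookup(POSTED, "inside", "DMZ3", "192.168.100.32", "10.100.0.61") and the same with CORRECTED to compare the two outcomes.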

I tried those 2 examples of yours and tried the packet trace again:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any DMZ3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 145, untranslate_hits = 0
Additional Information:

Post all your current NAT/Interface config.

I have removed the config that I am trying, but here is some of it; let me know if you need anything else. I've had to hide some bits:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.224
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address *.*.*.* 255.255.0.0
 ospf cost 10
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.4
 vlan 4
 nameif DMZ2_Network
 security-level 15
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/2.6
 vlan 6
 nameif DMZ1_Servers
 security-level 10
 ip address 172.24.0.100 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/2.7
 vlan 7
 nameif DMZ3
 security-level 25
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/2.9
 vlan 9
 nameif DMZ6_WAN
 security-level 35
 ip address 172.30.0.4 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif DMZ10_Servers
 security-level 25
 ip address 192.168.15.1 255.255.255.224
 ospf cost 10
!
interface GigabitEthernet0/2.300
 vlan 300
 nameif DMZ4
 security-level 20
 ip address 172.25.1.1 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface

static (inside,outside) udp interface 9996 SVR06 9996 netmask 255.255.255.255
static (inside,outside) *.*.*.* SVR10 netmask 255.255.255.255
static (inside,outside) DMZ6-172.30.0.0 access-list policy-nat
static (DMZ10_Servers,outside) *.*.*.* SVR05_NEW netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.168.25.42 netmask 255.255.255.255

nat-control
nat (outside) 1 Office1 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ2_Network) 0 access-list DMZ2_nat0_outbound
nat (DMZ2_Network) 1 0.0.0.0 0.0.0.0
nat (DMZ1_Servers) 0 access-list DMZ1_Servers_nat0_outbound
nat (DMZ1_Servers) 0 access-list DMZ_inbound_nat0_acl outside
nat (DMZ1_Servers) 1 0.0.0.0 0.0.0.0
nat (DMZ3) 0 access-list DMZ3_nat0_outbound
nat (DMZ3) 1 0.0.0.0 0.0.0.0
nat (DMZ6_WAN) 0 access-list DMZ6_WAN_nat0_outbound
nat (DMZ6_WAN) 1 0.0.0.0 0.0.0.0
nat (DMZ10_Servers) 0 access-list DMZ10_Servers_nat0_outbound
nat (DMZ10_Servers) 1 0.0.0.0 0.0.0.0
nat (DMZ4) 0 access-list DMZ4_outbound_nat0_acl
nat (DMZ4) 1 0.0.0.0 0.0.0.0
static (inside,outside) DMZ6-172.30.0.0 access-list policy-nat

no crypto isakmp nat-traversal

So where is the destination? And what interface is the policy NAT required from?
