07-27-2010 06:31 AM - edited 03-11-2019 11:16 AM
I have an ASA set up behind a T1 with pass-through on port 0/0 on the ISP router.
Internal ASA IP address is 10.130.1.1
The ISP also has an MPLS set up to another network with IP address of 10.130.1.2 on port 0/1 of the ISP router. The IP address of the other network is 192.168.5.0.
I setup the static route for 192.168.5.0 to 10.130.1.2 on the ASA device but get the following error:
3 Jul 21 2010 17:28:38 305006 192.168.5.10 portmap translation creation failed for tcp src inside:10.130.1.5/13135 dst inside:192.168.5.10/3389
If I setup an exempt NAT rule from 10.130.1.0 to 192.168.5.0 and one from 192.168.5.0 to 10.130.1.0 I can ping across the two networks, but get the following error if I try to do anything else like RDC
6 Jul 21 2010 17:39:46 302013 10.130.1.5 192.168.5.10 Built inbound TCP connection 243379 for inside:10.130.1.5/13412 (10.130.1.5/13412) to inside:192.168.5.10/3389 (192.168.5.10/3389)
6 Jul 21 2010 17:39:46 302014 10.130.1.5 192.168.5.10 Teardown TCP connection 243379 for inside:10.130.1.5/13412 to inside:192.168.5.10/3389 duration 0:00:00 bytes 0 TCP Reset-O
Not sure how to allow traffic to be sent to the MPLS.
If I change the gateway on a local PC to 10.130.1.2 I can communicate without issue to the 192.168.5.0 network, but lose internet so I know the MPLS is working.
Internet router ------>Public IP ----> ASA 5505-----> 10.130.1.1 -----> Internal network
|-------------->MPLS 192.168.5.0---------------->10.130.1.2-------------------------------^
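The three syslog messages quoted above (305006 translation failure, 302013 build, 302014 teardown with zero bytes and Reset-O) are the signature of a flow that enters and leaves the same ASA interface. As an added example, not part of the original post, here is a small Python classifier that reads log lines in the exact layout the ASDM viewer shows them and flags the intra-interface ("hairpin") cases. The log lines are constructed from the ones in the thread plus one ordinary outbound connection for contrast; the message formats are the standard ASA ones, everything else is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines from the thread plus one normal inside->outside
# connection (8.8.8.8 is an assumption) that must NOT be flagged.
SAMPLE_LOG = """\
3 Jul 21 2010 17:28:38 305006 192.168.5.10 portmap translation creation failed for tcp src inside:10.130.1.5/13135 dst inside:192.168.5.10/3389
6 Jul 21 2010 17:39:46 302013 10.130.1.5 192.168.5.10 Built inbound TCP connection 243379 for inside:10.130.1.5/13412 (10.130.1.5/13412) to inside:192.168.5.10/3389 (192.168.5.10/3389)
6 Jul 21 2010 17:39:46 302014 10.130.1.5 192.168.5.10 Teardown TCP connection 243379 for inside:10.130.1.5/13412 to inside:192.168.5.10/3389 duration 0:00:00 bytes 0 TCP Reset-O
3 Jul 27 2010 10:57:40 305006 192.168.5.10 portmap translation creation failed for icmp src inside:10.130.1.5 dst inside:192.168.5.10 (type 8, code 0)
6 Jul 21 2010 17:40:01 302013 10.130.1.5 8.8.8.8 Built outbound TCP connection 243380 for outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.130.1.5/13500 (10.130.1.5/13500)
"""

# "<severity> <Mon dd yyyy hh:mm:ss> <6-digit message id> <rest>"
HEADER = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d)\s+(?P<msgid>\d{6})\s+(?P<rest>.*)$"
)
# 305006: "... src <if>:<ip>[/port] dst <if>:<ip>[/port]"
XLATE_FAIL = re.compile(r"src (?P<sif>\w+):(?P<sip>[\d.]+)(?:/\d+)? dst (?P<dif>\w+):(?P<dip>[\d.]+)")
# 302013/302014: "... for <if>:<ip>/<port> [(mapped)] to <if>:<ip>/<port> ..."
CONN = re.compile(r"for (?P<sif>\w+):(?P<sip>[\d.]+)/\d+ .*?to (?P<dif>\w+):(?P<dip>[\d.]+)/\d+")
TEARDOWN = re.compile(r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.*)$")


@dataclass
class Finding:
    msgid: str
    src: str
    dst: str
    iface: str
    verdict: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding when the line shows a failing same-interface flow, else None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    msgid, rest = m["msgid"], m["rest"]
    if msgid == "305006":
        f = XLATE_FAIL.search(rest)
        if f and f["sif"] == f["dif"]:
            return Finding(msgid, f["sip"], f["dip"], f["sif"],
                           "no usable translation for an intra-interface (hairpin) flow")
    elif msgid == "302014":
        f = CONN.search(rest)
        t = TEARDOWN.search(rest)
        # Zero bytes, zero duration, reset: the connection never carried data.
        if f and t and f["sif"] == f["dif"] and t["bytes"] == "0" and t["dur"] == "0:00:00":
            return Finding(msgid, f["sip"], f["dip"], f["sif"],
                           f"hairpin TCP connection torn down with no payload ({t['reason']}); "
                           "consistent with the ASA seeing only one direction of the flow")
    return None


def analyze(text: str) -> List[Finding]:
    """Classify every line of a log excerpt and keep only the hairpin findings."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding.msgid} {finding.iface}: {finding.src} -> {finding.dst}: {finding.verdict}")
```

Run it against `show logging` output (or the ASDM log export) and a sudden run of findings for one interface name points at a hairpin, which narrows the fix to the NAT and intra-interface settings rather than the ACLs.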
07-27-2010 06:38 AM
Can you please paste your NAT config:
show run nat
show run global
show run static
and also can you paste the routing table:
show run route
show route
07-27-2010 07:03 AM
Result of the command: "show run nat"
nat (inside) 0 access-list NONAT
nat (inside) 101 access-list inside_nat_outbound
Result of the command: "show run global"
global (inside) 1 10.130.1.5 netmask 255.0.0.0
global (inside) 2 interface
global (inside) 3 10.130.1.0 netmask 255.255.255.0
global (inside) 4 192.168.0.0 netmask 255.255.0.0
global (outside) 101 interface
global (outside) 1 X.X.X.X netmask 255.0.0.0
Result of the command: "show run static"
static (inside,outside) X.X.X.X 10.130.1.5 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.130.1.6 netmask 255.255.255.255
Result of the command: "show run route"
route inside 159.1.0.0 255.255.0.0 10.130.1.6 1
route inside 192.168.5.0 255.255.255.0 10.130.1.2 1
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
Result of the command: "show route"
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is X.X.X.X to network 0.0.0.0
C X.X.X.X 255.255.255.248 is directly connected, outside
S 159.1.0.0 255.255.0.0 [1/0] via 10.130.1.6, inside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 10.130.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via X.X.X.X, outside
S 192.168.0.0 255.255.0.0 [1/0] via 10.130.1.2, inside
07-27-2010 06:51 AM
Matthew,
From what you describe it sounds like you are trying to 'hair-pin' traffic on the ASA's inside interface. If that is the case, your issue is probably due to asymmetric traffic flow whereby the ASA only sees one side of the conversation. This breaks the traffic since the sequence number randomization kicks in on the FW and messes up one flow when compared to the reverse flow. Your best bet would be to also configure TCP State Bypass for those flows in question and add it to the global policy.
access-list tsp-list permit tcp 10.130.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list tsp-list permit tcp 192.168.5.0 255.255.255.0 10.130.1.0 255.255.255.0
!
class-map tsp-class
match access-list tsp-list
!
policy-map global_policy
class tsp-class
set connection advanced-options tcp-state-bypass
More information about this command is available here:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242
and it requires you move to 8.2.1 or later... Like 8.2.2...
Hope this helps!
- Magnus
07-27-2010 07:20 AM
I inherited this appliance and it looks like old firmware:
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
I guess I would need to update it if that is the only solution. Is there an order to which component I need to update first?
07-27-2010 07:31 AM
Assuming you need to access 192.168.5.0 from the 10.130.1.0 network:
static (inside,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 norandomseq nailed
static (inside,inside) 10.1.130.0 10.1.130.0 netmask 255.255.255.0 norandomseq nailed
The key command here is norandomseq nailed.
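The identity `static (inside,inside)` pair above only works if every piece lines up: intra-interface traffic must be permitted, each translated network must actually live on or be routed via `inside`, and both ends of the hairpin need a statement. As an added example (not from the thread or from Cisco), this Python checker reads a running-config excerpt and reports what is missing. The excerpt is constructed from the fragments posted in this thread; the `interface Vlan1` block and its mask are assumptions, and the `same-security-traffic` line is deliberately left out of the first sample because the thread never showed it.

```python
import ipaddress
import re
from typing import List

# Constructed from the thread's fragments. The interface block is an assumption
# (the thread only shows that 10.130.1.0/24 is connected to "inside").
RUNNING_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.130.1.1 255.255.255.0
route inside 159.1.0.0 255.255.0.0 10.130.1.6 1
route inside 192.168.5.0 255.255.255.0 10.130.1.2 1
static (inside,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 norandomseq nailed
static (inside,inside) 10.1.130.0 10.1.130.0 netmask 255.255.255.0 norandomseq nailed
"""

# Same config with the intra-interface permit added and the octet typo fixed.
FIXED_CONFIG = RUNNING_CONFIG.replace(
    "static (inside,inside) 10.1.130.0 10.1.130.0",
    "static (inside,inside) 10.130.1.0 10.130.1.0",
) + "same-security-traffic permit intra-interface\n"

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [options]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)(.*)$")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+)")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif (\w+)")


def reachable_via(config: str, iface: str) -> List[ipaddress.IPv4Network]:
    """Networks the ASA reaches out of `iface`: its connected subnet plus static routes."""
    nets: List[ipaddress.IPv4Network] = []
    name, addr = None, None
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes the last block
        if line.startswith("interface "):
            if name == iface and addr:
                nets.append(addr)
            name, addr = None, None
        elif m := NAMEIF_RE.match(line):
            name = m[1]
        elif m := IP_RE.match(line):
            addr = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := ROUTE_RE.match(line):
            if m[1] == iface:
                nets.append(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
    return nets


def check_hairpin(config: str, iface: str, local: str, remote: str) -> List[str]:
    """Return a list of problems that would stop local<->remote hairpinning on `iface`."""
    problems: List[str] = []
    if "same-security-traffic permit intra-interface" not in config:
        problems.append("missing 'same-security-traffic permit intra-interface'")
    reach = reachable_via(config, iface)
    wanted = {ipaddress.ip_network(local), ipaddress.ip_network(remote)}
    covered = set()
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m or (m[1], m[2]) != (iface, iface):
            continue
        mapped = ipaddress.ip_network(f"{m[3]}/{m[5]}", strict=False)
        real = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
        opts = m[6]
        if real != mapped:
            problems.append(f"{line}: not an identity translation")
        if "norandomseq" not in opts or "nailed" not in opts:
            problems.append(f"{line}: needs both 'norandomseq' and 'nailed'")
        if not any(real.subnet_of(n) for n in reach):
            problems.append(f"{line}: {real} is neither connected to nor routed via {iface}; check for a typo")
        covered.add(real)
    for net in sorted(wanted - covered):
        problems.append(f"no identity static ({iface},{iface}) for {net}")
    return problems


if __name__ == "__main__":
    for cfg_name, cfg in (("posted", RUNNING_CONFIG), ("fixed", FIXED_CONFIG)):
        print(cfg_name, check_hairpin(cfg, "inside", "10.130.1.0/24", "192.168.5.0/24") or ["ok"])
```

Feed it the relevant lines of `show run` (interfaces, `route`, `static`, `same-security-traffic`); the reachability check is what catches a transposed octet such as 10.1.130.0, which the parser would otherwise accept as a valid subnet.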
07-27-2010 07:57 AM
If I do that and remove the NAT exempt rule I get the following error and can no longer ping:
3 Jul 27 2010 10:56:16 305006 192.168.5.10 portmap translation creation failed for tcp src inside:10.130.1.5/48946 dst inside:192.168.5.10/3389
I get the following when I try to ping:
3 Jul 27 2010 10:57:40 305006 192.168.5.10 portmap translation creation failed for icmp src inside:10.130.1.5 dst inside:192.168.5.10 (type 8, code 0)
Result of the command: "show run static"
static (inside,outside)X.X.X.X 10.130.1.5 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.130.1.6 netmask 255.255.255.255
static (inside,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 norandomseq nailed
static (inside,inside) 10.1.130.0 10.1.130.0 netmask 255.255.255.0 norandomseq nailed
07-27-2010 08:05 AM
Can you try this:
nat (inside) 0 access-list NONAT norandomseq nailed
Also, can you paste the ACL NONAT?
07-27-2010 08:11 AM
Result of the command: "nat (inside) 0 access-list NONAT norandomseq nailed"
nat (inside) 0 access-list NONAT norandomseq nailed
^
ERROR: % Invalid Hostname
What is the ACL NONAT?
07-27-2010 08:15 AM
I was talking about this access-list:
Result of the command: "show run nat"
nat (inside) 0 access-list NONAT
nat (inside) 101 access-list inside_nat_outbound
This is what you sent us on the community:
nat (inside) 0 access-list NONAT norandomseq
I was referring to the access-list used here.
07-27-2010 08:20 AM
Result of the command: "nat (inside) 0 access-list NONAT norandomseq"
The command has been sent to the device
Result of the command: "show run nat"
nat (inside) 0 access-list NONAT
nat (inside) 101 access-list inside_nat_outbound
07-27-2010 08:35 AM
Can you please paste the packet-tracer output with the static NATs?
07-27-2010 08:43 AM
Obvious question and dumb question:
hope you have the same-security command.
07-27-2010 08:56 AM
I think I just bricked it. I was trying to upgrade the ASA ASDM. I put mismatched versions 8.3(1) and 6.2(5) because I just grabbed what was at the top of the lists. Now I can't log in. Am I done?
07-27-2010 09:18 AM
I can telnet in but don't know the syntax for the downgrade command