ASA5506-X NAT SETTING WORKING IN PACKET-TRACER BUT FAILING IN REAL ENVIRONMENT

Woodies WU (Level 1)

Hi everyone,

  I'm stuck configuring an ASA5506-X. I am trying to get office computers (outside, 10.108.70.X) to access CCTVs (inside, 192.168.129.X); the two are on different networks joined by the ASA5506-X. I have set up NAT, an access-list and inspect rules. It seems to work with packet-tracer, but fails in the real environment. The idea is that devices in the outside subnet can ping 10.108.70.31 and 10.108.70.32, which are mapped to 192.168.129.31 and 192.168.129.32, the IPs of the CCTVs.
! Mapped (outside) and real (inside) addresses of the two cameras
object network CCTV1-OUTSIDE-IP
 host 10.108.70.31
object network CCTV2-OUTSIDE-IP
 host 10.108.70.32
object network CCTV1-INSIDE-IP
 host 192.168.129.31
object network CCTV2-INSIDE-IP
 host 192.168.129.32
! Object (auto) NAT: one-to-one static mapping, real inside address -> mapped outside address
! (show running-config lists the host line and the nat line of an object separately)
object network CCTV1-INSIDE-IP
 nat (inside_1,outside) static CCTV1-OUTSIDE-IP
object network CCTV2-INSIDE-IP
 nat (inside_1,outside) static CCTV2-OUTSIDE-IP

! Inbound ACL on the outside interface; on ASA 8.3+ it matches the real (untranslated) addresses.
! The third line already permits all ICMP, so the echo, echo-reply and unreachable lines are redundant.
access-list OUTSIDE-TRAFFIC extended permit icmp any any unreachable
access-list OUTSIDE-TRAFFIC extended permit icmp any any echo
access-list OUTSIDE-TRAFFIC extended permit icmp any any
access-list OUTSIDE-TRAFFIC extended permit icmp any any echo-reply
access-group OUTSIDE-TRAFFIC in interface outside

! ICMP inspection so echo replies are matched statefully to their requests
policy-map global_policy
 class inspection_default
  inspect icmp

I have attached the details of "show running-config" and "packet-tracer" in the hope that you can give advice. Thanks a lot for any hint!

Accepted Solution

Woodies WU (Level 1)

I found there is no issue with NAT or packet-tracer, but with my plan.

Originally, I planned to establish 2 outside IPs mapped to 2 inside CCTVs through ASA NAT rules. In my imagination, outside devices could connect to the CCTVs through the 2 mapped IPs. However, the ASA is neither the gateway of the outside devices nor of the inside CCTVs. The ASA never receives the ICMP request from the outside or the ICMP reply from the inside device. This crux was discovered with the "debug icmp trace" command.

debug icmp trace

The previous supplementary notes are also misleading: some of the pings were sent by the ASA itself. I had not taken the state of the subnets into account.

In the end, I made some complex PAT rules. I don't know what to call it; I would be very grateful if someone could tell me. It lets both sides, the outside devices and the inside CCTVs, communicate only with the ASA's interface addresses.

! Real (inside) camera addresses; on the outside the cameras are now reached via the ASA's own interface address
object network CCTV1-INSIDE-IP
 host 192.168.129.31
object network CCTV2-INSIDE-IP
 host 192.168.129.32
! Service objects: the port the cameras listen on (1482) and the two ports exposed on the outside interface
object service CCTV1-OUTSIDE-PORT
 service tcp source eq 50001
object service CCTV2-OUTSIDE-PORT
 service tcp source eq 50002
object service CCTV-INSIDE-PORT
 service tcp source eq 1482
! The ACL is written against the real addresses and the real port (ASA 8.3+ behaviour)
access-list OUTSIDE-TRAFFIC extended permit tcp any object CCTV1-INSIDE-IP eq 1482
access-list OUTSIDE-TRAFFIC extended permit tcp any object CCTV2-INSIDE-IP eq 1482

! Manual (twice) NAT: outside hosts connect to the outside interface on 50001/50002, the ASA forwards
! to the camera on 1482 and presents its inside interface address as the source, so neither side
! needs a route through the ASA to the other subnet
nat (inside_1,outside) source static CCTV2-INSIDE-IP interface destination static interface any service CCTV-INSIDE-PORT CCTV2-OUTSIDE-PORT
nat (inside_1,outside) source static CCTV1-INSIDE-IP interface destination static interface any service CCTV-INSIDE-PORT CCTV1-OUTSIDE-PORT

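To make the routing point behind the accepted solution concrete, here is a small model, added as an example and not part of the original post or any Cisco code. It follows one request from an office host and the camera's reply under both NAT styles and reports where the ASA falls out of the path: with the one-to-one static NAT the reply depends on the camera routing 10.108.70.0/24 through the ASA (and the request depends on the ASA proxy-ARPing for the mapped address), whereas with the manual NAT both hosts only ever talk to an ASA interface on their own segment. Addresses from the post are 10.108.70.30 (outside interface), 10.108.70.31 (mapped), 192.168.129.31 (CCTV), ports 1482 and 50001. Everything else is assumed: inside interface 192.168.129.30, camera gateway 192.168.129.254, office host 10.108.70.50 with gateway 10.108.70.254. Source-port rewriting by the PAT is ignored for readability.

```python
"""Constructed model of why static object NAT failed and manual (twice) NAT worked.

Not Cisco code and not the poster's configuration; it only imitates the two
translations well enough to show which hop the ASA is missing from.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Host:
    ip: str
    prefix: str
    gateway: str

    def next_hop(self, dst: str) -> str:
        """On-link destinations are ARPed for directly; everything else goes to the gateway."""
        if ipaddress.ip_address(dst) in ipaddress.ip_network(self.prefix):
            return dst
        return self.gateway


ASA_OUTSIDE = "10.108.70.30"       # from the post
ASA_INSIDE = "192.168.129.30"      # assumed
CCTV1_REAL = "192.168.129.31"      # from the post
CCTV1_MAPPED = "10.108.70.31"      # from the post

OFFICE = Host("10.108.70.50", "10.108.70.0/24", "10.108.70.254")   # assumed host and gateway
CCTV1 = Host(CCTV1_REAL, "192.168.129.0/24", "192.168.129.254")    # assumed gateway, not the ASA


def asa_answers_arp(proxy_arp: bool) -> frozenset:
    """Addresses the ASA answers ARP for: its interfaces, plus the mapped address
    when proxy ARP for static NAT is left at its default (enabled)."""
    addrs = {ASA_OUTSIDE, ASA_INSIDE}
    if proxy_arp:
        addrs.add(CCTV1_MAPPED)
    return frozenset(addrs)


def object_nat_inbound(f: Flow):
    """'nat (inside_1,outside) static CCTV1-OUTSIDE-IP' seen from outside:
    only the destination changes, the office host's address is kept."""
    if f.dst == CCTV1_MAPPED:
        return Flow(f.src, f.sport, CCTV1_REAL, f.dport)
    return None


def twice_nat_inbound(f: Flow):
    """The poster's manual NAT seen from outside: outside-interface:50001 becomes
    CCTV1:1482 and the source becomes the inside interface address."""
    if f.dst == ASA_OUTSIDE and f.dport == 50001:
        return Flow(ASA_INSIDE, f.sport, CCTV1_REAL, 1482)
    return None


def simulate(rule, office: Host, cctv: Host, request: Flow, proxy_arp: bool = True) -> str:
    """Follow one request and its reply; report where the ASA drops out of the path."""
    answers = asa_answers_arp(proxy_arp)
    if office.next_hop(request.dst) not in answers:
        return "request never reaches the ASA"
    inside = rule(request)
    if inside is None:
        return "no NAT rule matched"
    hop = cctv.next_hop(inside.reply().dst)
    if hop not in answers:
        return f"reply bypasses the ASA via {hop}"
    return "ok"


def run_examples() -> dict:
    static_req = Flow(OFFICE.ip, 40000, CCTV1_MAPPED, 1482)
    manual_req = Flow(OFFICE.ip, 40000, ASA_OUTSIDE, 50001)
    return {
        "object_nat": simulate(object_nat_inbound, OFFICE, CCTV1, static_req),
        "object_nat_no_proxy_arp": simulate(object_nat_inbound, OFFICE, CCTV1, static_req, proxy_arp=False),
        "twice_nat": simulate(twice_nat_inbound, OFFICE, CCTV1, manual_req),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```

The model is deliberately one-directional (outside to inside) because that is the direction the thread is about; the same check applied to the camera's own outbound traffic would show the same dependency on its default gateway.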

2 Replies

Woodies WU (Level 1)

Supplementary Note:

1. I can ping 192.168.129.31 and 192.168.129.32(CCTVX-INSIDE-IPs) from inside.

2. I can ping 10.108.70.X (outside computers) from inside.

3. I can ping 10.108.70.30 (outside interface) from outside.

4. I can't ping 10.108.70.31 and 10.108.70.32 (CCTVX-OUTSIDE-IP) from outside.
