Basic PAT/NAT setup problem

DurableJoe
Level 1

Compared to what most people are posting about, what I am trying to resolve seems so simple, and it is so frustrating not to get it working.

I have an ASA 5505 running 8.4 in a remote office. The outside interface is connected to a cable modem that gives us a static IP. The inside is a LAN where 3 workstations and a printer sit. I cannot get this blasted thing to let the workstations access the internet. When running from CLI, I can ping IP addresses on the internet, but my workstations cannot. Here is my config:

NOLAasa# show run
: Saved
:
ASA Version 8.4(3)
!
hostname NOLAasa
enable password Hm9VvynuYBmz1gGv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.4.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.54.6 255.255.255.224
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic obj_any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.54.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.4.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.4.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.4.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.4.101-10.0.4.132 inside
dhcpd dns 10.0.0.42 68.105.28.16 interface inside
dhcpd wins 10.0.0.42 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d516e5670440d426070f860b2548a780
: end

Please help, this is driving me nuts.

Accepted Solution

Jouni Forss
VIP Alumni

EDIT: Seems your configuration should work, though I have never done the PAT like that.

EDIT2: I got the picture that your outside interface would be getting an IP address from a DHCP server? Wouldn't the Vlan2 then have a configuration line of "ip address dhcp setroute"? It would then get an IP address from the device in front and set the default route itself without configuring it.

Hi,

These are 2 of the basic formats I use to configure simple PAT:

PAT1

nat (any,outside) after-auto source dynamic any interface

PAT2

object-group network DEFAULT-PAT-SOURCE
 description PAT translation source addresses
 network-object 10.0.4.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

You could try those. Remember to remove the old configurations and perhaps use "clear xlate" to remove all the existing translations from the ASA.

Please rate if this helped

- Jouni


4 Replies

Thanks for your reply. I tried both of those suggestions, and I still couldn't ping from the workstation an IP address that I can ping from inside the router. However, I launched Internet Explorer and I can go to websites, so it is translating stuff. Why can't I ping an IP address but I can go to websites? Do I need to put in an ACL or something to specifically allow pinging to go through the PAT?

Solved the ping problem, added:

access-list global-access extended permit icmp any any

I tried both of the pat statements given, both work.  Thanks for your help.

Hi,

I think I know why your original ICMPs weren't getting through.

I don't know if you left it out, but the bottom part of the configuration on the ASA CLI should show a "policy-map" configuration which has a lot of "inspect" rows.

You could have added a row "inspect icmp" there.

After that you could have just added the access-list line

access-list global-access permit icmp 10.0.4.0 255.255.255.0 any

This would only allow ICMP from LAN to WAN. Now if you give a static public IP address to some server on the LAN, anyone from WAN can send ICMP to it, since you have a "permit icmp any any" line in the access-list.

I guess you have only a single ACL configured on the ASA that handles ACL rules for all interfaces? I personally have stuck to using interface-specific ACLs on the ASA. Seems simpler/clearer that way.
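Putting Jouni's advice together as one ASA 8.4 configuration fragment (an added example, not config from the thread): the global "permit icmp any any" the thread ended with, beside the corrected form that uses ICMP inspection plus an inside-only interface ACL. It assumes the global-access ACL was applied with "access-group global-access global", as Jouni guesses; the ACL name inside_in, the object SRV-WEB with its addresses, and 203.0.113.10 are constructed for the example.

```cisco
! --- Weak form (what the thread ended up with) ---
! A global ACL is evaluated inbound on every interface, so this one line
! also admits ICMP arriving on "outside" for any host that has a static
! translation, e.g. a constructed web server:
object network SRV-WEB
 host 10.0.4.50
 nat (inside,outside) static x.x.54.7
access-list global-access extended permit icmp any any
access-group global-access global
!
! --- Corrected form ---
! 1. Make ICMP stateful. The echo-reply to a LAN-originated ping is then
!    matched by the connection table and needs no ACL entry at all.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Drop the global ACL and use an interface ACL on "inside" that names
!    the LAN subnet explicitly (interface ACL name "inside_in" is assumed).
!    Applying any ACL to "inside" replaces the implicit high-to-low permit,
!    so TCP and UDP from the LAN must be permitted here as well.
no access-group global-access global
no access-list global-access extended permit icmp any any
access-list inside_in extended permit icmp 10.0.4.0 255.255.255.0 any
access-list inside_in extended permit tcp 10.0.4.0 255.255.255.0 any
access-list inside_in extended permit udp 10.0.4.0 255.255.255.0 any
access-group inside_in in interface inside
!
! 3. Nothing is applied inbound on "outside", so the implicit deny there
!    now drops unsolicited ICMP to x.x.54.7 even though it is statically
!    translated.
!
! Checks from the CLI (ICMP type 8 code 0 = echo request):
!   show service-policy inspect icmp
!     -> confirms inspection is active and counting packets
!   packet-tracer input inside icmp 10.0.4.101 8 0 203.0.113.10
!     -> expected: ALLOW (LAN ping out; reply returns via the conn table)
!   packet-tracer input outside icmp 203.0.113.10 8 0 x.x.54.7
!     -> expected: DROP (unsolicited ping from the WAN to the server)
```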
