11-15-2018 09:14 PM - edited 02-21-2020 08:28 AM
Hello,
I have a problem on a Cisco ASA. Here is my config:
object network PARTNER-NETOBJ
 subnet 10.175.0.0 255.255.0.0
 nat (PARTNER,outside) dynamic AAA.AAA.AAA.AAA
object-group service PARTNER-SEROBJ
 service-object tcp destination eq www
 service-object tcp destination eq domain
 service-object udp destination eq domain
 service-object tcp destination eq https
 service-object icmp echo-reply
 service-object icmp
 service-object tcp destination eq 8000
 service-object tcp destination eq 8082
 service-object tcp destination eq 3306
 service-object tcp destination eq ssh
 service-object icmp echo
access-list OUT-IN-ACL extended permit object-group PARTNER-SEROBJ any object PARTNER-NETOBJ log
access-group OUT-IN-ACL in interface outside
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect dns
  inspect icmp
 class FTP-CM
  inspect ftp
!
service-policy global_policy global
- Inside clients can access and ping any website.
- At home I cannot ping AAA.AAA.AAA.AAA. I think it is blocked by the ASA, and I used the capture command to check:
capture capin interface outside match icmp any any
capture capout interface partner match icmp any any
show capture capin
178: 11:49:26.455832 802.1Q vlan#2 P0 123.30.114.xxx > AAA.AAA.AAA.AAA : icmp: echo request
179: 11:49:31.456092 802.1Q vlan#2 P0 123.30.114.xxx > AAA.AAA.AAA.AAA : icmp: echo request
show capture capout
0 packet captured
0 packet shown
As the information above shows, I see my IP address at home sending an ICMP packet to AAA.AAA.AAA.AAA, but it doesn't send back an echo reply, and I also checked the log on the ASA and didn't see any ICMP.
Could anyone help me?
Thank you.
Sang.
Solved! Go to Solution.
11-15-2018 09:39 PM
Since it's one-to-one NAT, why do you use dynamic?
object network PARTNER-NETOBJ
 host 10.175.4.10
 nat (PARTNER,outside) dynamic AAA.AAA.AAA.AAA
Change to:
object network PARTNER-NETOBJ
 host 10.175.4.10
 nat (PARTNER,outside) static AAA.AAA.AAA.AAA
11-15-2018 10:01 PM
Hi Nandakumar,
Sorry, I posted the wrong info. I changed it from
object network PARTNER-NETOBJ
 host 10.175.4.10
to
 subnet 10.175.0.0 255.255.0.0
11-15-2018 10:06 PM
Enable "inspect icmp" under the class map.
Also enable logging and provide the log message.
11-15-2018 10:10 PM
Hi,
"inspect icmp" is enabled under the class map, and I checked the log and didn't see any ICMP.
11-22-2018 02:29 AM
Enable "inspect icmp" under the class map.
Giving this command will enable ping replies from every interface.
The best is to define an access-list:
access-list XXXX extended permit icmp any private-server echo
access-group XXXX in interface (outside/dmz etc.)
11-15-2018 10:11 PM
Since your NAT is dynamic many-to-one, you will not be able to initiate traffic inbound, as the ASA would have no way of knowing which of the hosts in the 10.175.0.0 network to send the traffic to.
You could only do that if you had a static 1-1 NAT.
11-15-2018 10:19 PM
Hi Marvin,
Thank you for the suggestion. I changed it to static and it worked, thank you so much.
I also thank you, Nandakumar.
Sang.
11-22-2018 12:38 AM - edited 11-22-2018 12:49 AM
Hi Marvin,
I have configured a static 1-1 NAT as you advised:
object network PARTNER-NETOBJ-NAT-10.175.4.10---1-1
 host 10.175.4.10
 nat (Partner,outside) static AAA.AAA.AAA.AAA
I pinged AAA.AAA.AAA.AAA from home and it worked. Then I configured one more static 1-1 NAT for another server:
object network PARTNER-NETOBJ-NAT-10.175.4.12---1-1
 host 10.175.4.12
 nat (Partner,outside) static AAA.AAA.AAA.AAA
I can also ping AAA.AAA.AAA.AAA from home, but if I power off the server (10.175.4.10) then I cannot ping AAA.AAA.AAA.AAA.
How can I ping one of the servers while the other server is off?
- Also, I configured NAT for the HTTPS port of the Exchange mail server, but when I access it from home it doesn't work (https://mail.abc.name.vn/owa). I cannot see any traffic from my home to the Exchange mail server over HTTPS in the ASA logging.
object network PARTNER-NETOBJ
 subnet 10.175.0.0 255.255.0.0
 nat (PARTNER,outside) dynamic AAA.AAA.AAA.AAA
object network PARTNER-NETOBJ-NAT-10.175.4.10---1-1
 host 10.175.4.10
object network PARTNER-NETOBJ-NAT-10.175.4.10---8000
 host 10.175.4.10
 nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp 8000 8000
object network PARTNER-NETOBJ-NAT-10.175.4.10---8082
 host 10.175.4.10
 nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp 8082 8082
object network PARTNER-NETOBJ-NAT-10.175.4.10---3306
 host 10.175.4.10
 nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp 3306 3306
-----
Mail Server Exchange
object network PARTNER-NETOBJ-NAT-10.175.4.12---1-1
 host 10.175.4.12
 nat (PARTNER,outside) static AAA.AAA.AAA.AAA
object network PARTNER-NETOBJ-NAT-10.175.4.12---25
 host 10.175.4.12
 nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp smtp smtp
object network PARTNER-NETOBJ-NAT-10.175.4.12---443
 host 10.175.4.12
 nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp https https
object network PARTNER-NETOBJ-NAT-10.175.4.12---80
 host 10.175.4.12
 nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp www www
---------
object-group service PARTNER-SEROBJ-10.175.4.10
 service-object tcp destination eq www
 service-object tcp destination eq domain
 service-object udp destination eq domain
 service-object tcp destination eq 8000
 service-object tcp destination eq 8082
 service-object tcp destination eq 3306
object-group service PARTNER-SEROBJ-10.175.4.12
 service-object tcp destination eq www
 service-object tcp destination eq domain
 service-object udp destination eq domain
 service-object tcp destination eq smtp
 service-object tcp destination eq https
access-list OUT-IN-ACL extended permit object-group PARTNER-SEROBJ-10.175.4.12 any object PARTNER-NETOBJ-NAT-10.175.4.12---1-1 log
access-list OUT-IN-ACL extended permit object-group PARTNER-SEROBJ-10.175.4.10 any object PARTNER-NETOBJ-NAT-10.175.4.10---1-1 log
access-group OUT-IN-ACL in interface outside
Can you help me?
Thank you so much.
Sang.
11-22-2018 01:57 AM
I'm not sure why turning off one server would break access to another one.
When you have a mix of dynamic and static NATs for a given interface, put the dynamic NAT last in the list.
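The two accepted answers in this thread (a many-to-one dynamic NAT cannot accept unsolicited inbound traffic, and a mix of static and dynamic object NAT rules is evaluated in a fixed order) can be checked against a small model. The Python below is an added illustration for this page; it is not code from the thread, from Cisco, or from any ASA. It encodes the documented order of object (auto) NAT rules in Section 2 of the NAT table: static rules before dynamic rules, then fewest real addresses first, then lowest real address first, then object name alphabetically. The public address 203.0.113.10 is a constructed stand-in for the thread's AAA.AAA.AAA.AAA, the three rule sets are constructed from the configurations the original poster showed, and interface ACLs and xlate timeouts are left out.

```python
"""Toy model of Cisco ASA object (auto) NAT ordering and inbound untranslation.

Added illustration, not ASA code: it encodes the documented Section 2 order
(static before dynamic, fewest real addresses first, lowest real address
first, then object name) and walks it for the rule sets seen in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAPPED = "203.0.113.10"   # constructed stand-in for the thread's AAA.AAA.AAA.AAA


@dataclass(frozen=True)
class ObjectNat:
    """One 'object network NAME' with its 'nat (PARTNER,outside) ...' line."""
    name: str
    real: str                       # host (/32) or subnet in CIDR form
    mapped: str                     # public address on the outside interface
    kind: str                       # "static" or "dynamic"
    proto: Optional[str] = None     # "tcp"/"udp" when the rule carries 'service'
    port: Optional[int] = None      # real port == mapped port, as in the thread

    @property
    def real_net(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(self.real)


def section2_order(rules):
    """Order the ASA imposes on object NAT rules (you cannot reorder them by hand)."""
    return sorted(rules, key=lambda r: (r.kind != "static",
                                        r.real_net.num_addresses,
                                        int(r.real_net.network_address),
                                        r.name))


def untranslate(rules, dst_ip, proto, dport=None, xlates=()):
    """Real host an inbound packet to dst_ip (proto, dport) is delivered to, or None.

    xlates: (mapped_ip, proto, mapped_port, real_ip) entries created earlier by
    outbound traffic. They are checked before the rule table and are the only
    path inbound through a dynamic (many-to-one) rule: nothing else tells the
    ASA which of the 65536 real hosts a fresh inbound packet belongs to.
    """
    for m_ip, m_proto, m_port, real_ip in xlates:
        if (m_ip, m_proto, m_port) == (dst_ip, proto, dport):
            return real_ip
    for r in section2_order(rules):
        if r.mapped != dst_ip or r.kind != "static":
            continue   # dynamic rules never match unsolicited inbound traffic
        if r.port is not None and (r.proto, r.port) != (proto, dport):
            continue   # port-forward for a different service
        return str(r.real_net.network_address)   # first match wins
    return None


def shadowed(rules):
    """Static rules that can never be hit because an earlier static rule already
    claims the same public address for every port (a full 1:1 with no 'service')."""
    catch_all = set()
    dead = []
    for r in section2_order(rules):
        if r.kind != "static":
            continue
        if r.mapped in catch_all:
            dead.append(r.name)
        elif r.port is None:
            catch_all.add(r.mapped)
    return dead


# Rule sets constructed from the configurations posted in the thread.
PAT_ONLY = [ObjectNat("PARTNER-NETOBJ", "10.175.0.0/16", MAPPED, "dynamic")]

TWO_ONE_TO_ONE = PAT_ONLY + [
    ObjectNat("PARTNER-NETOBJ-NAT-10.175.4.10---1-1", "10.175.4.10/32", MAPPED, "static"),
    ObjectNat("PARTNER-NETOBJ-NAT-10.175.4.12---1-1", "10.175.4.12/32", MAPPED, "static"),
]

SHARED_IP = PAT_ONLY + [   # port-forwards for .10, catch-all 1:1 for the mail server .12
    ObjectNat("PARTNER-NETOBJ-NAT-10.175.4.10---8000", "10.175.4.10/32", MAPPED, "static", "tcp", 8000),
    ObjectNat("PARTNER-NETOBJ-NAT-10.175.4.10---8082", "10.175.4.10/32", MAPPED, "static", "tcp", 8082),
    ObjectNat("PARTNER-NETOBJ-NAT-10.175.4.10---3306", "10.175.4.10/32", MAPPED, "static", "tcp", 3306),
    ObjectNat("PARTNER-NETOBJ-NAT-10.175.4.12---1-1", "10.175.4.12/32", MAPPED, "static"),
    ObjectNat("PARTNER-NETOBJ-NAT-10.175.4.12---443", "10.175.4.12/32", MAPPED, "static", "tcp", 443),
]

if __name__ == "__main__":
    for label, rules in (("PAT only", PAT_ONLY), ("two 1:1", TWO_ONE_TO_ONE), ("shared IP", SHARED_IP)):
        print(f"== {label}: order = {[r.name for r in section2_order(rules)]}")
        print("   inbound icmp  ->", untranslate(rules, MAPPED, "icmp"))
        print("   inbound 443   ->", untranslate(rules, MAPPED, "tcp", 443))
        print("   inbound 8000  ->", untranslate(rules, MAPPED, "tcp", 8000))
        print("   shadowed      ->", shadowed(rules))
    # An echo reply to a ping a real host sent out does come back through the PAT rule.
    print("reply via xlate ->", untranslate(PAT_ONLY, MAPPED, "icmp", 7, [(MAPPED, "icmp", 7, "10.175.4.50")]))
```

Run as-is, the model reproduces the symptoms in the thread: with only the dynamic rule, an unsolicited inbound ping has no rule that can untranslate it (an echo reply to a ping sent out by an inside host does come back, because the outbound packet created an xlate); with two full 1:1 statics to the same public address, 10.175.4.10 sorts first and takes every inbound packet, so 10.175.4.12 is never reached whether or not .10 is powered on. The third rule set shows the workable way to share one public address, port-forwards for one server plus a single catch-all 1:1 for the other, and also flags that a port-specific rule for the catch-all server is dead. On a real ASA, `show nat` lists the rules in the order the box actually uses and `packet-tracer input outside icmp <src-ip> 8 0 AAA.AAA.AAA.AAA` shows which rule an inbound packet hits; if the automatic sort does not give the order you need, manual (twice) NAT in Section 1 is the way to force it.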