CISCO ASA-5505 Object Question

Ammit
Level 1

Hey guys,

I have a network design with multiple VLANs connected to a L3 switch and then an ASA. I am trying to get NAT working correctly. The L3 switch can ping outside and NAT works correctly, but it does not work for clients. The packets get dropped by the router, which I am assuming is because the packet src is the internal address and not the required NAT address.

I currently have an object addressed 10.0.0.0 - 255.255.255.0 for the inside LAN. My question is: do I need to create an object for each VLAN for NAT to work correctly? Is this the cause of the issue?

4 Replies

Hi @Ammit

Can you share the firewall and switch config? Object-group is a way to organize things in the configuration, but it is not a requirement for the configuration to work.

Just to give you an idea, the client network needs to be in the NAT configuration and you should have ip nat inside on the subinterfaces.

It would be easier with the device's config.

 

-If I helped you somehow, please, rate it as useful.-

Thanks for the response. Here is the configuration for the ASA; it might be a bit messy, as I seem to have gotten myself into a bit of a mess trying different things, but hopefully you can spot where I am going wrong.

 

ASA Version 8.4(2)
!
hostname ASA1
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.30.1 255.255.255.0
!
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network dmz-ftp
 host 10.10.30.3
object network dmz-mail
 host 10.10.30.4
object network dmz-servers

object network dmz-web
 host 10.10.30.2
object network router-switch
 subnet 10.10.10.0 255.255.255.0
!
route inside 10.10.10.0 255.255.255.0 10.10.10.2 1
route inside 10.1.0.0 255.255.255.0 10.10.10.2 1
route inside 10.2.0.0 255.255.255.0 10.10.10.2 1
route inside 10.3.0.0 255.255.255.0 10.10.10.2 1
route inside 10.1.10.0 255.255.255.0 10.10.10.2 1
route inside 10.1.20.0 255.255.255.0 10.10.10.2 1
route inside 10.1.30.0 255.255.255.0 10.10.10.2 1
route inside 10.2.10.0 255.255.255.0 10.10.10.2 1
route inside 10.2.30.0 255.255.255.0 10.10.10.2 1
route inside 10.2.20.0 255.255.255.0 10.10.10.2 1
route inside 10.3.10.0 255.255.255.0 10.10.10.2 1
route inside 10.3.20.0 255.255.255.0 10.10.10.2 1
route inside 10.3.30.0 255.255.255.0 10.10.10.2 1
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
route inside 10.10.0.0 255.255.0.0 10.10.10.2 1
route inside 10.10.0.0 255.255.255.0 10.10.10.2 1
!
access-list OUTSIDE-DMZ extended permit icmp any host 10.10.30.2
access-list OUTSIDE-DMZ extended permit icmp any host 10.10.30.3
access-list OUTSIDE-DMZ extended permit icmp any host 10.10.30.4
access-list OUTSIDE-DMZ extended permit tcp any host 10.10.30.4
access-list OUTSIDE-DMZ extended permit tcp any host 10.10.30.3
access-list OUTSIDE-DMZ extended permit tcp any host 10.10.30.2
access-list OUTSIDE-DMZ extended permit tcp any host 10.10.30.2 eq www
!
!
access-group OUTSIDE-DMZ in interface outside
object network LAN
 nat (inside,outside) dynamic interface
object network dmz-ftp
 nat (dmz,outside) static 209.165.200.226
object network dmz-mail
 nat (dmz,outside) static 209.165.200.226
object network dmz-web
 nat (dmz,outside) static 209.165.200.226
object network router-switch
 nat (inside,outside) dynamic interface
!
!
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
!
!
!
!
!
!

Hi,

The changes below might help. However, the configuration can be improved. The LAN object represents the whole network and you use it in a NAT statement, and then you have more NAT statements using more specific IP addressing.

If possible, add the config as a txt file. Copying and pasting into the thread body makes it very hard to analyze. You can also paste it, but as code.

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.0
 ip nat outside

 

 

-If I helped you somehow, please, rate it as useful.-

 

Since you say you have several VLANs terminating on the switch, I am assuming that the 10.10.10.0/24 subnet is not the client network but a network between the ASA and switch to allow routing to the internet.

If this is the case, then you are correct in assuming that you would need object-groups that include all your LAN subnets. Or you could create a catch-all NAT statement which matches on any source address and translates to the outside interface of the ASA. This all depends on your security policy and how many subnets you have to create objects for. The best would be to have a separate object and NAT statement for each subnet, but if you have a lot of subnets this might become an administration hassle and an object that matches all source traffic might be needed.

 

--
Please remember to select a correct answer and rate helpful posts
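As an added example (not posted by anyone in this thread), here is how the two approaches discussed in the replies above, one object per VLAN subnet grouped under a single NAT rule, or a catch-all rule, look in ASA 8.4 syntax. Two points grounded in the posted config: on ASA 8.3 and later, NAT is expressed with network objects and `nat` statements, and the IOS-style `ip nat inside` / `ip nat outside` interface commands suggested earlier are not ASA commands; and the posted `object network LAN` covers only 10.0.0.0/24, while the static routes point at 10.1.x.x, 10.2.x.x and 10.3.x.x subnets behind 10.10.10.2, so clients in those VLANs match no NAT rule and leave with their private source address. The subnets below are taken from the posted routes; the object and group names, the client address 10.1.10.50 and the destination 203.0.113.1 used in the packet-tracer check are constructed for this example.

```cisco
! Added example, not the poster's config. One network object per client
! VLAN subnet (names assumed); add the remaining routed subnets the same way.
object network NET-10-1-10-0
 subnet 10.1.10.0 255.255.255.0
object network NET-10-1-20-0
 subnet 10.1.20.0 255.255.255.0
object network NET-10-2-10-0
 subnet 10.2.10.0 255.255.255.0
object network NET-10-3-10-0
 subnet 10.3.10.0 255.255.255.0
!
object-group network INSIDE-SUBNETS
 network-object object NET-10-1-10-0
 network-object object NET-10-1-20-0
 network-object object NET-10-2-10-0
 network-object object NET-10-3-10-0
!
! Manual (twice) NAT placed in section 3 (after-auto), so the per-host DMZ
! object NAT rules are evaluated first. Real source = the group, mapped
! source = the outside interface address (dynamic PAT).
nat (inside,outside) after-auto source dynamic INSIDE-SUBNETS interface
!
! Catch-all alternative mentioned in the last reply: PAT every inside source.
! Broader than the group above, so only use it if the policy allows it.
! nat (inside,outside) after-auto source dynamic any interface
!
! Verification: confirm the rule is installed and that a client packet
! from a VLAN subnet is translated on its way out, then watch the xlate.
show nat detail
packet-tracer input inside icmp 10.1.10.50 8 0 203.0.113.1
show xlate
```

The packet-tracer output should show a NAT phase that rewrites the source 10.1.10.50 to the outside interface address; if the NAT phase is missing, the source subnet is not covered by any object or group, which is exactly the symptom described in the original question.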