
Dynamic NAT ASA 8.4 Packet Tracer not working

chicagoal00
Level 1

Hi guys,

I've tried to ping and go to a site from 192.168.1.6 to 10.10.10.12, but it's not working. I've followed a couple dynamic NAT tutorials, but I can't figure out what I'm missing. The config is below, and I'd appreciate any help.

Thanks!

 

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.0.0.0
!
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
!
!
!
!
object network inside-subnet
 nat (inside,outside) dynamic interface
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd address 192.168.1.5-192.168.1.35 inside
!
dhcpd auto_config outside
!
!
!
!
!

7 Replies

chicagoal00
Level 1

..

For pinging through the ASA you need to enable ICMP-inspection:

policy-map global_policy
  class inspection_default
    inspect icmp

Based on the shown config it should work. If not, show your full config and tell us how you are exactly testing.

That's inspect icmp....not inspect ftp  ;-)

But if that does not work, you may want to try to add an ACL to the outside interface allowing ICMP replies.

access-list TEST permit icmp any any echo-reply

access-group TEST in interface outside

--

Please remember to select a correct answer and rate helpful posts


> That's inspect icmp....not inspect ftp  ;-)

OMG ... I had an ASA window open and so I copied it instead of typing. And then I forgot to change the inspect ... I corrected it in my post.

:-D

--
Please remember to select a correct answer and rate helpful posts

Thanks guys. I'm one step closer. I can ping from 192.168.1.0 to 10.0.0.0, but I can't open a webpage. I try visiting 10.0.0.6/index.html in packet tracer and get a "Request time out" message. I tried to mirror the ACL for www, but it's not working. 

Does anyone have a suggestion? My updated config is below.

Thanks!

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.0.0.0
!
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
object network outside-subnet
 subnet 10.0.0.0 255.0.0.0
!
!
access-list TEST extended permit icmp any any echo-reply
access-list TEST extended permit tcp any any eq www
access-list http extended permit tcp any any eq www
access-list http2 extended permit udp any any eq www
!
!
access-group TEST in interface outside
object network inside-subnet
 nat (inside,outside) dynamic interface
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
!
!
!
!
!

You need a more specific NAT for that. You can do that one of two ways:

object network WWW-SERVER
 host 10.0.0.6
 nat (inside,outside) static interface service tcp www www

or

object service WEB
 service tcp destination eq http

nat (inside,outside) source static WWW-SERVER interface service WEB WEB

--

Please remember to select a correct answer and rate helpful posts
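As an added example (not from the thread or any of its posters), the check below parses a constructed, reduced copy of the original config and reports the two things the replies point at: whether dynamic NAT from inside to outside exists, and whether echo-replies can get back in, either through ICMP inspection or through an inbound ACL on outside. The `service-policy global_policy global` line in the fixed sample is the standard ASA command that applies the policy-map; it is not shown in the thread and is assumed here.

```python
import re

# Constructed sample: the thread's first config, reduced to its NAT lines.
BROKEN_CFG = """\
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
object network inside-subnet
 nat (inside,outside) dynamic interface
"""

# Constructed sample: the same config plus both fixes suggested in the replies.
# The service-policy line (standard ASA, not shown in the thread) is assumed.
FIXED_CFG = BROKEN_CFG + """\
access-list TEST extended permit icmp any any echo-reply
access-group TEST in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""

def parse_blocks(cfg):
    """Map each top-level ASA command to its indented child lines."""
    blocks, parent = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            parent = line.strip()
            blocks.setdefault(parent, [])
        elif parent is not None:
            blocks[parent].append(line.strip())
    return blocks

def check_icmp_path(cfg):
    """Return findings explaining why a ping from inside would get no reply.
    Either fix is enough: stateful ICMP inspection, or an outside ACL."""
    blocks, findings = parse_blocks(cfg), []
    if not any("nat (inside,outside) dynamic" in c
               for kids in blocks.values() for c in kids):
        findings.append("no dynamic NAT from inside to outside")
    pmap = blocks.get("policy-map global_policy", [])
    inspected = ("class inspection_default" in pmap and "inspect icmp" in pmap
                 and "service-policy global_policy global" in blocks)
    outside_acls = [m.group(1) for k in blocks
                    if (m := re.match(r"access-group (\S+) in interface outside", k))]
    reply_ok = any(re.match(rf"access-list {re.escape(n)} (extended )?permit icmp any any echo-reply", k)
                   for n in outside_acls for k in blocks)
    if not inspected and not reply_ok:
        findings.append("echo-replies will be dropped: no 'inspect icmp' in "
                        "global_policy and no outside ACL permitting echo-reply")
    return findings
```

Run `check_icmp_path()` over a `show running-config` dump to see which of the two conditions is missing before changing anything on the box.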
