Dynamic NAT issues ASA 8.2

Iridescence
Level 1

Hi,

I've been trying to figure this out for a few days and I haven't found why my NAT is not working (ICMP packets dropped by the NAT rule, no internet connection even though the firewall is WIDE OPEN).

I'm trying to get dynamic NAT working, with the outside VLAN being on eth0/0, assigned by DHCP on another VLAN network.

My inside VLAN is 10.200.0.0/16, any eth > eth0/0.

I'm fairly new to configuring NAT, so I might have forgotten something obvious.

Here is the config:

ASA Version 8.2(5)
!
hostname Firewall1
enable password n8g4OAMVUv3ysq.k encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.200.0.0 inside
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.200.2.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 100
 ip address dhcp setroute
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list insideVlan_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list aclIn extended permit ip any any
access-list insideVlan_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list inside_nat_outbound extended permit ip inside 255.255.0.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
ipv6 access-list insideVlan_access_ipv6_in permit ip any any
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 inside 255.255.0.0
access-group insideVlan_access_in in interface inside
access-group insideVlan_access_out out interface inside
access-group insideVlan_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outside_access_ipv6_in in interface outside

Thanks for your help!


Francesco Molino
VIP Alumni
Hi

If you want to NAT your inside network to the outside to get internet access, you'll need to change your NAT config like this:

no nat (inside) 1 inside 255.255.0.0
no nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 0.0.0.0 0.0.0.0


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, thank you for your answer.

Unfortunately these changes don't solve the issue; I still have the packets dropped by the NAT rule when I try an ICMP packet in the ASDM interface. And I still have no internet connection.

 

I don't really understand why I should use an 'any' source in my NAT rule, as I know that any source will be on my subnet 10.200.0.0/16.

You don't need to use any.
You can also use: nat (inside) 1 10.200.0.0 255.255.0.0

Can you run the packet-tracer command below and paste the output in a text file:
packet-tracer input inside icmp 10.200.10.1 8 0 8.8.8.8



Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here is the output:

Firewall1# packet-tracer input inside icmp 10.200.10.1 8 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group insideVlan_access_in in interface inside
access-list insideVlan_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 inside 255.255.0.0
match ip inside inside 255.255.0.0 outside any
dynamic translation to pool 1 (10.8.60.4 [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.200.10.1/0 to 10.8.60.4/61870 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 inside 255.255.0.0
match ip inside inside 255.255.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 447, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Here it shows that NAT is working. Your traffic is NATed to IP 10.8.60.4, which should correspond to your outside interface.

What's behind the ASA? Because this is a private IP and not a public IP.
Did you check on that device what's going on?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
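The trace above can be read mechanically. The following is an added example, not code from the thread: a small Python parser for packet-tracer output that reports the final action, any phase whose result is not ALLOW, and the NAT translation performed, so the two things checked in this thread (did NAT translate, and what was the verdict) can be pulled out of a saved trace. The sample trace is a constructed excerpt in the same format as the output posted above, and the function names are mine.

```python
import re

# Constructed excerpt in the format of the packet-tracer output posted above (not the full trace).
SAMPLE = """\
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 inside 255.255.0.0
dynamic translation to pool 1 (10.8.60.4 [Interface PAT])
Additional Information:
Dynamic translate 10.200.10.1/0 to 10.8.60.4/61870 using netmask 255.255.255.255

Result:
Action: allow
"""
XLATE_RE = re.compile(r"Dynamic translate (\S+) to (\S+)")


def parse_phases(text):
    """Split a trace into per-phase dicts and return (phases, final Action)."""
    phases, current, action = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(":")
        value = value.strip()
        if not sep:  # no colon: config or translation detail belonging to the current phase
            if current is not None and line:
                current["body"].append(line)
        elif key == "Phase":
            current = {"num": int(value), "type": "", "result": "", "body": []}
            phases.append(current)
        elif key == "Result" and not value:  # a bare "Result:" opens the final summary block
            current = None
        elif key == "Action":
            action = value
        elif current is not None and key in ("Type", "Result"):
            current[key.lower()] = value
    return phases, action


def summarize(text):
    """Reduce a trace to what you check first: verdict, non-ALLOW phases, NAT translation."""
    phases, action = parse_phases(text)
    drops = [(p["num"], p["type"]) for p in phases if p["result"] != "ALLOW"]
    xlate = next((XLATE_RE.search(b).groups() for p in phases if p["type"] == "NAT"
                  for b in p["body"] if XLATE_RE.search(b)), None)
    return {"action": action, "drops": drops, "nat": xlate, "phases": len(phases)}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A trace where the NAT phase reports DROP comes back with that phase number and type in "drops" and "nat" set to None, which is the first thing to look at when the ASDM packet tracer says the NAT rule dropped the packet.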

Unfortunately I don't know. I'm not in charge of this network, but I have been told that it is all set up and ready for connecting my network through NAT with the ASA. I only know that the gateway is 10.8.60.1, and that I get an IP by DHCP.

OK, try to ping the gateway from an internal host.
If that works, this is not an ASA issue.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

General failure when I tried to ping the gateway.

Pinging a machine inside my network works, though.

Can you share a show route output from the ASA?

Can you ping your outside gateway from the ASA using the ping outside command?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Firewall1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.8.60.1 to network 0.0.0.0

C    10.8.60.0 255.255.254.0 is directly connected, outside
C    10.200.2.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 10.8.60.1, outside

And the ping:

Firewall1# ping 10.8.60.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.60.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
