Re: Dynamic NAT issues ASA 8.2

Iridescence · ‎09-14-2017

Hi,

It's been a few days that I'm trying to figure this out and I didn't find why my NAT is not working. ( ICMP Packets dropped by NAT rule, no internet connection even though the firewall is WIDE OPEN).

I try to get a dynamic NAT with the outside Vlan being on eth0/0 assigned by DHCP on an other vlan network

my inside Vlan is 10.200.0.0/16, any eth > eth0/0

I'm fairly new in configuring NAT so I might have forgot something obvious.

Here is the config:

ASA Version 8.2(5)
!
hostname Firewall1
enable password n8g4OAMVUv3ysq.k encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.200.0.0 inside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.200.2.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 100
ip address dhcp setroute
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list insideVlan_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list aclIn extended permit ip any any
access-list insideVlan_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list inside_nat_outbound extended permit ip inside 255.255.0.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
ipv6 access-list insideVlan_access_ipv6_in permit ip any any
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 inside 255.255.0.0
access-group insideVlan_access_in in interface inside
access-group insideVlan_access_out out interface inside
access-group insideVlan_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outside_access_ipv6_in in interface outside

Thanks for your help!

Francesco Molino · ‎09-14-2017

Hi

If you want to nat your inside network to outside for getting internet access, you'll need to change your nat config like:

no nat (inside) 1 inside 255.255.0.0
no nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Iridescence · ‎09-15-2017

Hi, thank you for your answer.

Unfortunately these change don't solve the issue, I still have the packets dropped by the nat rule when I try an ICMP packet in the ASDM interface. And I still have no internet connection.

I don't really understand why I should use an 'any' source in my NAT rule as I know that any source will be on my subnet 10.200.0.0/16

Francesco Molino · ‎09-15-2017

You don't need to use any.
you can also use: nat (inside) 1 10.200.0.0 255.255.0.0

Can you run the packet-tracer command below and paste the output in a text file:
packet-tracer input inside icmp 10.200.10.1 8 0 8.8.8.8

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Iridescence · ‎09-15-2017

Here is the output:

Firewall1# packet-tracer input inside icmp 10.200.10.1 8 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group insideVlan_access_in in interface inside
access-list insideVlan_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 inside 255.255.0.0
match ip inside inside 255.255.0.0 outside any
dynamic translation to pool 1 (10.8.60.4 [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.200.10.1/0 to 10.8.60.4/61870 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 inside 255.255.0.0
match ip inside inside 255.255.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 447, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Francesco Molino · ‎09-15-2017

Here it shows that nat is working. Your traffic is natted on ip 10.8.60.4 that should correspond to your outside interface.

What's behind asa? Because this is a private ip and not a public IP.
Did you checked on that device what's going on?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Iridescence · ‎09-15-2017

Unfortunately I don't know. I'm not in charge of this network. But I have been told that it is all set up and ready for connecting my network through NAT with the asa. I only know that the gateway is 10.8.60.1 , and that I get an ip by dhcp

Francesco Molino · ‎09-15-2017

Ok try to ping the gateway with an internal host.
If that works, this is not an asa issue.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Iridescence · ‎09-16-2017

General failure when I tried to ping the gateway.

Pinging a machine inside my network works though

Francesco Molino · ‎09-16-2017

can you share a show route output from asa?

Can you ping your outside gateway from asa doing ping outside command?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Iridescence · ‎09-19-2017

Firewall1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.8.60.1 to network 0.0.0.0

C    10.8.60.0 255.255.254.0 is directly connected, outside
C    10.200.2.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 10.8.60.1, outside

and the ping

Firewall1# ping 10.8.60.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.60.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms