09-14-2017 03:19 PM - edited 02-21-2020 06:18 AM
Hi,
I've been trying to figure this out for a few days and I haven't found why my NAT is not working (ICMP packets dropped by the NAT rule, no internet connection even though the firewall is WIDE OPEN).
I'm trying to get dynamic NAT working with the outside VLAN being on eth0/0, assigned by DHCP on another VLAN network.
My inside VLAN is 10.200.0.0/16, any eth > eth0/0.
I'm fairly new to configuring NAT so I might have forgotten something obvious.
Here is the config:
ASA Version 8.2(5)
!
hostname Firewall1
enable password n8g4OAMVUv3ysq.k encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.200.0.0 inside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.200.2.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 100
ip address dhcp setroute
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list insideVlan_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list aclIn extended permit ip any any
access-list insideVlan_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list inside_nat_outbound extended permit ip inside 255.255.0.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
ipv6 access-list insideVlan_access_ipv6_in permit ip any any
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 inside 255.255.0.0
access-group insideVlan_access_in in interface inside
access-group insideVlan_access_out out interface inside
access-group insideVlan_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outside_access_ipv6_in in interface outside
Thanks for your help!
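As an added example (not code from this thread or from Cisco), a small Python checker for the pre-8.3 ASA syntax shown above: it parses nameif/security-level, the nat/global id pairing and the access-group bindings, and flags an outside interface sharing the inside security level, a nat id with no matching global, and any-any ACLs applied inbound. The config sample is constructed from the post's lines; the checks are review points, not a diagnosis of this particular fault.

```python
import re
# Constructed sample: the post's ASA 8.2 config reduced to the lines the checks need.
SAMPLE_CONFIG = """interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 100
access-list outside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 inside 255.255.0.0
access-group outside_access_in in interface outside
"""

def parse_asa(text):
    # Pre-8.3 syntax: nat/global are paired by numeric id; ACLs are bound with access-group.
    ifaces, nat, glob, acls, bindings = {}, {}, {}, {}, []
    nameif = None
    for s in map(str.strip, text.splitlines()):
        if s.startswith("interface "):
            nameif = None                       # new interface block; nameif comes next
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("security-level ") and nameif:
            ifaces[nameif] = int(s.split()[1])  # nameif -> security-level
        elif m := re.match(r"nat \((\S+)\) (\d+) ", s):
            nat.setdefault(int(m.group(2)), []).append(m.group(1))    # id -> interfaces
        elif m := re.match(r"global \((\S+)\) (\d+) ", s):
            glob.setdefault(int(m.group(2)), []).append(m.group(1))   # id -> interfaces
        elif m := re.match(r"access-list (\S+) extended (.*)", s):
            acls.setdefault(m.group(1), []).append(m.group(2))        # name -> rule bodies
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", s):
            bindings.append(m.groups())                               # (acl, dir, iface)
    return {"ifaces": ifaces, "nat": nat, "global": glob, "acls": acls, "bindings": bindings}

def audit(cfg):
    # Findings a reviewer raises before digging into the NAT rule itself.
    findings = []
    inside_lvl = cfg["ifaces"].get("inside")
    for name, lvl in cfg["ifaces"].items():
        if name != "inside" and lvl == inside_lvl:
            findings.append(f"{name} shares security-level {lvl} with inside")
    for nid, ifs in cfg["nat"].items():
        if nid != 0 and nid not in cfg["global"]:   # id 0 is NAT exemption; needs no global
            findings.append(f"nat id {nid} on {sorted(set(ifs))} has no matching global")
    for acl, direction, iface in cfg["bindings"]:
        if direction == "in" and any(r.startswith("permit ip any any") for r in cfg["acls"].get(acl, [])):
            findings.append(f"{acl} permits ip any any inbound on {iface}")
    return findings
```

Run `audit(parse_asa(open("running-config.txt").read()))` against a saved `show running-config` to list the review points for your own box.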
09-14-2017 05:20 PM
09-15-2017 05:28 AM
Hi, thank you for your answer.
Unfortunately these changes don't solve the issue; I still have the packets dropped by the NAT rule when I try an ICMP packet in the ASDM interface, and I still have no internet connection.
I don't really understand why I should use an 'any' source in my NAT rule, as I know that any source will be on my subnet 10.200.0.0/16.
09-15-2017 06:54 AM
09-15-2017 01:36 PM
09-15-2017 02:48 PM
09-15-2017 03:56 PM
Unfortunately I don't know. I'm not in charge of this network. But I have been told that it is all set up and ready for connecting my network through NAT with the ASA. I only know that the gateway is 10.8.60.1, and that I get an IP by DHCP.
09-15-2017 04:30 PM
09-16-2017 06:16 AM
General failure when I tried to ping the gateway.
Pinging a machine inside my network works though.
09-16-2017 12:39 PM
09-19-2017 12:52 PM
Firewall1# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.8.60.1 to network 0.0.0.0
C 10.8.60.0 255.255.254.0 is directly connected, outside
C 10.200.2.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 10.8.60.1, outside
And the ping:
Firewall1# ping 10.8.60.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.60.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms