Solved: Internet access from inside network

MediaNetMat · ‎03-12-2016

Hi,

From few days I'm trying to create a NAT from my local network (10.0.50.1/24) to the public interface (using the same IP address as public interface) so what I did is:

myLAB(config)# object network INSIDE-SUBNET
myLAB(config-network-object)# nat (inside,outside) dynamic interface

Unfortunately it's not working. Any idea why?

My ASA configuration:

ASA Version 9.1(7)
!
hostname myLAB
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny tcp any4 any4 eq domain
xlate per-session deny tcp any4 any6 eq domain
xlate per-session deny tcp any6 any4 eq domain
xlate per-session deny tcp any6 any6 eq domain
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.50.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 11.21.31.2 255.255.255.0
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 xxx.x.x.x.x
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistic access-list
no threat-detection statics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-lenght maximum client auto
message-lenght maximum 512
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect sip
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

Aditya Ganjoo · ‎03-13-2016

Hi,

To enable ping responses on the test PC enable ICMP inspection on the ASA.

fixup protocol icmp

Also check your DNS settings on the PC, try a global DNS server like 4.2.2.2.

And can you share the show run nat config of your ASA ?

Regards,

Aditya

Please rate helpful posts.

View solution in original post

Akshay Rastogi · ‎03-13-2016

Hi,

Can you please try from any other device in the same subnet of inside interface if that is able to reach internet or not?

Also check the routing table of that Server(it might be having one persistent default route on the Server pointing to some other ip than ASA inside interface).

Also remove any other nat created earlier for this traffic to work and add the below one:

object network obj-10.0.50.0

subnet 10.0.50.0 255.255.255.0

nat(inside,outside) dynamic interface

If you are using the same switch to connect eth0/0 and eth0/1 then make sure that eth0/0 and ISP modem is in vlan 2 and eth0/1 and server in vlan 1

Perform packet-tracer and paste the output here if that doesn't work :

packet-tracer input inside tcp 10.0.50.50 12345 8.8.8.8 80 detail

Hope it helps:

Regards,

Akshay Rastogi

Remember to rate helpful posts.

View solution in original post

Aditya Ganjoo · ‎03-12-2016

Hi Mat,

Config seems fine.

Could you share the output of packet-tracer ?

What traffic are you testing ?

packet-tracer input inside tcp 10.0.50.2 6767 4.2.2.2 80 detailed

Regards,

Aditya

Please rate helpful posts

MediaNetMat · ‎03-12-2016

I'm getting:

myLAB# packet-tracer input inside tcp 10.0.50.2 6767 4.2.2.2 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in     0.0.0.0        0.0.0.0

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcbe0f6f0, priority=1, domain=nat-per-session, deny=true
     hits=513, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
         src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
         input_ifc=any, output_ifc=any

Phase: 3
Type: IP-OPTION
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcc0a9c48, priority=0, domain=inspect-ip-options, deny=true
     hits=12, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
         src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
         input_ifc=inside, output_ifc=any

Phase: 4
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcc0f6480, priority=0, domain=host-limit, deny=false
     hits=8, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
         src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
         input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcbe0f6f0, priority=1, domain=nat-per-session, deny=true
     hits=515, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
         src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
         input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTION
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcc0e85d0, priority=0, domain=inspect-ip-options, deny=true
     hits=140, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
         src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
         input_ifc=outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
 New flow created with id 149, packet dispatched to next module
 Module information for forward flow ...
 snp_pf_tracer_drop
 snp_pf_inspect_ip_options
 snp_pf_tcp_normalizer
 snp_pf_translate
 snp_pf_adjacency
 snp_pf_fragment
 snp_pf_stat

 Module information for reverse flow ...
 snp_pf_tracer_drop
 snp_pf_inspect_ip_options
 snp_pf_translate
 snp_pf_tcp_normalizer
 snp_pf_adjacency
 snp_pf_fragment
 snp_pf_stat

 Result:
 input-interface: inside
 input-status: up
 input-line-status: up
 output-interface: outside
 output-status: up
 output-line-status: up
 Action: allow

Aditya Ganjoo · ‎03-12-2016

Hi,

I do not see NAT statement being hit in the packet tracer.

Could you try creating a manual NAT statement and then test ?

nat (inside,outside) 1 source dynamic INSIDE-SUBNET interface

Regards,

Aditya

Please rate helpful posts.

MediaNetMat · ‎03-12-2016

Now I'm getting:

ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded.

So what I did then is:

object network inside
subnet 10.0.50.0 255.255.255.0
nat (inside,outside) 1 source dynamic inside interface

but I still can't get any internet access on 10.0.50.1/24 subnet (on the server connected to port 1)

MediaNetMat · ‎03-12-2016

any idea how to fix this issue?

Marius Gunnerud · ‎03-12-2016

Try doing the NAT in section 2 (auto NAT).

object network inside

subnet 10.0.50.0 255.255.255.0

nat (inside,outside) dynamic interface

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

MediaNetMat · ‎03-13-2016

Still not working :(

It should be so simple - but I spend on it few hours and I still can't make that work...

Akshay Rastogi · ‎03-13-2016

Hi,

Can you please try from any other device in the same subnet of inside interface if that is able to reach internet or not?

Also check the routing table of that Server(it might be having one persistent default route on the Server pointing to some other ip than ASA inside interface).

Also remove any other nat created earlier for this traffic to work and add the below one:

object network obj-10.0.50.0

subnet 10.0.50.0 255.255.255.0

nat(inside,outside) dynamic interface

If you are using the same switch to connect eth0/0 and eth0/1 then make sure that eth0/0 and ISP modem is in vlan 2 and eth0/1 and server in vlan 1

Perform packet-tracer and paste the output here if that doesn't work :

packet-tracer input inside tcp 10.0.50.50 12345 8.8.8.8 80 detail

Hope it helps:

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Aditya Ganjoo · ‎03-12-2016

Hi,

My bad.

Try this:

object network INSIDE-SUBNET
subnet 10.0.50.0 255.255.255.0
nat (inside,outside) 1 source dynamic inside interface

Regards,

Aditya

Please rate helpful posts.

MediaNetMat · ‎03-13-2016

Still nothing :(

Configuration on the server looks good to me + I can ping the firewall:

IP:10.0.50.50

NETMASK:255.255.255.0

GATEWAY:10.0.50.1

Not sure if that will help but I'm using Cisco ASA 5505.

I can access internet from my firewall without any problem. The problems starts when I'm trying to access internet from my server on interface 0/1

Aditya Ganjoo · ‎03-13-2016

Hi,

To enable ping responses on the test PC enable ICMP inspection on the ASA.

fixup protocol icmp

Also check your DNS settings on the PC, try a global DNS server like 4.2.2.2.

And can you share the show run nat config of your ASA ?

Regards,

Aditya

Please rate helpful posts.

Marius Gunnerud · ‎03-13-2016

Fixup command is legacy and the new command is inspect icmp under the golbal inspection policy...But having said that, will also add the inspect icmp to the inspection policy. just saying :-)

Could you run a new packet tracer with the inside server as the source and 4.2.2.2 as destination please.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts