Local NAT on ASA 5505

LSAEleander
Level 1

Hello,

I'm quite new to these boards, so I'll try to explain my problem as best as I can.

If something is missing or incorrect, please inform me so I can update.

I want to do a local NAT before a VPN IPsec tunnel because my internal range is already known at the customer's site. I've set up the static NAT rules and access policy.

Here you have the config as it is on the ASA right now.

Local server IP: 10.0.74.5

Required NAT address: 192.168.222.1

Customer range: 10.10.10.0/24

VPN Config:

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 200.200.200.200

crypto map outside_map 2 set transform-set ESP-AES-256-SHA

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key "key"

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255   (1-to-1 NAT)

I'm allowing this first before I start narrowing it down to only FTP!

access-list outside_access_in extended permit tcp any host 192.168.222.1

access-list outside_access_in extended permit ip any host 192.168.222.1

access-list outboundnat2 permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 access-list outboundnat2

nat (inside) 1 0.0.0.0 0.0.0.0

Any help would be greatly appreciated!

Kind regards,

Eleander

47 Replies

Jon,

Sorry for the late reply, but somewhere packets still get dropped.

Can you tell me how to capture/monitor the traffic (or which document is the right one to read in this case)? I tried the packet tracer within the ASDM, but it doesn't tell me much (the packet gets dropped after the NAT resolution).

Kind regards,

Eleander

The Cisco ASA can act as a sniffer to gather information about the packets passing through its interfaces. This is important if you want to confirm that traffic from a particular host or network is actually reaching an interface. You use an ACL to identify the type of traffic and bind it to an interface with the capture command.

In the example below, an ACL called inside-capture is set up to identify packets sourced from 209.165.202.130 and destined for 209.165.200.230. The security appliance uses this ACL to capture the identified traffic on the inside interface using a capture list named cap-inside.

To view the captured packets, use the show capture command followed by the name of the capture list, or export the capture to a sniffer application like Ethereal or Wireshark. The security appliance captured 15 packets that matched the ACL on the inside interface. The first entry shows that it is a TCP SYN (shown as S after the destination port) packet sourced from 209.165.202.130 with a source port of 11084, destined for 209.165.200.230 on destination port 23. The TCP window size is 4128, while the Maximum Segment Size (MSS) is set to 536 bytes.

Example: Packet Capturing

Chicago(config)# access-list inside-capture permit ip host 209.165.202.130 host 209.165.200.230
Chicago(config)# capture cap-inside access-list inside-capture interface inside
Chicago(config)# show capture cap-inside
15 packets captured
1: 02:12:47.142189 209.165.202.130.11084 > 209.165.200.230.23: S 433720059:433720059(0) win 4128
2: 02:12:47.163489 209.165.202.130.11084 > 209.165.200.230.23: . ack 1033049551 win 4128
!Output omitted for brevity
15 packets shown

Note

When the capture command is enabled, the security appliance allocates memory right away. The default memory allocation is 512 KB. When this buffer is full, the security appliance overwrites its content from the beginning. The capture command has minimal CPU impact and is therefore one of the most important troubleshooting tools available on the Cisco ASA.

Tip

The output of the capture command can be exported in pcap format, which can be imported into a sniffing tool such as Ethereal or tcpdump for further analysis.
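Reading a capture by eye works for 15 packets but not for a busy interface. The following Python script is an added example and is not part of the original thread or of any Cisco tool: it parses the tcpdump-style lines that show capture prints, groups them into client-to-server flows and reports, per flow, whether both the SYN and the matching SYN/ACK were seen on that interface. A SYN with no SYN/ACK on the same interface is the pattern to look for when a packet is being dropped after NAT. The sample capture text is constructed: the first two lines mirror the book excerpt quoted above, the remaining lines are made-up FTP traffic for the addresses used in this thread.

```python
import re
from collections import OrderedDict

# Constructed sample of `show capture` output (tcpdump-style ASA format).
# Lines 1-2 mirror the excerpt quoted above; lines 3-5 are invented FTP traffic.
SAMPLE_CAPTURE = """\
15 packets captured
   1: 02:12:47.142189 209.165.202.130.11084 > 209.165.200.230.23: S 433720059:433720059(0) win 4128
   2: 02:12:47.163489 209.165.202.130.11084 > 209.165.200.230.23: . ack 1033049551 win 4128
   3: 02:12:48.001002 10.10.10.87.44276 > 10.0.74.5.21: S 1000:1000(0) win 5840
   4: 02:12:48.001900 10.0.74.5.21 > 10.10.10.87.44276: S 2000:2000(0) ack 1001 win 4128
   5: 02:12:49.100000 10.10.10.88.50000 > 10.0.74.5.21: S 3000:3000(0) win 5840
15 packets shown
"""

# One capture line: "<n>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <flags> <rest>"
# Flags use the old tcpdump letters (S, F, P, R, or "." for none); "ack" appears in <rest>.
PKT_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*"
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)


def parse_capture(text):
    """Return one dict per packet line; the header/footer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["num"] = int(d["num"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        d["syn"] = "S" in d["flags"]
        d["ack"] = re.search(r"\back\b", d["rest"]) is not None
        packets.append(d)
    return packets


def handshake_report(packets):
    """Map each client->server flow to the handshake state seen on this interface."""
    flows = OrderedDict()
    for p in packets:
        if p["syn"] and not p["ack"]:
            # Plain SYN: the sender is the client.
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flows.setdefault(key, {"syn": 0, "synack": 0})["syn"] += 1
        elif p["syn"] and p["ack"]:
            # SYN/ACK: the sender is the server, so flip the tuple.
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            flows.setdefault(key, {"syn": 0, "synack": 0})["synack"] += 1
    report = OrderedDict()
    for (c, cp, s, sp), st in flows.items():
        name = f"{c}:{cp}->{s}:{sp}"
        if st["syn"] and st["synack"]:
            report[name] = "SYN and SYN/ACK seen"
        elif st["syn"]:
            report[name] = "SYN seen, no SYN/ACK on this interface"
        else:
            report[name] = "SYN/ACK seen without the SYN"
    return report


if __name__ == "__main__":
    for flow, state in handshake_report(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{flow:45s} {state}")
```

Paste the output of show capture on each interface into the script in turn: a flow that shows "SYN seen, no SYN/ACK" on the inside capture but never appears at all on the outside capture was dropped inside the box, which is where the packet-tracer or NAT/ACL configuration needs to be checked next.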

Hi Jon,

The ACL typo already changed a lot! (This is why you need someone external to look at the messages! :) )

Now I'm getting these error messages:

2008-11-20 13:42:51 Local4.Info 10.0.74.252 Nov 20 2008 13:42:40: %ASA-6-106015: Deny TCP (no connection) from 10.0.74.5/21 to 10.10.10.87/44276 flags SYN ACK on interface inside
