cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3852
Views
50
Helpful
47
Replies

Local NAT on ASA 5505

LSAEleander
Level 1
Level 1

Hello,

I'm quit new to these boards so I'll try to explain my problem as best as I can.

If something is missing or incorrect pls inform me so I can update.

I want to do a local NAT before a VPN IPSEC because my internal range is allready know at the customers site. I've set up the static NAT rules and access policy.

Here you have the config as it is on the ASA right now.

Local server IP: 10.0.74.5

Required NAT address: 192.168.222.1

Customer range: 10.10.10.0/24

VPN Config:

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 200.200.200.200

crypto map outside_map 2 set transform-set ESP-AES-256-SHA

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key "key"

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255 -> 1-on-1 NAT

I'm allowing this first before I start narrowing it down to only ftp!

access-list outside_access_in extended permit tcp any host 192.168.222.1

access-list outside_access_in extended permit ip any host 192.168.222.1

access-list outboundnat2 permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 access-list outboundnat2

nat (inside) 1 0.0.0.0 0.0.0.0

Any help would be grately appreciated!

Kind regards,

Eleander

47 Replies 47

Jon,

I've made several changes, but the customer also has a ISDN router, on that router I just added the needed entries. (completely forgot about that one)

Get out on your MTB and go out there.

I thank you a lot for your help allready and really appreciate it.

If I can't solve it I'll repost in here.

Tomorrow is another day.

btw I'm situated in Belgium so on the GMT+1 time.

Have fun and hopefully i'll see you around.

Thx again!

"Have fun and hopefully i'll see you around"

Will do. I'm in UK so it's dark by about 4:00 (2:30 at the moment) so i'll check later or tomorrow morning.

Jon

Jon,

I've tested with inspect ftp (enabled or disable) -> no reslut!

I can see that L2L is active within the ASDM logging. (there are only 2 L2L configs on this ASA and they semm both active)

FTP from one site works well. (but the data is exempted)

When checking the log I see SYN Timeouts for this connection.

Added the 10.10.10.0 network within my Cisco 800 router to pass by the firewall (10.0.74.252) to be sure.

I'm quit in the dark here. I'm overseeing something or I'm misunderstanding somthing.

The sysopt is still active though.

Just let me know when you're back so we look any further!

Thx

Okay. Quick test to see if it is the outside acl that is the problem. Can reenable sysopt connection permit-vpn ie.

asa(config)# sysopt connection permit-vpn

and then retest and let me know. If it works at least we can concentrate on the acl.

Jon

Good mornig Jon,

Hope you had a nice ride yesterday.

I've changed the sysopt again and awaiting confirmation from the other side.

In attachement the current running & working config for our customer.

I've exempted trafic from one site and everything works well for them, but to the other site (due to sec reasons) I an only allow ftp! (STill not working)

Getting SYN timeouts within the log but I see the translation is made! Really don't get it.

Kind regards,

Eleander

Morning. Yes had a good ride. I have to go out in a minute and won't be around until about 12:00 (it's 9:00 now).

But key things to try

1) remove "no sysopt connection permit-vpn" as discussed

2) Have you determined which ftp is in use ie. passive or active. The fixup is there for the active ftp so you don't have to open up all random ports.

If after reenabling sysopt connection permit-vpn it still doesn't work then it looks like it could be an application issue. Do you know if the site that works uses ftp and if they do are they using the same ftp client as the site that isn't working.

Apolgies for not being around this morning. Considering your new to the forums don't think i'm representing them very well.

Jon

Jon,

Doesn't matter. I haven't had this much support from people in a while. For forum support I'm very very pleased so it doesn't matter!

Everyone tries to help out people on a free basis in their own free time so don't worry really.

The problem is looked into and that's the most important thing. It isn't that I have a network down issue so, and then again there are other solutions for that! :)

I'll see your response when your back.

Kind regards,

Eleander

Jon,

removed the no sysopt & still awaiting the test after the ftp fixup change. (update -> still no luck with the fixup enabled or disabled)

The ftp transfer is a "default" ftp so it's the "active" one.

These are the logs I'm getting:

2008-11-20 11:50:03 Local4.Info 10.0.74.252 Nov 20 2008 13:39:04: %ASA-6-302013: Built outbound TCP connection 19941 for outside:10.10.10.87/21 (10.10.10.87/21) to inside:10.0.74.5/5066 (192.168.222.1/5066)

2008-11-20 11:50:33 Local4.Info 10.0.74.252 Nov 20 2008 13:39:34: %ASA-6-302014: Teardown TCP connection 19941 for outside:10.10.10.87/21 to inside:10.0.74.5/5066 duration 0:00:30 bytes 0 SYN Timeout

If I'm getting this right traffic comes in from port 21 but gets translated to a '1024+x' which isn't active on my servers! This means that my NAT isn't right??

I'm getting lost here with my interpretation of the logs!!

Due to sec reasons I constantly needed to alter the IP-adressess in the files I've put only but I thought it might be worth mentioning that the servers I connect to also use a "public" range namely 143.97.x.x! Maybe this can cause problems on NAT settings!

Kind regards,

Eleander

Eleander

Back now and you have my full attention !

Can you post the config you are working with at the moment.

Jon

Like I allready said, no problem Jon, I'm verry thankfull that your willing to help me out! Whish one day my knowledge within Cisco products will grow to your level though.. :)

In attachement you can find my current config.

Bare in mind that I altered the public IP's and that, as mentioned in anothe post, the customers internal range is also a 143.x.x.x network.

As you can see I just changed the ACL for the L2L where the ftp is failing. To do another test.

I changed the ACL from these errors:

2008-11-20 11:50:03 Local4.Info 10.0.74.252 Nov 20 2008 13:39:04: %ASA-6-302013: Built outbound TCP connection 19941 for outside:10.10.10.87/21 (10.10.10.87/21) to inside:10.0.74.5/5066 (192.168.222.1/5066)

2008-11-20 11:50:33 Local4.Info 10.0.74.252 Nov 20 2008 13:39:34: %ASA-6-302014: Teardown TCP connection 19941 for outside:10.10.10.87/21 to inside:10.0.74.5/5066 duration 0:00:30 bytes 0 SYN Timeout

Kind regards,

Eleander

Okay, i'm going through the config now and there are a few things that are not clear.

1) There are a couple of access-lists that don't seem to be used anywhere eg.

outside_2_cryptomap

outboundnat2 (although it looks like you have removed this ??)

2) You have this global statement

global (outside) 2 192.168.222.10-192.168.222.20 netmask 255.255.255.0

but there is not corresponding NAT statement.

Could you also clarify exactly where the FTP is coming to and going from for both the site that works and the site that doesn't.

Thanks

Jon

Indeed I removed the outboundnat2!

The global was in there for a test and I'll delete it! (done)

The outside_2_crytomap is a typo and should be outside_cryptomap_2! (changed)

Because now I don't have any ACL on the outside_cryptomap_2!

In attachement the altered config!

FTP is comming from 10.10.10.x (defined servers in my wrong ACL's) and going to the 192.168.222.1 which is than NAT'ed to the 10.0.74.5. This is the one that is NOT working!

FTP comming an going to 194.78.124.x gives no problems at all!

Thanks for update.

access-list outside_cryptomap_2 extended permit ip host 192.168.222.1 Statoil 255.255.255.0

the above is the first line of outside_cryptomap_2. Can't see where Statoil is defined ?

You don't need the rest of this access-list and it is recommended that you do not use TCP ports in your crypto map access-lists. So really you just want the first line but you need to make sure either

a) Statoil relates to something using the "name" command

OR

b) Just use the network subnet

Now because you have now said

access-list outside_cryptomap_2 extended permit ip host 192.168.222.1 Statoil 255.255.255.0

that means to control the traffic you will indeed need to hit the outside acl. So you will have to remove sysopt connection permit-vpn eg.

asa(config)# no sysopt connection permit-vpn

By removing this you will need to ensure that your other site still works but i believe the line

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

will do the job.

However this line also means the Statoil network has full access so you need to modify your outside acl to -

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

*** new line

access-list outside_access_in deny ip 10.10.10.0 255.255.255.0 any

***

where 10.10.10.0 is the Statoil remote subnet.

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

If Statoil are using active FTP then you will need the fixup for FTP.

Sorry for all the edits but the simpler we can make the config the easier to troubleshoot.

Jon

Jon,

No problem at all, I'm getting to better understand everything.

I've changed as you proposed. In the attachement you can now find the new config.

The "statoil" referes indeed to the 10.10.10.x subnet

Inspect FTP is active.

I added all these ACL's because the customer only wants to see the allowed servers and not the complete subnet! :)

Kind regards,

Eleander

okay, we are getting there.

nat (inside) 0 access-list inside_nat0_outbound_1

You also have a nat0_outbound acl which doesn't seem to be referenced anywhere. If it isn't then you can remove it.

The change made to the outside access-list. You have

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

But you need the additional line before the last 2 lines in your acl. If you do a "sh running-config access-list outside_access_in" then it should give you the line numbers. So you can remove the last line (because it is in the wrong order)

no access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

and then insert it by using the line number eg lets say line 5 puts it's above the last 2 lines

access-list outside_access_in line 5 deny ip Statoil 255.255.255.0 any

You still haven't defined Statoil so best just make the line

access-list outside_access_in line 5 deny ip 10.10.10.0 255.255.255.0 any

As to your last point. If you only want to include individual IP addresses and not the whole subnet then object-groups are the way to go. So lets say you only want to allow

10.10.10.53, 57 & 87

object-group network Statoil_ips

network-object host 10.10.10.53

network-object host 10.10.10.57

network-object host 10.10.10.87

and then your outside access list looks like

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

** change the following 2 lines ***

access-list outside_access_in extended

permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

** to ***

access-list outside_access_in extended permit tcp object-group Statoil_ips host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp object-group Statoil_ips host 192.168.222.1 eq ftp-data

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

** move this line up above the 2 before it **

access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

You can then modify just the object-group in future if you need to add another Statoil IP or remove one of the existing ones.

Jon

Review Cisco Networking for a $25 gift card