06-18-2012 05:32 AM - edited 03-11-2019 04:20 PM
Hi all,
I am trying to convert a Cisco ASA from version 8.2 to 8.4 BUT I have a small or "little" problem:
On Cisco ASA 8.2.x, I have the possibility to create a multi-line global with different subnets.
Example :
global (outside) 2 217.1.x.65-217.x.x.66 netmask 255.255.255.240
global (outside) 1 interface <-- the interface IP is on another subnet: 217.3.x.3
global (outside) 2 217.1.x.67 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 2 192.168.4.0 255.255.255.0
What is the method or solution to translate a multi-line global in 8.4?
Along the same idea, with static translation in 8.4: I am trying to use different servers in the inside zone, but not on the same network on the outside. In the 8.2 firmware it is very easy to do, but in version 8.3-8.4 I have no idea how to handle it...
interface Vlan1
description Lien vers reseau Interne Client
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.99.16 255.255.255.0
object network rdp-test
host 192.168.0.3
nat (inside,outside) static 192.168.99.17
object network rdp-test1
host 192.168.0.4
nat (inside,inside) static 192.168.98.17
It's not a filter problem; it's probably a problem between NAT and ARP... but where???
Please, help me !!!
Have a nice day
JB
06-18-2012 08:10 AM
There is a change in the behaviour of how the ASA responds to ARP, but it doesn't start until version 8.4.3, and you are running 8.4.2.
But here is the change for your reference:
06-18-2012 06:14 AM
Here is the direct conversion:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
object network obj_inside
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
For this:
global (outside) 2 217.1.x.65-217.x.x.66 netmask 255.255.255.240
global (outside) 2 217.1.x.67 netmask 255.255.255.240
nat (dmz2) 2 192.168.4.0 255.255.255.0
object network obj-217.1.x.65-217.x.x.66
range 217.1.x.65 217.x.x.66
object network obj-217.1.x.67
host 217.1.x.67
object-group network 217.1.x.6x-group
network-object object obj-217.1.x.65-217.x.x.66
network-object object obj-217.1.x.67
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
nat (dmz2,outside) dynamic 217.1.x.6x-group
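The conversion above is mechanical: every pre-8.3 `nat (ifc) id` statement becomes an `object network` carrying the real subnet, and the `global` entries sharing that id become the mapped pool (a single object, an `object-group` when several pools share one id, or the `interface` keyword for PAT). The script below is an added example written for this page, not Cisco's own migration code, that applies exactly that rule to a constructed copy of the 8.2 lines from the question. The object names (`obj-...`, `grp-global-N`, `obj-<ifc>-any`) are my choice, and the 203.0.113.x documentation addresses stand in for the masked 217.x addresses in the post.

```python
"""Convert pre-8.3 ASA 'global'/'nat' pairs into 8.3+ object NAT (added example)."""
import re
from collections import defaultdict

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask \S+)?$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")

# Constructed input modelled on the question; 203.0.113.x replaces the masked 217.x addresses.
SAMPLE_82 = """
global (outside) 2 203.0.113.65-203.0.113.66 netmask 255.255.255.240
global (outside) 1 interface
global (outside) 2 203.0.113.67 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 2 192.168.4.0 255.255.255.0
""".splitlines()


def parse_pre83(lines):
    """Return ({nat_id: [(mapped_ifc, pool), ...]}, [(real_ifc, nat_id, net, mask), ...])."""
    pools, nats = defaultdict(list), []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifc, nat_id, pool = m.groups()
            pools[int(nat_id)].append((ifc, pool))
            continue
        m = NAT_RE.match(line)
        if m:
            ifc, nat_id, net, mask = m.groups()
            if nat_id == "0":  # identity / policy NAT needs a manual (twice) NAT rule instead
                raise ValueError("nat 0 is not handled by this converter")
            nats.append((ifc, int(nat_id), net, mask))
            continue
        raise ValueError(f"unsupported line: {line!r}")
    return pools, nats


def pool_object(pool):
    """Object definition for one global pool entry (range or single host)."""
    if "-" in pool:
        lo, hi = pool.split("-", 1)
        name = f"obj-{lo}-{hi}"
        return name, [f"object network {name}", f" range {lo} {hi}"]
    name = f"obj-{pool}"
    return name, [f"object network {name}", f" host {pool}"]


def convert(lines):
    """Emit 8.3+ configuration lines; objects are defined before they are referenced."""
    pools, nats = parse_pre83(lines)
    out, defined = [], set()
    for real_ifc, nat_id, net, mask in nats:
        entries = pools.get(nat_id)
        if not entries:
            raise ValueError(f"nat id {nat_id} has no matching global")
        mapped_ifcs = {ifc for ifc, _ in entries}
        if len(mapped_ifcs) != 1:
            raise ValueError(f"global id {nat_id} spans several interfaces: {sorted(mapped_ifcs)}")
        mapped_ifc = mapped_ifcs.pop()

        names, use_interface = [], False
        for _, pool in entries:
            if pool == "interface":      # PAT to the interface address
                use_interface = True
                continue
            name, obj_lines = pool_object(pool)
            if name not in defined:      # a pool shared by several nat ids is emitted once
                out.extend(obj_lines)
                defined.add(name)
            names.append(name)

        if not names:
            mapped = ""
        elif len(names) == 1:
            mapped = names[0]
        else:                            # several pools under one id -> one object-group
            mapped = f"grp-global-{nat_id}"
            if mapped not in defined:
                out.append(f"object-group network {mapped}")
                out.extend(f" network-object object {n}" for n in names)
                defined.add(mapped)

        # 'interface' alone means PAT; after a pool it is the PAT fallback when the pool is exhausted
        tail = " ".join(t for t in (mapped, "interface" if use_interface else "") if t)
        src = f"obj-{real_ifc}-any" if (net, mask) == ("0.0.0.0", "0.0.0.0") else f"obj-{real_ifc}-{net}"
        out += [f"object network {src}", f" subnet {net} {mask}",
                f" nat ({real_ifc},{mapped_ifc}) dynamic {tail}"]
    return out


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_82)))
```

Two checks the script makes that a hand conversion easily misses: it refuses `nat 0` (which has no object NAT equivalent and must become a manual NAT rule), and it refuses a global id whose pools sit on different interfaces, because an object can carry only one `nat` statement.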
06-18-2012 06:22 AM
Thanks Jenifer,
For the first part, perfect! Thanks a lot. But for the 2nd request: do you have an idea?
interface Vlan1
description Lien vers reseau Interne Client
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.99.16 255.255.255.0
object network rdp-test
host 192.168.0.3
nat (inside,outside) static 192.168.99.17
object network rdp-test1
host 192.168.0.4
nat (inside,inside) static 192.168.98.17
If I try these lines, the second translation doesn't work... Do you have an idea how to create a static with a different subnet on the outside?
Thank you
06-18-2012 06:27 AM
What did you have configured before on version 8.2 and below?
BTW, do you have a typo here:
object network rdp-test1
host 192.168.0.4
nat (inside,inside) static 192.168.98.17
Shouldn't it be "nat (inside,outside) static 192.168.98.17"?
06-18-2012 06:38 AM
For testing only,
I would like to use, on the outside zone, 2 IPs on different subnets (in my example, 192.168.99.x and 192.168.98.x).
I tested with an RDP server in the inside zone on IP 192.168.0.3 with NAT to 192.168.99.17; that NAT works fine.
It's an error on my part: nat (inside,OUTSIDE) static 192.168.98.17 (keyboard error on my side...)
But with inside IP 192.168.0.4, I would like, from the outside, to connect to the RDP server on the inside via the outside IP 192.168.98.17.
If I use the wizard to test the configuration, everything looks good... but in testing... problem...
In version 8.2, the static command with different IPs works correctly, but with twice NAT I don't see the right syntax...
Thank you very much for your help, and excuse my poor English.
06-18-2012 07:04 AM
And what does your access-list say on the outside interface?
Access-lists from version 8.3 onwards need to refer to the real IP, not the NATed IP anymore, so the access-list should say:
access-list
06-18-2012 07:10 AM
I have exactly this rule:
access-list
I tested with an ASA 5505 and 3 PCs; after 3 hours I haven't found a solution... ?? Very strange.
Would you like the whole configuration?
interface Vlan1
description Lien vers reseau Interne Client
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
description Lien pppoe vers Wanadoo-Orange
nameif outside
security-level 0
ip address 192.168.99.16 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name orange.fr
same-security-traffic permit intra-interface
object network Reseau-Interne
subnet 192.168.99.0 255.255.255.0
object network rdp-test
host 192.168.0.3
object network rdp-test1
host 192.168.0.4
object network Ext-9817
host 192.168.98.17
access-list ACL_OUT extended permit tcp any object rdp-test eq 3389
access-list ACL_OUT extended permit tcp any object rdp-test1 eq 3389
access-list ACL_OUT extended permit icmp any any
access-list ACL_INT extended permit icmp any any
access-list ACL_INT extended permit tcp any any
access-list ACL_INT extended permit udp any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
!
object network rdp-test
nat (inside,outside) static 192.168.99.17
!
object network rdp-test1
nat (inside,outside) static 192.168.98.17
!
nat (inside,outside) after-auto source dynamic any interface
access-group ACL_INT in interface inside
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.99.1 1
06-18-2012 07:12 AM
Yes please, the whole config would be great.
06-18-2012 07:13 AM
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name orange.fr
enable password Yn8Esq3NcXIHL35v encrypted
passwd Yn8Esq3NcXIHL35v encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description Lien vers reseau Interne Client
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
description Lien pppoe vers Wanadoo-Orange
nameif outside
security-level 0
ip address 192.168.99.16 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name orange.fr
same-security-traffic permit intra-interface
object network Reseau-Interne
subnet 192.168.99.0 255.255.255.0
object network rdp-test
host 192.168.0.3
object network rdp-test1
host 192.168.0.4
object network Ext-9817
host 192.168.98.17
access-list ACL_OUT extended permit tcp any object rdp-test eq 3389
access-list ACL_OUT extended permit tcp any object rdp-test1 eq 3389
access-list ACL_OUT extended permit icmp any any
access-list ACL_INT extended permit icmp any any
access-list ACL_INT extended permit tcp any any
access-list ACL_INT extended permit udp any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
object network rdp-test
nat (inside,outside) static 192.168.99.17
!
object network rdp-test1
nat (inside,outside) static 192.168.98.17
!
nat (inside,outside) after-auto source dynamic any interface
access-group ACL_INT in interface inside
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.99.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.99.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.99.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
06-18-2012 07:16 AM
Thank you for your help, it's very kind!
06-18-2012 07:20 AM
Can you please remove the following 2 lines:
nat (outside,inside) source static any any destination static Ext-9817 rdp-test1
nat (inside,outside) source static rdp-test1 Ext-9817 unidirectional inactive
Then "clear xlate"
Also, I believe that you have a route for 192.168.98.x pointing towards the ASA outside interface IP?
06-18-2012 07:25 AM
Sorry, these 2 lines were a test. I removed these 2 lines and did clear xlate and clear arp, but without success...
My network map :
Outside
192.168.99.16
192.168.99.1 (router) ------------+---------------------ASA-------------------Pc 192.168.0.3 (rdp)
| +-----Pc 192.168.0.4 (rdp1)
|
other PC 192.168.98.2
(used to test rdp1 from the outside)
06-18-2012 07:32 AM
Hmm, I don't think it works like that.
On your router, configure a route for 192.168.98.0/24 to point to the ASA 192.168.99.16.
Configure a PC in the 192.168.99.x subnet with the router as its default gateway and test access to 192.168.98.17.
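Why the router needs that static route, and what the ASA does with the return traffic, follows from a plain longest-prefix lookup. The block below is an added example written for this page, not part of the thread: the ASA table is the one the posted config implies (the two connected VLANs plus `route outside 0.0.0.0 0.0.0.0 192.168.99.1`), while the router tables, the interface names `lan`/`wan` and the upstream gateway 198.51.100.1 are assumptions made here for illustration.

```python
"""Longest-prefix route lookups for the topology in this thread (added example)."""
from ipaddress import ip_address, ip_network

# (prefix, next hop or None for a connected route, egress interface)
# ASA routes as implied by the posted config.
ASA_ROUTES = [
    ("192.168.0.0/24", None, "inside"),
    ("192.168.99.0/24", None, "outside"),
    ("0.0.0.0/0", "192.168.99.1", "outside"),
]
# Router tables are assumptions: its LAN plus an assumed upstream default gateway ...
ROUTER_WITHOUT_ROUTE = [
    ("192.168.99.0/24", None, "lan"),
    ("0.0.0.0/0", "198.51.100.1", "wan"),
]
# ... and the same table with the static route Jennifer asked for
# (ip route 192.168.98.0 255.255.255.0 192.168.99.16 on an IOS router).
ROUTER_WITH_ROUTE = ROUTER_WITHOUT_ROUTE + [("192.168.98.0/24", "192.168.99.16", "lan")]


def lookup(table, dst):
    """Return (network, next_hop, ifc) of the most specific matching route, or None."""
    dst = ip_address(dst)
    best = None
    for prefix, hop, ifc in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, ifc)
    return best


def next_hop(table, dst):
    """Forwarding decision as text: 'direct via X', 'A.B.C.D via X' or 'no route'."""
    match = lookup(table, dst)
    if match is None:
        return "no route"
    _, hop, ifc = match
    return f"{hop or 'direct'} via {ifc}"


def round_trip(client_ip, router_table, mapped_ip="192.168.98.17"):
    """Where the router sends the client's packet for the mapped address, and where the
    ASA sends the reply it emits on behalf of the real host (192.168.0.4 behind the static)."""
    return {
        "router_to_mapped": next_hop(router_table, mapped_ip),
        "asa_reply_to_client": next_hop(ASA_ROUTES, client_ip),
    }


if __name__ == "__main__":
    # Jennifer's test: client in 192.168.99.x, router carries the static route.
    print("99.x client, route added:   ", round_trip("192.168.99.20", ROUTER_WITH_ROUTE))
    # JB's original test: client numbered 192.168.98.2 on the shared segment, no route.
    print("98.x client, no route:      ", round_trip("192.168.98.2", ROUTER_WITHOUT_ROUTE))
```

Without the static route the router's only match for 192.168.98.17 is its default, so the packet leaves towards the upstream instead of the ASA; with it, the router hands the packet to 192.168.99.16. On the reply side, a client in 192.168.99.x is reached directly over the connected outside route, whereas a client numbered 192.168.98.2 only matches the ASA's default route and is sent to 192.168.99.1, not straight back onto the shared segment.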
06-18-2012 08:01 AM
Why?
My opinion is that it's a problem with ARP and the static on the ASA.
In version 8.2, this network map worked correctly.
When I raise the log level (debugging) on the Cisco ASA, I see the request from my PC 192.168.98.2 trying to reach the RDP server. I see the SYN (but no SYN+ACK and ACK...). At the same time, when I try to ping from 192.168.98.2 to 192.168.98.17, I see the "echo request" on the Cisco ASA and the "echo reply"!!! but on the PC, ICMP gets no reply...
Could you check this configuration on your side?
I'll try to add the route on the router but I'm skeptical.
06-18-2012 08:10 AM
I finished the test of adding the new route....
And amazing... it's all right!!! It's OK!!
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ACL_OUT; 3 elements; name hash: 0x21ec8810
access-list ACL_OUT line 1 extended permit tcp any object rdp-test eq 3389 (hitcnt=0) 0x63af37f1
access-list ACL_OUT line 1 extended permit tcp any host 192.168.0.3 eq 3389 (hitcnt=0) 0x63af37f1
access-list ACL_OUT line 2 extended permit tcp any object rdp-test1 eq 3389 (hitcnt=0) 0xc1209d8a
access-list ACL_OUT line 2 extended permit tcp any host 192.168.0.4 eq 3389 (hitcnt=1) 0xc1209d8a
access-list ACL_OUT line 3 extended permit icmp any any (hitcnt=0) 0x7ea87995
access-list ACL_INT; 3 elements; name hash: 0x88ae4fa9
access-list ACL_INT line 1 extended permit icmp any any (hitcnt=1) 0x01029607
access-list ACL_INT line 2 extended permit tcp any any (hitcnt=2) 0xe6887ad7
access-list ACL_INT line 3 extended permit udp any any (hitcnt=2) 0xba134485
ciscoasa(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static rdp-test 192.168.99.17
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static rdp-test1 192.168.98.17
translate_hits = 5, untranslate_hits = 1
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Thank you for your help, Jenifer.
But can you explain to me: if I put my PC 192.168.98.3 on the outside (and I don't add a route), why doesn't this work? The PC and the NAT translation are on the same network; in this case I shouldn't need a route.
What do you think ?