Solved: NAT Configuration on ASA 9.1(1)

dharmendra2shah · ‎01-22-2013

I recently installed an ASA firewall for one of our customer. I am trying to map the web server’s private address to the public address:

The private address is 192.168.207.15

The public address is 71.x.x.51

Here is the NAT configuration. For some reason this configuration is not working. I am not sure what is wrong with this configuration.

object network inside-out

nat (any,outside) static interface

object network new-www

nat (inside,outside) static 71.x.x.51

access-group inside_access_in in interface inside

access-group global_access global

NOTE: Inside network users can access Internet just fine. But I just cannot get natting to work.

Ds

Jouni Forss · ‎01-24-2013

Hi,

The only thing that caught my eye on a fast scroll through the configuration was this

sysopt noproxyarp outside

I think the above command might prevent the ASA from responding to ARP requests related to the configuration Static NAT public IP address.

This NAT configuration also seems wierd to me

object network inside-out

nat (any,outside) static interface

If the above is meant to be the Default NAT rule for Internet traffic I would change it to

nat (any,outside) after-auto source dynamic any interface

- Jouni

View solution in original post

Jouni Forss · ‎01-22-2013

Hi,

I would recomend the following format for NAT configurations

Default PAT

object-group network DEFAULT-PAT-SOURCE

network-object

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Static NAT

object network WWW

host 192.168.207.15

nat (inside,outside) static 71.x.x.51

access-list outside_access_in permit tcp any4 object WWW eq www

access-group outside_access_in in interface outside

I see you have some "global" ACLs configured. I would recomend using 1 ACL per interface instead of global. OR only using global ACLs

But the above should handle your needs. "outside_access_in" ACL name can naturally be something else.

Did you have an ACL permitting the "www" traffic from Internet to the server? Or was there some other problems?

- Jouni

dharmendra2shah · ‎01-22-2013

Yes. I do have ACL permitting the www traffic:

access-list global_access extended permit icmp any object new-www

access-list global_access extended permit tcp any object new-www eq www

Ds

Jouni Forss · ‎01-22-2013

Hi,

I'm just wondering why you seem to have an ACL attached to an interface but also a "global" attached ACL that controls traffic through all interfaces.

I havent used 9.x software myself yet so I'm wondering what the ACL format is regarding "any". I remember seeing "any4" and "any6". It would seem "any" still exists there still?

To test the actual firewall rules, could you use the "packet-tracer" command to simulate someone connecting to the Web server.

packet-tracer input outside tcp 71.x.x.51 80

Then copy/paste the output here to see what would happen to connection with the above information.

- Jouni

dharmendra2shah · ‎01-23-2013

Thanks Jouni. I'll try the packet-tracer today and let you know the output. I am also going to remove the global ACL and try the other ACL you recommended.

My hunch is most likely removing the global ACL and putting the other ACL you recommended should resolve the issue.

Ds

dharmendra2shah · ‎01-24-2013

Jouni-

I believe I have the correct ACLs and the NAT rule but still it is not working.

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object inside-network object-group DM_INLINE_NETWORK_3

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list XXXX-Systems-Subnet standard permit 192.168.207.0 255.255.255.0

access-list outside_access_in extended permit tcp any4 object www-out eq www

nat (inside,outside) source static inside-network inside-network destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup

object network inside-out

nat (any,outside) static interface

object network www-out

nat (inside,outside) static 71.x.x.51

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

Here is the output of packet-tracker:

packet-tracer input outside tcp 157.166.249.10 4444 71.x.x.51 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks for your help

Ds

Jouni Forss · ‎01-24-2013

Hi,

Can you show your "inside" and "outside" interface configurations?

- Jouni

dharmendra2shah · ‎01-24-2013

ASA Version 9.1(1)

!

hostname as-ciscoasa-5515

!

interface GigabitEthernet0/0

description Outside Interface of new firewall

nameif outside

security-level 0

ip address 71.x.x.50 255.255.255.248

!

interface GigabitEthernet0/1

description inside interface of new firewall

nameif inside

security-level 100

ip address 192.168.207.254 255.255.255.0

Jouni Forss · ‎01-24-2013

I just changed my own ASA to software 9.1(1)

I configured a simply Static NAT and made the ACL and then did the packet-tracer

And everything seems to be working ok.

I don't know why its showing the above result in the packet-tracer for you. I imagine there must be some configuration preventing this from working.

In my case I see "UN-NAT" phase at the start.

- Jouni

dharmendra2shah · ‎01-24-2013

We do have a site to site vpn with our business partner. But that is working fine.Here is configuration for your review. Let me know if I am missing anything:

as-ciscoasa-5515# show run

: Saved

:

ASA Version 9.1(1)

!

hostname as-ciscoasa-5515

domain-name *****************.com

enable password IwcadQrUfCKovNfC encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool VPN-DHCP-Pool 192.168.206.10-192.168.206.50 mask 255.255.255.0

!

interface GigabitEthernet0/0

description Outside Interface of new firewall

nameif outside

security-level 0

ip address 71.x.x.50 255.255.255.248

!

interface GigabitEthernet0/1

description inside interface of new firewall

nameif inside

security-level 100

ip address 192.168.207.254 255.255.255.0

!

interface GigabitEthernet0/2

description DMZ interface for Web & Ftp server

nameif dmz

security-level 50

ip address 10.168.1.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

description Out of Band Management Interface

management-only

nameif management

security-level 90

ip address 192.168.1.1 255.255.255.0

!

time-range 24x7

!

banner login *********************************************************

banner login THIS SYSTEM IS FOR ***************** SYSTEMS INC. USE ONLY !!!!!

banner login Unauthorized access to and/or use of this computer system

banner login is violation of law and is punishable under provisions of

banner login applicable statutes. Use of this system constitutes consent

banner login to security testing and monitoring.

banner login *********************************************************

banner asdm *********************************************************

banner asdm THIS SYSTEM IS FOR ***************** SYSTEMS INC. USE ONLY !!!!!

banner asdm Unauthorized access to and/or use of this computer system

banner asdm is violation of law and is punishable under provisions of

banner asdm applicable statutes. Use of this system constitutes consent

banner asdm to security testing and monitoring.

banner asdm *********************************************************

boot system disk0:/asa911-smp-k8.bin

boot system disk0:/asa861-smp-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 68.115.71.53

name-server 24.196.64.53

domain-name *****************.com

object network dotsubnet218

subnet 10.147.218.0 255.255.254.0

object network dotsubnet4

subnet 10.147.4.0 255.255.255.0

object network dotsubnet50

subnet 10.147.50.0 255.255.254.0

object network dotsubnet7

subnet 10.147.7.0 255.255.255.0

object network dotsubnet90

subnet 10.147.90.0 255.255.254.0

object network inside-network

subnet 192.168.207.0 255.255.255.0

description inside network

object network inside-out

subnet 192.168.207.0 255.255.255.0

object network oraop01

host 10.147.90.56

object service www

service tcp source eq www destination eq www

object network webserver

host 71.13.8.51

description Web Server IP Address (Inside)

object network new-www

host 192.168.207.235

object network www1

host 192.168.207.92

description www Server

object network www11

host 192.168.207.92

object network 192.168.207.15

host 192.168.207.15

object network www2

host 192.168.207.15

object network 192.168.207.16

host 192.168.207.16

object network 192.168.207.15-new

host 192.168.207.15

object network 5515-new-web

host 192.168.207.15

object network www-out

host 192.168.207.15

object-group network DM_INLINE_NETWORK_1

network-object object dotsubnet7

network-object object dotsubnet90

network-object object dotsubnet4

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group network DM_INLINE_NETWORK_2

network-object object dotsubnet4

network-object object dotsubnet7

network-object object dotsubnet90

network-object object oraop01

object-group network DM_INLINE_NETWORK_3

network-object object dotsubnet4

network-object object dotsubnet7

network-object object dotsubnet90

network-object object oraop01

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object inside-network object-group DM_INLINE_NETWORK_3

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list *****************-Systems-Subnet remark Allow Access to ***************** Network

access-list *****************-Systems-Subnet standard permit 192.168.207.0 255.255.255.0

access-list outside_access_in extended permit tcp any4 object www-out eq www

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1400

mtu inside 1500

mtu dmz 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit 10.147.0.0 255.255.0.0 outside

icmp permit any outside

icmp permit any inside

icmp permit any dmz

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static inside-network inside-network destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup

!

object network inside-out

nat (any,outside) static interface

object network www-out

nat (inside,outside) static 71.13.8.51

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 71.13.8.49 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:12:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http server idle-timeout 60

http 192.168.1.0 255.255.255.0 management

http 192.168.207.0 255.255.255.0 inside

http 69.130.253.199 255.255.255.255 outside

no snmp-server location

no snmp-server contact

<--- More --->

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sysopt connection tcpmss 1350

sysopt connection preserve-vpn-flows

sysopt noproxyarp outside

sysopt noproxyarp inside

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association pmtu-aging infinite

crypto ipsec df-bit clear-df outside

crypto ipsec df-bit clear-df inside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 10.147.34.2

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5

crypto map outside_map 1 set security-association lifetime seconds 43200

crypto map outside_map 1 set nat-t-disable

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto isakmp identity address

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime none

telnet timeout 5

ssh 69.130.253.199 255.255.255.255 outside

ssh 192.168.207.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 60

console timeout 0

management-access inside

dhcpd address 192.168.207.21-192.168.207.200 inside

dhcpd dns 192.168.207.18 68.115.71.53 interface inside

dhcpd ping_timeout 750 interface inside

dhcpd domain *****************.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption rc4-md5

webvpn

csd image disk0:/csd_3.5.2008-k9.pkg

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3

group-policy GroupPolicy_10.147.34.2 internal

group-policy GroupPolicy_10.147.34.2 attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol ikev1

group-policy RemoteAccessVPN-*****************-Inc-Group-Policy internal

group-policy RemoteAccessVPN-*****************-Inc-Group-Policy attributes

banner value *********************************************************

banner value THIS SYSTEM IS FOR ***************** SYSTEMS INC. USE ONLY !!!!!

banner value Unauthorized access to and/or use of this computer system

banner value is violation of law and is punishable under provisions of

banner value applicable statutes. Use of this system constitutes consent

banner value to security testing and monitoring.

banner value *********************************************************

dns-server value 192.168.207.235

vpn-access-hours value 24x7

vpn-simultaneous-logins 3

vpn-idle-timeout none

vpn-session-timeout none

vpn-filter value *****************-Systems-Subnet

vpn-tunnel-protocol ikev1

password-storage enable

ip-comp enable

re-xauth enable

group-lock value RemoteAccessVPN-*****************-Inc

pfs enable

ipsec-udp enable

split-tunnel-policy tunnelall

default-domain value *****************.com

username milind password ASZJyNjPKDhBt550 encrypted

username milind attributes

vpn-group-policy RemoteAccessVPN-*****************-Inc-Group-Policy

group-lock value RemoteAccessVPN-*****************-Inc

username admin password xybduiDZ39uOf5jx encrypted privilege 15

username garyl password iS0J9AX.XdOV.UtO encrypted

username garyl attributes

vpn-group-policy RemoteAccessVPN-*****************-Inc-Group-Policy

group-lock value RemoteAccessVPN-*****************-Inc

username dshah password QFCzXoiTw/uLllIy encrypted privilege 15

tunnel-group 10.147.34.2 type ipsec-l2l

tunnel-group 10.147.34.2 general-attributes

default-group-policy GroupPolicy_10.147.34.2

tunnel-group 10.147.34.2 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group RemoteAccessVPN-*****************-Inc type remote-access

tunnel-group RemoteAccessVPN-*****************-Inc general-attributes

address-pool VPN-DHCP-Pool

default-group-policy RemoteAccessVPN-*****************-Inc-Group-Policy

tunnel-group RemoteAccessVPN-*****************-Inc ipsec-attributes

ikev1 pre-shared-key *****

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly 13

subscribe-to-alert-group configuration periodic monthly 13

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:aeb9b9074cc624acdb9f2b996ae1198c

: end

as-ciscoasa-5515#

as-ciscoasa-5515# exit

Logoff

Jouni Forss · ‎01-24-2013

Hi,

The only thing that caught my eye on a fast scroll through the configuration was this

sysopt noproxyarp outside

I think the above command might prevent the ASA from responding to ARP requests related to the configuration Static NAT public IP address.

This NAT configuration also seems wierd to me

object network inside-out

nat (any,outside) static interface

If the above is meant to be the Default NAT rule for Internet traffic I would change it to

nat (any,outside) after-auto source dynamic any interface

- Jouni

dharmendra2shah · ‎01-24-2013

Thanks Jouni-

I think it might be :

sysopt noproxyarp outside.

I was troublshooting application performance for site to site VPN. I might have enabled that command. Things did not break until we rebooted the ISP modem. It all makes sense now because the ISP was also saying that the arp is incomplete for the web server IP.

I will try disabling the command and see if that fixes the problem. This time I am quite positive.

Ds

Jouni Forss · ‎01-25-2013

Hi,

Did you get this working? Did the changing of the "proxyarp" setting help at all?

- Jouni

dharmendra2shah · ‎01-25-2013

Jouni-

I have not tried yet. I will try that later in the afternoon. I will let you know right away.

Ds

dharmendra2shah · ‎01-25-2013

That was it Jouni. As soon as I added "no sysopt noproxyarp outside"

The web site started working from outside world.

Ds