NAT EXEMPTION on ASA 9.0

nkladakis
Level 1

Hello,

I want a router (887) behind the ASA, with a public address, to get to the internet without being NATed by the ASA.

Everything else is working.

So this is the setup:

10.0.0.0/8     0.0.0.0/0
    |              |
 border router (877W) ---79.x.x.112/29---> ASA firewall ---79.x.x.120/29---> router (887) ---10.0.0.0/24---> client

These are the NAT rules:

1st (not working)
nat (inside,outside) source static inside-network inside-network destination static ALL ALL

2nd (working)
nat (inside,outside) source static DEFAULT-PAT-SOURCE DEFAULT-PAT-SOURCE destination static DEFAULT-PAT-SOURCE DEFAULT-PAT-SOURCE

3rd (working)
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface destination static ALL ALL


object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1

object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0

object-group network DEFAULT-PAT-SOURCE
 network-object object 172ari
 network-object object 192ari
 network-object object dekari

object network 172ari
 subnet 172.16.32.0 255.255.255.0
object network 192ari
 subnet 192.168.0.0 255.255.0.0
object network dekari
 subnet 10.0.0.0 255.0.0.0

object network inside-network
 subnet 79.x.x.120 255.255.255.248


The 1st NAT rule is not working. :(

I cannot go anywhere from network 79.x.x.120/29.

Any ideas?



10 Replies

So you want the inside-network to reach the internet?

If so, I would change the NAT and object groups as follows:

object network obj_any
 subnet 0.0.0.0 0.0.0.0

nat (inside,outside) source static inside-network inside-network destination static obj_any obj_any

Please also issue a packet-tracer:

packet-tracer input inside tcp 79.x.x.122 12345 4.2.2.2 80

--
Please remember to select a correct answer and rate helpful posts

Thank you for your answer :)

This is the packet-tracer output before and after the change, but either way I can't reach the internet.

Before:

ciscoasa# packet-tracer input inside tcp 79.x.x.123 12345 4.2.2.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network destination static ALL ALL
Additional Information:
NAT divert to egress interface outside
Untranslate 4.2.2.2/80 to 4.2.2.2/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ICMPACL in interface inside
access-list ICMPACL extended permit ip any any 
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network destination static ALL ALL
Additional Information:
Static translate 79.x.x.123/12345 to 79.x.x.123/12345
              
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network destination static ALL ALL
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:       
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 310409, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

After:

ciscoasa# packet-tracer input inside tcp 79.x.x.123 12345 4.2.2.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network destination static obj_any obj_any
Additional Information:
NAT divert to egress interface outside
Untranslate 4.2.2.2/80 to 4.2.2.2/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ICMPACL in interface inside
access-list ICMPACL extended permit ip any any 
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network destination static obj_any obj_any
Additional Information:
Static translate 79.x.x.123/12345 to 79.x.x.123/12345
              
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network destination static obj_any obj_any
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:       
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 312548, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Julio Carvajal
VIP Alumni

Hello,

Is the ISP routing to that network?

What's the router's IP address (the internal router) on that subnet?

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, of course. The 10.0.0.0/24 clients reach the internet after being NATed by the ASA.

79.x.x.112/29 and 79.x.x.120/29 are parts of the same block.

Part of the same block where? I mean, they are /29s.

They are 2 different subnet ranges (you subnetted what the ISP gave you).

So here is what I want you to do:

cap capout interface outside match icmp host x.x.x.x host 4.2.2.2
cap capin interface inside match icmp host x.x.x.x host 4.2.2.2

(x.x.x.x is the internal router's IP address.)

Then ping 4.2.2.2 from the router (the internal one, as said before) and provide the output of:

show cap capin
show cap capout


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I subnetted a /28 into two /29s.

OK, here is the output:

ciscoasa# show cap capout

10 packets captured

   1: 13:00:40.483510       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
   2: 13:00:42.483754       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
   3: 13:00:44.483587       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
   4: 13:00:46.483892       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
   5: 13:00:48.483754       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
   6: 13:00:52.434669       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
   7: 13:00:54.432198       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
   8: 13:00:56.432045       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
   9: 13:00:58.432106       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 
  10: 13:01:00.432167       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request 

10 packets shown

ciscoasa# show cap capin 
ERROR: Capture <capin> does not exist

 

Did you create both?

Does not look like it.

Anyway, as you can see, traffic is going through the firewall but the ISP is not routing the traffic back to you.

Make sure the border router (877W) has a route to the internal public subnet.

 

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
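The diagnosis above rests on one observation: the capout capture shows echo requests leaving the outside interface and no echo replies coming back, while packet-tracer had already said "allow" in both runs. As an added example (not code from the thread or from Cisco), here is a small Python check that reads ASA "show cap" text and flags ICMP flows that are one-way in exactly that sense; the sample capture text is constructed from the lines posted above, and the parser is my own assumption about the line layout, not an official format.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's "show cap capout" output:
# echo requests leave the outside interface, no echo replies return.
SAMPLE_CAPOUT = """\
10 packets captured

   1: 13:00:40.483510       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request
   2: 13:00:42.483754       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request
   3: 13:00:44.483587       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request
10 packets shown
"""

# Constructed healthy capture for contrast: the request has a matching reply.
SAMPLE_HEALTHY = """\
   1: 13:00:40.483510       802.1Q vlan#2 P0 79.x.x.121 > 4.2.2.2: icmp: echo request
   2: 13:00:40.501200       802.1Q vlan#2 P0 4.2.2.2 > 79.x.x.121: icmp: echo reply
"""

# Packet line: index, timestamp, optional 802.1Q tag, "src > dst: icmp: echo request|reply".
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\S+) > (?P<dst>\S+): icmp: echo (?P<kind>request|reply)"
)


def icmp_flows(capture_text):
    """Count echo requests and replies per (initiator, target) pair in 'show cap' text."""
    flows = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "10 packets captured" / "10 packets shown" / blank lines
        src, dst, kind = m.group("src"), m.group("dst"), m.group("kind")
        # Key a reply by its reversed addresses so it lands on the request's flow.
        key = (src, dst) if kind == "request" else (dst, src)
        flows[key][kind] += 1
    return dict(flows)


def one_way_flows(capture_text):
    """Flows with requests but no replies. Seen on the outside capture, this means the
    firewall forwarded the packets and the fault is upstream (here: a missing return
    route on the border router), not a NAT or ACL drop on the ASA."""
    return [k for k, c in icmp_flows(capture_text).items() if c["request"] and not c["reply"]]
```

Run the same check over the capin output as well: requests on inside with no requests on outside point back at the ASA, which is the case packet-tracer would normally have caught.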

The border router also needs a route back to the 179.x.x.120/29 network.
--
Please remember to select a correct answer and rate helpful posts

"The border router also needs a route back to the 179.x.x.120/29 network"

That was the problem. I am so embarrassed!!

Thank you


Yeah,

That's why I told you to take the capture and then confirm it, after telling you:

"Anyway, as you can see, traffic is going through the firewall but the ISP is not routing the traffic back to you. Make sure the border router (877W) has a route to the internal public subnet."

Anyway, glad to know it's working.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC