11-08-2013 04:45 AM - edited 03-11-2019 08:02 PM
Hello,
I think I have misconfigured NAT, I can not make internet ping from the LAN, or connections such as a Telnet
Can anyone help??
thanks
: Saved
:
ASA Version 8.4(3)
!
hostname ASA
enable password
passwd
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.26.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.0.2.2 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj-172.26.0.0
subnet 172.26.0.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.224
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.26.0.0_24
subnet 172.26.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_27
subnet 192.168.1.0 255.255.255.224
object network AS400
host 172.26.0.250
object network Puerto8001tcp
host 172.26.0.249
description Administración cámaras puerto 8001 tcp
object network Puerto8001udp
host 172.26.0.249
description Administración cámaras puerto 8001 udp
object network puerto8000tcp
host 172.26.0.249
description Aministración camaras puerto 8000 tcp
object network puerto8000udp
host 172.26.0.249
description Administración camaras puerto 8000 udp
object-group service DM_INLINE_TCPUDP_1 tcp-udp
port-object eq 8000
port-object eq 8001
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list TRABAJADORESVPN_splitTunnelAcl standard permit 172.26.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 192.168.1.0 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list TRABAJADOREXTERNO_splitTunnelAcl standard permit host 172.26.0.250
access-list outside_access_in extended permit object-group TCPUDP any any object-group DM_INLINE_TCPUDP_1
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.1.10-192.168.1.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-172.26.0.0 obj-172.26.0.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_172.26.0.0_24 NETWORK_OBJ_172.26.0.0_24 destination static NETWORK_OBJ_192.168.1.0_27 NETWORK_OBJ_192.168.1.0_27 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network Puerto8001tcp
nat (inside,outside) static interface service tcp 8001 8001
object network Puerto8001udp
nat (inside,outside) static interface service udp 8001 8001
object network puerto8000tcp
nat (inside,outside) static interface service tcp 8000 8000
object network puerto8000udp
nat (inside,outside) static interface service udp 8000 8000
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.26.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.26.0.33-172.26.0.100 inside
dhcpd dns 80.58.61.250 80.58.61.254 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy TRABAJADOREXTERNO internal
group-policy TRABAJADOREXTERNO attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TRABAJADOREXTERNO_splitTunnelAcl
group-policy TRABAJADORESVPN internal
group-policy TRABAJADORESVPN attributes
dns-server value 8.8.8.8 80.58.61.250
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TRABAJADORESVPN_splitTunnelAcl
user-authentication-idle-timeout none
username
username
username
tunnel-group TRABAJADOR type remote-access
tunnel-group TRABAJADOR general-attributes
address-pool vpn_pool
default-group-policy TRABAJADOR
tunnel-group TRABAJADORESVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group TRABAJADOREXTERNO type remote-access
tunnel-group TRABAJADOREXTERNO general-attributes
address-pool vpn_pool
default-group-policy TRABAJADOREXTERNO
tunnel-group TRABAJADOREXTERNO ipsec-attributes
ikev1 pre-shared-key *****
!
!
11-08-2013 04:56 AM
Hi,
Do you mean you can't connect to anything on the WAN from the LAN?
I don't see any NAT configuration that should stop that.
To me it seems though that from the external network the connections for your configured Static PAT (Port Forward) will fail because of the below configuration
no nat (inside,outside) source dynamic any interface
You could remove it since you already have this that does the same thing without causing problems
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
You can test the connectivity from "inside" to "outside" with "packet-tracer" command
packet-tracer input inside tcp 172.26.0.100 12345 8.8.8.8 80
The output should tell us if there is any problems. But at the moment I can't see anything else wrong than what I mentioned.
You can also modify the above command to simulate the connections that dont work at the moment. Version of ICMP would be
packet-tracer input inside icmp 172.26.0.100 8 0 8.8.8.8
You could naturally make sure you have ICMP Inspection enabled
You could issue commands like
fixup protocol icmp
fixup protocol icmp error
As I cant see your "policy-map" configurations I can't tell if they are already configured.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide