NAT Rule Blocking Traffic?

iglablues
Level 1

I am pretty confused about a firewall setup I inherited that is causing me some problems. It's an ASA 5505 configured with the standard Inside and Outside networks, plus a DMZ and a Test LAN. I am trying to get a backup solution configured that of course requires agents installed on the hosts to talk to the central console. The central console is installed on the DMZ in the 192.168.10.0/24 network. The server with the agent is installed on the 192.168.100.0/24 Test network. I added an ACL via the ASDM as follows:

access-list TEST_access_in line 3 extended permit object-group DM_INLINE_PROTOCOL_2 host 192.168.10.4 any
  access-list TEST_access_in line 3 extended permit ip host 192.168.10.4 any
  access-list TEST_access_in line 3 extended permit icmp host 192.168.10.4 any
  access-list TEST_access_in line 3 extended permit tcp host 192.168.10.4 any

When I tested this through the packet trace tool, it failed. It says it failed due to the following:

nat (TEST) 1 0.0.0.0 0.0.0.0
nat-control
match ip TEST any inside any
dynamic translation to pool 1 (192.168.20.1 [Interface PAT])
translate_hits=2, untranslate_hits=0

I have absolutely no idea what this means. I thought NAT just determined what kind of address translation you have for your unrouteable IPs. I don't know why it would be blocking access between two networks. Can anyone give me some ideas or information about what this is referring to and what I might be doing wrong?

Thanks in advance.

3 Replies

Panos Kampanakis
Cisco Employee

Please post the interface and nat configuration. This is a natting issue. Also, it would be nice if you could post the packet tracer output and the ip addresses you are testing from.

PK

Thanks! Here is the config of the interfaces:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 155.212.203.186 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
nameif TEST
security-level 100
ip address 192.168.100.1 255.255.255.0

Here are the NAT statements:

access-list dmz_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
*********************************

nat-control
global (inside) 1 interface
global (outside) 1 interface
global (dmz) 2 interface
global (TEST) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (TEST) 1 0.0.0.0 0.0.0.0
static (TEST,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 dns
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,TEST) 192.168.100.0 192.168.20.0 netmask 255.255.255.0
static (TEST,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
***************************

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group TEST_access_in in interface TEST

I am trying to connect from IP 192.168.10.4 in the DMZ network to 192.168.20.220 on the inside LAN. With no changes to the configuration from me, I do a packet trace from the DMZ. The output is this:

I perform the same test on the inside interface, no change made to the existing config, and I get this:

So, I figure I need to add an ACL to prevent the implicit deny rule. I create a rule permitting source 192.168.10.4 to 192.168.20.220, protocols IP and TCP, and apply it to the inside of the inside interface. I do the same test as before and I get this:

Having thought about this since my post, I do need to mention that the source IP (192.168.10.4) has a static NAT to a public IP in the config. So, presumably when traffic from that host leaves the ASA it gets translated to the public IP. I did try changing my ACLs to the public IP instead, but that also didn't work so I doubt that I'm barking up the right tree.

You are not running packet tracer for the return traffic properly.

If you run it for traffic hitting the inside, the source will be 192.168.20.0/24 destined to 192.168.10.4.

The config looks good for this flow.

PK
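Added example, not from the thread or from Cisco: a simplified Python model of the pre-8.3 ASA source-NAT lookup order (nat 0 exemption, then static, then a nat/global pair), loaded with the nat, global and static lines posted above, used to check the DMZ-to-inside flow, the return flow as described in the last reply, and a flow that matches nothing, which is where nat-control turns a missing translation into a drop. It models NAT only (the access-group ACLs are a separate check), ignores the unposted static for 192.168.10.4, and uses constructed addresses 192.168.10.50 and 198.51.100.10.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


# Rules transcribed from the posted configuration; tuple layouts are this example's own.
EXEMPT = [  # nat (if) 0 access-list: (ingress_if, src_net, dst_net)
    ("inside", "192.168.20.0/24", "192.168.30.0/28"),
    ("inside", "192.168.20.0/24", "192.168.100.0/24"),
    ("dmz", "192.168.10.0/24", "192.168.30.0/28"),
]
STATIC = [  # static (real_if,mapped_if) mapped_net real_net
    ("TEST", "inside", "192.168.100.0/24", "192.168.100.0/24"),
    ("inside", "dmz", "192.168.20.0/24", "192.168.20.0/24"),
    ("inside", "TEST", "192.168.100.0/24", "192.168.20.0/24"),
    ("TEST", "dmz", "192.168.100.0/24", "192.168.100.0/24"),
]
DYNAMIC = {"inside": 1, "TEST": 1}  # nat (if) <id> 0.0.0.0 0.0.0.0
GLOBALS = {("inside", 1), ("outside", 1), ("dmz", 2), ("TEST", 1)}  # global (if) <id> interface


def lookup(src_if, src_ip, dst_if, dst_ip, nat_control=True):
    """Return (phase, mapped_address) for a new connection, in ASA lookup order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption is matched first: the source passes untranslated.
    for ingress, s, d in EXEMPT:
        if ingress == src_if and src in net(s) and dst in net(d):
            return ("nat-exempt", src_ip)
    for real_if, mapped_if, mapped, real in STATIC:
        r, m = net(real), net(mapped)
        # 2. Static initiated from the real side: the source is translated.
        if real_if == src_if and mapped_if == dst_if and src in r:
            return ("static", str(m.network_address + (int(src) - int(r.network_address))))
        # 3. Static initiated from the mapped side: the destination is un-translated,
        #    which is what lets a lower-security host reach the inside host.
        if mapped_if == src_if and real_if == dst_if and dst in m:
            return ("un-nat", str(r.network_address + (int(dst) - int(m.network_address))))
    # 4. Dynamic nat/global pair with the same id: PAT to the egress interface address.
    pool = DYNAMIC.get(src_if)
    if pool is not None and (dst_if, pool) in GLOBALS:
        return ("dynamic-pat", f"{dst_if} interface")
    # 5. Nothing matched: with nat-control enabled the connection is dropped.
    return ("drop", None) if nat_control else ("untranslated", src_ip)
```

The forward and return lookups for 192.168.10.4 and 192.168.20.220 both land on the static (inside,dmz) identity rule, while a DMZ host with no static of its own heading to the outside hits no rule and is dropped only because nat-control is on.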
