08-22-2013 12:13 AM - edited 03-11-2019 07:29 PM
Good day.
Today I noticed a strange issue while configuring NAT on ASA 8.4.
I have a local router (IP 10.0.102.2) which is connected to the ASA (inside_local - 10.0.102.1). The ASA is connected to the ISP (outside - 172.16.1.2).
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/7
switchport access vlan 10
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.248
!
interface Vlan10
nameif inside_local
security-level 100
ip address 10.0.102.1 255.255.255.252
ospf cost 100
ospf priority 100
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
object network obj_any
nat (inside_local,outside) dynamic interface
access-group ALLOW_LAN in interface outside
But translation didn't work.
Here are some show commands:
Auto NAT Policies (Section 2)
1 (inside_local) to (outside) source dynamic obj_any interface
translate_hits = 3, untranslate_hits = 15
Source - Origin: 0.0.0.0/0, Translated:172.16.1.2/29
show xlate
1 in use, 207 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
e - extended
ICMP PAT from inside_local:10.0.102.2/17 to outside:172.16.1.2/17 flags ri idle 0:00:00 timeout 0:00:30
On my local router I don't receive any of the ICMP packets.
Why does this happen? Can you tell me please?
08-22-2013 12:27 AM
Here is some debug nat output:
nat: translation - inside_local:10.0.102.2/19 to outside:172.16.1.2/19
nat: untranslation - outside:172.16.1.2/19 to inside_local:10.0.102.2/19
nat: untranslation - outside:172.16.1.2/19 to inside_local:10.0.102.2/19
nat: untranslation - outside:172.16.1.2/19 to inside_local:10.0.102.2/19
nat: untranslation - outside:172.16.1.2/19 to inside_local:10.0.102.2/19
08-22-2013 01:02 AM
Hey Dmitri,
Try this:
first remove the access list
no access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
then replace it with
access-list ALLOW_LAN extended permit ip any 10.0.0.0 255.0.0.0
thanks
vishaw
08-22-2013 01:09 AM
Hi,
The LAN interface ACL seems to be correct, so no need to change it. You have subnets of 10.0.0.0/8 behind the "inside_local" interface, I presume.
Please issue the following command:
packet-tracer input inside_local tcp 10.0.102.2 12345 8.8.8.8 80
And copy/paste the complete output here.
As we can't see your whole configuration, we can't tell if there are perhaps some routing-related problems or other configurations causing the problem.
The above output should tell us more, though.
If you are testing with ICMP, add the following:
fixup protocol icmp
fixup protocol icmp error
Or, another way, if you have a pretty default config:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
- Jouni
08-22-2013 01:44 AM
Here is the packet-tracer output:
packet-tracer input inside_local tcp 10.0.102.2 12345 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ALLOW_LAN in interface inside_local
access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside_lan
nat (inside_local,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.102.2/12345 to 37.203.241.10/12345
Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5131, packet dispatched to next module
Result:
input-interface: inside_local
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
It seems that NAT is OK... but I still can't send ICMP from the local router through the ASA (and I don't even have). Also I've done this:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
But it didn't help...
08-22-2013 02:04 AM
Hi,
Can you share the complete configuration (while removing any sensitive information)?
The above output tells us that the simulated packet would pass the ASA. That would indicate possibly a problem with some other devices, or perhaps some problems with regard to return routing.
Though if you have generated traffic from the directly connected network behind the ASA (the link network), then there should not be a problem.
- Jouni
08-22-2013 02:36 AM
Here is my full config:
ASA Version 8.4(4)1
!
hostname GWD-FW-MAIN-2
domain-name GWD-FW-MAIN-2
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 100
shutdown
!
interface Ethernet0/2
switchport access vlan 100
shutdown
!
interface Ethernet0/3
switchport access vlan 100
shutdown
!
interface Ethernet0/4
switchport access vlan 1000
!
interface Ethernet0/5
switchport access vlan 100
shutdown
!
interface Ethernet0/6
switchport access vlan 100
shutdown
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.248
!
interface Vlan10
nameif inside_local
security-level 100
ip address 10.0.102.1 255.255.255.252
ospf cost 100
ospf priority 100
!
interface Vlan100
shutdown
no nameif
no security-level
no ip address
!
interface Vlan1000
nameif TRUNK_TO_ASA
security-level 100
ip address 10.10.10.1 255.255.255.252
ospf cost 1000
!
ftp mode passive
dns server-group DefaultDNS
domain-name GWD-FW-MAIN-1
object network inside_lan
subnet 10.0.0.0 255.0.0.0
access-list ALLOW_LAN extended permit icmp 192.168.0.0 255.255.0.0 any
access-list ALLOW_LAN extended permit icmp 10.0.0.0 255.0.0.0 any
access-list ALLOW_LAN extended permit icmp 172.16.0.0 255.255.0.0 any
access-list ALLOW_LAN extended permit ip 192.168.0.0 255.255.0.0 any
access-list ALLOW_LAN extended permit ip 172.16.0.0 255.255.255.0 any
access-list ALLOW_LAN extended permit ip 10.0.0.0 255.0.0.0 any
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
logging recipient-address popkov@gwd.ru level errors
mtu outside 1500
mtu inside_local 1500
mtu TRUNK_TO_ASA 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm.bin
no asdm history enable
arp timeout 14400
!
object network inside_lan
nat (inside_local,outside) dynamic interface
access-group ALLOW_LAN in interface outside
!
router ospf 1
router-id 172.30.0.2
network 10.0.102.0 255.255.255.252 area 2.2.2.2
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside_local
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside_local
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.245 prefer
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
anyconnect-essentials
username DarK_ password CofDAesx0m/lvYOZ encrypted privilege 15
!
class-map inspection_default
!
!
policy-map global_policy
class inspection_default
inspect icmp error
inspect icmp
policy-map global-policy
class class-default
user-statistics accounting
!
service-policy global-policy global
smtp-server 192.168.1.224
prompt hostname context
no call-home reporting anonymous
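As an added example, not from the thread and not an ASA tool, here is a small Python audit of the policy-map and service-policy lines in a pasted ASA config. In the configuration posted above, "inspect icmp" lives under "policy-map global_policy", while the only "service-policy ... global" line applies "global-policy" (with a hyphen), a separate policy-map that carries no inspect statements; a check like this reports that ICMP inspection as defined but never applied. SAMPLE_CONFIG is a constructed excerpt modelled on that posted policy section.

```python
# Added example, not from the thread: audit which ASA 'inspect' statements are
# in effect. The posted config puts 'inspect icmp' under 'policy-map global_policy'
# yet applies 'global-policy' (hyphen) globally. SAMPLE_CONFIG is a constructed excerpt.
import re

SAMPLE_CONFIG = """\
class-map inspection_default
!
policy-map global_policy
 class inspection_default
  inspect icmp error
  inspect icmp
policy-map global-policy
 class class-default
  user-statistics accounting
!
service-policy global-policy global
"""


def parse_policy_maps(config):
    """Map each policy-map name to its set of 'inspect' arguments.

    Matched by keyword, not indentation, as forum pastes lose whitespace.
    """
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map (\S+)$", line):  # skips 'policy-map type ...'
            current = m.group(1)
            maps.setdefault(current, set())
        elif current and (m := re.match(r"inspect (.+)$", line)):
            maps[current].add(m.group(1))
        elif line == "!":
            current = None  # a bare '!' closes the policy-map block
    return maps


def parse_service_policies(config):
    """Return {policy_map_name: 'global' or 'interface X'} per service-policy line."""
    pattern = r"^\s*service-policy (\S+) (global|interface \S+)$"
    return dict(re.findall(pattern, config, flags=re.M))


def audit(config):
    """Split inspects into active (applied somewhere) and orphaned (never applied)."""
    maps, applied = parse_policy_maps(config), parse_service_policies(config)
    active = sorted({i for name in applied for i in maps.get(name, set())})
    orphaned = {n: sorted(v) for n, v in maps.items() if v and n not in applied}
    return {"active": active, "orphaned": orphaned}
```

Running audit(SAMPLE_CONFIG) returns no active inspects and lists global_policy's two ICMP inspects as orphaned; pointing the service-policy at global_policy instead makes them active.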
08-22-2013 02:46 AM
Hi,
What does the output of
show route
show for the ASA?
- Jouni
08-22-2013 08:47 AM
Hi,
Why are you pinging from the local router to the ASA's outside interface? ... The packet tracer shows that your router can reach outside hosts successfully. If you want to ping the ASA itself, whether from inside or outside, you have to use the icmp command.
icmp permit 10.0.102.2 255.255.255.252 outside
But this command assumes that you are an outside host that tries to ping the outside interface directly.
My question is, what exactly do you want to achieve here? Is it an internet access problem? .. If you want to test address translations, the most obvious way is to surf the internet. Also, I can see translation hits; this means that NAT is working and it is an access control issue. Try to ping from the local router to a known outside host instead.
Regards,
AM