11-19-2016 10:14 AM - edited 03-12-2019 01:33 AM
Hello, I'm setting up an ASA 5540 from scratch. Right now it is only for testing and understanding purposes, so the configuration is very simple. My problem is that I have a PC in my LAN that can't reach the internet through the ASA. I can't see what I'm missing; like I said, the configuration is very simple, so this shouldn't be an issue. Here's the configuration:
ciscoasa# show running-config
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password X encrypted
passwd X encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 200.X.X.194 255.255.255.252
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.227.225.1 255.255.252.0
!
interface GigabitEthernet0/2
nameif FTTH
security-level 50
ip address 10.229.0.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif CMTS
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.22 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
same-security-traffic permit intra-interface
object network CACTI
host 10.227.224.11
object network ip120
host 200.X.X.120
object network ip101
host 200.X.X.101
object network ip102
host 200.X.X.102
object network ip121
host 200.X.X.121
object network ip122
host 200.X.X.122
object network ip123
host 200.X.X.123
object network ip124
host 200.X.X.124
object network ip125
host 200.X.X.125
object network ip126
host 200.X.X.126
object network ip127
host 200.X.X.127
object network Caja_Hipodromo
host 10.227.225.29
object network Farma_Eco_NI
host 10.227.255.3
object network Gas_Holanda
host 10.227.225.41
object network Gasolinera_CM
host 10.227.225.22
object network Gasolinera_Samantha
host 10.227.225.21
object network Notigram
host 10.227.224.225
object network Odoo
host 10.227.224.226
object network AutopartesStgo_SucNI_81
host 10.227.225.12
object network AutopartesStgo_SucNI_554
host 10.227.225.12
object network AutopartesStgo_SucNI_8000
host 10.227.225.12
access-list INSIDE_nat_outbound extended permit ip 10.227.224.0 255.255.252.0 any
access-list OUTSIDE_access_in remark Cacti
access-list OUTSIDE_access_in extended permit ip any object ip120 log disable
access-list OUTSIDE_access_in remark Caja Hipodromo
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.123 log disable
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10443 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10500 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 14500 inactive
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.102
access-list OUTSIDE_access_in remark puerto Ferrepisos NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 13389
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.127 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10081 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10554 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 18000 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10587 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10110
access-list OUTSIDE_access_in extended permit udp 200.X.X.0 255.255.255.0 any range 10000 20000 log disable
access-list OUTSIDE_access_in remark Odoo Felipe
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.121 log disable
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.101 log disable
access-list OUTSIDE_access_in remark Servidor Notigram
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.122 log disable
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.124 log disable
access-list CMTS_nat_outbound extended permit ip 10.39.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_1 extended permit ip 10.27.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_2 extended permit ip 10.25.0.0 255.255.0.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.229.0.0 255.255.255.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.228.0.0 255.255.240.0 any
access-list INSIDE_access_in extended permit ip 10.227.224.0 255.255.252.0 any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu FTTH 1500
mtu CMTS 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network AutopartesStgo_SucNI_81
nat (INSIDE,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_SucNI_554
nat (INSIDE,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_SucNI_8000
nat (INSIDE,OUTSIDE) static interface service tcp 8000 18000
!
nat (INSIDE,OUTSIDE) after-auto source static CACTI ip120
nat (INSIDE,OUTSIDE) after-auto source static Gas_Holanda ip101
nat (INSIDE,OUTSIDE) after-auto source static Farma_Eco_NI ip102
nat (INSIDE,OUTSIDE) after-auto source static Odoo ip121
nat (INSIDE,OUTSIDE) after-auto source static Notigram ip122
nat (INSIDE,OUTSIDE) after-auto source static Caja_Hipodromo ip123
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_CM ip124
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_Samantha ip127
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.X.X.193 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route FTTH 10.228.0.0 255.255.240.0 10.229.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server location X
snmp-server contact X
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username X password X encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:X
: end
Right now I'm only using the INSIDE and OUTSIDE interfaces; the rest are disconnected. The PC has IP address 10.227.224.228, mask 255.255.252.0, GW 10.227.225.1, and public DNS servers. The PC can ping the INSIDE interface 10.227.225.1. Any ideas what I'm doing wrong? Can anybody help please?
11-20-2016 04:17 AM
Looks like a NAT issue. You have multiple static NAT rules configured, but if your source IP does not match the address specified in your NAT rules it will not be translated to the IP address of your outside interface.
You may configure PAT to NAT all traffic from inside to your outside interface IP address:
nat (inside,outside) dynamic interface
As cofee has already pointed out, you may want to check your translation table using show xlate to verify your traffic is correctly NATed, and use the packet-tracer command to simulate a flow to verify which ACL and which NAT rule would match.
11-22-2016 08:02 AM
I tried what you both told me, without any luck. First I removed nat (INSIDE,OUTSIDE) static interface service tcp 81 10081 and then ran show xlate; here's the result:
ciscoasa(config)# show xlate
10 in use, 11 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from INSIDE:10.227.225.12 554-554 to OUTSIDE:200.X.X.194 10554-10554
flags sr idle 92:13:11 timeout 0:00:00
TCP PAT from INSIDE:10.227.225.12 8000-8000 to OUTSIDE:200.X.X.194 18000-18000
flags sr idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.224.11 to OUTSIDE:200.X.X.120
flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.225.41 to OUTSIDE:200.X.X.101
flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.255.3 to OUTSIDE:200.X.X.102
flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.224.226 to OUTSIDE:200.X.X.121
flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.224.225 to OUTSIDE:200.X.X.122
flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.225.29 to OUTSIDE:200.X.X.123
flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.225.22 to OUTSIDE:200.X.X.124
flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.225.21 to OUTSIDE:200.X.X.127
flags s idle 92:13:11 timeout 0:00:00
After that I tried packet-tracer. Here's the result:
ciscoasa(config)# packet-tracer input inSIDE tcp 10.227.224.228 1024 8.8.8.8 8080
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit ip 10.227.224.0 255.255.252.0 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32580, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
I tried to do nat (inSIDE,ouTSIDE) source dynamic interface but it returns an error. I also tried "logging on" and "logging console 7" but nothing happens.
I have public DNS configured in my PC.
Any other ideas please?
11-22-2016 08:32 AM
NAT syntax:
nat (inside,outside) source dynamic pc interface (pc is an object that you need to create and reference here; like I said, you can name it whatever)
Create object network PC (you can name it whatever):
object network pc
subnet 10.227.224.0 255.255.252.0
Instead of subnet you can also just specify a single node with the host command. Also check the logs to see if you see any deny when you generate traffic to the outside from the PC. Can you do an nslookup from the PC and make sure it can resolve things like yahoo and google.com?
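The two answers above come down to NAT rule matching: the after-auto static rules only cover the listed hosts, so 10.227.224.228 matched nothing and left the ASA untranslated, and the dynamic PAT fixes that by covering the whole subnet. The following is an added example (not from the thread or Cisco) that models the ASA's manual NAT lookup order, section 1 rules first and after-auto section 3 rules last with first match winning, and also shows the ordering caveat: a section 1 dynamic PAT matches before the after-auto statics, so hosts like CACTI would go out as the interface address unless the PAT is placed after them. Object NAT (section 2) is left out of the model, and 203.0.113.x is a constructed stand-in for the masked 200.X.X.x addresses.

```python
import ipaddress
import re
# Constructed excerpt of the thread's ASA 8.3 config (203.0.113.x stands in for the
# masked 200.X.X.x addresses): one after-auto static host rule and nothing covering
# the rest of 10.227.224.0/22, which is why 10.227.224.228 left untranslated.
STATIC_ONLY = """
object network CACTI
 host 10.227.224.11
object network ip120
 host 203.0.113.120
object network pc
 subnet 10.227.224.0 255.255.252.0
nat (INSIDE,OUTSIDE) after-auto source static CACTI ip120
"""
# The answer's dynamic PAT as a section 1 rule, versus as a section 3 (after-auto) rule.
PAT_SECTION1 = STATIC_ONLY + "nat (INSIDE,OUTSIDE) source dynamic pc interface\n"
PAT_AFTER_AUTO = STATIC_ONLY + "nat (INSIDE,OUTSIDE) after-auto source dynamic pc interface\n"
OUTSIDE_IP = "203.0.113.194"  # constructed stand-in for the OUTSIDE interface 200.X.X.194

NAT_RE = re.compile(r"nat \(\w+,\w+\) (after-auto )?source (static|dynamic) (\S+) (\S+)")

def parse_objects(cfg):
    """Map each 'object network' name to the host or subnet it defines."""
    objs, name = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("object network "):
            name = line.split()[2]
        elif name and line.startswith("host "):
            objs[name] = ipaddress.ip_network(line.split()[1])
        elif name and line.startswith("subnet "):
            _, net, mask = line.split()
            objs[name] = ipaddress.ip_network(f"{net}/{mask}")
    return objs

def parse_nat(cfg):
    """Manual NAT rules in ASA lookup order: section 1 (no after-auto) before section 3."""
    rules = []
    for line in cfg.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append((3 if m.group(1) else 1, m.group(2), m.group(3), m.group(4)))
    return sorted(rules, key=lambda r: r[0])  # stable sort keeps config order within a section

def translate(cfg, src_ip, iface_ip=OUTSIDE_IP):
    """Mapped source for an INSIDE->OUTSIDE flow; None means no NAT rule matched."""
    objs, src = parse_objects(cfg), ipaddress.ip_address(src_ip)
    for _sec, _kind, real, mapped in parse_nat(cfg):
        if src in objs[real]:
            return iface_ip if mapped == "interface" else str(objs[mapped].network_address)
    return None
```

Running translate() for 10.227.224.228 against STATIC_ONLY returns None (the thread's symptom), while the same host against either PAT variant returns the interface address; 10.227.224.11 keeps its static mapping only in the PAT_AFTER_AUTO variant.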
11-22-2016 09:15 AM
Excellent my friend!!! Now it is working fine... Because this is for testing I'll run one more test, this time changing the outside interface. Keep in touch.
BR,