02-02-2010 07:10 AM - edited 03-11-2019 10:04 AM
Hi everyone,
I have 4 interfaces: 1 outside interface and 3 inside interfaces (DMZ20, LAN2, LAN3). I need to permit traffic between all inside interfaces, at least for the beginning; this works fine now, and NAT for internet access from all inside interfaces to outside also works fine.
But I have a BIG problem with access from the internet to local LAN services (ftp, ssh, www, dns, ntp, smtp, https, ldaps...) using another of my global IP addresses from my internet provider than 193.22.83.82 on the outside interface.
"
access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www (with 193.22.83.82 works fine)
static (DMZ20,outside) tcp 193.22.83.76 www 192.168.20.72 www netmask 255.255.255.255 (with 193.22.83.82 works fine)
access-group outside_access_in in interface outside
"
Also I would not use "same-security-traffic permit inter-interface" to permit traffic between inside interfaces, but I have a problem with the ACL. Also I don't have time for settings :( Better would be to change the DMZ20 interface to a DMZ zone with, for example, security-level 30.
Thanks a lot for your help,
Jan
!
ASA Version 7.0(6)
!
hostname asa13
domain-name netlinx.com
enable password dKd2d5d67dG encrypted
names
name 192.168.20.0 LAN_dmz
name 192.66.0.0 LAN_old
name 10.0.0.0 LAN_ba1
name 10.1.0.0 LAN_ba2
name 10.2.0.0 LAN_bb
name 10.16.0.0 LAN_new
name 10.17.0.0 LAN_havirov
name 10.20.0.0 LAN_brno
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.22.83.82 255.255.255.224
!
interface GigabitEthernet0/1
nameif DMZ20
security-level 100
ip address 192.168.20.10 255.255.255.0
!
interface GigabitEthernet0/2
nameif LAN2
security-level 100
ip address 192.66.16.3 255.255.0.0
!
interface GigabitEthernet0/3
nameif LAN3
security-level 100
ip address 10.16.4.222 255.255.0.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd dKd2d5d67dG encrypted
no ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
same-security-traffic permit inter-interface
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_old 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_ba1 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_ba2 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_bb 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_new 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_havirov 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_brno 255.255.0.0
access-list natdmz20 extended deny ip any any log
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_old 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_dmz 255.255.255.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_ba1 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_ba2 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_bb 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_havirov 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_brno 255.255.0.0
access-list natlan3 extended deny ip any any log
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_dmz 255.255.255.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_ba1 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_ba2 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_bb 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_new 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_havirov 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_brno 255.255.0.0
access-list natlan2 extended deny ip any any log
pager lines 24
logging enable
logging trap notifications
logging asdm notifications
logging host DMZ20 192.168.20.19
mtu outside 1500
mtu DMZ20 1500
mtu LAN3 1500
mtu LAN2 1500
no failover
monitor-interface outside
monitor-interface DMZ20
monitor-interface LAN3
monitor-interface LAN2
icmp deny any outside
icmp permit any DMZ20
icmp permit any LAN3
icmp permit any LAN2
asdm image disk0:/asdm506.bin
asdm location LAN_ba1 255.255.0.0 DMZ20
asdm location LAN_ba2 255.255.0.0 DMZ20
asdm location LAN_bb 255.255.0.0 DMZ20
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (DMZ20) 0 access-list natdmz20
nat (DMZ20) 1 LAN_dmz 255.255.255.0
nat (LAN3) 0 access-list natlan3
nat (LAN3) 1 LAN_new 255.255.0.0
nat (LAN2) 0 access-list natlan2
nat (LAN2) 1 LAN_old 255.255.0.0
route outside 0.0.0.0 0.0.0.0 193.22.83.65 1
route DMZ20 LAN_bb 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_ba2 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_ba1 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_havirov 255.255.0.0 192.168.20.251 1
route DMZ20 LAN_brno 255.255.0.0 192.168.20.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http LAN_dmz 255.255.255.0 DMZ20
http LAN_new 255.255.0.0 LAN3
http LAN_old 255.255.0.0 LAN2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet LAN_dmz 255.255.255.0 DMZ20
telnet 16.16.0.0 255.255.0.0 LAN3
telnet LAN_old 255.255.0.0 LAN2
telnet timeout 5
ssh scopy enable
ssh LAN_dmz 255.255.255.0 DMZ20
ssh LAN_new 255.255.0.0 LAN3
ssh LAN_old 255.255.0.0 LAN2
ssh timeout 60
console timeout 0
ntp server 192.168.20.11 source LAN2
tftp-server LAN2 192.66.21.10 /tmp
smtp-server 192.66.19.4
Cryptochecksum:e04d0c33b9fc078f6913f72ef75965a4
02-02-2010 07:17 AM
Hi Jan
Can you post the "show static" output from the firewall ?
Are you saying everything works fine with the 83.82 IP (outside IP), and not with the other IPs given by the ISP? For outside access to your server farm, you need to have dedicated IPs NATted to the outside, and rules allowing access from outside to inside.
Regards
Raj
02-02-2010 01:30 PM
Hi Raj,
"show static" doesn't work, but "show nat" does. Now I have many more rules than before in the discussion, for example "name 193.22.83.80 GTS80, name 193.22.83.94 GTS94, ...". These rules with more ISP IPs I have on another, identical ASA 5520 with contexts, where they work fine. On this ASA it worked only once and I don't know why, because the next day I had the same problem again. But when I used only one ISP address from the outside interface (PAT), the rules work fine.
Do you think that these rules aren't enough? But on the other ASA they work fine.
access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www
static (DMZ20,outside) tcp 193.22.83.76 www 192.168.20.72 www netmask 255.255.255.255
access-group outside_access_in in interface outside
Please show me an example of "rules allowing access from outside to inside"; I'm still a Cisco beginner.
Thanks very much!
Jan
Show nat:
NAT policies on Interface DMZ20:
match tcp DMZ20 host zavazadlo eq 5222 outside any
static translation to GTS80/5222
translate_hits = 4, untranslate_hits = 4825
match tcp DMZ20 host zavazadlo eq 5223 outside any
static translation to GTS80/5223
translate_hits = 0, untranslate_hits = 2
match tcp DMZ20 host zavazadlo eq 5269 outside any
static translation to GTS80/5269
translate_hits = 0, untranslate_hits = 0
match tcp DMZ20 host srv110 eq 389 outside any
static translation to GTS80/389
translate_hits = 0, untranslate_hits = 7
match tcp DMZ20 host srv110 eq 636 outside any
static translation to GTS80/636
translate_hits = 0, untranslate_hits = 0
match tcp DMZ20 host srv110 eq 3268 outside any
static translation to GTS80/3268
translate_hits = 0, untranslate_hits = 0
match tcp DMZ20 host srv110 eq 3269 outside any
static translation to GTS80/3269
translate_hits = 0, untranslate_hits = 0
match udp DMZ20 host mrakoplas-DNS eq 53 outside any
static translation to GTS94/53
translate_hits = 0, untranslate_hits = 259
match tcp DMZ20 host mrakoplas-DNS eq 53 outside any
static translation to GTS94/53
translate_hits = 0, untranslate_hits = 0
match tcp DMZ20 host sadmin eq 22 outside any
static translation to GTS80/3178
translate_hits = 0, untranslate_hits = 3
match tcp DMZ20 host pinda eq 8888 outside any
static translation to GTS80/80
translate_hits = 0, untranslate_hits = 39
match tcp DMZ20 host pinda eq 8443 outside any
static translation to GTS80/443
translate_hits = 0, untranslate_hits = 122
match tcp DMZ20 host LB-SK eq 80 outside any
static translation to GTS75/80
translate_hits = 0, untranslate_hits = 0
match tcp DMZ20 host LB-CZ eq 80 outside any
static translation to GTS81/80
translate_hits = 1023, untranslate_hits = 9492
match tcp DMZ20 host 192.168.20.151 eq 80 outside any
static translation to GTS87/80
translate_hits = 0, untranslate_hits = 63
match tcp DMZ20 host 192.168.20.151 eq 443 outside any
static translation to GTS87/443
translate_hits = 0, untranslate_hits = 0
match ip DMZ20 host 192.168.20.22 outside any
static translation to GTS92
translate_hits = 0, untranslate_hits = 31
match ip DMZ20 host 192.168.20.23 outside any
static translation to GTS91
translate_hits = 557, untranslate_hits = 221
match ip DMZ20 host 192.168.20.24 outside any
static translation to GTS90
translate_hits = 0, untranslate_hits = 0
match ip DMZ20 host 192.168.20.25 outside any
static translation to GTS78
translate_hits = 0, untranslate_hits = 42
match ip DMZ20 host 192.168.20.26 outside any
static translation to GTS68
translate_hits = 0, untranslate_hits = 37
match ip DMZ20 host 192.168.20.27 outside any
static translation to GTS73
translate_hits = 0, untranslate_hits = 5
match ip DMZ20 host 192.168.20.28 outside any
static translation to GTS67
translate_hits = 0, untranslate_hits = 0
match ip DMZ20 LAN_dmz 255.255.255.0 outside any
dynamic translation to pool 1 (GTS82 [Interface PAT])
translate_hits = 23, untranslate_hits = 19
match ip DMZ20 LAN_dmz 255.255.255.0 DMZ20 any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip DMZ20 LAN_dmz 255.255.255.0 LAN2 any
dynamic translation to pool 1 (No matching global)
translate_hits = 20561, untranslate_hits = 0
match ip DMZ20 LAN_dmz 255.255.255.0 LAN3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip DMZ20 any outside any
no translation group, implicit deny
policy_hits = 275938
NAT policies on Interface LAN2:
match ip LAN2 LAN_old 255.255.0.0 outside any
dynamic translation to pool 1 (GTS82 [Interface PAT])
translate_hits = 45570, untranslate_hits = 1240
match ip LAN2 LAN_old 255.255.0.0 DMZ20 any
dynamic translation to pool 1 (No matching global)
translate_hits = 5851, untranslate_hits = 0
match ip LAN2 LAN_old 255.255.0.0 LAN2 any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip LAN2 LAN_old 255.255.0.0 LAN3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 2737, untranslate_hits = 0
match ip LAN2 any outside any
no translation group, implicit deny
policy_hits = 49896
NAT policies on Interface LAN3:
match tcp LAN3 host 10.16.4.223 eq 3389 outside any
static translation to GTS85/3389
translate_hits = 0, untranslate_hits = 0
match ip LAN3 LAN_new 255.255.0.0 outside any
dynamic translation to pool 1 (GTS82 [Interface PAT])
translate_hits = 9156, untranslate_hits = 413
match ip LAN3 LAN_new 255.255.0.0 DMZ20 any
dynamic translation to pool 1 (No matching global)
translate_hits = 612, untranslate_hits = 0
match ip LAN3 LAN_new 255.255.0.0 LAN2 any
dynamic translation to pool 1 (No matching global)
translate_hits = 705, untranslate_hits = 0
match ip LAN3 LAN_new 255.255.0.0 LAN3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip LAN3 any outside any
no translation group, implicit deny
policy_hits = 0
02-02-2010 01:40 PM
Hi Jan
show nat will show you all NAT translation connections, even dynamic NATs. show static will show you the specific one-to-one static NATs configured. If you want to access a server from outside, YES, you need to define 1) static NATs and 2) an access-list to allow traffic from outside to the DMZ.
e.g., if your DMZ server is a web server and has the IP address 192.168.20.72 (from your example), you would need to build a static NAT first:
static (DMZ20,outside) 193.22.83.76 192.168.20.72 netmask 255.255.255.255
This will make sure your packets are translated. You don't need to give a source and destination port of www. First try this and then you can restrict based on port numbers.
You then need to build access-lists:
access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www
access-group outside_access_in in interface outside
(these are right).
If you have more services, you need to have more statics/ACLs built:
static (DMZ20,outside) 193.22.83.77 192.168.20.73 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 193.22.83.77 eq ftp (example)
If you have specific queries on this, let us know.
Hope this helps. All the best.
Raj
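The pairing Raj describes (one static for each published IP, plus a matching permit in outside_access_in) is easy to get out of step as the list of GTS addresses grows, so a quick consistency check over the running-config is useful. The script below is an added example, not code from this thread or from Cisco: it parses the ASA 7.x `static` and `access-list ... permit <proto> any host X [eq port]` shapes quoted above (only those shapes), and reports statics with no inbound permit, permits with no static behind them, and global addresses that fall outside the outside-interface subnet. The sample config is constructed from the thread's own example lines; 193.22.83.99 is a made-up address used to show a dangling ACL entry.

```python
import ipaddress
import re

# Constructed sample modelled on the ASA 7.0 lines quoted in this thread (not the poster's full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 193.22.83.82 255.255.255.224
static (DMZ20,outside) tcp 193.22.83.76 www 192.168.20.72 www netmask 255.255.255.255
static (DMZ20,outside) 193.22.83.77 192.168.20.73 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www
access-list outside_access_in extended permit tcp any host 193.22.83.99 eq ftp
access-group outside_access_in in interface outside
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp|ip) any host (\S+)(?: eq (\S+))?$")


def parse_config(text):
    """Return (outside network, statics, ACL entries) from ASA 7.x running-config text."""
    outside_net, statics, acls, in_outside = None, [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            in_outside = line.split()[1] == "outside"
        elif line.startswith("ip address ") and in_outside:
            _, _, ip, mask = line.split()[:4]
            outside_net = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif line.startswith("static (") and ",outside)" in line:
            t = line.split()[2:]           # tokens after 'static (DMZ20,outside)'
            if t[0] in ("tcp", "udp"):     # port static: proto global gport local lport
                statics.append((t[0], t[1], t[2], t[3]))
            else:                          # one-to-one static: global local
                statics.append(("ip", t[0], None, t[1]))
        elif (m := ACL_RE.match(line)):
            acls.append(m.groups())        # (acl name, proto, global host, port or None)
    return outside_net, statics, acls


def audit(text, acl_name="outside_access_in"):
    """Cross-check every static NAT against the inbound ACL and return a list of findings."""
    net, statics, acls = parse_config(text)
    permits = [(h, p) for name, _, h, p in acls if name == acl_name]
    findings = []
    for _, glob, gport, local in statics:
        if net is not None and ipaddress.ip_address(glob) not in net:
            findings.append(f"{glob}: outside the outside-interface subnet {net}; the ISP router must route it to the ASA")
        if not any(h == glob and (p is None or gport is None or p == gport) for h, p in permits):
            findings.append(f"{glob} -> {local}: static has no matching permit in {acl_name}")
    for glob in sorted({h for h, _ in permits} - {s[1] for s in statics}):
        findings.append(f"{glob}: {acl_name} permits it but no static translates it")
    return findings
```

Run it against the output of `show running-config` saved to a file; the findings for the sample are the unpermitted 193.22.83.77 static and the orphaned 193.22.83.99 permit.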