Re: problem with static nat

network770 · ‎11-05-2011

HI,

I am running an ASA 8.2 code. I have a public ip address defined on one of my interfaces and all internal traffic is pat'd to that, it works well. we asked for another public scope from the isp and we defined that on another interface of the firewall. on this new interface we have a device with an ip address within the new (public scope) but the problem it cannot be accessed from the internet, we know it's now an isp issue.

we can ping this device from the new interface but not from the old public ip interface. i am pretty sure we are missing a static nat that allows traffic to communicate from the new to the old public segment defined on two different interfaces.

pls help

Julio Carvajal · ‎11-05-2011

Hello Ronni Ronni,

They are both outside interface so I guess they have the same security level.

Do you have configured the same-security-level permit inter-interface

If you like you can post the running configuration and we can take a deeper look on this.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

network770 · ‎11-06-2011

yes I have same-security-level permit inter-interface.

Here is the config, I removed all the unncessary info such as vpn tunnels... if you see eth0/0 is our primary path to the internet and it has a public ip and eth0/3 is the 2nd one. I have a bunch of allowed acl's to allow traffic to eth0/0 from the outside but removed those acl's from here, but i do have a permit ip any any to all outside traffic going the sip interface whitch is eth0/3

we have no issues with eth0/0 but when i connect a device to eth0/3 with an ip of the same segment it is not accessible from the internet. note that there is no need to nat anything because the device has also a pulbic ip

!
interface Ethernet0/0
description primary internet
speed 100
duplex full
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
description internal network
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
description secondary internet
speed 100
duplex full
nameif sip
security-level 0
ip address 2.2.2.2 255.255.255.248
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

!
tcp-map allow-probes
tcp-options range 76 78 allow

mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu sip 1500

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any sip
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group sip_traffic in interface sip
route outside 0.0.0.0 0.0.0.0 1.1.1.2

access-list sip_traffic extended permit ip any any

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

!
class-map tcp-traffic
match access-list tcp-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect http
inspect sip
class tcp-traffic
set connection advanced-options allow-probes
!
service-policy global_policy global

i also added the following acl on the incoming to the outside access-group acl

permit ip any 2.2.2.0 255.255.255.248 and i can see the hitct going up when i ping from the outside, but pings fail

i think i am missing a static nat, pretty sure. also note that eth0/0 has a cable to the isp and eth0/3 is connected to some internal device with this pub ip segment, so everything has to go through eth0/0 for internet access, incoming and outgoing

Another point in my troubleshooting. I run a packet capture and I see traffic hitting the eth0/0 int and eth0/3 but it's one way.

zulqurnain · ‎11-06-2011

hi ,

Turn on syslog and see the error then adjust as necessary

Sent from Cisco Technical Support iPad App

network770 · ‎11-06-2011

I see nothing in the logs, but the capture files show that the traffic is one way.

i am missing a nat i think but not sure

zulqurnain · ‎11-06-2011

Hi,

I have two simple question before I can answer ur question

1. Can you post your ACL ?

2. Where is your static which defines that the new devices on this new subnet is published to outside through the SIP interface.

Also your default route is pointing to "outside" so all traffic will go out that interface regardless where it is coming from , maybe your capture is saying one way for this reason.

Sent from Cisco Technical Support iPad App

network770 · ‎11-06-2011

1.

access-group acl_in in interface outside

access-group sip in interface sip

access-list sip extended permit ip any any

!

access-list acl_in extended permit ip any 66.209.62.136 255.255.255.248

int outside is my eth0/0 which is connected to the isp

int sip is my eth0/3 which is the new segment - to that interface i have a device with a pub ip defined in that vlan

when i ping both the firewall interface (sip) and the device of that interface i see the sip acl hitcnt going up

by the way the device off the sip interface can access teh interent, but problem it is not accessed from the outside

2.

i don't have any stat nats, i tried this but it didn't work

static (sip,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.248

in other words, all traffic hitting the outside int but destined to the sip interface, dont' nat it. It did not work.

my default route is going to the outside as instructed by the isp

zulqurnain · ‎11-06-2011

From your ACL what I understood is that you don't have any ACL applied to your outside interface , correct ?

Also from your explanation I can understand that your ISP has provided you with two set of subnets ip address and both having same gateway that is why you only have default route pointing to interface "outside" , this is strange for me I.e. two subnets having same gateway.

Good thing is that you can access the Internet from this devices . In our case we will try this first

You need the following on your FW to allow access to your device from outside,

Static (inside, outside)

Access-group out-in in interface outside

Sent from Cisco Technical Support iPad App

network770 · ‎11-06-2011

i have the permit acl from the outside, but i am missing the static nat.

can you please send me the exact static nat i need to apply to allow traffic from the outside

to this new public segment on my eth0/3 interface.

zulqurnain · ‎11-06-2011

Hi,

I did write it in my post above , dunno any it got truncated , here goes again

Static (inside, outside) (public ip-address) (inside device ip-address ) netmask 255.255.255.255

Sent from Cisco Technical Support iPad App

zulqurnain · ‎11-06-2011

iPad app has a bug

Sent from Cisco Technical Support iPad App