Problems with NAT ASA 8.4(2)

hello,

I have an ASA5520 with 4 port-channel interfaces and ASA version 8.4(2). There are many VLAN interfaces, but in the DMZ I have one server that has a static NAT to all other interfaces.

original (security 50) DMZ 10.226.224.25

translated (security 100) inside 10.226.31.10

The CLI for this is:

nat (DMZ,inside) source static 10.226.224.25 10.226.31.10

Access Rules

any any - ICMP

Can someone tell me why the first ping works and the others don't?

Regards

Erkan

Problems with NAT ASA 8.4(2)

Hi,

You have an access rule that only allows ICMP; that's why only ping is working.

Nitesh

Please rate if helpful.


Problems with NAT ASA 8.4(2)

No, you didn't understand what I mean. The first ping gets a reply, and all the other pings don't get a reply with this NAT entry...


Problems with NAT ASA 8.4(2)

Hi

Can you remove that NAT command and try to do the NAT the 8.4 static way?

Please find the commands:

object network obj-10.226.224.25
 host 10.226.224.25
 nat (DMZ,inside) static 10.226.31.10


Problems with NAT ASA 8.4(2)

Hi,

I have tested it, but it doesn't work... It's the same failure...


Problems with NAT ASA 8.4(2)

Hello Erkan,

Can you provide the complete output of the following:

packet-tracer input inside icmp 10.226.31.14 8 0  10.226.31.10

Let me know how it goes

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Problems with NAT ASA 8.4(2)

Hello Julio,

Here is the output...

The first output is the one you asked for:

packet-tracer input inside icmp 10.226.31.14 8 0 10.226.31.10

The second is:

packet-tracer input inside icmp 10.226.224.25 8 0 10.226.31.10

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MBRASA13# packet-tracer input inside icmp 10.226.31.14 8 0 10.226.31.10

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.226.16.0     255.255.240.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_3 in interface inside
access-list inside_access_in_3 extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139046, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

MBRASA13#

++++++++++++++++++++++++++++++

MBRASA13# packet-tracer input inside icmp 10.226.224.25 8 0 10.226.31.10

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.226.16.0     255.255.240.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_3 in interface inside
access-list inside_access_in_3 extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139111, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

MBRASA13#


Problems with NAT ASA 8.4(2)

Hello,

Packet tracer one looks good.

Now, why are you doing this:

packet-tracer input inside icmp 10.226.224.25 8 0 10.226.31.10

I mean, the host on the DMZ 10.226.31.10 is being translated to the inside to the IP address 10.226.224.25, so I do not understand why you are sending traffic from its own global IP to itself.

Tell me what you are trying to accomplish with this NAT.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Problems with NAT ASA 8.4(2)

Yes, the packet tracer looks good...

Okay, now I understand what you have tested...

Yes, 10.226.31.10 is the translated IP and 10.226.224.25 is the original...

Attached is a drawing of our topology.


Problems with NAT ASA 8.4(2)

Hello Erkan,

So, just to make sure we are on the same page: you are looking to make inside users access that DMZ server on 10.226.31.10.

Right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Problems with NAT ASA 8.4(2)

Hello Julio,

Yes, right: every user from inside uses 10.226.31.10 to access the DMZ server MBLX74.


Problems with NAT ASA 8.4(2)

Julio, is it possible that I have a problem with the port channel and security levels?

All VLANs are connected via port channel to this firewall... I have 4 x 1 GB ports connected to a redundant Nexus 5000 (2 ports each), and inside has security level 100, DMZ has 50, and all other VLANs have 0.

thanks


Problems with NAT ASA 8.4(2)

Hello Erkan,

The result of the packet tracer shows that there is no NAT taking place; please paste the running-config.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
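As an added example (my own code, not from the thread or from Cisco), the script below parses a packet-tracer transcript laid out like the two pasted earlier in the thread and reports the two signs Julio points at: no NAT or UN-NAT phase in the trace, and an output-interface equal to the input-interface, meaning the ASA routed the packet straight back out "inside" instead of diverting it to the DMZ. The first sample transcript is cut down from the thread's own output; the second is constructed to show what a matching static object NAT would add (the UN-NAT phase and its "NAT divert to egress interface" line are assumed wording).

```python
"""Check an ASA packet-tracer transcript for a NAT phase (added example, not code
from the thread or from Cisco; assumes the Phase/Type/Subtype/Result/Config/
Additional Information layout of the output pasted above, then a bare 'Result:' summary)."""
from dataclasses import dataclass, field

# Constructed: cut down from the first transcript pasted in the thread.
NO_NAT_TRACE = """\
MBRASA13# packet-tracer input inside icmp 10.226.31.14 8 0 10.226.31.10
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.226.16.0     255.255.240.0   inside
Phase: 2
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139046, packet dispatched to next module
Result:
input-interface: inside
output-interface: inside
Action: allow
MBRASA13#
"""

# Constructed (hypothetical): the phase a matching static object NAT would add.
WITH_NAT_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.226.224.25
 nat (DMZ,inside) static 10.226.31.10
Additional Information:
NAT divert to egress interface DMZ
Untranslate 10.226.31.10/0 to 10.226.224.25/0
Result:
input-interface: inside
output-interface: DMZ
Action: allow
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_packet_tracer(text):
    """Return (phases, summary): the numbered phases and the final Result block."""
    phases, summary = [], {}
    phase, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.split()[0].endswith("#"):
            continue  # blank line, CLI prompt, or the echoed command
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase":
            phase = Phase(int(value))
            phases.append(phase)
            section = None
        elif line == "Result:":  # a bare 'Result:' opens the summary block
            phase, section = None, "summary"
        elif section == "summary":
            summary[key] = value
        elif phase is None:
            continue
        elif key in ("Type", "Subtype", "Result"):
            setattr(phase, key.lower(), value)
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            phase.config.append(line)
        elif section == "info":
            phase.info.append(line)
    return phases, summary

def nat_findings(text):
    """List what is wrong with a trace that should have hit a static NAT."""
    phases, summary = parse_packet_tracer(text)
    findings = []
    if not any(p.type.upper() in ("NAT", "UN-NAT") for p in phases):
        findings.append("no NAT/UN-NAT phase: no translation rule matched this flow")
    inp, out = summary.get("input-interface"), summary.get("output-interface")
    if inp and inp == out:
        findings.append(f"output-interface equals input-interface ({inp}): "
                        "the packet is routed back out the ingress interface")
    return findings
```

On a real box, save the packet-tracer output to a file and pass its contents to nat_findings(); an empty list means a translation phase was hit and the packet left through a different interface than it entered, which is what a working static NAT from inside to the DMZ should show.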