Problems with NAT ASA 8.4(2)

zlbbehring
Level 1

hello,

I have an ASA5520 with 4 port-channel interfaces and ASA Version 8.4(2). There are many VLAN interfaces, but in the DMZ I have one server that has a static NAT to all other interfaces.

original (security 50) DMZ  10.226.224.25

translated (security 100) inside 10.226.31.10

the CLI for this is

nat (DMZ,inside) source static 10.226.224.25 10.226.31.10

Access Rules

any any - ICMP

Can someone tell me why the first ping works and the others don't?

Regards

Erkan


Hi,

You have an access rule to only allow ICMP; that's why only ping is working.

Nitesh

Please rate if helpful.

No, you didn't understand what I mean. The first ping gets a reply and all other pings don't get a reply for this NAT entry...

Hi

Can you remove that NAT command and try to do the NAT the 8.4 static way?

Please find the commands:

object network obj-10.226.224.25

   host 10.226.224.25

   nat (DMZ,inside) static 10.226.31.10

Hi,

I have tested it but it doesn't work... it's the same failure...

Hello Erkan,

Can you provide the complete output of the following:

packet-tracer input inside icmp 10.226.31.14 8 0  10.226.31.10

Let me know how it goes

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Here is the output...

The first output is the one you asked for:

packet-tracer input inside icmp 10.226.31.14 8 0  10.226.31.10

The second is:

packet-tracer input inside icmp 10.226.224.25 8 0  10.226.31.10

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MBRASA13# packet-tracer input inside icmp 10.226.31.14 8 0 10.226.31.10

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.226.16.0     255.255.240.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_3 in interface inside
access-list inside_access_in_3 extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139046, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

MBRASA13#

++++++++++++++++++++++++++++++

MBRASA13# packet-tracer input inside icmp 10.226.224.25 8 0 10.226.31.10

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.226.16.0     255.255.240.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_3 in interface inside
access-list inside_access_in_3 extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139111, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

MBRASA13#

Hello,

Packet tracer one looks good.

Now, why are you doing this:

packet-tracer input inside icmp 10.226.224.25 8 0 10.226.31.10

I mean, the host on the DMZ 10.226.31.10 is being translated to the inside to the IP address of 10.226.224.25, so I do not understand why you are sending traffic from its own global IP to itself.

Tell me what you are trying to accomplish with this NAT.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, the packet tracer looks good...

Okay, now I understand what you have tested...

Yes, the 10.226.31.10 is the translated IP and the 10.226.224.25 is the original...

Attached is a drawing of our topology.

Hello Erkan,

So just to make sure we are on the same page: you are looking to make inside users access that DMZ server on the 10.226.31.10 address, right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Yes, right. Every user from inside uses this 10.226.31.10 to access the DMZ server MBLX74.

Julio, is it possible that I have a problem with the port-channel and security levels?

All VLANs are connected via port-channel to this firewall... I have 4 x 1 GB ports connected to a redundant Nexus 5000 (2 ports respectively); inside has security level 100, DMZ has 50, and all other VLANs have 0.

Thanks

Hello Erkan,

The result of the packet tracer shows that there is no NAT taking place. Please paste the running-config.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
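The observation above (a trace that never hits a translation phase) can be checked mechanically. The following is an added example, not code from the thread: it parses the posted packet-tracer transcript into phases and flags when no NAT/UN-NAT phase appears and the flow exits on the same interface it entered. The phase names "NAT" and "UN-NAT" are assumed to match ASA 8.3+ packet-tracer output; the sample below is the thread's first trace shortened to the lines the parser reads.

```python
"""Check an ASA packet-tracer transcript for a NAT phase (added example)."""
import re
from typing import Dict, List

# Assumption: ASA 8.3+ reports an applied translation as one of these phase types.
NAT_PHASE_TYPES = {"NAT", "UN-NAT"}

# Constructed sample: the thread's first trace, reduced to the fields parsed below.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Result:
input-interface: inside
output-interface: inside
Action: allow
"""

def parse_phases(trace: str) -> List[Dict[str, str]]:
    """Return one dict per 'Phase: N' block holding its Type/Subtype/Result."""
    phases: List[Dict[str, str]] = []
    for line in trace.splitlines():
        m = re.match(r"^(Phase|Type|Subtype|Result):\s*(.*)$", line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Phase":
            phases.append({"phase": value})
        elif phases and key.lower() not in phases[-1]:
            # The trailing summary 'Result:' is skipped: the last phase already has one.
            phases[-1][key.lower()] = value
    return phases

def nat_applied(trace: str) -> bool:
    """True when any phase in the trace is a translation phase."""
    return any(p.get("type") in NAT_PHASE_TYPES for p in parse_phases(trace))

def same_interface_in_out(trace: str) -> bool:
    """True when the summary shows the flow leaving on its ingress interface."""
    ins = re.search(r"^input-interface:\s*(\S+)", trace, re.M)
    outs = re.search(r"^output-interface:\s*(\S+)", trace, re.M)
    return bool(ins and outs and ins.group(1) == outs.group(1))
```

Running both checks on the posted trace returns no NAT phase and inside-to-inside, which is the condition Julio reads as "no NAT taking place".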