03-26-2013 09:13 PM - edited 03-11-2019 06:20 PM
I have an ASA5505 with 1GB of RAM and the latest version of software.
I have several ESXi hosts with vSphere 5.1. I want to put a VM with CentOS 5.x in the DMZ. The CentOS machine works well if I define a PAT with the outside interface.
But when I configure static NAT 190.x.x.215 <-NAT-> 192.168.111.215 I have packet loss.
I also tried with Windows 7 and it is exactly the same issue.
I tested with Wireshark installed on the CentOS machine and all I see are out-of-sequence packets, lost packets and retransmissions.
The physical configuration is:
Internet <-> ASA <-> inside <-> UC520 <-dot1qtrunk-> ws-3560 <-dot1qtrunk-> vswitch <-> ESXi.
The problem is not in the vm, I'm 99% sure it's something in the ASA.
I also discarded the IP checksum offload on both Linux and Windows.
I don't see any key message in the ASA ASDM log.
Fragment of my config...
!
ASA Version 9.0(2)
!
hostname aaabbbcc
names
!
interface Ethernet0/0
description to ISP2 Modem (Claro)
switchport access vlan 200
speed 100
duplex full
!
!
!
interface Ethernet0/3
description Uplink to UC500
switchport access vlan 172
speed 100
duplex full
!
!
!
interface Vlan172
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
!
interface Vlan200
nameif claro
security-level 0
ip address 190.x.x.64 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network 172.16.1.x-network
subnet 172.16.1.0 255.255.255.0
!
object network 192.168.100.x-network
subnet 192.168.100.0 255.255.255.0
!
object network 172.16.1.x-claro-PAT-network
subnet 172.16.1.0 255.255.255.0
!
object network 192.168.100.x-claro-PAT-network
subnet 192.168.100.0 255.255.255.0
!
!
object network www-host
host 192.168.111.215
!
!
object network www-host
nat (inside,claro) static 190.x.x.215
!
object-group protocol tcp-udp
protocol-object tcp
protocol-object udp
!
object-group service web-mail-services tcp-udp
port-object eq domain
port-object eq www
!
access-list in-claro extended permit object-group tcp-udp any object www-host object-group web-mail-services
!
ip verify reverse-path interface inside
ip verify reverse-path interface claro
!
no arp permit-nonconnected
!
object network 172.16.1.x-claro-PAT-network
nat (inside,claro) dynamic interface
!
object network 192.168.100.x-claro-PAT-network
nat (inside,claro) static interface
!
access-group in-claro in interface claro
!
route claro 0.0.0.0 0.0.0.0 190.x.x.1 1
route inside 192.168.100.0 255.255.255.0 172.16.1.254 1
route inside 192.168.111.0 255.255.255.0 172.16.1.254 1
!
!
http server enable
http 172.16.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
service resetinbound interface claro
!
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
I need some help, otherwise I will have to take out the DMZ and put a physical server directly on the Internet.
Thanks.
03-26-2013 11:57 PM
Do the capture CAP1 type asp-drop all and you should see in that capture file what packets the ASA drops and why it does so. Probably you'll be able to get something from that.
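As an added example that is not part of the reply above or the poster's configuration: once the asp-drop capture suggested here has been running for a while, the output of `show capture CAP1` can be long, and the useful question is "which drop reasons hit my DMZ host, and how often". The script below parses that text, tallies packets per drop reason, and filters the drops that involve one host. The sample capture embedded in it is constructed, and its line layout (packet index, timestamp, packet summary, then `Drop-reason: (code) description`) is an assumption about the typical ASA format; the drop-reason codes in the sample exist only to exercise the parser and are not a diagnosis of the problem in this thread.

```python
import re
from collections import Counter

# Constructed sample of `show capture CAP1` output for a capture created
# with `capture CAP1 type asp-drop all`. The line format is assumed from
# typical ASA output; the reason codes are illustrative only.
SAMPLE_CAPTURE = """\
6 packets captured
   1: 09:13:01.100123 190.0.2.50.51234 > 192.168.111.215.80: . ack 2001 win 8192 Drop-reason: (tcp-not-syn) First TCP packet not SYN
   2: 09:13:01.100456 192.168.111.215.80 > 190.0.2.50.51234: . 1:1461(1460) ack 500 win 64240 Drop-reason: (rpf-violated) Reverse-path verify failed
   3: 09:13:01.200789 190.0.2.50.51234 > 192.168.111.215.80: . ack 3461 win 8192 Drop-reason: (tcp-not-syn) First TCP packet not SYN
   4: 09:13:02.000111 172.16.1.20.40000 > 198.51.100.9.443: S 10:10(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
   5: 09:13:02.300222 203.0.113.7 > 192.168.111.215: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
   6: 09:13:02.400333 192.168.111.215.80 > 190.0.2.50.51234: . 2921:4381(1460) ack 500 win 64240 Drop-reason: (rpf-violated) Reverse-path verify failed
6 packets shown
"""

# One captured packet: "<idx>: <hh:mm:ss.usec> <summary> Drop-reason: (<code>) <desc>"
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<summary>.*?)"
    r"\s+Drop-reason:\s+\((?P<code>[^)]+)\)\s*(?P<desc>.*?)\s*$"
)

# "src[.sport] > dst[.dport]" inside the packet summary; the port suffix is
# absent for ICMP, so it is optional.
ENDPOINTS_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?"
)


def parse_asp_drop_capture(text):
    """Return one dict per dropped packet; header/footer lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "N packets captured" / "N packets shown" / unknown lines
        rec = {
            "idx": int(m.group("idx")),
            "ts": m.group("ts"),
            "code": m.group("code"),
            "desc": m.group("desc"),
            "src": None, "sport": None, "dst": None, "dport": None,
        }
        e = ENDPOINTS_RE.search(m.group("summary"))
        if e:
            rec["src"], rec["dst"] = e.group("src"), e.group("dst")
            rec["sport"] = int(e.group("sport")) if e.group("sport") else None
            rec["dport"] = int(e.group("dport")) if e.group("dport") else None
        records.append(rec)
    return records


def count_drop_reasons(records):
    """Packets per drop-reason code, most frequent first."""
    return Counter(r["code"] for r in records)


def drops_involving(records, host):
    """Only the drops where `host` is the source or the destination."""
    return [r for r in records if host in (r["src"], r["dst"])]


def report(text, host):
    """Human-readable summary for one host; returns the lines it prints."""
    records = parse_asp_drop_capture(text)
    lines = [f"{len(records)} dropped packets parsed"]
    for code, n in count_drop_reasons(records).most_common():
        lines.append(f"  {n:4d}  {code}")
    mine = drops_involving(records, host)
    lines.append(f"{len(mine)} of them involve {host}:")
    for r in mine:
        lines.append(f"  #{r['idx']} {r['ts']} {r['src']} > {r['dst']} ({r['code']})")
    print("\n".join(lines))
    return lines


if __name__ == "__main__":
    # 192.168.111.215 is the DMZ host from the thread (its private address).
    report(SAMPLE_CAPTURE, "192.168.111.215")
```

Save the `show capture CAP1` output to a file and feed its contents to `report()` with the real DMZ host address; `show asp drop` gives the same reasons as box-wide counters, which is a quick cross-check that the capture is not missing a reason. Remove the capture with `no capture CAP1` once done, since a long-lived `all` capture on a small ASA is itself a load.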
03-27-2013 12:22 AM
Also, I would disable scanning threat-detection and threat-detection statistics, because I assume the ASA should be pretty much loaded performing those two.