01-30-2014 11:50 AM - edited 03-11-2019 08:38 PM
I have an ASA5510 that is connected to the Internet by an interface named Outside, is connected to the LAN by the interface Inside, and is also connected to a router by the interface Outside1. This router has 3 connected interfaces within the subnet 172.1.x.0 that connect to branch offices. I cannot pass any kind of traffic between the LAN and subnet 172.1.x.0 (traffic is supposed not to have NAT). Here's the configuration:
: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address X.X.X.162 255.255.255.248
!
interface Ethernet0/1
nameif Outside1
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host X.X.X.163 eq smtp
access-list 100 extended permit udp any host X.X.X.163 eq domain
access-list 100 extended permit tcp any host X.X.X.163 eq https
access-list 100 extended permit tcp any host X.X.X.163 eq www
access-list 100 extended permit tcp any host X.X.X.163 eq 3000
access-list 100 extended permit tcp any host X.X.X.163 eq 1000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.32.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) X.X.X.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 X.X.X.161 20
route Inside 172.1.1.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8a0d1c3ab10209f6b7071cc6f6b415f
: end
Can somebody help? Want a diagram?
Eduardo
01-30-2014 12:02 PM
Hi,
Am I correct to assume that traffic from "inside" to "outside1" needs to go without NAT?
If so then the reason for connectivity problem might be the Dynamic PAT configuration. This is a very common problem with the older 8.2 (and below) software levels.
Essentially what happens is that your traffic from "inside" will match that interface's "nat" command and will try to find a matching "global" for the destination interface, which is determined by the routing table.
In your setup this would seem to make sense as you have no "global" towards that interface. You also don't have any Static Identity NAT configuration to avoid matching the "nat" command.
You could therefore try a Static Identity NAT or NAT0 configuration for the traffic from "inside" to "outside1".
For example
static (Outside1,Inside) 172.1.x.0 172.1.x.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.y.0 172.1.y.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.z.0 172.1.z.0 netmask 255.255.255.0
Or perhaps (if you configure this, don't configure the above Static Identity NAT)
access-list INSIDE-NAT0 remark NAT0 for traffic
access-list INSIDE-NAT0 permit ip
access-list INSIDE-NAT0 permit ip
access-list INSIDE-NAT0 permit ip
nat (inside) 0 access-list INSIDE-NAT0
Also, notice that you don't have any "route" commands pointing towards these networks through the "Outside1" interface. You will need to add the needed "route" commands.
- Jouni
01-30-2014 12:19 PM
Dear Jouni, with the solution you gave in the lines below, can the LAN connected to Inside also connect to the Internet via Outside? I mean, will I not lose connectivity to the Internet?
Eduardo
01-30-2014 12:23 PM
Hi,
Neither of the above configurations (only one of the options needed, Identity NAT or the NAT0) should affect any traffic heading to your "outside" interface.
If the 3 networks 172.1.x.0/24 are located behind "outside1" then it affects only them.
You would also need the routes for the 172.1.x.0/24 networks towards "outside1".
The default route you have in place for "outside" should still forward Internet traffic like usual.
- Jouni
01-30-2014 01:33 PM
Dear Jouni, I tried the access-list approach; here's the config, but traffic is still being dropped. I also ran a packet tracer (the result is at the end of this question).
: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address X.X.X.162 255.255.255.248
!
interface Ethernet0/1
nameif Outside1
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host X.X.X.163 eq smtp
access-list 100 extended permit udp any host X.X.X.163 eq domain
access-list 100 extended permit tcp any host X.X.X.163 eq https
access-list 100 extended permit tcp any host X.X.X.163 eq www
access-list 100 extended permit tcp any host X.X.X.163 eq 3000
access-list 100 extended permit tcp any host X.X.X.163 eq 1000
access-list INSIDE-NAT0 remark NAT0 for traffic
access-list INSIDE-NAT0 extended permit ip 192.168.0.0 255.255.255.0 172.1.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.32.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list INSIDE-NAT0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) X.X.X.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 X.X.X.161 20
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c37b6a1bd46b2df0fa432e98c8dc6998
: end
Packet Tracer:
packet-tracer input Outside1 tcp 172.1.1.5 9823 192.168.0.2 80 detail
Result:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7f4878, priority=1, domain=permit, deny=false
hits=259385, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
match ip Inside 192.168.0.0 255.255.255.0 Outside1 any
static translation to 192.168.0.0
translate_hits = 78, untranslate_hits = 31840
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.0.0/0 to 192.168.0.0/0 using netmask 255.255.255.0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7f50e0, priority=2, domain=permit, deny=false
hits=31856, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7f7088, priority=0, domain=permit-ip-option, deny=true
hits=230918, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab942728, priority=6, domain=nat-exempt-reverse, deny=false
hits=1, user_data=0xa76aa6c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=172.1.1.0, mask=255.255.255.0, port=0
dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (Outside1) 101 0.0.0.0 0.0.0.0
match ip Outside1 any Inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 2, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab4b62c0, priority=1, domain=nat, deny=false
hits=1, user_data=0xab9403c8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside1
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Am I doing something else wrong?
01-30-2014 01:45 PM
Hi,
Seems I might have looked at the situation a bit wrong.
I think you actually need the Static Identity NAT configuration that I mentioned in the earlier post, and you should remove the NAT0 configuration.
Can you test with the "static" command that I suggested? With that there should be no NAT drop, to my understanding. Your tested traffic is now matching a NAT for its destination address, but it seems that it also looks for a source address translation, and it seems the NAT0 doesn't apply in this situation.
- Jouni
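The drop in Phase 7 of the packet tracer above ("No matching global") and the reason the NAT0 entry did not help come down to the ASA 8.2 source-translation order: NAT exemption keyed on the ingress interface, then static (identity) NAT, then dynamic nat/global pairs. The following toy model is an added illustration written for this thread, not Cisco code and not an exact reproduction of the ASA engine: it models only the source-address lookup, ignores policy NAT and destination un-NAT, and is loaded with the addresses from Eduardo's two configurations and Jouni's suggested static as constructed input.

```python
"""Toy model of the ASA 8.2 source-NAT lookup order (added illustration, not ASA code).

Simplifications (assumptions): only the SOURCE address is translated, nat-control is
off (a packet matching no rule passes untranslated), and policy NAT is not modelled.
"""
import ipaddress


def _net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """Build a network from ASA-style 'address mask' notation (0.0.0.0 0.0.0.0 -> 0/0)."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


class Asa82Nat:
    """Collects the NAT commands and answers: what happens to the source address of a
    packet entering `ingress` and routed out via `egress`?"""

    def __init__(self) -> None:
        self.nat0 = []        # (real_if, src_net, dst_net)   nat (real_if) 0 access-list X
        self.statics = []     # (real_if, mapped_if, real_net, mapped_net)
        self.dynamic = []     # (real_if, nat_id, src_net)    nat (real_if) id a.b.c.d mask
        self.globals = set()  # (mapped_if, nat_id)           global (mapped_if) id interface

    def nat_exempt(self, real_if, src, src_mask, dst, dst_mask):
        self.nat0.append((real_if, _net(src, src_mask), _net(dst, dst_mask)))

    def static(self, real_if, mapped_if, mapped, real, mask):
        # ASA syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
        self.statics.append((real_if, mapped_if, _net(real, mask), _net(mapped, mask)))

    def nat(self, real_if, nat_id, src, mask):
        self.dynamic.append((real_if, nat_id, _net(src, mask)))

    def global_(self, mapped_if, nat_id):
        self.globals.add((mapped_if, nat_id))

    def lookup(self, ingress, egress, src, dst):
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        # 1. NAT exemption: keyed on the interface the packet ENTERS on. This is why
        #    'nat (Inside) 0' exempts Inside sources but not a 172.1.1.x source on Outside1.
        for real_if, sn, dn in self.nat0:
            if real_if == ingress and s in sn and d in dn:
                return ("EXEMPT", src)
        # 2. Static (including identity) NAT from ingress to egress
        for real_if, mapped_if, rn, mn in self.statics:
            if real_if == ingress and mapped_if == egress and s in rn:
                offset = int(s) - int(rn.network_address)
                return ("STATIC", str(mn.network_address + offset))
        # 3. Dynamic NAT/PAT: needs a 'global' with the same id on the EGRESS interface
        for real_if, nat_id, sn in self.dynamic:
            if real_if == ingress and s in sn:
                if (egress, nat_id) in self.globals:
                    return ("PAT", f"global ({egress}) {nat_id}")
                return ("DROP", "No matching global")
        # 4. No rule matched: with nat-control disabled the packet passes untranslated
        return ("NONE", src)


def thread_config(with_nat0: bool = False, with_identity_static: bool = False) -> Asa82Nat:
    """The NAT lines from the thread's configurations (constructed from the posts above)."""
    asa = Asa82Nat()
    asa.global_("Outside", 101)                       # global (Outside) 101 interface
    for ifc in ("Outside1", "DMZ", "Inside"):
        asa.nat(ifc, 101, "0.0.0.0", "0.0.0.0")       # nat (ifc) 101 0.0.0.0 0.0.0.0
    asa.static("DMZ", "Inside", "172.16.31.0", "172.16.31.0", "255.255.255.0")
    asa.static("Outside1", "Inside", "192.168.2.0", "192.168.2.0", "255.255.255.0")
    asa.static("Inside", "DMZ", "192.168.0.0", "192.168.0.0", "255.255.255.0")
    asa.static("Inside", "Outside1", "192.168.0.0", "192.168.0.0", "255.255.255.0")
    if with_nat0:  # second configuration: nat (Inside) 0 access-list INSIDE-NAT0
        asa.nat_exempt("Inside", "192.168.0.0", "255.255.255.0", "172.1.1.0", "255.255.255.0")
    if with_identity_static:  # Jouni's suggestion for the first branch network
        asa.static("Outside1", "Inside", "172.1.1.0", "172.1.1.0", "255.255.255.0")
    return asa


if __name__ == "__main__":
    branch_to_lan = ("Outside1", "Inside", "172.1.1.5", "192.168.0.2")  # the packet-tracer test
    print("original      :", thread_config().lookup(*branch_to_lan))
    print("with NAT0     :", thread_config(with_nat0=True).lookup(*branch_to_lan))
    print("with identity :", thread_config(with_identity_static=True).lookup(*branch_to_lan))
    print("LAN -> Internet:", thread_config().lookup("Inside", "Outside", "192.168.0.2", "198.51.100.7"))
```

Running it reproduces the thread: the branch-to-LAN packet is dropped with "No matching global" under both of Eduardo's configurations, because the 172.1.1.5 source on Outside1 hits `nat (Outside1) 101` and there is no `global (Inside) 101`; the identity static satisfies step 2 before the dynamic rule is reached. The last line shows that LAN-to-Internet traffic still lands on `global (Outside) 101`, which is why the fix does not affect the default route, as Jouni said.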
01-30-2014 02:07 PM
Yes Jouni, you are right; after I posted the last question, I tried identity NAT and it was the correct answer. Thanks a lot. I have another small question related to identity NAT.
Let's suppose 172.1.x.0 is about 50 networks (x from 1 to 50). Do I have to configure Static Identity NAT for each one, or is there any way to group those networks in one pool?
Thanks a lot
Eduardo