Strange routing problem when bringing on ASA 5525x with existing numbers.

BRAD VAUGHN

I thought I had done my last PIX to ASA conversion, but I was sadly mistaken.  Here's the problem I'm having.  

I currently have an install with a pix515 we are trying to replace with an ASA5525x.  I tried replacing it after going through and updating the configuration because of the language change between the two.  This has worked for me in the past.  When it didn't work this time, at first I wrote off the problem as my syntax.  After testing, it looks like something else.

In this office, they have a block of static IPs from AAA.BBB.CCC.1 to AAA.BBB.CCC.31 and are using the following with the pix:
AAA.BBB.CCC.2 - Outside interface
AAA.BBB.CCC.3 - Outside PAT shared between most desktops
AAA.BBB.CCC.6 - Website Nat-ed to inside number
AAA.BBB.CCC.7 - Website Nat-ed to inside number
AAA.BBB.CCC.8 - SMTP Nat-ed to inside number
AAA.BBB.CCC.13 - Video-Conf Nat-ed to inside number
I don't know why they skipped some numbers but they used to have pcAnywhere so that may be it.  Only a few external host ranges can talk to the smtp and websites for security reasons.

Assuming I had badly converted the syntax for the PAT, the static NATs and the permit/deny statements, I started over on the ASA and rewrote everything from scratch.  As a test I built some dummy servers and used the following numbers so I could test live:
AAA.BBB.CCC.15 - Outside interface
AAA.BBB.CCC.16 - Outside PAT shared between most desktops
AAA.BBB.CCC.17 - Website Nat-ed to inside number
AAA.BBB.CCC.19 - SMTP Nat-ed to inside number

I made the ASA inside interface the gateway on my test PC for a bit.  I was then able to test the syntax of my statements for https and smtp as well as the general surfing over the PAT.  I planned to just switch the numbers after the fact and put it in.

I got it all to work.  When I switch to the real outside numbers it no longer works.  As a test I left all my numbers in the teens and just changed the outside PAT to AAA.BBB.CCC.3 and it doesn't work.  I switch back to .16 and it pops back up.  I have removed everything except the phone company's inside device from the equation, so I'm left with calling ATT to see if they have some mapping that is forcing these lower numbers to .2.  My question is, is there anywhere else I should look that could cause this?  ATT has not been very helpful in the past on things like this.

Thanks for your help.

ryancisco01

Are these public IPs?

Is it possible you changed the IP in the nat statements, but not in the access-lists for no-nats or policy nats?
Also you should have packet-tracer available on your ASA box so just run the simulated packet through and it will tell you exactly where it is going wrong.
I have simplified the config text and what follows is the text that works.  I make the inside address my PC's gateway and I can surf anywhere and see that my PAT'ed address is 13.146.62.16.

WORKING CONFIG

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 13.146.62.15 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.35.206 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.30.1 255.255.255.0
 management-only
object network outpat1
 host 13.146.62.16
object network obj1958
 host 172.16.19.58
object-group network emlvndr
 network-object host 14.25.6.3
 network-object host 15.58.5.2
access-list inside_access_in extended permit ip object obj1958 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp object-group emlvndr object obj1958 eq smtp
!
object network obj1958
 nat (any,any) static 13.146.62.18
!
13.146.62.16
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 13.146.62.1 1
route inside 10.1.1.240 255.255.255.255 172.16.25.27 1
route inside 192.168.1.0 255.255.255.255 172.16.25.27 1

http server enable
http 192.168.30.0 255.255.255.0 management
dhcpd address 192.168.30.2-192.168.30.254 management
dhcpd enable management
After I change two addresses - the outside interface and the outpat1 as follows, I can no longer surf.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 13.146.62.2 255.255.255.224
!

object network outpat1
 host 13.146.62.3

The above works on the current pix firewall.  As to the packet tracer, it says neither should work and says it was dropped due to a rule, and it gives you this line

"nat (inside,outside) after-auto source dynamic any outpat1"

as the cause.  On a whim, I deleted the whole config today and ran the wizard this time in ASDM and it wrote the code lines practically word for word as I did by hand.  It has this result in packet tracer as well.

One video I stumbled across suggested you had to use vlans now rather than putting the ip address directly on the if.  He was using a 5505 though so I think that may have been incorrect info.

Any ideas on what to check next?  Thanks again for your help.

This working config doesn't make much sense then.  You say your PC's natted address becomes 13.146.62.16?

That would indicate this nat is not doing anything then:

object network obj1958
 nat (any,any) static 13.146.62.18 
and you must have another nat statement somewhere?
Generally, you want to nat all your inside host IPs to the outside interface (PAT) for internet access, so you do this:

object network INTERNAL_NETS 
 subnet 0.0.0.0 0.0.0.0
!
nat (inside,outside) source dynamic INTERNAL_NETS interface

Can you just confirm what you are exactly trying to achieve in the end game: do you want your internal host to be static natted, or dynamically patted to the interface IP address?  The packet tracer is telling you that your traffic is not hitting the static NAT.  In order to static NAT 172.16.19.58 to 13.146.62.16 (regardless of what the IP on the outside interface is), this is the syntax:

object network outpat1
 host 13.146.62.3
object network obj1958
 host 172.16.19.58
 nat (inside,any) static outpat1
I would kill off this line: 

nat (inside,outside) after-auto source dynamic any outpat1 
If you add the PAT I pasted above, and the static NAT above, then everything should be working.

Thanks for the reply.  As to my goal, I try in each city to mimic what they had on the pix.  That is found in the first post. it is basically:

13.146.62.2 - Outside interface
13.146.62.3 - Outside PAT shared between most desktops 172.16.0.0
13.146.62.6 - Website static Nat-ed to inside number 172.16.20.12
13.146.62.7 - Website static Nat-ed to inside number 172.16.20.45
13.146.62.8 - SMTP static Nat-ed to inside number 172.16.19.58
13.146.62.13 - Video-Conf static Nat-ed to inside number 172.16.20.25

I'm not sure why they chose to have .3 be the PAT instead of the outside IF which is .2 but it's been that way for a while.  I guess if necessary, I could make the outside IF .3 and pat interface.  The static NATs are servers that are open to a set list of IPs on the internet.  
If I can get the overall PAT that 99% of the users use to surf and the static NAT through to the SMTP, I can just mimic the static with different ports/services allowed to add the http and vid. conf.
As to the info I posted above, a bit got cut off.  That line you suggest killing off was supposed to PAT anything other than the SMTP static NAT to outpat1 which is 13.146.62.3.

The SMTP static NAT was to be 172.16.19.58 (inside) to 13.146.62.18 (outside).  Looking at it now, it should be 13.146.62.8, though that's really not important until the normal surfing is up and running.

Hopefully this clarifies my goal a bit.  Thanks for all your help on this.  
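The NAT layout for the goal listed above (PAT on .3 for the whole inside LAN, one-to-one statics on .6, .7, .8 and .13, and an outside ACL that admits only the listed external hosts), combining the syntax from the reply above with the address plan from the first post. This is an added example, not the thread's own config or Cisco's; it assumes ASA 8.3+ object NAT, the two email-vendor hosts already in the posted config, a constructed placeholder web client 198.51.100.10, and leaves the video-conferencing ports as a placeholder because the thread never names them.

```cisco
! Added example (not the thread's config): ASA 8.3+ object NAT for the stated goal.
! Post-8.3 ACLs match on the real (inside) addresses, so the outside ACL references the inside objects.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 13.146.62.2 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.35.206 255.255.0.0
!
! Catch-all PAT: the inside LAN hides behind 13.146.62.3 (a single-host mapped object means PAT, not dynamic NAT).
object network outpat1
 host 13.146.62.3
object network INSIDE_LAN
 subnet 172.16.0.0 255.255.0.0
 nat (inside,outside) dynamic outpat1
!
! One-to-one statics. Object NAT evaluates static rules before dynamic ones, so these hosts never fall into the PAT.
object network web1
 host 172.16.20.12
 nat (inside,outside) static 13.146.62.6
object network web2
 host 172.16.20.45
 nat (inside,outside) static 13.146.62.7
object network smtp1
 host 172.16.19.58
 nat (inside,outside) static 13.146.62.8
object network vidconf1
 host 172.16.20.25
 nat (inside,outside) static 13.146.62.13
!
! Inbound policy: everything not listed here is dropped by the implicit deny on the outside ACL.
object-group network emlvndr
 network-object host 14.25.6.3
 network-object host 15.58.5.2
object-group network web_clients
 network-object host 198.51.100.10
access-list outside_access_in extended permit tcp object-group emlvndr object smtp1 eq smtp
access-list outside_access_in extended permit tcp object-group web_clients object web1 eq https
access-list outside_access_in extended permit tcp object-group web_clients object web2 eq https
! access-list outside_access_in extended permit tcp <allowed-peers> object vidconf1 eq <VC-PORT-PLACEHOLDER>
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 13.146.62.1 1
```

Check it with `packet-tracer input inside tcp 172.16.20.99 12345 203.0.113.5 80` (constructed addresses): the NAT phase should show INSIDE_LAN translating to outpat1, and an inbound test to 13.146.62.8 port 25 from one of the emlvndr hosts should be allowed while the same test from any other source is dropped by the ACL. If the teens addresses work but .2/.3 do not with an otherwise identical config, the upstream device's ARP cache may still tie those two addresses to the PIX's MAC, since the ASA answers ARP for mapped addresses itself.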