Translations Fail After Updating IP Addresses

mumbles202
Level 5

I'm working on an ASA that currently sits behind another device that the ISP equipment terminates on.  The device has the real external addresses for the network (A.B.C.100) and it has a private range of 10.0.0.100 for the internal network.  The ASA in turn has an outside address of 10.0.0.101 and its default route sends all traffic to the 0.100 address which forwards it on.  I've been asked to remove the extra device and just have the ISP terminate directly on the ASA.  When I do this and assign the ASA the public address my internal clients are all able to get out as normal.  I removed the outside_in access-list and recreated it, substituting A.B.C. in any place that 10.0.0. was previously.  I also did the same with the static translations and I did a "clear xlate" and a "clear local-host all" after removing the old translations and adding the new ones.  For some reason at least 3 of the servers that have a 1-to-1 translation are no longer able to access the internet once I add the static translation.  I've included the nat and global statements and the access-lists they reference in case it helps.  I can post the entire sanitized config if needed.

interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.225 255.255.0.0

global (outside) 1 interface
global (outside) 2 A.B.C.180 netmask 255.255.255.255
nat (outside) 0 access-list outsidenat
nat (outside) 2 access-list vpnnat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0


access-list outside_in remark Websense Email Security Filter
access-list outside_in extended permit tcp any host A.B.C.190 eq smtp
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list extended extended deny ip 192.168.10.0 255.255.255.240 192.168.0.0 255.255.0.0
access-list vpnnat extended permit ip 192.168.10.0 255.255.255.240 any

access-list outsidenat extended permit ip 192.168.10.0 255.255.255.240 192.168.0.0 255.255.0.0

access-group outside_in in interface outside

static (inside,outside) A.B.C.190 192.168.0.25 netmask 255.255.255.255

The server has a switch as its gateway, but that switch has its default route as the ASA (all our internal clients are set this way, but I can change the server if needed).
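An added example (not code from the thread) that walks the posted pre-8.3 style NAT config in the order the ASA evaluates it, nat 0 exemption first, then static, then the numbered nat/global pair, so you can see which rule a given inside host actually hits for a given destination; it also lists any line still carrying the old 10.0.0. prefix after the substitution step. The destination addresses are constructed, and the sanitized A.B.C.190 placeholder is treated as an opaque string.

```python
import ipaddress

# Constructed excerpt of the config posted above; the sanitized public address
# A.B.C.190 is kept as an opaque string rather than parsed as an IP.
CONFIG = """
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
static (inside,outside) A.B.C.190 192.168.0.25 netmask 255.255.255.255
"""

def parse(cfg):
    """Collect the pieces of pre-8.3 NAT policy this example models."""
    acls, exempt, statics, dyn = {}, [], {}, []
    for line in cfg.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}")   # network + dotted mask
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}")
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[1] == "(inside)":
            if t[2] == "0" and t[3] == "access-list":
                exempt.append(t[4])                         # NAT exemption ACL
            elif t[2] != "0":
                dyn.append((t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}")))
        elif t[0] == "static":
            statics[ipaddress.ip_address(t[3])] = t[2]      # inside host -> global
    return acls, exempt, statics, dyn

def translation(cfg, src, dst):
    """Which rule an inside->outside flow hits, in the ASA's pre-8.3 lookup order."""
    acls, exempt, statics, dyn = parse(cfg)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name in exempt:                       # 1. nat 0 access-list (exemption)
        if any(s in a and d in b for a, b in acls.get(name, [])):
            return ("exempt", name)
    if s in statics:                          # 2. static 1-to-1 translation
        return ("static", statics[s])
    for nid, net in dyn:                      # 3. nat <id> paired with global <id>
        if s in net:
            return ("dynamic", nid)
    return ("none", None)

def stale_refs(cfg, old_prefix="10.0.0."):
    """Lines still carrying the old outside prefix after the substitution step."""
    return [ln for ln in cfg.strip().splitlines() if old_prefix in ln]
```

For 192.168.0.25 the exemption ACL only matches internal destinations, so an internet-bound flow falls through to the static and leaves as A.B.C.190, while a host without a static falls through to nat 1 / global 1 interface.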


Hi Bro

Can you add these lines and tell me what works and what doesn't?

access-list inside permit ip any any

access-group inside in interface inside

no global (outside) 2 A.B.C.180 netmask 255.255.255.255
no nat (outside) 0 access-list outsidenat
no nat (outside) 2 access-list vpnnat

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

I had tried removing the nat (outside) statements and it didn't work as far as I remember.  I know the 2nd nat statement is used for their vpn clients to have access to the internet through the ASA.  I'll try to add the access-list entry the next time I make an attempt at this as well.  After reverting the changes last time I was made aware that there is a 4-port Linksys switch upstream of the load-balancer and ASA; so the connection goes ISP --> Linksys --> Load-Balancer (to be removed) --> ASA.  I was thinking next time I will reboot the Linksys in case it has any stale mac entries referencing the load balancer.  This config only has the inside and outside and the inside hosts are translated to their outside address via static statements (just did a 1-to-1 since there are available ips and this is how it presently is set up).

nkarthikeyan
Level 7

Hi David,

When you give sh xlate or sh nat, does everything show correctly? I mean the translated hits for the servers like smtp?

Do they reside in a separate zone, like a dmz?

For smtp, if it sits in the inside zone, then you can do a static nat:

static (inside,outside) a.b.c.180 25 25

Please do rate if the given information helps.

By

Karthik
