UNABLE to access (inside) resources from (outside) on ASA 5510

beaconservices
Level 1

I have recently deployed a Cisco ASA 5510 Security Plus firewall on my company's network, but there is a problem that I am finding hard to get by, and I think it is ASA related.

From (inside) we are not able to hit any of our sites that are on the (outside). I have NAT policies in place to translate the public to private, but I think that I need something more. This seems to be occurring mainly with our external web sites, as well as another anomaly with regards to FTP (but it may be fixed if the HTTP issue is resolved).

I was hoping someone with a lot more knowledge on ASA firewalls than myself can spot the error in my run-cfgs.

: Saved
:
ASA Version 8.2(4)
!
hostname New_FW1
domain-name company_name.com
enable password yI1seDbeR7X1IlFN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.71 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.250.1.2 255.255.0.0
!
interface Ethernet0/2
speed 100
duplex full
nameif wireless
security-level 75
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.180.1 255.255.255.0
management-only
!
banner exec                 ** W A R N I N G **
banner exec Unauthorized access prohibited. All access is
banner exec monitored, and trespassers shall be prosecuted
banner exec to the fullest extent of the law.
banner login                 ** W A R N I N G **
banner login Unauthorized access prohibited. All access is
banner login monitored, and trespassers shall be prosecuted
banner login to the fullest extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name beaconservices.com
object-group service weblogic-services tcp
port-object eq 5001
port-object eq 6001
port-object eq 7001
port-object eq 9001
object-group service web-services tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_0 tcp
group-object weblogic-services
group-object web-services
object-group network ftp-servers
network-object host X.X.X.72
network-object host X.X.X.90
object-group network web-servers
network-object host X.X.X.117
network-object host X.X.X.121
network-object host X.X.X.73
network-object host X.X.X.74
network-object host X.X.X.82
network-object host X.X.X.83
network-object host X.X.X.87
network-object host X.X.X.92
network-object host X.X.X.88
network-object host X.X.X.89
network-object host X.X.X.66
object-group network terminal-servers
network-object host X.X.X.75
network-object host X.X.X.77
network-object host X.X.X.90
object-group network mail-servers
network-object host X.X.X.86
object-group network lotusnotes-server
network-object host X.X.X.66
object-group network weblogic-servers
network-object host X.X.X.79
object-group service ftp-services tcp
port-object eq ftp
port-object eq ftp-data
object-group service remotedesktop-services tcp
port-object eq 3389
object-group service lotus-services tcp
port-object eq lotusnotes
port-object eq smtp
object-group icmp-type ping-services
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object traceroute
object-group service DM_INLINE_TCP_1 tcp
group-object lotus-services
group-object web-services
object-group service DM_INLINE_TCP_2 tcp
group-object ftp-services
group-object remotedesktop-services
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
access-list outside extended permit tcp any object-group ftp-servers object-group ftp-services
access-list outside extended permit tcp any object-group mail-servers eq smtp
access-list outside extended permit tcp any object-group terminal-servers object-group remotedesktop-services
access-list outside extended permit tcp any object-group web-servers object-group web-services
access-list outside extended permit tcp any object-group weblogic-servers object-group DM_INLINE_TCP_0
access-list outside extended permit tcp object-group mail-servers host X.X.X.66 object-group DM_INLINE_TCP_1
access-list outside extended permit tcp any host X.X.X.66 eq lotusnotes
access-list outside extended permit tcp any host X.X.X.73 object-group web-services
access-list outside extended permit tcp any host X.X.X.74 object-group web-services
access-list outside extended permit tcp any host X.X.X.75 object-group remotedesktop-services
access-list outside extended permit tcp any host X.X.X.77 object-group remotedesktop-services
access-list outside extended permit tcp any host X.X.X.79 object-group weblogic-services
access-list outside extended permit tcp any host X.X.X.80 object-group web-services
access-list outside extended permit tcp any host X.X.X.82 object-group web-services
access-list outside extended permit tcp any host X.X.X.83 object-group web-services
access-list outside extended permit tcp any host X.X.X.89 object-group web-services
access-list outside extended permit tcp any host X.X.X.87 object-group web-services
access-list outside extended permit tcp any host X.X.X.90 object-group DM_INLINE_TCP_2
access-list outside extended permit tcp any host X.X.X.92 object-group web-services
access-list outside extended permit tcp any host X.X.X.117 object-group web-services
access-list outside extended permit tcp any host X.X.X.121 object-group web-services
access-list outside extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside extended permit icmp any any time-exceeded
access-list inside extended permit ip any any
access-list inside extended permit icmp any any object-group ping-services
access-list inside extended permit udp any any
pager lines 24
logging enable
logging asdm critical
mtu outside 1500
mtu inside 1500
mtu wireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 X.X.X.67
nat (inside) 1 10.250.0.0 255.255.0.0
nat (wireless) 1 192.168.50.0 255.255.255.0
static (inside,outside) X.X.X.86 10.250.1.6 netmask 255.255.255.255
static (inside,outside) X.X.X.90 10.250.1.90 netmask 255.255.255.255
static (inside,outside) X.X.X.66 10.250.1.62 netmask 255.255.255.255
static (inside,outside) X.X.X.73 10.250.1.101 netmask 255.255.255.255
static (inside,outside) X.X.X.89 10.250.1.103 netmask 255.255.255.255
static (inside,outside) X.X.X.82 10.250.1.106 netmask 255.255.255.255
static (inside,outside) X.X.X.83 10.250.1.107 netmask 255.255.255.255
static (inside,outside) X.X.X.92 10.250.1.108 netmask 255.255.255.255
static (inside,outside) X.X.X.79 10.250.1.109 netmask 255.255.255.255
static (inside,outside) X.X.X.117 10.250.1.110 netmask 255.255.255.255
static (inside,outside) X.X.X.87 10.250.1.111 netmask 255.255.255.255
static (inside,outside) X.X.X.74 10.250.1.112 netmask 255.255.255.255
static (inside,outside) X.X.X.121 10.250.1.113 netmask 255.255.255.255
static (inside,outside) X.X.X.80 10.250.1.100 netmask 255.255.255.255
static (inside,outside) X.X.X.75 10.250.1.75 netmask 255.255.255.255
static (inside,outside) X.X.X.77 10.250.1.77 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.180.0 255.255.255.0 management
snmp-server location Town, CA, USA
snmp-server contact Tech Services, xxx-xxx-xxxx, tech_services@company_name.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.250.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.250.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
management-access management
dhcpd address 192.168.180.11-192.168.180.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.250.1.90 C:\TFTP-Root
webvpn
username cisco password sS5u3RUdRWfZ5jw2 encrypted
!
class-map inspection_default
match default-inspection-traffic
class-map class_pptp
match port tcp eq 1728
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
class class_pptp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4ff081b35de56518fea99cd8c3a2fbbb
: end
asdm image disk0:/asdm-635.bin
no asdm history enable

15 Replies

varrao
Level 10

Hi,

Are you trying to access the servers which are connected on the inside on their public IPs, from users which are also on the inside? Is it something like this?

Thanks,

Varun

Thanks,
Varun Rao

Yes, from inside the "Office" we are not able to access our web sites (which are hosted internally).

From outside the sites work fine, but the "translation" is not happening from inside.

I feel like I may be missing an internal NAT rule, but I am not sure what that would need to be exactly.

Yes, you are definitely missing NAT statements for u-turning the traffic.

Try this:

static (inside,inside) norandseq nailed

failover timeout -1

sysopt noproxyarp

same-security-traffic permit intra-interface

nat (in) 10 0 0

global (in) 10 interface

and it should work after that.

P.S.- do rate helpful posts

Thanks,

Varun

Thanks,
Varun Rao

Varun, thanks for the reply. Unfortunately that did not fix my issue, and part of your command was not recognized by the IOS (8.2):

#static (inside,inside) norandseq nailed <---

Could you alter your suggestion and perhaps provide me with some descriptions on each command that I am executing for future purposes?

Does "(in)" imply "(inside)", or does it actually imply "(in)"?

thanks

Hi,

Well, I guess the reason for it not to work is that you do not have a route for it; you might wanna add this:

route inside

Moreover if you want to know the usage of the command, here is the command ref for ASA 8.2:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/s8.html#wp1512466

This command is very much available in ASA 8.2; not sure why you are not able to add it. Did you try the commands in config mode?

And "in" means "inside": when you enter it as "in", the ASA would autofill it to "inside", since you have an inside interface configured.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Could you please confirm if I understand this correctly?

static (inside,inside) norandseq nailed

failover timeout -1 I was not able to find an explanation for applying the "-1" after the "failover timeout" command.

sysopt noproxyarp

same-security-traffic permit intra-interface

nat (in) 10 0 0 You are asking me to create a new "NAT" with the NAT_ID of "10", but what do the trailing two "0" imply?

global (in) 10 interface And then apply "NAT_ID 10" to the "global policy" of the inside interface?

route inside

route 10.250.0.0 255.255.0.0 10.250.1.2 inside (based on my inside LAN subnet)?

Hi,

Well, the nat (inside) 10 0 0 statement here and nat (inside) 10 0.0.0.0 0 are the same. What my statement means is: if the traffic is being generated from the inside interface and going to the inside interface only (u-turning), then my source should be PATed to the inside interface.

The failover timeout command is always used with the nailed option; to get more details, here is the doc:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/ef.html#wp1931598

The nailed and failover commands are always added in case of u-turning the traffic, to eliminate any asymmetric routing issues, nothing more.

By the way, did you try the commands? Did it work for you after adding the route? And yes, the route statement seems correct.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

Based: ASA 8.2

The syntax for creating the "route" is route inside 10.250.0.0 255.255.0.0 10.250.1.2, but the command requires more arguments.

  <1-255>   Distance metric for this route, default is 1
  track     Install route depending on tracked item
  tunneled  Enable the default tunnel gateway option, metric is set to 255

I am not sure which of these three options to apply to the command as I would need it, or whether what I have is enough and I should ?

Because when I "just hit enter" I get the following message: "ERROR: Cannot add route, connected route exists"

I have partially executed some/most of the commands from your original post and I greatly appreciate your time in helping me with this matter.

I will establish the nat (inside) 10 0.0.0.0 0; I just need to investigate what the trailing "0" is implying (unlimited?).

: Saved
:
ASA Version 8.2(4)
!
hostname companyFW1
enable password yI1seDbeR7X1IlFN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.71 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.250.1.2 255.255.0.0
!
interface Ethernet0/2
speed 100
duplex full
nameif wireless
security-level 75
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif dmz
security-level 15
ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.180.1 255.255.255.0
management-only
!
banner exec
banner exec                 ** W A R N I N G **
banner exec Unauthorized access prohibited. All access is
banner exec monitored, and trespassers shall be prosecuted
banner exec to the fullest extent of the law.
banner login
banner login                 ** W A R N I N G **
banner login Unauthorized access prohibited. All access is
banner login monitored, and trespassers shall be prosecuted
banner login to the fullest extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group service weblogic-services tcp
port-object eq 5001
port-object eq 6001
port-object eq 7001
port-object eq 9001
object-group service web-services tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_0 tcp
group-object weblogic-services
group-object web-services
object-group network ftp-servers
network-object host x.x.x.72
network-object host x.x.x.90
object-group network web-servers
network-object host x.x.x.117
network-object host x.x.x.121
network-object host x.x.x.73
network-object host x.x.x.74
network-object host x.x.x.82
network-object host x.x.x.83
network-object host x.x.x.87
network-object host x.x.x.92
network-object host x.x.x.88
network-object host x.x.x.89
network-object host x.x.x.66
object-group network terminal-servers
network-object host x.x.x.75
network-object host x.x.x.77
network-object host x.x.x.90
object-group network mail-servers
network-object host x.x.x.86
object-group network lotusnotes-server
network-object host x.x.x.66
object-group network weblogic-servers
network-object host x.x.x.79
object-group service ftp-services tcp
port-object eq ftp
port-object eq ftp-data
object-group service remotedesktop-services tcp
port-object eq 3389
object-group service lotus-services tcp
port-object eq lotusnotes
port-object eq smtp
object-group icmp-type ping-services
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object traceroute
object-group service DM_INLINE_TCP_1 tcp
group-object lotus-services
group-object web-services
object-group service DM_INLINE_TCP_2 tcp
group-object ftp-services
group-object remotedesktop-services
access-list outside extended permit tcp any object-group ftp-servers object-group ftp-services
access-list outside extended permit tcp any object-group mail-servers eq smtp
access-list outside extended permit tcp any object-group terminal-servers object-group remotedesktop-services
access-list outside extended permit tcp any object-group web-servers object-group web-services
access-list outside extended permit tcp any object-group weblogic-servers object-group DM_INLINE_TCP_0
access-list outside extended permit tcp any host x.x.x.66 eq lotusnotes
access-list outside extended permit tcp object-group mail-servers host x.x.x.66 object-group DM_INLINE_TCP_1
access-list outside extended permit tcp any host x.x.x.72 object-group web-services
access-list outside extended permit tcp any host x.x.x.73 object-group web-services
access-list outside extended permit tcp any host x.x.x.74 object-group web-services
access-list outside extended permit tcp any host x.x.x.75 object-group remotedesktop-services
access-list outside extended permit tcp any host x.x.x.77 object-group remotedesktop-services
access-list outside extended permit tcp any host x.x.x.79 object-group weblogic-services
access-list outside extended permit tcp any host x.x.x.80 object-group web-services
access-list outside extended permit tcp any host x.x.x.82 object-group web-services
access-list outside extended permit tcp any host x.x.x.83 object-group web-services
access-list outside extended permit tcp any host x.x.x.89 object-group web-services
access-list outside extended permit tcp any host x.x.x.87 object-group web-services
access-list outside extended permit tcp any host x.x.x.90 object-group DM_INLINE_TCP_2
access-list outside extended permit tcp any host x.x.x.92 object-group web-services
access-list outside extended permit tcp any host x.x.x.117 object-group web-services
access-list outside extended permit tcp any host x.x.x.121 object-group web-services
access-list outside extended permit icmp any any
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list inside extended permit tcp any any
pager lines 24
logging enable
logging asdm critical
logging from-address tech_services@companyservices.com
logging recipient-address first_last@companyservices.com level errors
mtu outside 1500
mtu inside 1500
mtu wireless 1500
mtu management 1500
mtu dmz 1500
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any wireless
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.67
nat (inside) 1 10.250.0.0 255.255.0.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (wireless) 1 192.168.50.0 255.255.255.0
static (inside,outside) x.x.x.86 10.250.1.6 netmask 255.255.255.255
static (inside,outside) x.x.x.90 10.250.1.90 netmask 255.255.255.255
static (inside,outside) x.x.x.66 10.250.1.62 netmask 255.255.255.255
static (inside,outside) x.x.x.73 10.250.1.101 netmask 255.255.255.255
static (inside,outside) x.x.x.89 10.250.1.103 netmask 255.255.255.255
static (inside,outside) x.x.x.82 10.250.1.106 netmask 255.255.255.255
static (inside,outside) x.x.x.83 10.250.1.107 netmask 255.255.255.255
static (inside,outside) x.x.x.92 10.250.1.108 netmask 255.255.255.255
static (inside,outside) x.x.x.79 10.250.1.109 netmask 255.255.255.255
static (inside,outside) x.x.x.117 10.250.1.110 netmask 255.255.255.255
static (inside,outside) x.x.x.87 10.250.1.111 netmask 255.255.255.255
static (inside,outside) x.x.x.74 10.250.1.112 netmask 255.255.255.255
static (inside,outside) x.x.x.121 10.250.1.113 netmask 255.255.255.255
static (inside,outside) x.x.x.80 10.250.1.100 netmask 255.255.255.255
static (inside,outside) x.x.x.75 10.250.1.75 netmask 255.255.255.255
static (inside,outside) x.x.x.77 10.250.1.77 netmask 255.255.255.255
static (inside,outside) x.x.x.72 10.250.1.105 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.180.0 255.255.255.0 management
snmp-server location Framingham, MA, USA
snmp-server contact Tech Services, 508-663-4433, tech_services@companyservices.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.250.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.250.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
management-access management
dhcpd address 192.168.180.11-192.168.180.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 10.250.1.90 C:\TFTP-Root
webvpn
username cisco password sS5u3RUdRWfZ5jw2 encrypted
!
class-map inspection_default
match default-inspection-traffic
class-map class_pptp
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
class class_pptp
  inspect pptp
!
service-policy global_policy global
smtp-server x.x.x.86
prompt hostname context
Cryptochecksum:044036ed50cb110a0e4e5d48b769d947
: end
asdm image disk0:/asdm-635.bin
no asdm history enable

Hi,

Let me explain again.

nat (inside) 10 0 0 and nat (inside) 10 0.0.0.0 0.0.0.0 are the same statements. The first octets of zeros mean any network and the second octets mean any subnet mask.

Now coming onto the config, I see two statements missing from your config:

global (inside) 10  0.0.0.0  0.0.0.0

and

static (inside,inside) norandseq nailed

and the syntax for routing is correct; could you just provide me the output for "show route"? I guess there is already a route added on the ASA.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

companyFW1(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is x.x.x.65 to network 0.0.0.0

C    192.168.180.0 255.255.255.0 is directly connected, management
C    x.x.x.64 255.255.255.192 is directly connected, outside
C    10.250.0.0 255.255.0.0 is directly connected, inside
C    192.168.50.0 255.255.255.0 is directly connected, wireless
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.65, outside

C    10.250.0.0 255.255.0.0 is directly connected, inside

This network is directly connected, so you don't need a route for it. You can go ahead and add the two missing statements and test it.

Thanks,

Varun

Thanks,
Varun Rao

OK

global (inside) 10  0.0.0.0  0.0.0.0

The syntax for this command is failing; it does not like the 0.0.0.0 netmask.

static (inside,inside) norandseq nailed

The ASA is advising me against the "nailed" option, and instead to set up some sort of policy that would imply the same.

Hi,

I guess explaining about the trailing 0's just got me off track here; the global command is:

global (inside) 10 interface

and could you paste the error message that you get?

Thanks,

Varun

Thanks,
Varun Rao
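Added here as an example, not code from the thread or from Cisco: a small Python checker that pulls the three U-turn prerequisites the replies describe (the intra-interface permit, a nat/global pair on the inside interface, and a static on the (inside,inside) pair) out of an 8.2-style config and reports which are still missing for an inside client reaching a server's public address. The config text is a constructed subset of the posted one with 203.0.113.0/26 standing in for the x.x.x block; the static is written out with the addresses the bare `static (inside,inside) norandseq nailed` line in the thread omits (an assumption), using the option spelling `norandomseq` that the 8.2 static command accepts.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the thread's 8.2 config, with the x.x.x
# public block replaced by the documentation range 203.0.113.0/26.
BASE_CONFIG = """
global (outside) 1 203.0.113.67
nat (inside) 1 10.250.0.0 255.255.0.0
static (inside,outside) 203.0.113.73 10.250.1.101 netmask 255.255.255.255
access-group outside in interface outside
"""

# The U-turn additions the replies converge on. The addresses on the static
# are an assumption (the thread shows the statement without them); the option
# is spelled norandomseq, which is the form the 8.2 static command takes.
HAIRPIN_LINES = """
same-security-traffic permit intra-interface
nat (inside) 10 0.0.0.0 0.0.0.0
global (inside) 10 interface
static (inside,inside) 203.0.113.73 10.250.1.101 netmask 255.255.255.255 norandomseq nailed
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ([\d.]+) ([\d.]+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) ([\d.]+) ([\d.]+) netmask ([\d.]+)")


def parse(text):
    """Keep only the statements that decide whether a U-turn gets translated."""
    cfg = {"intra": False, "nat": [], "global": [], "static": []}
    for line in text.splitlines():
        line = line.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif m := NAT_RE.match(line):
            # "nat (inside) 10 0 0" is the short form of 0.0.0.0 0.0.0.0
            net = "0.0.0.0/0" if m[3] in ("0", "0.0.0.0") else f"{m[3]}/{m[4]}"
            cfg["nat"].append((m[1], int(m[2]), ip_network(net, strict=False)))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append((m[1], int(m[2]), m[3]))
        elif m := STATIC_RE.match(line):
            # ASA 8.2 order: static (real_ifc,mapped_ifc) mapped_ip real_ip
            cfg["static"].append((m[1], m[2], m[3], m[4]))
    return cfg


def real_for(cfg, iface, mapped_ip):
    """Private address that a static on the (iface,iface) pair gives mapped_ip."""
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if (real_if, mapped_if) == (iface, iface) and mapped == mapped_ip:
            return real
    return None


def hairpin_findings(cfg, iface="inside", src="10.250.1.50", dst="203.0.113.73"):
    """Statements still missing for src on iface to reach dst back out of iface."""
    missing = []
    if not cfg["intra"]:
        missing.append("same-security-traffic permit intra-interface")
    # Dynamic PAT on the way back in: the client source must be hidden behind
    # the inside interface address, so the server's replies come back via the ASA.
    ids = {nid for ifc, nid, net in cfg["nat"]
           if ifc == iface and ip_address(src) in net}
    if not any(ifc == iface and nid in ids for ifc, nid, _ in cfg["global"]):
        missing.append(f"nat ({iface}) <id> 0 0 / global ({iface}) <id> interface")
    # The (inside,outside) static only translates between those two interfaces;
    # traffic that never leaves inside needs its own (inside,inside) static.
    if real_for(cfg, iface, dst) is None:
        missing.append(f"static ({iface},{iface}) {dst} <real_ip> netmask 255.255.255.255")
    return missing


if __name__ == "__main__":
    for label, text in (("posted", BASE_CONFIG), ("with U-turn", BASE_CONFIG + HAIRPIN_LINES)):
        print(label, hairpin_findings(parse(text)) or "ok")
```

The nat/global pairing check is deliberately simple (any matching nat ID with a global on the same interface) and does not model the ASA's full nat-selection order.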