04-21-2011 03:02 AM - edited 03-11-2019 01:24 PM
Hi,
I have an ASA 5510 working in Routed mode for a company with the following networks. Everything works fine as desired.
Below are the interfaces, security levels and IP addresses.
Ethernet0/0 DC_SERVER security-level 100
ip address 172.16.11.12 255.255.255.0
Ethernet0/1 Branches security-level 50
ip address 172.16.1.254 255.255.255.0
Ethernet0/2 DC_ADMIN security-level 70
ip address 172.16.25.254 255.255.255.0
Now the customer has taken a DSL connection. I have configured the port E0/3 in PPPoE mode and I do get a public IP address.
Ethernet0/3
description broadband connection
nameif Internet
security-level 0
pppoe client vpdn group bsnl
ip address pppoe setroute
I enabled NAT so that DC_SERVER and DC_ADMIN can access the internet, and they are able to access the internet. BUT now my DC_SERVER,
DC_ADMIN and Branches networks are unable to communicate with each other. Nothing works; ping drops at this point.
Below are the NAT commands to enable internet
NAT (DC_ADMIN) 100 172.16.25.0 255.255.255.0
NAT (DC_SERVER) 100 172.16.11.0 255.255.255.0
Global (Internet) 100 interface
If at this moment I disable NAT, the internal networks are able to communicate with each other.
I don't understand where I am making a mistake. Please help.
Below is the firewall configuration without NAT enabled. I only add the above NAT statements for internet access.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password cGBMrLCcjheJaVE/ encrypted
passwd cGBMrLCcjheJaVE/ encrypted
names
name 172.16.11.1 App1 description Application server 1
name 172.16.11.2 App2 description Application server 2
name 172.16.11.3 App3 description Application server 3
name 172.16.11.4 App4 description Application server 4
name 172.16.11.16 Additional_DC description Replication DC
name 172.16.11.18 Antivirus_Server description Antivirus_Server
name 172.16.11.7 DB1 description database server1
name 172.16.11.8 DB2 description Database server 2
name 172.16.11.20 Domain_Controller description Main Domain controller
name 172.16.11.5 MIS description MIS server
name 172.16.11.6 Test_Server description Test Server
!
interface Ethernet0/0
description servers are connected to this port
nameif DC_SERVER
security-level 100
ip address 172.16.11.12 255.255.255.0
!
interface Ethernet0/1
description All branches are connected to this port
nameif Branches
security-level 50
ip address 172.16.1.254 255.255.255.0
!
interface Ethernet0/2
description Administrator users connected to this port
nameif DC_ADMIN
security-level 70
ip address 172.16.25.254 255.255.255.0
!
interface Ethernet0/3
description broadband connection
nameif Internet
security-level 0
pppoe client vpdn group bsnl
ip address pppoe setroute
!
interface Management0/0
nameif mgmt
security-level 50
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object-group service rdp tcp
port-object eq 3389
object-group network All_Servers
description All servers group for branch access
network-object host Additional_DC
network-object host Antivirus_Server
network-object host App1
network-object host Domain_Controller
network-object host App2
network-object host App3
network-object host App4
network-object host MIS
network-object host Test_Server
network-object host DB1
network-object host DB2
access-list Internet_access_in extended permit icmp any any
access-list DC_access_in extended permit icmp any any
access-list DC_access_in extended permit ip any object-group All_Servers
access-list DC_ADMIN_access_in extended permit tcp any any object-group rdp
access-list DC_ADMIN_access_in extended permit icmp any any
access-list DC_ADMIN_access_in extended permit ip any object-group All_Servers
pager lines 24
mtu DC_SERVER 1500
mtu Branches 1500
mtu DC_ADMIN 1500
mtu Internet 1492
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm location App2 255.255.255.255 DC_SERVER
asdm location App3 255.255.255.255 DC_SERVER
asdm location App4 255.255.255.255 DC_SERVER
asdm location MIS 255.255.255.255 DC_SERVER
asdm location Test_Server 255.255.255.255 DC_SERVER
asdm location DB1 255.255.255.255 DC_SERVER
asdm location DB2 255.255.255.255 DC_SERVER
asdm location Additional_DC 255.255.255.255 DC_SERVER
asdm location Antivirus_Server 255.255.255.255 DC_SERVER
asdm location Domain_Controller 255.255.255.255 DC_SERVER
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
access-group DC_access_in in interface Branches
access-group DC_ADMIN_access_in in interface DC_ADMIN
access-group Internet_access_in in interface Internet
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 mgmt
http 172.168.25.0 255.255.255.0 DC_ADMIN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.16.25.0 255.255.255.0 DC_ADMIN
telnet 0.0.0.0 0.0.0.0 mgmt
telnet 192.16.1.0 255.255.255.0 mgmt
telnet timeout 30
ssh timeout 5
console timeout 0
vpdn group bsnl request dialout pppoe
vpdn group bsnl localname tmucbl
vpdn group bsnl ppp authentication chap
vpdn username tmucbl password 2731087
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password hmTyXifrd1RbLFWE encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a61843bd133114d24d618a26aee5423
: end
04-21-2011 05:25 AM
Hi Favol,
The problem is that you haven't configured NAT rules for the traffic between DC_SERVER, DC_ADMIN and Branches.
Your NAT configuration is:
NAT (DC_ADMIN) 100 172.16.25.0 255.255.255.0
NAT (DC_SERVER) 100 172.16.11.0 255.255.255.0
Global (Internet) 100 interface
So when traffic from DC_ADMIN tries to go to Branches, it will match the NAT (DC_ADMIN) 100 but it has no matching Global for the Branches interface and hence gets dropped.
There are two options for you to solve this problem.
1. Configure PAT for the other interfaces as well: global (Branches) 100 interface
This way, Admin and Server can contact Branches easily.
2. Configure NAT exemption for this traffic so that it is not NATted at all.
access-list DC_SERVER_EXEMPT permit ip 172.16.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list DC_SERVER_EXEMPT permit ip 172.16.11.0 255.255.255.0 172.16.25.0 255.255.255.0
access-list DC_ADMIN_EXEMPT permit ip 172.16.25.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (DC_SERVER) 0 access-list DC_SERVER_EXEMPT
nat (DC_ADMIN) 0 access-list DC_ADMIN_EXEMPT
This way, traffic travelling Server -> Admin, Branches and Admin -> Branches will be NAT exempted.
Hope this helps.
-Shrikant
P.S.: Please mark the question as answered, if it has been resolved. Do rate helpful posts. Thanks.
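To make the behaviour Shrikant describes concrete (a source that matches a nat statement on its ingress interface needs a global with the same id on the egress interface, otherwise the packet is dropped, while nat 0 access-list exemption is evaluated first and passes the flow untranslated), here is a small Python model of the pre-8.3 ASA NAT lookup. This is an added example and not Cisco code or the poster's configuration; it assumes nat-control is disabled (the 8.2 default), covers only the rule types used in the thread, takes interface names and subnets from the thread, and uses constructed host addresses. It replays the configuration as posted and then each of the two fixes from the answer.

```python
"""Model of the pre-8.3 ASA NAT lookup behaviour discussed in the thread.

Added example, not Cisco code. Assumes nat-control disabled (8.2 default) and
models only: NAT exemption (nat 0 access-list), dynamic NAT/PAT (nat/global
pairs with the same id) and the no-match case. Interface names and subnets are
taken from the thread; individual host addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Verdict strings used below; the drop text mirrors the ASA "no translation group found" log.
DROP_NO_XLATE = "drop: no translation group found"
PASS_EXEMPT = "pass: nat exempt (untranslated)"
PASS_NO_RULE = "pass: no nat rule matched (untranslated)"


@dataclass
class NatRule:
    iface: str                                  # ingress interface the rule is bound to
    nat_id: int                                 # 0 = exemption, >0 = dynamic id paired with a global
    network: Optional[IPv4Network] = None       # nat (iface) <id> <net> <mask>
    exempt: List[Tuple[IPv4Network, IPv4Network]] = field(default_factory=list)  # nat 0 ACL src/dst pairs


@dataclass
class AsaNat:
    rules: List[NatRule] = field(default_factory=list)
    globals_: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (egress iface, id) -> pool

    def add_nat(self, iface: str, nat_id: int, net: str, mask: str) -> None:
        self.rules.append(NatRule(iface, nat_id, ip_network(f"{net}/{mask}")))

    def add_exempt(self, iface: str, acl: List[Tuple[str, str, str, str]]) -> None:
        pairs = [(ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}")) for s, sm, d, dm in acl]
        self.rules.append(NatRule(iface, 0, exempt=pairs))

    def add_global(self, iface: str, nat_id: int, pool: str = "interface") -> None:
        self.globals_[(iface, nat_id)] = pool          # "interface" means PAT to the interface address

    def lookup(self, in_iface: str, out_iface: str, src: str, dst: str) -> str:
        s, d = ip_address(src), ip_address(dst)
        # 1. NAT exemption is checked before dynamic NAT, so it wins even with nat 100 still present.
        for r in self.rules:
            if r.iface == in_iface and r.nat_id == 0 and any(s in sn and d in dn for sn, dn in r.exempt):
                return PASS_EXEMPT
        # 2. Dynamic NAT: once the source matches a nat id on the ingress interface, a global with
        #    the same id must exist on the egress interface; if none does, the packet is dropped.
        for r in self.rules:
            if r.iface == in_iface and r.nat_id > 0 and r.network is not None and s in r.network:
                pool = self.globals_.get((out_iface, r.nat_id))
                if pool is None:
                    return DROP_NO_XLATE
                if pool == "interface":
                    return f"translate: PAT to {out_iface} interface address"
                return f"translate: dynamic NAT from pool {pool}"
        # 3. No nat statement matched: with nat-control disabled the packet passes untranslated.
        return PASS_NO_RULE


# Constructed hosts inside the thread's subnets (App1 = 172.16.11.1 is a real name from the config).
ADMIN_HOST, SERVER_HOST, BRANCH_HOST = "172.16.25.10", "172.16.11.1", "172.16.1.10"
INTERNET_HOST = "198.51.100.1"   # documentation address, constructed


def poster_config() -> AsaNat:
    """The three NAT lines the poster added (only a global on the Internet interface)."""
    asa = AsaNat()
    asa.add_nat("DC_ADMIN", 100, "172.16.25.0", "255.255.255.0")
    asa.add_nat("DC_SERVER", 100, "172.16.11.0", "255.255.255.0")
    asa.add_global("Internet", 100)
    return asa


def verdicts(asa: AsaNat) -> Dict[str, str]:
    return {
        "admin->internet": asa.lookup("DC_ADMIN", "Internet", ADMIN_HOST, INTERNET_HOST),
        "admin->branches": asa.lookup("DC_ADMIN", "Branches", ADMIN_HOST, BRANCH_HOST),
        "server->admin": asa.lookup("DC_SERVER", "DC_ADMIN", SERVER_HOST, ADMIN_HOST),
    }


def option1_pat() -> Dict[str, str]:
    """Fix 1 from the answer: a global with id 100 on the other internal interfaces as well."""
    asa = poster_config()
    asa.add_global("Branches", 100)
    asa.add_global("DC_ADMIN", 100)
    return verdicts(asa)


def option2_exempt() -> Dict[str, str]:
    """Fix 2 from the answer: nat 0 access-list exemption for the internal-to-internal pairs."""
    asa = poster_config()
    asa.add_exempt("DC_SERVER", [("172.16.11.0", "255.255.255.0", "172.16.1.0", "255.255.255.0"),
                                 ("172.16.11.0", "255.255.255.0", "172.16.25.0", "255.255.255.0")])
    asa.add_exempt("DC_ADMIN", [("172.16.25.0", "255.255.255.0", "172.16.1.0", "255.255.255.0")])
    return verdicts(asa)


if __name__ == "__main__":
    print("as posted:", verdicts(poster_config()))
    print("option 1: ", option1_pat())
    print("option 2: ", option2_exempt())
```

Run as posted, the model returns the drop verdict for DC_ADMIN -> Branches and DC_SERVER -> DC_ADMIN while DC_ADMIN -> Internet still PATs, which is exactly the symptom in the question. Option 2 is the one to prefer between internal networks: internal hosts keep their real addresses (so the existing interface ACLs that reference All_Servers keep matching), and the Internet-bound traffic still hits the nat 100 / global (Internet) pair.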