ASA5505 Cannot access Internet with Static NAT Translations

alexalexnhm
Level 1

I have a LAN, the 10.100.10.0 network, that accesses the internet through an ASA5505. The WAN IP is 203.86.x.21 255.255.255.248.

I tried to set up a static NAT from internal 10.100.10.7 to outside 203.86.x.19 and allow all traffic in and out. After the NAT rules were created, 10.100.10.7 cannot access the internet and cannot ping the WAN gateway 203.86.x.22.

I tried to ping 203.86.x.19 from an outside network, but I can't see any log in the ASA.

Please help. Any ideas?

I am using a similar configuration on another site's ASA5505 and it works normally; the only difference is that the ASA and ASDM versions are different.

Here I use ASA Version 8.2(1).

Thanks a lot

4 Replies

handoko wiyanto
Level 3

hi,

perhaps you can post the config here?

regards,

Config here; I filtered some things out already.

Thanks!!

: Saved

:

ASA Version 8.2(1)

!

names

name 10.100.10.0 LOffice

name 10.6.0.0 ServerFarm

dns-guard

!

interface Vlan1

nameif inside

security-level 50

ip address 10.110.10.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 1

ip address 203.86.x.21 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

switchport access vlan 2

!

interface Ethernet0/7

switchport access vlan 2

!

ftp mode passive

clock timezone HKST 8

dns domain-lookup inside

dns server-group DefaultDNS

retries 3

name-server 10.110.10.33

name-server 128.107.241.185

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_3

network-object host 10.110.10.48

network-object host 10.110.10.118

network-object host 10.110.10.39

network-object host 10.110.10.45

network-object host 10.110.10.56

object-group service DM_INLINE_TCP_1 tcp

port-object eq 3306

port-object eq www

port-object eq ssh

port-object eq ftp

port-object eq ftp-data

object-group service rdp tcp

port-object eq 3389

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

group-object rdp

object-group network DM_INLINE_NETWORK_4

network-object host 10.110.10.11

network-object host 10.110.10.5

network-object host 10.110.10.61

network-object host 10.110.10.65

network-object host 10.110.10.13

object-group network DM_INLINE_NETWORK_6

network-object host 10.110.10.71

network-object host 10.110.10.72

network-object host 10.110.10.73

network-object host 10.110.10.74

network-object host 10.110.10.75

network-object host 10.110.10.76

network-object host 203.86.x.21

object-group service DM_INLINE_TCPUDP_1 tcp-udp

port-object eq 1503

port-object eq 1720

port-object range 3230 3237

port-object eq 3603

port-object eq sip

object-group service DM_INLINE_TCP_3 tcp

port-object eq 8887

port-object eq 8888

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_8

network-object host 10.110.10.62

network-object host 10.10.5.11

network-object host 203.86.x.13

object-group network DM_INLINE_NETWORK_18

network-object TM2F 255.255.255.0

network-object TMPOLO 255.255.255.0

network-object TMOther 255.255.255.0

object-group service DM_INLINE_SERVICE_5

service-object ip

service-object tcp range 1 65535

service-object icmp

service-object udp range 1 65535

object-group network DM_INLINE_NETWORK_14

network-object ServerFarm 255.255.0.0

object-group network DM_INLINE_NETWORK_13

network-object host 203.86.x.20

network-object host 203.86.x.21

object-group service smtp587 tcp

port-object eq 587

object-group network DM_INLINE_NETWORK_16

network-object ServerFarm 255.255.0.0

network-object LOffice 255.255.255.0

object-group service DM_INLINE_SERVICE_7

service-object ip

service-object tcp eq 3389

service-object tcp-udp eq domain

service-object tcp eq 3128

service-object tcp eq www

service-object tcp eq https

service-object tcp eq imap4

service-object tcp eq pop3

service-object tcp eq smtp

service-object tcp eq 587

service-object tcp eq 1433

service-object tcp eq 3306

service-object tcp eq 445

service-object tcp eq netbios-ssn

service-object tcp eq 5800

service-object tcp eq 5900

service-object tcp-udp eq 3306

object-group service DM_INLINE_SERVICE_8

service-object icmp

service-object icmp echo-reply

service-object tcp-udp eq echo

service-object tcp eq 3128

service-object tcp eq ftp

service-object tcp eq www

service-object tcp eq https

service-object tcp-udp eq domain

service-object tcp eq telnet

service-object tcp eq 8800

service-object tcp eq 993

service-object tcp eq imap4

service-object tcp eq 587

service-object tcp eq 3389

service-object tcp eq smtp

service-object tcp eq 3306

object-group service DM_INLINE_SERVICE_9

service-object icmp

service-object icmp6

service-object tcp eq www

service-object tcp eq https

object-group network DM_INLINE_NETWORK_22

network-object LOffice 255.255.255.0

network-object host 203.86.x.21

object-group service DM_INLINE_TCP_8 tcp

port-object eq www

port-object eq https

port-object eq telnet

object-group service DM_INLINE_SERVICE_10

service-object ip

service-object tcp range 1 65535

service-object udp range 1 65535

object-group service DM_INLINE_SERVICE_11

service-object ip

service-object tcp-udp range 1 65535

object-group network DM_INLINE_NETWORK_12

network-object host 10.110.10.63

network-object host 10.110.10.65

network-object host 10.110.10.60

object-group network DM_INLINE_NETWORK_23

network-object LOffice 255.255.255.0

network-object ServerFarm 255.255.0.0

object-group network DM_INLINE_NETWORK_25

network-object host 10.110.10.221

network-object host 203.86.x.21

object-group network DM_INLINE_NETWORK_28

network-object host 10.110.10.221

network-object host 203.86.x.21

object-group network DM_INLINE_NETWORK_31

network-object host 10.110.10.221

network-object host 203.86.x.21

object-group network DM_INLINE_NETWORK_11

network-object LOffice 255.255.255.0

network-object 10.110.10.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object LOffice 255.255.255.0

network-object 10.110.10.0 255.255.255.0

object-group network DM_INLINE_NETWORK_15

network-object host 10.110.10.13

network-object host 10.110.10.212

network-object host 203.86.x.21

object-group service DM_INLINE_TCP_5 tcp

port-object range 25558 25559

port-object eq 29009

object-group network DM_INLINE_NETWORK_5

network-object LOffice 255.255.255.0

network-object host 10.110.20.91

object-group network DM_INLINE_NETWORK_7

network-object LOffice 255.255.255.0

network-object host 10.110.20.91

object-group service DM_INLINE_TCP_4 tcp

port-object eq 55000

port-object eq 9000

port-object range 9100 9500

object-group service DM_INLINE_SERVICE_3

service-object ip

service-object tcp eq ftp

object-group network DM_INLINE_NETWORK_21

network-object LOffice 255.255.255.0

network-object 203.86.x.16 255.255.255.248

object-group network DM_INLINE_NETWORK_1

network-object host 10.110.10.7

network-object host 203.86.x.19

object-group network DM_INLINE_NETWORK_10

network-object LOffice 255.255.255.0

network-object ServerFarm 255.255.0.0

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object icmp

service-object icmp echo

service-object icmp echo-reply

service-object tcp eq www

service-object tcp eq https

object-group network DM_INLINE_NETWORK_9

network-object host 10.110.10.7

network-object host 203.86.x.19

object-group service DM_INLINE_TCP_6 tcp

port-object range 29010 29011

port-object eq 29090

object-group network DM_INLINE_NETWORK_17

network-object host 203.86.x.19

network-object host 203.86.x.20

access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any

access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_2

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_23 object-group DM_INLINE_NETWORK_16

access-list inside_access_in remark Polo FTP

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 host 10.110.10.28 any

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_10 host 10.110.10.33 any

access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_12 any

access-list inside_access_in extended permit tcp LOffice 255.255.255.0 host 10.110.10.12 object-group DM_INLINE_TCP_8

access-list inside_access_in extended permit object-group TCPUDP host 10.110.10.221 any eq 3306

access-list inside_access_in extended permit ip host 10.110.10.221 any

access-list inside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_25 eq 3306 inactive

access-list inside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_31 range 1 65535 inactive

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_8 LOffice 255.255.255.0 any

access-list inside_access_in extended permit ip LOffice 255.255.255.0 any

access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_17

access-list outside_access_in extended permit ip host 203.86.x.20 any

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_9

access-list outside_access_in extended permit ip host 203.86.x.19 any

access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_28 eq 3306

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_15 object-group DM_INLINE_TCP_6

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 any host 10.110.10.33

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 any object-group DM_INLINE_NETWORK_22

access-list outside_access_in remark NOD Server

access-list outside_access_in extended permit tcp any host 10.110.10.9 eq 8888 log disable

access-list outside_access_in remark Booking

access-list outside_access_in extended permit tcp any host 203.86.x.21 object-group DM_INLINE_TCP_1

access-list outside_access_in remark BWDB

access-list outside_access_in extended permit tcp any host 203.86.x.21 object-group DM_INLINE_TCP_2

access-list outside_access_in remark Printer

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 range 9100 9102

access-list outside_access_in remark Polo FTP

access-list outside_access_in extended permit ip host 77.93.255.102 any

access-list outside_access_in remark Garek RDP

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group rdp

access-list outside_access_in remark NOD32

access-list outside_access_in extended permit tcp any host 10.110.10.17 object-group DM_INLINE_TCP_3

access-list outside_access_in remark PVX

access-list outside_access_in extended permit object-group TCPUDP any host 10.110.10.64 object-group DM_INLINE_TCPUDP_1

access-list outside_access_in remark IPCAM

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_6 range 20001 20010

access-list outside_access_in remark Licence for RMC

access-list outside_access_in extended permit tcp any host 10.110.10.18 object-group rdp

access-list outside_access_in remark Alex

access-list outside_access_in extended permit tcp any host 203.86.x.21 object-group DM_INLINE_TCP_5

access-list outside_access_in remark Alex

access-list outside_access_in extended permit tcp any LOffice 255.255.255.0 object-group rdp

access-list outside_access_in remark Alex

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_14 object-group rdp

access-list outside_access_in remark Alex

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_13 object-group rdp

access-list outside_access_in remark PABX

access-list outside_access_in extended permit object-group TCPUDP any host 10.110.10.239 eq 20000

access-list outside_access_in remark Client01 RDP

access-list outside_access_in extended permit object-group TCPUDP any any range 29001 29020

access-list outside_access_in extended permit tcp ServerFarm 255.255.0.0 host 10.110.10.18 eq 20000

access-list outside_access_in remark Alex

access-list inside_nat0_outbound extended permit ip LOffice 255.255.255.0 object-group DM_INLINE_NETWORK_10

access-list inside_nat0_outbound extended permit ip host 10.110.10.63 host 203.86.x.19

access-list outside_cryptomap_1 extended permit ip LOffice 255.255.255.0 10.110.30.0 255.255.255.0

access-list outside_cryptomap_3 extended permit ip LOffice 255.255.255.0 ServerFarm 255.255.0.0

access-list outside_cryptomap_2 extended permit ip LOffice 255.255.255.0 AirportOffice 255.255.255.0

access-list outside_cryptomap_4 extended permit ip LOffice 255.255.255.0 object-group DM_INLINE_NETWORK_18

access-list Wanbackup_access_in extended permit object-group DM_INLINE_SERVICE_5 any any inactive

access-list outside_cryptomap_5 extended permit ip LOffice 255.255.255.0 10.100.0.0 255.255.255.0

access-list outside_cryptomap_6 extended permit ip LOffice 255.255.255.0 10.100.20.0 255.255.255.0

access-list outside_cryptomap_7 extended permit ip LOffice 255.255.255.0 10.100.30.0 255.255.255.0

access-list global_mpc remark SunAcc

access-list global_mpc extended permit tcp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_TCP_4

access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_21 LOffice 255.255.255.0

access-list outside_cryptomap_9 extended permit ip LOffice 255.255.255.0 10.110.20.0 255.255.255.0

access-list outside_cryptomap extended permit ip LOffice 255.255.255.0 10.110.40.0 255.255.255.0

access-list outside_cryptomap_10 extended permit ip LOffice 255.255.255.0 10.10.103.0 255.255.255.0

access-list global_mpc_1 extended permit ip host 10.110.10.178 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface outside

ip audit attack action alarm drop

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm history enable

arp timeout 14400

global (inside) 2 10.110.10.1-10.110.10.253 netmask 255.255.255.0

global (inside) 1 LOffice netmask 255.255.255.0

global (outside) 2 203.86.x.19-203.86.x.20 netmask 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 LOffice 255.255.255.0 dns

static (inside,outside) 203.86.x.20 10.10.110.60 netmask 255.255.255.255

static (outside,inside) 10.10.110.60 203.86.x.20 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 203.86.x.22 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http server idle-timeout 5

http LOffice 255.255.255.0 inside

http 203.86.x.21 255.255.255.255 outside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

fragment timeout 20 inside

sysopt noproxyarp inside

sysopt noproxyarp outside

service resetinbound interface inside

service resetinbound interface outside

no service resetoutbound interface inside

no service resetoutbound interface outside

: end

alexalexnhm
Level 1

I solved the problem by enabling Proxy ARP on the outside interface, but can anyone tell me why?

Thanks!

Double check your subnet masks...
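
The fix reported above lines up with `sysopt noproxyarp outside` in the posted config: a static or global mapped address that sits on the outside subnet but is not the interface IP is only reachable if the ASA answers the upstream router's ARP for it. As an added example (not part of the thread and not Cisco tooling), this Python audit checks an ASA 8.2-style config for that combination and for the pool netmask hint in the last reply; `audit` and `SAMPLE` are hypothetical names, the sample uses constructed documentation addresses, and redacted octets such as `203.86.x.19` must be restored before a real config will match.

```python
import ipaddress
import re

# Constructed sample in ASA 8.2 syntax; documentation addresses, not the poster's.
SAMPLE = """\
interface Vlan2
 nameif outside
 ip address 198.51.100.21 255.255.255.248
global (outside) 2 198.51.100.19-198.51.100.20 netmask 255.255.255.0
static (inside,outside) 198.51.100.19 10.110.10.7 netmask 255.255.255.255
sysopt noproxyarp outside
"""

def audit(config):
    """Flag NAT mapped addresses the ASA will not answer ARP for, and pool mask mismatches."""
    ifaces, noproxy, mapped, nameif = {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # new interface block
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m[1]
        elif (m := re.match(r"ip address ([\d.]+) ([\d.]+)", line)) and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"sysopt noproxyarp (\S+)", line):
            noproxy.add(m[1])
        elif m := re.match(r"static \(\w+,(\w+)\) ([\d.]+) ", line):
            mapped.append(("static", m[1], m[2], None))
        elif m := re.match(r"global \((\w+)\) \d+ ([\d.]+)\S* netmask ([\d.]+)", line):
            mapped.append(("global", m[1], m[2], m[3]))
    findings = []
    for cmd, ifname, addr, mask in mapped:
        iface = ifaces.get(ifname)
        if iface is None:
            continue
        ip = ipaddress.ip_address(addr)
        # On-link mapped address that is not the interface IP: the upstream
        # router ARPs for it, and only proxy ARP makes the ASA reply.
        if ip in iface.network and ip != iface.ip and ifname in noproxy:
            findings.append(("no-proxy-arp", cmd, addr))
        if mask and ipaddress.ip_address(mask) != iface.netmask:
            findings.append(("netmask-mismatch", cmd, addr))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A `no-proxy-arp` finding means either proxy ARP has to be re-enabled on that interface or the upstream router needs a route or static ARP entry for the mapped address.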
