04-27-2013 06:07 AM - edited 03-04-2019 07:44 PM
I have been brainstorming over this for a few days and need help. This is my Cisco LAB environment used for study but also in production for daily use. I am trying to set up a double-NAT network with just one IP from my ISP through the ASA & 3825 going to (2) end nodes and multiple ports for port forwarding. It is currently working but only as simple PAT and I cannot initiate FTP from the outside. I know some may suggest removing the router, but this is my study LAB and it's a bit unconventional for learning purposes. I attached the diagram and would really appreciate it if you could provide some pointers, tips, parts of the config. I have done quite a bit of reading on different forums but cannot seem to grasp the concept. Thank you…
05-04-2013 08:41 AM
Hello,
Have you configured static port forward for FTP port?
Best Regards
Please rate all helpful posts and close solved questions
05-05-2013 07:46 AM
Hello, and thanks for replying. I know I will need different types of NAT but I'm uncertain on how to accomplish that. For instance, if I work with just port 2222 going to my NAS at 192.168.1.60, at the ASA, do I create a static NAT from 24.x.x.x to a (made up) IP of 10.1.1.60, and then at the Router, do I take that 10.1.1.60 and static NAT to 192.168.1.60?
Does that make sense? Do I have to perform the same type of static NAT for all destinations and ports and also have a dynamic NAT pool for the PAT?
05-05-2013 09:01 AM
Hello,
As you wrote, that is one way to accomplish it -> you have to configure a static port forward on both the ASA and the 3845.
Or you can perform NAT only on the ASA, so you configure a port forward -> 24.x.x.x 21 192.168.1.x 21. But make sure that the ASA has a route to the 192.168.1.0/24 network.
You have to choose one of these possibilities and perform a static port forward for each service which you want to have reachable from the internet. Additionally you have to configure PAT for LAN hosts to be able to access the internet.
Best Regards
Please rate all helpful posts and close solved questions
05-11-2013 10:46 PM
Sorry that it took me so long to reply but I finally had time to play with this. I took your suggestion but I'm still not doing something correctly.
This is the error in the log:
Failed to locate egress interface for TCP from inside:10.1.1.1/16362 to 24.xx.xx.xx/2222 |
Please take a look at the following config from the ASA;
FF(config)# sho run object
object network DNAT_3825
object network INTERNAL_LAN
subnet 10.1.1.0 255.255.255.224
object network NAS_SFTP
host 192.168.1.60
description NAS SFTP - Port 2222
object service PORT_2222
service tcp source eq 2222 destination eq 2222
description NAS SFTP - Port 2222
FF(config)# sho run nat
!
object network NAS_SFTP
nat (inside,outside) static interface no-proxy-arp service tcp 2222 2222
!
nat (inside,outside) after-auto source dynamic any interface dns
FF(config)# sho run access-list
access-list ACL-OUTSIDE extended permit tcp any host 192.168.1.60 eq 2222
access-list ACL-OUTSIDE extended deny ip any any log
access-list ACL-INSIDE extended permit ip any any log
FF(config)# sho run access-group
access-group ACL-OUTSIDE in interface outside
access-group ACL-INSIDE in interface inside
05-12-2013 12:14 AM
Hi,
Have you got a route for 24.x.x.x on the ASA?
Regards
Alain
Don't forget to rate helpful posts.
05-12-2013 05:20 AM
Thanks for the response, here is the 'Sho Route'
Gateway of last resort is 24.xx.xx.xx to network 0.0.0.0
O 172.16.1.0 255.255.255.240 [110/11] via 10.1.1.1, 252:25:32, inside
C 24.xx.xx.xx 255.255.240.0 is directly connected, outside
C 10.1.1.0 255.255.255.224 is directly connected, inside
O 192.168.1.0 255.255.255.192 [110/11] via 10.1.1.1, 252:25:32, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 24.xx.xx.xx, outside
05-12-2013 07:32 AM
The error message:
This is the error in the log:
Failed to locate egress interface for TCP from inside:10.1.1.1/16362 to 24.xx.xx.xx/2222 |
Is this from the ASA or the 3825? Have you tried just setting up a single NAT statement on both the ASA and 3825? Also double-check the routing table on the 3825 to make sure every route is visible.
05-13-2013 08:17 PM
That error is on the ASA. I am certain that my NAT is not correct and I posted the configs for both the ASA and the 3825, as well as the 'sho route'. Thanks for your help...
05-12-2013 09:45 AM
Hello,
The configuration you provided seems OK, but the error message looks weird. Do you perform NAT only on the ASA or do you perform double NAT?
If you perform NAT only on the ASA, can you provide the entire config and these outputs?
- ping 192.168.1.60
- packet-tracer input outside tcp REMOTE HIGH_PORT 192.168.1.60 22222 detailed
REMOTE - replace with the IP from which you are trying to reach 192.168.1.60 (some public IP)
HIGH_PORT - replace with some high port, e.g. 26154
- show conn and show xlate - when you try to reach 192.168.1.60
- show route
- please verify that you can reach the internet from the ASA, ping the next-hop, 8.8.8.8
!!!!! please do not hide public IPs like 24.x.x.x; either replace them with other IPs or make sure that hidden IPs are represented with the same signs, thanks !!!!!
If you perform double NAT, can you also provide the config of the 3825 router?
Best Regards
Please rate all helpful posts and close solved questions
05-13-2013 08:15 PM
I am performing NAT on the ASA and on the 3825; ISP -> ASA 10.1.1.0/27 -> Router 192.168.1.0/26
- Ping from ASA to 192.168.1.60 does not work, another issue, here's the ASA log as it scrolls;
- FF# packet-tracer input outside tcp 8.8.8.8 26154 192.168.1.60 22222 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb14fb28, priority=1, domain=permit, deny=false
hits=78854759, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.192 inside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group ACL-OUTSIDE-IN in interface outside
access-list ACL-OUTSIDE-IN extended deny ip any any log
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcad35bd0, priority=13, domain=permit, deny=true
hits=821, user_data=0xc9187dd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
- show conn and show xlate
Running these commands resulted in very long outputs with no reference to 192.168.1.60 when initiating an SFTP connection from 'outside'.
- FF# sho route
Gateway of last resort is 24.120.120.1 to network 0.0.0.0
O 172.16.1.0 255.255.255.240 [110/11] via 10.1.1.1, 290:33:34, inside
C 24.120.120.0 255.255.240.0 is directly connected, outside
C 10.1.1.0 255.255.255.224 is directly connected, inside
O 192.168.1.0 255.255.255.192 [110/11] via 10.1.1.1, 290:33:34, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 24.120.120.1, outside
- please verify that you can reach internet from ASA, ping next-hop, 8.8.8.8
I cannot ping internally or externally from the ASA but I do have an internet connection, as the ASA is currently connected and I have no connectivity issues.
- I am not really certain what you meant by hiding the public IP and the different signs, so I just manipulated the public IPs. I am including the config for the ASA and the 3825 below, thanks again for your help and please let me know what else I need to provide...
ASA Version 9.0(2)
!
hostname FF
enable password 4.x70RVTq0ba.OJq encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
passwd 1KFQnaNQdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 5
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan5
mac-address 001c.71a5.fa40
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan10
nameif inside
security-level 100
ip address 10.1.1.30 255.255.255.224
!
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 198.153.192.40
name-server 198.153.194.40
object network DNAT_3825
object network INTERNAL_LAN
subnet 10.1.1.0 255.255.255.224
object network NAS_SFTP
host 192.168.1.60
description NAS SFTP - Port 2222
object service PORT_2222
service tcp source eq 2222 destination eq 2222
description NAS SFTP - Port 2222
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list ACL-OUTSIDE-IN extended permit tcp any object NAS_SFTP eq 2222 log
access-list ACL-OUTSIDE-IN extended deny ip any any log
access-list ACL-INSIDE-IN extended permit ip any any log
access-list ACL-INSIDE-IN extended permit icmp any any echo-reply log
access-list ACL-INSIDE-IN extended permit icmp any any echo log
access-list ACL-INSIDE-IN extended permit icmp any any log
access-list ACL-INSIDE-OUT extended permit icmp any any echo-reply log
access-list ACL-INSIDE-OUT extended permit icmp any any echo log
access-list ACL-INSIDE-OUT extended permit icmp any any log
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network NAS_SFTP
nat (inside,outside) static interface no-proxy-arp service tcp 2222 2222
!
nat (inside,outside) after-auto source dynamic any interface dns
access-group ACL-OUTSIDE-IN in interface outside
access-group ACL-INSIDE-IN in interface inside
access-group ACL-INSIDE-OUT out interface inside
!
router ospf 1
network 10.1.1.0 255.255.255.224 area 0
network 192.168.1.0 255.255.255.192 area 0
log-adj-changes
default-information originate always metric 1
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http server idle-timeout 60
http server session-timeout 90
http 192.168.1.0 255.255.255.192 inside
http 10.1.1.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.1.1 source inside
ntp server 129.6.15.29 source outside prefer
webvpn
anyconnect-essentials
username cisco password vAf1q1H.ah.rqbDS encrypted privilege 15
username lab password n/pkFOGPjV0mLSxt encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:1271f9da71948856f63e44e7268f48fa
: end
__________________________________________________________________________________
Cisco Router 3825
version 15.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RR
!
boot-start-marker
boot system flash:c3825-adventerprisek9_ivs-mz.151-4.M6.bin
boot-end-marker
!
!
security authentication failure rate 3 log
logging buffered 51200
logging console critical
enable secret 4 1hdl2t2GTwuAChFnEIcCj0Iz7JBCJX01rwUvTaQTL7k
enable password 7 1057990D5505120F0801
!
no aaa new-model
!
clock timezone CST -6 0
clock summer-time CDT recurring
!
dot11 syslog
no ip source-route
!
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.4
ip dhcp excluded-address 192.168.1.51 192.168.1.62
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.1.14
!
ip dhcp pool DHCP_192.168.1.0/26
network 192.168.1.0 255.255.255.192
dns-server 192.168.1.1
default-router 192.168.1.1
domain-name ciscolab.local
!
ip dhcp pool VOICE_LAN
import all
network 172.16.1.0 255.255.255.240
default-router 172.16.1.1
dns-server 192.168.1.1
domain-name ciscolab.local
option 150 ip 172.16.1.1
!
!
no ip bootp server
ip domain name ciscolab.local
ip name-server 198.153.192.40
ip name-server 198.153.194.40
ip inspect log drop-pkt
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
parameter-map type inspect global
log dropped-packets enable
parameter-map type ooo global
tcp reassembly queue length 64
tcp reassembly memory limit 4096
tcp reassembly alarm off
!
voice-card 0
!
!
voice service voip
ip address trusted list
ipv4 64.237.39.42
ipv4 64.237.39.30
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
no supplementary-service h450.7
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
no supplementary-service sip handle-replaces
redirect ip2ip
sip
bind control source-interface GigabitEthernet0/1.20
bind media source-interface GigabitEthernet0/1.20
session transport tcp
registrar server
!
voice class codec 1
codec preference 1 g711ulaw
!
!
voice register global
mode cme
source-address 172.16.1.1 port 5060
max-dn 25
max-pool 25
load 7960-7940 P0S3-8-12-00
authenticate register
tftp-path flash:
create profile sync 0020174213302002
!
voice register dn 1
number 1001
name EXT1
label EXT1
!
voice register dn 2
number 1002
name EXT2
label EXT2
!
voice register pool 1
id mac 000F.BA70.EABD
type 7960
number 1 dn 1
username EXT1 password 1234
!
voice register pool 2
id mac 000C.AC60.EC61
type 7960
number 1 dn 2
username EXT2 password 1234
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2466671023
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2466671023
revocation-check none
rsakeypair TP-self-signed-2466671023
!
!
crypto pki certificate chain TP-self-signed-2466671023
certificate self-signed 01
!
!
license udi pid CISCO3825 sn FTI1017A0NT
archive
log config
hidekeys
username cisco privilege 15 password 7 0701282A1E1D310F12
username lab privilege 15 password 7 071111581C1B1A041317
!
redundancy
!
!
ip tcp synwait-time 10
!
!
interface Loopback0
description $FW_INSIDE$
ip address 99.99.99.99 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description OUTSIDE TO ASA$ETH-WAN$
ip address 10.1.1.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in max-reassemblies 64
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.10
description DATA_VLAN$ETH-LAN$
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1460
!
interface GigabitEthernet0/1.20
description VOICE_VLAN$ETH-LAN$
encapsulation dot1Q 20
ip address 172.16.1.1 255.255.255.240
ip nbar protocol-discovery
ip flow ingress
ip flow egress
!
router ospf 1
network 10.1.1.0 0.0.0.31 area 0
network 172.16.1.0 0.0.0.15 area 0
network 192.168.1.0 0.0.0.63 area 0
default-information originate
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat pool DHCP_192.168.1.0/26 192.168.1.1 192.168.1.62 netmask 255.255.255.192
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_OSPF
remark CCP_ACL Category=1
permit ospf any any
!
logging trap debugging
logging 192.168.1.60
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.63
!
!
tftp-server flash:/P0S3-8-12-00/P0S3-8-12-00.loads alias P0S3-8-12-00.loads
tftp-server flash:/P0S3-8-12-00/P0S3-8-12-00.sb2 alias P0S3-8-12-00.sb2
tftp-server flash:/P0S3-8-12-00/P003-8-12-00.bin alias P003-8-12-00.bin
tftp-server flash:/P0S3-8-12-00/P003-8-12-00.sbn alias P003-8-12-00.sbn
tftp-server flash:/SIP/SEP000DBC80EABD.cnf alias SEP000DBC80EABD.cnf
tftp-server flash:/SIP/SEP000DBC80EB61.cnf alias SEP000DBC80EB61.cnf
tftp-server flash:/SIP/XMLDefault.cnf alias XMLDefault.cnf
!
control-plane
!
!
mgcp fax t38 ecm
!
mgcp profile default
!
!
sip-ua
credentials number 13141234123 username GV13141234123 password 7 14123B1F26140672742E37252140 realm GVGW
authentication username GV13141234123 password 7 021E11674B2C56714A4A191A56
registrar dns:gvgw3.simonics.com:5070 expires 1800 tcp
sip-server dns:gvgw3.simonics.com:5070
!
!
gatekeeper
shutdown
!
!
telephony-service
no auto-reg-ephone
pin 0000 override
max-dn 25
ip source-address 172.16.1.1 port 2000
max-redirect 5
system message ciscolab
cnf-file location flash:
max-conferences 12 gain -6
web admin system name cisco secret 5 $0$LEFH$00Kx0vw4FlNCZvO2KypRh.
transfer-system full-consult
create cnf-files version-stamp 7960 Apr 14 2013 02:39:02
!
!
line con 0
exec-timeout 0 0
password 7 067366111F5A581710
logging synchronous
line aux 0
line vty 0 4
access-class 102 in
exec-timeout 0 0
privilege level 15
password 7 10400F005501131509
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server time.nist.gov prefer
end
05-14-2013 12:19 AM
Hello,
You are missing three things:
- static port forward on 3825
ip nat inside source static tcp 192.168.1.60 23 10.1.1.1 2222 extendable
- correctly configured NAS_SFTP on ASA
object network NAS_SFTP
host 10.1.1.1
! remember, server is behind NAT, so ASA knows this server as 10.1.1.1
- allow traffic in ACL
access-list ACL-INSIDE-OUT extended permit tcp any object NAS_SFTP eq 2222
Best Regards
Please rate all helpful posts and close solved questions
05-14-2013 05:10 AM
I ran the 3 commands on the specified device but I am still receiving the following error in the ASA and I cannot connect;
6 | May 14 2013 | 06:57:51 | 10.1.1.1 | 9156 | Failed to locate egress interface for TCP from inside:10.1.1.1/9156 to 24.120.120.229/2222 |
This is the output from the ASA. Nothing else changed aside from the 3 lines you suggested, thank you...
- FF# packet-tracer input outside tcp 8.8.8.8 26154 192.168.1.60 2222 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb14fb28, priority=1, domain=permit, deny=false
hits=80158375, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.192 inside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group ACL-OUTSIDE-IN in interface outside
access-list ACL-OUTSIDE-IN extended deny ip any any log
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcad35bd0, priority=13, domain=permit, deny=true
hits=1093, user_data=0xc9187dd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-14-2013 05:40 AM
Hello,
You are mixing two approaches together. Either you configure single NAT on the ASA or you configure double NAT, one on the ASA and a second on the 3845.
You said that you chose the second approach, to perform double NAT. It means that 192.168.1.0/26 should be hidden behind the 10.1.1.1 IP, but I can see OSPF routes for both 192.168.1.0/26 and 172.16.1.0/28 in the ASA routing table. You have to choose one approach and stick with it!
So please choose which way you want to continue and in the meantime please upload the output of:
FF# packet-tracer input outside tcp 8.8.8.8 26154 10.1.1.1 2222
Best Regards
Please rate all helpful posts and close solved questions
05-16-2013 05:42 PM
I don't mind keeping the 192.168.1.0/26 route and just getting this to work. I did remove that route but still nothing. This is the result in the ASDM log;
w/o network 192.168.1.0 255.255.255.192 area 0 - Failed to locate egress interface for TCP from inside:10.1.1.1/18470 to 24.120.120.229/2222
w/ network 192.168.1.0 255.255.255.192 area 0 - Failed to locate egress interface for TCP from inside:10.1.1.1/18523 to 24.120.120.229/2222
FF# packet-tracer input outside tcp 8.8.8.8 26154 10.1.1.1 2222
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.0 255.255.255.224 inside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-OUTSIDE-IN in interface outside
access-list ACL-OUTSIDE-IN extended permit tcp any object NAS_SFTP eq 2222 log
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-INSIDE-IN out interface inside
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAS_SFTP
nat (inside,outside) static interface no-proxy-arp service tcp 2222 2222
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
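To make the two approaches discussed in this thread (single NAT on the ASA versus double NAT through the ASA and the 3825) concrete, here is an added Python model of the inbound port-forward chain; it is example code written for this page, not configuration from the thread or from Cisco. It uses the addresses posted above and assumes the NAS listens on TCP 2222 (as the NAS_SFTP object description says); the simplified reverse check stands in for the ASA's "NAT rpf-check" phase and is not the ASA's real implementation.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class StaticPat:
    """One static TCP port forward: mapped (outside) socket <-> real (inside) socket."""
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

    def inbound(self, pkt):
        """Outside->inside: rewrite the mapped destination to the real host.
        Returns None when the packet is not addressed to this rule's mapped socket."""
        if (pkt.dst_ip, pkt.dst_port) != (self.mapped_ip, self.mapped_port):
            return None
        return replace(pkt, dst_ip=self.real_ip, dst_port=self.real_port)

# Addresses as posted in the thread: ASA outside, 3825 WAN (G0/0) and the NAS.
ASA_OUTSIDE = "24.120.120.229"
ROUTER_WAN = "10.1.1.1"
NAS = "192.168.1.60"

# Approach 1 (single NAT): only the ASA translates, straight to the NAS.
# The ASA then needs a route to 192.168.1.0/26 and the 3825 must not NAT.
SINGLE_NAT = [("ASA", StaticPat(ASA_OUTSIDE, 2222, NAS, 2222))]

# Approach 2 (double NAT): the ASA forwards 2222 to the 3825's WAN address and
# the 3825 forwards it on to the NAS. Assumption: NAS listens on 2222 (the IOS
# line suggested in the thread used inside port 23).
ASA_RULE = StaticPat(ASA_OUTSIDE, 2222, ROUTER_WAN, 2222)
ROUTER_RULE = StaticPat(ROUTER_WAN, 2222, NAS, 2222)
DOUBLE_NAT = [("ASA", ASA_RULE), ("3825", ROUTER_RULE)]

# The mix the thread warns about: the ASA object still points at 192.168.1.60
# while the 3825 also NATs. The ASA hands the 3825 a packet for 192.168.1.60:2222,
# which no 3825 port forward is keyed on, so the chain never lines up.
MIXED = [("ASA", SINGLE_NAT[0][1]), ("3825", ROUTER_RULE)]

def walk_inbound(pkt, hops):
    """Push an outside-originated packet through each NAT hop in order.
    Returns (final packet or None, trace of (hop name, packet after that hop))."""
    trace = []
    for name, rule in hops:
        pkt = rule.inbound(pkt)
        trace.append((name, pkt))
        if pkt is None:
            break
    return pkt, trace

def rpf_check(pkt, rule):
    """Simplified stand-in for the ASA 'NAT rpf-check' phase: a packet entering
    on outside must be addressed to the rule's MAPPED socket. Aiming it at the
    REAL inside address (10.1.1.1, as the last packet-tracer in the thread did)
    fails here even though the access-list phase allowed it."""
    return (pkt.dst_ip, pkt.dst_port) == (rule.mapped_ip, rule.mapped_port)

if __name__ == "__main__":
    syn = Packet("8.8.8.8", 26154, ASA_OUTSIDE, 2222)  # same probe as the thread
    for label, hops in (("single", SINGLE_NAT), ("double", DOUBLE_NAT), ("mixed", MIXED)):
        final, trace = walk_inbound(syn, hops)
        print(label, "->", final, trace)
    print("rpf against mapped address:", rpf_check(syn, ASA_RULE))
    print("rpf against real address:", rpf_check(Packet("8.8.8.8", 26154, ROUTER_WAN, 2222), ASA_RULE))
```

Running it prints the hop-by-hop rewrite for each approach; only the single and double chains end at the NAS, and only a probe aimed at the mapped outside address passes the reverse check.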