05-11-2019 08:09 PM
I've got an ASA 5516 that I'm having issues with NAT on. Currently it seems to work except when I try to access a public IP on my own subnet. The outside interface has a public IP that is part of a /26. From the inside interface, if I try to ping, access, or get SNMP data from any other IP on our /26, it doesn't pass.
I've run the Packet Tracer tool and it says "(no-adjacency) No valid adjacency" for the result.
An example of where it's broken would be trying to ping from 10.15.2.50 to 1.2.3.126.
Here is my config:
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1.2.3.66 255.255.255.192
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.15.2.251 255.255.255.0
!
interface GigabitEthernet1/3
nameif voice
security-level 90
ip address 192.168.20.251 255.255.255.0
!
interface GigabitEthernet1/4
description Corp WiFi Interface
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4.33
description Printer
vlan 33
nameif Printers
security-level 100
ip address 10.15.33.251 255.255.255.0
!
interface GigabitEthernet1/5
nameif LW_WiFi
security-level 100
ip address 10.15.3.251 255.255.255.0
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6.4
description HR Department
vlan 4
nameif HR_Dept
security-level 100
ip address 10.15.4.251 255.255.255.0
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif To_5516
security-level 0
ip address 192.168.95.2 255.255.255.252
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup voice
dns domain-lookup LW_WiFi
dns domain-lookup HR_Dept
dns server-group DefaultDNS
domain-name company.corp
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN_IP_Pool
subnet 10.245.245.0 255.255.255.0
object network company_Internal_Range
subnet 10.15.2.0 255.255.255.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ScreenConnect
object network 1.2.3.86
host 1.2.3.86
object network 1.2.3.67
host 1.2.3.67
object network 1.2.3.94
host 1.2.3.94
object service aamon
service tcp destination eq 10101
object service aamob1
service udp destination eq isakmp
description AA Mobility
object service aamob2
service udp destination eq 4500
description AA Mobility
object network ForecastTool
host 10.15.2.54
description Internal Address of Forecast Tool
object network ForecastTool-Ext
host 1.2.3.69
description External Address of Forecast Tool
object service forecasttl
service tcp destination eq www
description Allow port 7171 on forecast tool
object network NETWORK_OBJ_10.245.245.0_24
subnet 10.245.245.0 255.255.255.0
object network Spiceworks
host 10.15.2.183
description Internal Address of Spiceworks Site
object network Printer-External-IP
host 1.2.3.70
description Printer IP
object service Spiceworks-9675
service tcp destination eq 9675
description Permit TCP 9675
object network company_Voice_Range
subnet 192.168.20.0 255.255.255.0
description voice IP range
object network Voice_NAT
host 1.2.3.71
description Voice_NAT
object network Google_DNS_1
host 8.8.8.8
description Google_DNS_1
object network Google_DNS_2
host 8.8.4.4
description Google_DNS_2
object service DHCP_Relay
service udp destination eq bootps
object service GoverLAN-agents
service tcp destination eq 15155
description Allow GoverLAN agents to 15155
object network DMZ_NAT_IP
host 1.2.3.79
object network DMZ_Internal_Range
subnet 192.168.10.0 255.255.255.0
object network DMZ-2_Internal_Range
subnet 172.16.52.0 255.255.255.0
object network DMZ-2_NAT_IP
host 1.2.3.81
object network Nextiva_Block_1
subnet 208.73.144.0 255.255.248.0
object network DMZ_Radius
host 192.168.10.254
object service RDP-Service
service tcp source eq 3395
object network nextiva_background_images
subnet 151.101.48.0 255.255.255.0
description website
object network Nextiva_Block_2
subnet 208.89.108.0 255.255.252.0
object service LWNAS_443
service tcp source range 1 65000 destination eq https
description LWNAS
object network LWNAS
host 10.15.2.55
object network LWNAS-EXT
host 1.2.3.74
description External Address of LWNAS
object network VPN
host 1.2.3.66
description VPN public IP
object network LW_WiFi
subnet 10.15.3.0 255.255.255.0
description LW_WiFi
object network HR_Dept
subnet 10.15.4.0 255.255.255.0
description HR department
object network HR_Public_IP
host 1.2.3.68
description HR
object service Radius
service udp source range 0 50000 destination eq 1814
object network NETWORK_OBJ_10.30.97.0_24
subnet 10.30.97.0 255.255.255.0
object network NETWORK_OBJ_10.15.2.0_24
subnet 10.15.2.0 255.255.255.0
object network Printers
subnet 10.15.33.0 255.255.255.0
description Printer VLAN
object network ICTDC01
host 10.15.2.1
description ICTDC01
object network ICTDC03
host 10.15.2.3
description ICTDC03
object network ICTDC06
host 10.15.2.6
description ICTDC06
object network HR_Nat
subnet 10.15.4.0 255.255.255.0
description HR Dept
object network Corp_WiFi
subnet 10.15.3.0 255.255.255.0
description LW Corp WiFi
object network Voice
subnet 192.168.20.0 255.255.255.0
description Voice
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp-udp
port-object eq 3389
object-group network Google_DNS_Group
network-object object Google_DNS_1
network-object object Google_DNS_2
object-group service DM_INLINE_TCP_20 tcp
port-object eq ftp
port-object eq ftp-data
object-group network DM_INLINE_NETWORK_2
object-group service DM_INLINE_SERVICE_12
service-object icmp
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group network PrivateNetworks
network-object 10.0.0.0 255.0.0.0
object-group network USG_Networks_To_Block
description Guest - Networks to block
network-object object company_Voice_Range
network-object object VPN_IP_Pool
network-object 10.15.3.0 255.255.255.0
network-object 10.15.4.0 255.255.255.0
network-object object HR_Dept
network-object object HR_Public_IP
network-object 10.0.0.0 255.0.0.0
network-object object company_Internal_Range
object-group service time-servers udp
port-object eq ntp
object-group network Nextiva_IP_Ranges
network-object object Nextiva_Block_1
group-object Google_DNS_Group
network-object object Nextiva_Block_2
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq sip
service-object udp destination eq sip
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp
service-object object LWNAS_443
object-group service mDNS udp
description udp 5353
port-object eq 5353
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group network Domain_Controllers
description ICT Domain Controllers
network-object object ICTDC01
network-object object ICTDC03
network-object object ICTDC06
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_TCP_2 tcp
group-object RDP
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ssh
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
access-list inside_nat0_outbound extended permit ip any object VPN_IP_Pool
access-list outside_access_in extended deny udp any object DMZ_Radius eq 5353
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any 10.15.2.0 255.255.255.0
access-list outside_access_in extended permit object forecasttl any4 object ForecastTool
access-list outside_access_in extended permit ip any object LWNAS
access-list 110 extended permit ip 10.0.0.0 255.0.0.0 object VPN_IP_Pool
access-list inside_access_in_1 extended permit ip 10.15.2.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list ASA-Sourcefire extended permit ip any any inactive
access-list company-VPN-Split-Tunnel standard permit 10.15.0.0 255.255.0.0
access-list voice_access_in extended deny ip object-group PrivateNetworks any
access-list voice_access_in extended permit tcp 192.168.20.0 255.255.255.0 object nextiva_background_images object-group DM_INLINE_TCP_1
access-list voice_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.20.0 255.255.255.0 any
access-list voice_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.20.0 255.255.255.0 object-group Nextiva_IP_Ranges
access-list voice_access_in extended permit udp any any eq ntp
access-list voice_access_in extended deny ip any any log debugging
access-list voice_access_in extended deny icmp any any inactive
access-list To_5516_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any object-group Domain_Controllers
access-list To_5516_access_in extended permit object-group TCPUDP any object-group Domain_Controllers eq domain
access-list To_5516_access_in extended deny object-group DM_INLINE_PROTOCOL_5 any any
access-list To_5516_access_in extended deny tcp any any object-group DM_INLINE_TCP_2
access-list To_5516_access_in extended deny tcp any any eq lpd
access-list DMZ_access_in extended permit ip any any
access-list DMZ-2_access_in extended deny ip any any inactive
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list from_outside extended permit icmp any any echo
access-list LW_WiFi_access_in extended deny ip any 192.168.20.0 255.255.255.0
access-list LW_WiFi_access_in extended deny ip any 10.15.4.0 255.255.255.0
access-list LW_WiFi_access_in extended permit ip any any
access-list HR_Dept_access_in extended deny ip any 192.168.100.0 255.255.255.0
access-list HR_Dept_access_in extended deny ip any 192.168.20.0 255.255.255.0
access-list HR_Dept_access_in extended deny ip any 10.15.3.0 255.255.255.0
access-list HR_Dept_access_in extended permit ip any any
access-list Printers_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
Any ideas where I've gone wrong?
Thank you.
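As an added example (not part of the post and not Cisco tooling), the helper below reads ASA interface blocks like the ones above and, for a given source and destination, reports which interfaces the flow enters and leaves, whether the destination sits on a directly connected subnet (so the ASA must resolve it with ARP on that interface instead of forwarding to a gateway, which is where an adjacency lookup comes into play), and whether a nat (ingress,egress) rule for that interface pair exists in the text. The sample config is constructed from the post's interface lines plus one hypothetical nat line so the lookup has something to match.

```python
import ipaddress
import re

# Constructed sample: interface lines from the post plus a hypothetical nat line.
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 1.2.3.66 255.255.255.192
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.15.2.251 255.255.255.0
!
object network company_Internal_Range
 subnet 10.15.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface that has both set."""
    result, name, addr = {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name, addr = None, None          # new block: reset state
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address "):
            _, _, ip, mask = s.split()
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if name and addr:
            result[name] = addr
    return result

def connected_interface(interfaces, ip):
    """Name of the interface whose subnet contains ip, or None if a route is needed."""
    ip = ipaddress.IPv4Address(ip)
    for name, iface in interfaces.items():
        if ip in iface.network:
            return name
    return None

def classify_flow(config, src, dst):
    """Summarise ingress/egress, on-link status and presence of a matching nat line."""
    ifaces = parse_interfaces(config)
    ingress, egress = connected_interface(ifaces, src), connected_interface(ifaces, dst)
    has_nat = False
    if ingress and egress:
        pattern = r"^\s*nat \(" + re.escape(f"{ingress},{egress}") + r"\)"
        has_nat = re.search(pattern, config, re.M) is not None
    return {"ingress": ingress, "egress": egress,
            "dst_on_link": egress is not None, "nat_rule": has_nat}
```

With the post's example flow (10.15.2.50 to 1.2.3.126) the destination is reported as on-link on outside, which is the case to compare against a destination such as 8.8.8.8 that needs a route instead.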