02-19-2012 04:09 PM - edited 03-07-2019 05:01 AM
I'm replacing our current router with an ASA 5510 running 8.4(3) and I'm having what I think are NAT issues.
From the 192.168.0.0/24 subnet, I'm able to reach the outside world (via NAT/PAT) without any issues. However, none of the internal subnets (e.g. 192.168.10.0/24) are able to. Packet-tracer shows no ACL issues. Any thoughts?
Here's my config:
ASA Version 8.4(3)
!
hostname gw
domain-name internal.mycompany.com
enable password asdf encrypted
passwd asdf encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 216.x.x.x 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone MST -7
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name internal.mycompany.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network public_dc
subnet 204.x.x.x 255.255.255.224
object network subnet_a
subnet 192.168.20.0 255.255.255.0
object network subnet_a_wireless
subnet 192.168.21.0 255.255.255.0
object network subnet_b
subnet 192.168.10.0 255.255.255.0
object network subnet_b_wireless
subnet 192.168.11.0 255.255.255.0
object network subnet_c
subnet 192.168.30.0 255.255.255.0
object network subnet_c_wireless
subnet 192.168.31.0 255.255.255.0
object network subnet_dc
subnet 10.10.10.0 255.255.255.192
object network subnet_server
subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network subnet_primary
subnet 192.168.0.0 255.255.255.0
object network EXTERNAL_PAT
host 216.x.x.x
object-group network internal_lan_trusted
network-object object subnet_a
network-object object subnet_b
network-object object subnet_c
network-object object subnet_server
network-object object subnet_primary
object-group network internal_lan_wireless
network-object object subnet_b_wireless
network-object object subnet_c_wireless
network-object object subnet_a_wireless
object-group network mycompany_trusted_lan
network-object object subnet_a
network-object object subnet_b
network-object object subnet_c
network-object object subnet_server
network-object object subnet_dc
network-object object subnet_primary
object-group network mycompany_lan
network-object object subnet_a
network-object object subnet_a_wireless
network-object object subnet_b
network-object object subnet_b_wireless
network-object object subnet_c
network-object object subnet_c_wireless
network-object object subnet_dc
network-object object subnet_primary
network-object object subnet_server
object-group network mycompany_lan_internal
network-object object subnet_a
network-object object subnet_a_wireless
network-object object subnet_b
network-object object subnet_b_wireless
network-object object subnet_c
network-object object subnet_c_wireless
network-object object subnet_primary
network-object object subnet_server
access-list inside_access_in extended permit ip any any log disable
access-list global_access extended permit icmp any any log disable
access-list global_access extended permit ip any any log disable
access-list outside_access_in extended permit ip any any log disable
access-list outside_access_in extended permit icmp any any log disable
access-list split_tunnel extended permit ip object-group mycompany_lan any log disable
access-list DC_VPN_TRAFFIC extended permit ip object-group mycompany_trusted_lan object subnet_dc log disable
access-list DC_VPN_TRAFFIC extended permit icmp object-group mycompany_trusted_lan object subnet_dc log disable
access-list inside_access extended permit ip any any
access-list inside_acl extended permit ip object-group mycompany_lan any
access-list inside_acl extended permit icmp object-group mycompany_lan any
access-list outside_access_out extended permit ip any any log disable
access-list outside_access_out extended permit icmp any any log disable
no pager
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu temporary 1500
ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static mycompany_lan mycompany_lan destination static mycompany_lan mycompany_lan
nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface
!
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_acl in interface inside
access-group inside_acl out interface inside
access-group global_access global
!
router eigrp 10
network 192.168.0.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
route inside 192.168.5.0 255.255.255.0 192.168.0.6 1
route inside 192.168.10.0 255.255.255.0 192.168.0.10 1
route inside 192.168.11.0 255.255.255.0 192.168.0.10 1
route inside 192.168.20.0 255.255.255.0 192.168.0.20 1
route inside 192.168.21.0 255.255.255.0 192.168.0.20 1
route inside 192.168.30.0 255.255.255.0 192.168.0.30 1
route inside 192.168.31.0 255.255.255.0 192.168.0.30 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server mycompany protocol radius
aaa-server mycompany (inside) host 192.168.5.29
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec fragmentation after-encryption outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DC_VPN_MAP 1 match address DC_VPN_TRAFFIC
crypto map DC_VPN_MAP 1 set pfs
crypto map DC_VPN_MAP 1 set peer 204.x.x.x
crypto map DC_VPN_MAP 1 set ikev1 transform-set ESP-3DES-SHA
crypto map DC_VPN_MAP interface outside
crypto ca trustpoint anyconnect_trustpoint
enrollment self
subject-name CN=gw
crl configure
crypto ca certificate chain anyconnect_trustpoint
certificate 48733d4f
308201e3 3082014c a0030201 02020448 733d4f30 0d06092a 864886f7 0d010105
05003036 310b3009 06035504 03130267 77312730 2506092a 864886f7 0d010902
16186777 2e696e74 65726e61 6c2e7370 61726b66 756e2e63 6f6d301e 170d3132
30323136 32323331 30375a17 0d323230 32313332 32333130 375a3036 310b3009
06035504 03130267 77312730 2506092a 864886f7 0d010902 16186777 2e696e74
65726e61 6c2e7370 61726b66 756e2e63 6f6d3081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 818100dd c12be975 8e68594c 3d3f2e20 2deab59b
5a584d62 f1dc0a2f 34bfbf7b a3cda514 c9b8cd7a 371920b4 20460ff8 0bc15eea
8ce801d1 96745f83 c6218cee d87d0d47 8b1eb05a f2f65367 069a99ff 3af5bd3a
4a1bbb79 b0229e81 1a507670 bb7aa46e 9224791c a9e353ec 60a262ea 7a262909
56afa944 536864b5 4e93a19d b77df302 03010001 300d0609 2a864886 f70d0101
05050003 81810078 7c5c652a 3f1b296d 72cca5f8 a8ba36f3 110a21bc 6c501c88
22eed1db 086dac0a 90d1cecd e870c113 b1614445 fc0e3505 1b569c1a c196d1d1
6af0efff f8c6e76a eb269b7f bae0cbf0 5cb4f010 f35496a3 504c8001 f81c3b7f
e98a2cae 6610bdd7 2a25ccba ac5d735a 71c72069 53653a7a c0ef0121 0adfe7b6
58798f08 0750d8
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint anyconnect_trustpoint
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.0.20-192.168.0.100 inside
dhcpd dns 192.168.5.47 interface inside
dhcpd wins 192.168.5.29 interface inside
dhcpd ping_timeout 20 interface inside
dhcpd domain internal.mycompany.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 91.189.94.4 source outside prefer
ssl trust-point anyconnect_trustpoint outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-64-2.5.3054-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.5.3054-k9.pkg 4
anyconnect profiles mycompany_anyconnect_client_profile disk0:/mycompany_anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.5.29
dns-server value 192.168.5.46
vpn-tunnel-protocol ikev1 ikev2 ssl-client
password-storage enable
split-tunnel-network-list value split_tunnel
default-domain value internal.mycompany.com
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value internal.mycompany.com
group-policy mycompany internal
group-policy mycompany attributes
wins-server value 192.168.5.29
dns-server value 192.168.5.46
vpn-tunnel-protocol ikev1
split-tunnel-network-list value split_tunnel
default-domain value internal.mycompany.com
group-policy GroupPolicy_mycompany_anyconnect internal
group-policy GroupPolicy_mycompany_anyconnect attributes
wins-server value 192.168.5.29
dns-server value 192.168.5.46
vpn-tunnel-protocol ikev2 ssl-client
password-storage enable
split-tunnel-network-list value split_tunnel
default-domain value internal.mycompany.com
webvpn
anyconnect profiles value mycompany_anyconnect_client_profile type user
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
authentication-server-group (temporary) mycompany LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (temporary) mycompany LOCAL
tunnel-group mycompany_anyconnect type remote-access
tunnel-group mycompany_anyconnect general-attributes
address-pool vpn_pool
authentication-server-group (temporary) mycompany LOCAL
default-group-policy GroupPolicy_mycompany_anyconnect
tunnel-group mycompany_anyconnect webvpn-attributes
group-alias mycompany_anyconnect enable
tunnel-group mycompany type remote-access
tunnel-group mycompany general-attributes
address-pool vpn_pool
authentication-server-group (temporary) mycompany LOCAL
default-group-policy mycompany
tunnel-group mycompany ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DC_VPN type ipsec-l2l
tunnel-group 204.x.x.x type ipsec-l2l
tunnel-group 204.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
Cryptochecksum:3a10facef4d0c6fe63bf34d5899274f9
: end
02-19-2012 04:48 PM
What is connected to ASA on the internal side?
Are you running EIGRP with that device?
Sent from Cisco Technical Support iPhone App
02-19-2012 04:52 PM
Routers on the 192.168.0.0/24 network are connected via a switch. All internal 192.168.0.0/16 hosts are able to communicate with each other.
EIGRP is running on all devices, though I was having some issues, so I added static routes on the ASA.
02-20-2012 02:33 AM
Hi,
What is packet-tracer telling you?
Maybe you could do a packet capture on the inside and outside interfaces and post it here too.
Regards.
Alain
02-20-2012 06:54 AM
Packet tracer output:
gw# packet-tracer input inside tcp 192.168.5.1 4900 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit ip object-group mycompany_lan any
object-group network mycompany_lan
network-object object subnet_a
network-object object subnet_a_wireless
network-object object subnet_b
network-object object subnet_b_wireless
network-object object subnet_c
network-object object subnet_c_wireless
network-object object subnet_dc
network-object object subnet_primary
network-object object subnet_server
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface
Additional Information:
Dynamic translate 192.168.5.1/4900 to 216.x.x.x/4900
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log disable
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 49776, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
02-20-2012 02:45 AM
Did you try to change the network statement in eigrp to include other subnets too?
router eigrp 10
network 192.168.0.0 255.255.0.0
Also can you post the output of "sh ip route"
02-20-2012 06:59 AM
I did try setting the ASA's EIGRP network to /16, which didn't seem to make a difference.
gw# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 216.x.x.x to network 0.0.0.0
S 192.168.31.0 255.255.255.0 [1/0] via 192.168.0.30, inside
S 192.168.30.0 255.255.255.0 [1/0] via 192.168.0.30, inside
S 192.168.10.0 255.255.255.0 [1/0] via 192.168.0.10, inside
S 192.168.11.0 255.255.255.0 [1/0] via 192.168.0.10, inside
C 216.x.x.x 255.255.255.224 is directly connected, outside
S 192.168.21.0 255.255.255.0 [1/0] via 192.168.0.20, inside
S 192.168.20.0 255.255.255.0 [1/0] via 192.168.0.20, inside
S 192.168.5.0 255.255.255.0 [1/0] via 192.168.0.6, inside
S 192.168.0.104 255.255.255.255 [1/0] via 216.x.x.x, outside <--- Not sure why this is here..?
C 192.168.0.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 216.x.x.x, outside
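Added example, not part of the thread and not the poster's or Cisco's code: the Python below models how ASA 8.3+ orders twice-NAT rules (manual rules in section 1, object NAT in section 2, manual rules marked `after-auto` in section 3, first match wins) against an excerpt of the config posted at the top. It reproduces the NAT phase of the packet-tracer output above (an Internet-bound flow falls through the section-1 identity rule, whose destination is `mycompany_lan`, and lands on the section-3 dynamic PAT to the outside interface, while a flow to `subnet_dc` stays untranslated), and it flags that `vpn_pool` lies inside the `inside` interface's own 192.168.0.0/24. That overlap is worth checking separately: the ASA installs a /32 host route toward the VPN peer for every connected remote-access client address, which is the shape of the `192.168.0.104 255.255.255.255 ... outside` entry in the `sh route` output. The parser is a deliberately minimal model (an assumption of this example, not a full ASA NAT implementation): it handles only the object, object-group, interface, pool and `nat` lines shown, ignores section 2 and `any` interfaces, and leaves out the outside interface because its address is redacted in the post.

```python
"""Model ASA 8.3+ twice-NAT ordering against an excerpt of the posted config.
Added example, not the poster's or Cisco's code. ASA tries manual rules (section 1),
then object NAT (section 2, none here), then after-auto manual rules (section 3),
each in config order; the first match wins."""
import ipaddress

# Constructed excerpt of the posted config; the outside interface is omitted because
# its address is redacted (216.x.x.x) in the thread.
CONFIG = """
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
object network subnet_b
 subnet 192.168.10.0 255.255.255.0
object network subnet_dc
 subnet 10.10.10.0 255.255.255.192
object network subnet_primary
 subnet 192.168.0.0 255.255.255.0
object-group network mycompany_lan
 network-object object subnet_b
 network-object object subnet_dc
 network-object object subnet_primary
object-group network mycompany_lan_internal
 network-object object subnet_b
 network-object object subnet_primary
ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0
nat (inside,outside) source static mycompany_lan mycompany_lan destination static mycompany_lan mycompany_lan
nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface
"""

def parse_nat(tok):
    # nat (real_if,mapped_if) [after-auto] source {static|dynamic} REAL MAPPED
    #     [destination static REAL MAPPED]
    real_if, mapped_if = tok[1].strip("()").split(",")
    s = tok.index("source")
    rule = {"section": 3 if "after-auto" in tok else 1, "real_if": real_if,
            "mapped_if": mapped_if, "src_type": tok[s + 1], "src_real": tok[s + 2],
            "src_mapped": tok[s + 3], "dst_real": None}
    if "destination" in tok:
        rule["dst_real"] = tok[tok.index("destination") + 2]
    return rule

def parse_config(text):
    cfg = {"objects": {}, "groups": {}, "nats": [], "pools": [], "ifaces": {}}
    ctx = ("", "")  # (kind, name) of the indented block being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            ctx = ("obj", tok[2])
            cfg["objects"][tok[2]] = []
        elif tok[:2] == ["object-group", "network"]:
            ctx = ("grp", tok[2])
            cfg["groups"][tok[2]] = []
        elif tok[0] == "interface":
            ctx = ("if", tok[1])
            cfg["ifaces"][tok[1]] = {}
        elif tok[0] == "subnet" and ctx[0] == "obj":
            cfg["objects"][ctx[1]].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "network-object" and ctx[0] == "grp":
            cfg["groups"][ctx[1]].append(tok[-1])  # "network-object object NAME"
        elif tok[0] == "nameif" and ctx[0] == "if":
            cfg["ifaces"][ctx[1]]["nameif"] = tok[1]
        elif tok[:2] == ["ip", "address"] and ctx[0] == "if":
            cfg["ifaces"][ctx[1]]["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"].append((tok[3], ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif tok[0] == "nat":
            cfg["nats"].append(parse_nat(tok))
    return cfg

def resolve(name, cfg):
    """Expand an object or object-group name to the networks it contains."""
    if name in cfg["objects"]:
        return cfg["objects"][name]
    return [n for member in cfg["groups"][name] for n in resolve(member, cfg)]

def nat_lookup(cfg, src, dst, ingress="inside"):
    """(description, section) of the first rule matching a packet entering on
    `ingress`, in ASA evaluation order; (None, None) if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, r in sorted(enumerate(cfg["nats"]), key=lambda ir: (ir[1]["section"], ir[0])):
        if r["real_if"] != ingress or not any(src in n for n in resolve(r["src_real"], cfg)):
            continue
        if r["dst_real"] and not any(dst in n for n in resolve(r["dst_real"], cfg)):
            continue
        if r["src_type"] == "static" and r["src_real"] == r["src_mapped"]:
            return ("identity: source left untranslated", r["section"])
        if r["src_type"] == "dynamic" and r["src_mapped"] == "interface":
            return (f"dynamic PAT to the {r['mapped_if']} interface address", r["section"])
        return (f"{r['src_type']} translation to {r['src_mapped']}", r["section"])
    return (None, None)

def pool_overlaps(cfg):
    """(pool, nameif) pairs where a VPN address pool sits inside an interface subnet."""
    return [(name, i.get("nameif", "?")) for name, lo, hi in cfg["pools"]
            for i in cfg["ifaces"].values() if "net" in i and (lo in i["net"] or hi in i["net"])]

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print(nat_lookup(cfg, "192.168.10.5", "8.8.8.8"), nat_lookup(cfg, "192.168.10.5", "10.10.10.9"))
    print(pool_overlaps(cfg))
```

Running it shows the same split packet-tracer shows: `192.168.10.5 -> 8.8.8.8` hits the after-auto dynamic PAT (section 3), `192.168.10.5 -> 10.10.10.9` hits the section-1 identity rule, and `vpn_pool` is reported as overlapping the `inside` subnet. A source outside every object-group (for example 192.168.99.5) matches no rule at all, which on a real ASA means it leaves untranslated with an RFC 1918 source address.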