Routing/NAT Question

craigie1977
Level 1

I was wondering if someone could point me in the right direction.

We have 4 x Cisco ASA 5510 Firewalls, we can ignore two as they are in Active/Passive mode.

I'm trying to get from LAN 10.37.23.0/24 to DMZ 172.16.1.0/24, which fails on ICMP or HTTPS; however, when performing Packet Tracer this shows no issues.

If I go on the DMZ 172.16.1.0/24 I can get to the LAN 10.37.23.0/24 without any issues.

For routing I have EIGRP in place and the LAN ASAs are also performing the NATing to the Outside world.

What I have tried so far:

- Permitted IP Any Any on the Access Lists in place.

- Added IP Verify reverse-path interface statements

- Created the following No NAT entries:

LAN ASA - nat (LAN,any) source static LAN LAN destination static DMZ DMZ

DMZ ASA - nat (DMZ,any) source static DMZ DMZ destination static LAN LAN

I can ping the ASA on the Outside Interface on 192.168.101.252 and connect to it via SSH.

Below is an extract of the configs and a diagram; any pointers would be appreciated!

LAN ASA

ASA Version 8.3(1)
!
hostname BGF-ASA01
domain-name x.co.uk
enable password dzR/i52oKB2qKunT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description LAN
nameif LAN
security-level 100
ip address 10.37.23.254 255.255.255.0 standby 10.37.23.253
!
interface Ethernet0/1
description ToDMZ
nameif ToDMZ
security-level 50
ip address 192.168.101.254 255.255.255.0 standby 192.168.101.253
!
interface Ethernet0/2
description Outside
nameif Outside
security-level 0
ip address 192.168.1.5 255.255.255.0 standby 192.168.1.6
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description LAN Failover Interface
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name x.co.uk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network BGF-EX01
host 10.37.23.11
object network LAN
subnet 10.37.23.0 255.255.255.0
object network MessageLabs01
subnet 216.82.240.0 255.255.240.0
object network MessageLabs02
subnet 67.219.240.0 255.255.240.0
object network MessageLabs03
subnet 85.158.136.0 255.255.248.0
object network MessageLabs04
subnet 95.131.104.0 255.255.248.0
object network MessageLabs05
subnet 117.120.16.0 255.255.248.0
object network MessageLabs06
subnet 193.109.254.0 255.255.254.0
object network MessageLabs07
subnet 194.106.220.0 255.255.254.0
object network MessageLabs08
subnet 194.245.230.0 255.255.254.0
object network MessageLabs09
host 195.245.230.51
object network MessageLabs10
host 195.245.230.83
object network MessageLabs11
host 85.158.136.83
object network BGF-SSL01
host 172.16.1.252
object network BGF-SSLVPNUsers
range 172.16.1.50 172.16.1.150
object network MirusPublicIP
range 87.85.95.130 87.85.95.131
object network LANNAT
subnet 10.37.23.0 255.255.255.0
object network DMZNAT
subnet 172.16.1.0 255.255.255.0
object network GWLANNAT
subnet 172.16.2.0 255.255.255.0
object network BGF-WAC02
host 172.16.2.230
object network DMZ
subnet 172.16.1.0 255.255.255.0
object network ToDMZ
subnet 192.168.101.0 255.255.255.0
object network GWLAN
subnet 172.16.2.0 255.255.255.0
object network BGF-SSl01
object-group network MessageLabServers
network-object object MessageLabs01
network-object object MessageLabs02
network-object object MessageLabs03
network-object object MessageLabs04
network-object object MessageLabs05
network-object object MessageLabs06
network-object object MessageLabs07
network-object object MessageLabs08
network-object object MessageLabs09
network-object object MessageLabs10
network-object object MessageLabs11
access-list outside-in remark ##### Traffic From Outside #####
access-list outside-in extended permit icmp any any
access-list outside-in extended permit ip object BGF-SSL01 object LAN
access-list outside-in extended permit tcp object-group MessageLabServers object BGF-EX01 eq smtp
access-list outside-in extended permit tcp object MirusPublicIP object BGF-EX01 eq smtp
access-list outside-in extended permit ip object BGF-SSLVPNUsers object LAN
access-list outside-in extended permit ip object BGF-WAC02 object LAN
access-list outside-in extended permit tcp any object BGF-SSL01 eq https
access-list lan-in remark ##### Traffic From LAN #####
access-list lan-in extended permit icmp any any
access-list lan-in extended permit tcp object BGF-EX01 any eq smtp
access-list lan-in extended deny tcp any any eq smtp
access-list lan-in extended deny tcp any any eq pop3
access-list lan-in extended deny tcp any any eq imap4
access-list lan-in extended permit ip object LAN any
access-list dmz-in remark ##### Traffic From DMZ #####
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip object LAN any
access-list dmz-in extended permit ip object DMZ any
access-list dmz-in extended permit ip object GWLAN any
pager lines 24
logging enable
logging asdm informational
mtu LAN 1500
mtu ToDMZ 1500
mtu Outside 1500
ip verify reverse-path interface LAN
ip verify reverse-path interface ToDMZ
failover
failover lan unit primary
failover lan interface Failover Management0/0
failover interface ip Failover 192.168.10.254 255.255.255.252 standby 192.168.10.253
no monitor-interface LAN
no monitor-interface ToDMZ
no monitor-interface Outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network BGF-EX01
nat (LAN,Outside) static 213.15.x.x
object network BGF-SSL01
nat (ToDMZ,any) static 213.15.x.x
object network LANNAT
nat (LAN,Outside) dynamic interface
object network DMZNAT
nat (ToDMZ,Outside) dynamic interface
object network GWLANNAT
nat (ToDMZ,Outside) dynamic interface
access-group lan-in in interface LAN
access-group dmz-in in interface ToDMZ
access-group outside-in in interface Outside
!
router eigrp 10
no auto-summary
network 10.37.23.0 255.255.255.0
network 192.168.101.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 192.168.1.1 5
route Outside 0.0.0.0 0.0.0.0 213.15.x.x 10
route Outside 0.0.0.0 0.0.0.0 213.15.x.x 20
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.37.23.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.37.23.0 255.255.255.0 LAN
ssh 192.168.101.0 255.255.255.0 ToDMZ
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password bEGO7dWKoixYUC.b encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect esmtp Allow_TLS
description Allow TLS
parameters
  allow-tls
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f80c67330b0363b42f850d5722305939
: end

DMZ ASA

ASA Version 8.3(1)
!
hostname BGF-ASA03
domain-name x.co.uk
enable password dzR/i52oKB2qKunT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
description DMZ
nameif DMZ
security-level 49
ip address 172.16.1.254 255.255.255.0 standby 172.16.1.253
!
interface Ethernet0/2
description OutsideDMZ
nameif OutsideDMZ
security-level 41
ip address 192.168.101.252 255.255.255.0 standby 192.168.101.251
!
interface Ethernet0/3
description GWLAN
nameif GWLAN
security-level 48
ip address 172.16.2.254 255.255.255.0 standby 172.16.2.253
!
interface Management0/0
description LAN Failover Interface
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name x.co.uk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network BGF-SSL01
host 172.16.1.252
object network BGF-SSLVPNUsers
range 172.16.1.50 172.16.1.150
object network DMZ
subnet 172.16.1.0 255.255.255.0
object network GWLAN
subnet 172.16.2.0 255.255.255.0
object network LAN
subnet 10.37.23.0 255.255.255.0
object network ToLAN
subnet 192.168.101.0 255.255.255.0
access-list outside-in remark ##### Traffic From Outside #####
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any object BGF-SSL01 eq https
access-list outside-in extended permit ip object LAN object DMZ
access-list outside-in extended permit ip object LAN object BGF-SSLVPNUsers
access-list outside-in extended permit ip object LAN object GWLAN
access-list dmz-in remark ##### Traffic From DMZ #####
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip object BGF-SSLVPNUsers any
access-list dmz-in extended permit ip object DMZ any
access-list dmz-in extended permit ip object ToLAN any
access-list gwlan-in remark ##### Traffic From GuestWLAN #####
access-list gwlan-in extended permit icmp any any
access-list gwlan-in extended deny ip object GWLAN object DMZ
access-list gwlan-in extended deny ip object GWLAN object BGF-SSLVPNUsers
access-list gwlan-in extended deny ip object GWLAN object LAN
access-list gwlan-in extended permit ip object GWLAN any
access-list gwlan-in extended permit ip object ToLAN any
pager lines 24
logging enable
logging asdm informational
mtu DMZ 1500
mtu OutsideDMZ 1500
mtu GWLAN 1500
ip verify reverse-path interface DMZ
ip verify reverse-path interface OutsideDMZ
failover
failover lan unit primary
failover lan interface Failover Management0/0
failover interface ip Failover 192.168.11.254 255.255.255.252 standby 192.168.11.253
no monitor-interface DMZ
no monitor-interface OutsideDMZ
no monitor-interface GWLAN
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
access-group dmz-in in interface DMZ
access-group outside-in in interface OutsideDMZ
access-group gwlan-in in interface GWLAN
!
router eigrp 10
no auto-summary
network 172.16.1.0 255.255.255.0
network 172.16.2.0 255.255.255.0
network 192.168.101.0 255.255.255.0
!
route OutsideDMZ 0.0.0.0 0.0.0.0 192.168.101.254 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 172.16.1.0 255.255.255.0 DMZ
http 10.37.23.0 255.255.255.0 OutsideDMZ
http 192.168.101.0 255.255.255.0 OutsideDMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 DMZ
ssh 10.37.23.0 255.255.255.0 OutsideDMZ
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password bEGO7dWKoixYUC.b encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9fc1878cdc94a506ad5bb017cb3c9a42
: end

[Diagram: Capture.JPG (image not available)]

1 Reply

craigie1977
Level 1

I have resolved the issue: I had applied the NAT statement for BGF-SSL01 on the wrong ASA.

Once I removed this from the LAN ASA and popped it onto DMZ ASA, everything worked!
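An added example, not from the original thread: a small Python lint that parses an ASA 8.3-style config and flags static object NAT rules whose real address is not on a subnet directly connected to the rule's real interface, which is the misplacement the reply describes (BGF-SSL01 at 172.16.1.252 NATed on the LAN ASA's ToDMZ interface, 192.168.101.0/24). The config text is a constructed excerpt of the LAN ASA config above; dynamic PAT for routed subnets is deliberately skipped because that is normal.

```python
import ipaddress
import re

# Constructed excerpt of the LAN ASA (BGF-ASA01) config from the post.
LAN_ASA_CONFIG = """\
interface Ethernet0/0
 nameif LAN
 ip address 10.37.23.254 255.255.255.0
interface Ethernet0/1
 nameif ToDMZ
 ip address 192.168.101.254 255.255.255.0
object network BGF-EX01
 host 10.37.23.11
object network BGF-SSL01
 host 172.16.1.252
object network BGF-EX01
 nat (LAN,Outside) static 213.15.x.x
object network BGF-SSL01
 nat (ToDMZ,any) static 213.15.x.x
"""

def parse(config):
    """Collect connected subnets per nameif, object addresses and object NAT rules."""
    ifaces, objects, rules = {}, {}, []
    cur_if = cur_obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            cur_if, cur_obj = line.split()[1], None
        elif line.startswith("ip address ") and cur_if:
            _, _, addr, mask = line.split()[:4]
            ifaces[cur_if] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif line.startswith("host ") and cur_obj:
            objects[cur_obj] = ipaddress.ip_network(line.split()[1] + "/32")
        elif line.startswith("subnet ") and cur_obj:
            _, addr, mask = line.split()
            objects[cur_obj] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("nat (") and cur_obj:
            m = re.match(r"nat \((\S+),(\S+)\) (static|dynamic)", line)
            rules.append((cur_obj, m.group(1), m.group(2), m.group(3)))
    return ifaces, objects, rules

def misplaced_static_nat(config):
    """Static object NAT rules whose real host/subnet is not directly connected
    to the real interface on this ASA: candidates for living on another firewall."""
    ifaces, objects, rules = parse(config)
    return [(obj, real_if, str(objects[obj]))
            for obj, real_if, _mapped, kind in rules
            if kind == "static" and obj in objects and real_if in ifaces
            and not objects[obj].subnet_of(ifaces[real_if])]
```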
