cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1943
Views
0
Helpful
6
Replies

Static NAT on an ASA 5505

crewdog10
Level 1
Level 1

Hello I'm new to the forum. Hope this works out. Basically I have a test lab consisting of two ASA's both running IOS 8.4. I would like to connect the outside interface of ASA2 to the DMZ on ASA1 and use the outside interface on ASA1 for ISP connectivity. On the ASA 2 I cannot get my internal hosts to ping either ASA1's DMZ interface or ASA2's Outside Interface. They can ping ASA2's internal IP. From each ASA I can also ping the 5.1 and 5.2 IP addresses. I have configured NAT according to the 8.4 IOS CLI guide but it does not appear to be working. I have also attached my config from ASA2. What am I missing to nat from the inside to outside interfaces?

ASA1 (Internet Connected)

DMZ: 192.168.5.1 /24

Outside: DHCP from ISP

ASA2 (Internal Test Lab)

Outside: 192.168.5.2 /24

Internal: 172.16.0.1 /16

ASA Version 8.4(2)5

!

hostname ASA2

enable password **************** encrypted

passwd **************** encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 172.16.0.1 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.5.2 255.255.255.0

!

boot system disk0:/asa842-5-k8.bin.exe

ftp mode passive

object network NatInternal

subnet 172.16.0.0 255.255.0.0

object network NatInternal_mapped

subnet 192.168.5.0 255.255.255.0

object network Internal_Range

range 172.16.0.11 172.16.0.17

object network External_Range

range 192.168.5.11 192.168.5.17

object network natinternal

object-group network obj_any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NatInternal NatInternal_mapped destination st

atic Internal_Range External_Range

route outside 0.0.0.0 0.0.0.0 192.168.5.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 172.16.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DD

CEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c2bda9f1ae788fef7d24aa19b7bf9c83

: end

6 Replies 6

crewdog10
Level 1
Level 1

Wow not a single reply for an easy question. Did I post this in the wrong area?

Hi,

on ASA2 try this:

policy-map global_policy

class inspection_default

inspect icmp

Regards.

Alain.

Don't forget to rate helpful posts.

That didn't work. I don't think it's an issue with ping but with how I set up nat.

Ed

1) you will need Alain's config because you need to tell ASA1 to allow ICMP back in

2) you won't be able to ping ASA1's outside interface from behind ASA2. It is a security feature that you cannot ping through an ASA to an interface. You should try pinging beyond ASA1 ie. the internet but you will need to add Alain's config to ASA1 as well.

3) You should be able to ping ASA1 dmz IP. Your NAT setup is a bit cut off in what you posted. Can you describe exactly what it is meant to be doing ?  Also do you need to NAT one set of IPs to another or would it be okay if you natted all internal 172.16.x.x. addresses to the 192.168.5.2 address assigned to the outside IP of ASA2 ?

4) There is a firewalling forum but you may as well keep it here now

5) How do you know it is such an easy question

Jon

First off, thank you both Alain and John. I am now able to ping from my VM'S on ASA2 to the DMZ interface of ASA1. Great! My intention was to have the IP's statically mapped to make troubleshooting easier. Ideally I'd like to have:

VM on ASA2           NAT'd to

172.16.0.11             192.168.5.11

172.16.0.12             192.168.5.12

172.16.0.13             192.168.5.13

Etc.... And from the DMZ of ASA1 use PAT to the outside interface for the ISP connection.

Now although my VM's can now ping ASA1 (192.168.5.1), on the ASDM for ASA1 it shows that the source IP address is 192.168.5.2 and not what I would like to be 192.168.5.11 for VM1.

The last challenge I have is getting the VM's on the internet. I thought that on ASA1 I could just copy the rule "nat (inside,outside) after-auto source dynamic any interface" and paste it to "nat (dmz,outside) after-auto source dynamic any interface dns" but that did not work. I also noticed that inbound DNS queries from ASA2 to ASA1 are being denied.

Ideally I'd like the VM's statically NAT'ed and be able to get them on the internet.

Any help is appreciated.

I got on the ISP by changing the DMZ security level to 50. Now all I have to work on is the static NAT which I can do a bit later. Thank you Sir's ;-)

Review Cisco Networking for a $25 gift card