ASA NAT config question
flipmad
Member Posts: 184
I am building a Lab with a 5510 simulating my computer as the cloud and I have a 1751 plugged into the LAN interface of the ASA. I want to be able create a NAT to connect to the router via a public IP.
For some reason it doesnt seem to work
Here is what I have
interface Ethernet0/0
description LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 10.255.255.1 255.255.255.0
!
interface Ethernet0/1
description SIM_WAN
nameif outside
security-level 0
ip address 12.127.153.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ROUTER
host 12.127.153.3
object network ROUTER-NAT
host 10.255.255.2
access-list 101 extended permit icmp any any
access-list 103 extended permit icmp any any
access-list 103 extended permit ip object ROUTER-NAT any
access-list 103 extended permit ip any host 12.127.153.3
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static ROUTER ROUTER-NAT
!
object network obj_any
nat (inside,outside) dynamic interface
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 12.127.153.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.255.255.0 255.255.255.0 inside
http 12.127.153.0 255.255.255.0 outside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.255.255.0 255.255.255.0 inside
ssh 12.127.153.0 255.255.255.0 outside
Router is set to 10.255.255.2
I can ping between ASA and the router
I apologize beforehand if this is a simple request. I am newer to the ASA and the object groupings is new to me
For some reason it doesnt seem to work
Here is what I have
interface Ethernet0/0
description LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 10.255.255.1 255.255.255.0
!
interface Ethernet0/1
description SIM_WAN
nameif outside
security-level 0
ip address 12.127.153.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ROUTER
host 12.127.153.3
object network ROUTER-NAT
host 10.255.255.2
access-list 101 extended permit icmp any any
access-list 103 extended permit icmp any any
access-list 103 extended permit ip object ROUTER-NAT any
access-list 103 extended permit ip any host 12.127.153.3
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static ROUTER ROUTER-NAT
!
object network obj_any
nat (inside,outside) dynamic interface
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 12.127.153.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.255.255.0 255.255.255.0 inside
http 12.127.153.0 255.255.255.0 outside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.255.255.0 255.255.255.0 inside
ssh 12.127.153.0 255.255.255.0 outside
Router is set to 10.255.255.2
I can ping between ASA and the router
I apologize beforehand if this is a simple request. I am newer to the ASA and the object groupings is new to me
Comments
-
johnwest43 Member Posts: 294what version os are you running?CCNP: ROUTE B][COLOR=#ff0000]x[/COLOR][/B , SWITCH B][COLOR=#ff0000]x[/COLOR][/B, TSHOOT [X ] Completed on 2/18/2014
-
johnwest43 Member Posts: 294Old config (static)
static (inside,outside) 1.1.1.1 10.0.0.1 netmask 255.255.255.255
New config 8.3 (static)
object network whatever_name_you_want
host 10.0.0.1
nat (inside,outside) static 1.1.1.1
Old config (Dynamic PAT, NAT Overload)
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.1.2
New config (Dynamic PAT, NAT Overload)
object network whatever_name_you_want
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic 1.1.1.2 or dynamic interface
Hope this helps. I haven't played with 8.3 that much yet but I hate the fact that they depreciate commands.CCNP: ROUTE B][COLOR=#ff0000]x[/COLOR][/B , SWITCH B][COLOR=#ff0000]x[/COLOR][/B, TSHOOT [X ] Completed on 2/18/2014 -
flipmad Member Posts: 184I really appreciate the help. I dont know what I'm missing. I can ping the internal IP, but I cannot ping the public IP
object network ROUTER
host 10.255.255.2
object network ROUTER
nat (inside,outside) static 12.127.153.3
access-list 103 extended permit icmp any any
access-list 103 extended permit ip any host 12.127.153.3
access-group 103 in interface outside
interface Ethernet0/1
description SIM_WAN
nameif outside
security-level 0
ip address 12.127.153.1 255.255.255.0
ping 10.255.255.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c827:94f9:7876:d09b%12
IPv4 Address. . . . . . . . . . . : 12.127.153.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 12.127.153.1
Ping statistics for 12.127.153.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Ping statistics for 12.127.153.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), -
johnwest43 Member Posts: 294are you pinging the outside interface from inside or outside the network?
try replacing access-list 103 extended permit ip any host 12.127.153.3
with access-list 103 extended permit ip any host 10.255.255.2
in 8.3 i believe you use the actual/real IP address of the host when used in conjunction with the acess-group command.
Let me know if this works.CCNP: ROUTE B][COLOR=#ff0000]x[/COLOR][/B , SWITCH B][COLOR=#ff0000]x[/COLOR][/B, TSHOOT [X ] Completed on 2/18/2014 -
flipmad Member Posts: 184Im was hoping that would do the trick too. But still the same.
I am doing some reading up also, this is driving me nuts. I have ASDM built on the ASA, but I have much more experience with the CLI -
johnwest43 Member Posts: 294enter debug icmp trace on the asa and then ping the router from the outside interface. This will let you know if it is getting through the asa. also do you have a default route configured on the router to allow a response back?
router(config)# ip route 0.0.0.0 0.0.0.0 10.255.255.1
when you try this remember to use the actual ip address of the router in your acl on the ASA as shown in my previous post.CCNP: ROUTE B][COLOR=#ff0000]x[/COLOR][/B , SWITCH B][COLOR=#ff0000]x[/COLOR][/B, TSHOOT [X ] Completed on 2/18/2014 -
flipmad Member Posts: 184Ok so maybe this is my issue, or not?
I am simulating the internet on my computer as 12.127.153.2
so my default route is 0.0.0.0 0.0.0.0 12.127.153.2
so when I ping 12.127.153.3 I am trying to translate to my 10.255.255.2 which is the router I have plugged into e0/0 interface.
Unless the problem is because I am coming from the same subnet
The debugs look like they translate from public Ip to public IP and "untranslate" from public to private..
my debugs
LABASA# ICMP echo request from outside:12.127.153.2 to inside:12.127.153.3 ID=1 seq=32 len=32
ICMP echo request untranslating outside:12.127.153.3 to inside:10.255.255.2
ICMP echo request from outside:12.127.153.2 to inside:12.127.153.3 ID=1 seq=33 len=32
ICMP echo request untranslating outside:12.127.153.3 to inside:10.255.255.2
ICMP echo request from outside:12.127.153.2 to inside:12.127.153.3 ID=1 seq=34 len=32
ICMP echo request untranslating outside:12.127.153.3 to inside:10.255.255.2
ICMP echo request from outside:12.127.153.2 to inside:12.127.153.3 ID=1 seq=35 len=32
ICMP echo request untranslating outside:12.127.153.3 to inside:10.255.255.2
Sorry about the spoon feeding. I have been so busy today that I havent gotten a chance to play with it much -
johnwest43 Member Posts: 294That output shows that the message is not being denied by an acl so its making it to the inside interface.
can you post the router config?CCNP: ROUTE B][COLOR=#ff0000]x[/COLOR][/B , SWITCH B][COLOR=#ff0000]x[/COLOR][/B, TSHOOT [X ] Completed on 2/18/2014 -
flipmad Member Posts: 184Router has a very basic config. I have the FE connected to the ASA and I have the Serial interface plugged into another router with a T1 cross over cable. No access-lists
I can ping the ASA from the Router
LAB#ping 10.255.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.1, timeout is 2 seconds:
!!!!!
LAB#sh run
Building configuration...
Current configuration : 1331 bytes
!
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LAB
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
!
!
ip domain name test.com
!
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.255.255.2 255.255.255.0
speed 100
full-duplex
!
interface Serial0/0
ip address 12.127.154.2 255.255.255.0
encapsulation ppp
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 12.127.154.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1000
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
end -
johnwest43 Member Posts: 294Your current config knows where to send the packets but it doesnt know how to get them their.
remove ip route 0.0.0.0 0.0.0.0 12.127.154.1
add ip route 0.0.0.0 0.0.0.0 10.255.255.1
(the address of the ASA on the directly connected interface)
that should cure the rest of the problem.
let me know how it works out.CCNP: ROUTE B][COLOR=#ff0000]x[/COLOR][/B , SWITCH B][COLOR=#ff0000]x[/COLOR][/B, TSHOOT [X ] Completed on 2/18/2014 -
flipmad Member Posts: 184I actually left my default route, because I want to simulate internet traffic going across the serial interface to my other router
I added
ip route 12.127.153.0 255.255.255.0 10.255.255.1
IT works!
Now, I figured that because the ASA was NATTING the 12.127.153.3 address to 10.255.255.2 that the request from the ASA would come in from 10.255.255.1 so I wouldnt need a route because the 10.255.255.x is directly connected.
But it actually looks like the ASA is actually sending from the 12.127.153.x subnet and the router was basically sending it out my serial interface because that is where my default route was set.
Now because the ASA is natting, why wouldnt the request come from the 10.255.255.x subnet and the router never even sees the public subnet? -
flipmad Member Posts: 184Ok, i drew this out and I understand why. Amazing that i was thinking this was the ASA issue the whole time when the router was my culprit.
I really appreciate you helping me on this.
I was so caught up in the old/new syntax that I was blind to what was really happening.
Thanks for the schooling, I learned from it. -
johnwest43 Member Posts: 294glad to help. I have found that if you sketch out your topo you usually find the issue. Just remember the simplest answer is always the place to start.CCNP: ROUTE B][COLOR=#ff0000]x[/COLOR][/B , SWITCH B][COLOR=#ff0000]x[/COLOR][/B, TSHOOT [X ] Completed on 2/18/2014
-
kamarulazrin Member Posts: 7 ■□□□□□□□□□COOL!!! I just love reading at how people do trobleshooting!!
now I'm more determined than ever to take my CCNA Security.
Thanks guys!!:)