ASA NAT/Traceroute Inside to Outside Issues

Hi All,
Product in question: ASA5512-x in HA Active/Standby Failover mode
When running a ping from the inside network to a device on the internet I receive replies and all is good.  However when running a traceroute from inside the network to a device on the internet I receive timeouts which look to be caused by an ACL deny rule, that being "outside/internet_access_in".  If I quickly add an access rule for "outside/internet" incoming rule and allow any any with ICMP_Group then I get replies and the ACL is allowing it, however the replies for the traceroute are always the same, which is the device IP you're tracing.  I wouldn't think you would want an outside/internet incoming rule for this kind of service as it would open you up and kinda defeat the purpose of the firewall etc.
To me it sounds like NAT is certainly causing some weirdness here, possibly the way it's set up...
The following is the explanation from the Deny message on syslog.
%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)]
dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)]
[type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]
A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information are provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.
Following are the 2 NAT rules in place at the moment - The first one was auto created when configuring a site-to-site VPN, which is meant to tell the traffic over the VPN not to NAT.
nat (inside,internet) source static Private_Network_Classes Private_Network_Classes destination static Test_VPN_Site Test_VPN_Site no-proxy-arp route-lookup
nat (inside,internet) source dynamic any interface
I hope this gives some insight into the issue I am having and someone can suggest some fixes/reconfigs to work around this.  It certainly hasn't been easy trying to explain what is occurring here in writing.
Thank you for your time.

Hi Jouni,
I would agree with your comments as well after obtaining better understanding of the issue myself with your support.
As per request below is exact syslog message from traceroute.
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:21|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:17|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:13|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:00:02|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:00:00|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:57|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:55|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:53|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:51|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:50|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:48|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
Software Version:
Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(3)
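The deny pattern in the syslog above, repeated %ASA-4-106023 drops of ICMP type 11 (time-exceeded) from the internet interface to the one inside host running the traceroute, can be picked out of an ASDM syslog export automatically. The Python below is an added example, not code from the thread or from Cisco; its log rows are constructed, and the grouping threshold (three distinct hops within two minutes) is an assumption of the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample rows in the ASDM syslog-export layout seen in the thread:
# severity|date|time|msg-id|src|sport|dst|dport|message. Internet-side addresses
# are made up from documentation ranges; inside host and interface names follow
# the post. The type-8 row is an unsolicited inbound echo request: the ACL is
# right to deny it and it must not count as a dropped traceroute reply.
SAMPLE_LOG = """\
6|May 27 2013|10:18:47|302021|198.51.100.9|0|172.18.20.12|1|Teardown ICMP connection for faddr 198.51.100.9/0 gaddr 203.0.113.5/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:45|106023|198.51.100.7||172.18.20.12||Deny icmp src internet:198.51.100.7 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:43|302021|198.51.100.9|0|172.18.20.12|1|Teardown ICMP connection for faddr 198.51.100.9/0 gaddr 203.0.113.5/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:41|106023|198.51.100.8||172.18.20.12||Deny icmp src internet:198.51.100.8 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:37|106023|198.51.100.6||172.18.20.12||Deny icmp src internet:198.51.100.6 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:33|106023|198.51.100.5||172.18.20.12||Deny icmp src internet:198.51.100.5 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:30|106023|198.51.100.20||172.18.20.40||Deny tcp src internet:198.51.100.20/51515 dst inside:172.18.20.40/443 by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:29|106023|198.51.100.4||172.18.20.12||Deny icmp src internet:198.51.100.4 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|09:00:00|106023|198.51.100.99||172.18.20.12||Deny icmp src internet:198.51.100.99 dst inside:172.18.20.12 (type 8, code 0) by access-group "internet_access_in" [0x0, 0x0]
"""

# Body of %ASA-4-106023 for ICMP: interface-qualified real (untranslated) IPs.
DENY_ICMP = re.compile(
    r'Deny icmp src (?P<src_if>[\w-]+):(?P<src>[\d.]+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# ICMP error types a traceroute legitimately receives back: time-exceeded from
# each intermediate hop, unreachable (port unreachable) from a UDP target.
ICMP_ERROR_TYPES = {11: "time-exceeded", 3: "unreachable"}


@dataclass
class IcmpDeny:
    ts: datetime
    src_if: str
    src: str
    dst_if: str
    dst: str
    icmp_type: int
    icmp_code: int
    acl: str


def parse_icmp_denies(lines: Iterable[str]) -> List[IcmpDeny]:
    """Keep only 106023 rows whose body is an ICMP deny; ignore everything else."""
    out: List[IcmpDeny] = []
    for line in lines:
        fields = line.rstrip("\n").split("|", 8)
        if len(fields) != 9 or fields[3] != "106023":
            continue
        m = DENY_ICMP.search(fields[8])
        if not m:
            continue
        ts = datetime.strptime(f"{fields[1]} {fields[2]}", "%b %d %Y %H:%M:%S")
        out.append(IcmpDeny(ts, m["src_if"], m["src"], m["dst_if"], m["dst"],
                            int(m["type"]), int(m["code"]), m["acl"]))
    return out


def find_dropped_traceroute_replies(denies: Iterable[IcmpDeny], untrusted_ifs: set,
                                    window_s: int = 120, min_hops: int = 3) -> Dict[str, dict]:
    """Heuristic of this example (not an ASA feature): an inside host receiving
    ICMP error denies from >= min_hops distinct internet sources within window_s
    seconds is almost certainly a traceroute whose hop replies the ACL discards."""
    by_host: Dict[str, List[IcmpDeny]] = defaultdict(list)
    for d in denies:
        if d.src_if in untrusted_ifs and d.icmp_type in ICMP_ERROR_TYPES:
            by_host[d.dst].append(d)
    findings: Dict[str, dict] = {}
    for host, evts in by_host.items():
        evts.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end in range(len(evts)):  # sliding time window over sorted denies
            while (evts[end].ts - evts[start].ts).total_seconds() > window_s:
                start += 1
            window = evts[start:end + 1]
            hops = {e.src for e in window}
            if len(hops) >= min_hops and (best is None or len(hops) > best["distinct_hops"]):
                best = {"distinct_hops": len(hops), "acl": window[-1].acl,
                        "types": sorted({ICMP_ERROR_TYPES[e.icmp_type] for e in window}),
                        "first": window[0].ts, "last": window[-1].ts}
        if best:
            findings[host] = best
    return findings


def analyze(text: str, untrusted_ifs=("internet", "outside")) -> Dict[str, dict]:
    return find_dropped_traceroute_replies(parse_icmp_denies(text.splitlines()), set(untrusted_ifs))


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_LOG).items():
        print(f"{host}: replies from {f['distinct_hops']} hops ({', '.join(f['types'])}) "
              f"dropped by ACL {f['acl']} {f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}")
```

The remedy on the ASA side is ICMP error inspection ("inspect icmp" and "inspect icmp error" in the global service policy), which matches these error replies to the inside host's own outbound ICMP connection and translates them through NAT, instead of the inbound permit icmp any any the opening post tried.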

Similar Messages

  • ASA access from inside to outside interface

    Hi
    We need to make access on our ASA device from inside network to outside interface.
    The situation is next:
    We have public external ip address and we need to access it from our inside network.
    Can you please tell me if it is possible to do this?
    Thank you.

    That's right, the solution is named Hairpinning aka U-turn.
    The dynamic rule was the one suggested in my first reply:
    global (inside) 1* interface           *Assume you are using number one

  • NAT (INSIDE To OUTSIDE)

    I need Configuration of this topology
    At Outside Router
    int f0/0
    ip add 10.1.1.2 255.255.255.0
    At Inside Router
    int f0/0
    ip add 192.168.1.2 255.255.255.0
    At ASA
    int e0
    ip add 10.1.1.1 255.255.255.0
    int e1
    ip add 192.168.1.1 255.255.255.0
    I want NAT from inside to outside and also need ACL configuration and attached diagram.
    and version of ASA is 8.2
    Navaz       
    Message was edited by: Navaz Wattoo

    THIS IS MY ASA CONFIGURATION
    ciscoasa(config)# sh running-config
    : Saved
    ASA Version 8.0(2)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OUT extended permit tcp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
    access-group OUT in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end
    ciscoasa(config)#
    THIS IS MY OUTSIDE ROUTER CONFIGURATION
    R1(config)#do sh run
    Building configuration...
    Current configuration : 877 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 10.1.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 192.168.1.0 255.255.255.0 10.1.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R1(config)#
    THIS IS MY INSIDE ROUTER CONFIGURATION
    R2(config)#do sh run
    Building configuration...
    Current configuration : 880 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 192.168.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 10.1.1.0 255.255.255.0 192.168.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R2(config)#
    Navaz

  • How to allow a subnet for a number of hosts to surf internet and ping from inside and outside in ASA in GNS3?

    After trying to set up the access list, it returns drop in packet tracer and cannot ping the outside router either.
    Is there a configuration example to show how to allow a subnet of class C IP addresses to surf the internet in Cisco ASA?
    Assume all works in GNS3; expect the initial network setup too.
    inside                                               outside
    router A 192.168.1.2 <---> switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3
    ASA version: 8.42 
    When I try the following commands,
    ASA
    conf t
    interface GigabitEthernet 0
    description INSIDE
    nameif inside
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    no shut
    end
    conf t
    interface GigabitEthernet 1
    description OUTSIDE
    no shutdown
    nameif outside
    security-level 100
    ip address 192.168.1.4 255.255.255.0
    no shut
    end
    conf t
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface
    end
    conf t
    access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
    access-group USERSLIST in interface inside
    end
    Router A
    conf t
    int fastEthernet 0/0
    ip address 192.168.1.2 255.255.255.0
    no shut
    end
    Router B
    conf t
    int fastEthernet 0/0
    ip address 192.168.1.3 255.255.255.0
    no shut
    end
    ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop

    Current config cannot ping; one packet tracer allows all, another packet tracer drops.
    Cannot ping between Router A and Router B.
    ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0   outside
    Phase: 2
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    object network DYNAMIC-PAT
     nat (inside,outside) dynamic interface
    Additional Information:
    Dynamic translate 192.168.1.2/1 to 192.168.3.4/311
    Phase: 4
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 14, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: 
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    ASA-1# 
    ASA-1# sh run |
    : Saved
    ASA Version 8.4(2) 
    hostname ASA-1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     description INSIDE
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    interface GigabitEthernet1
     description OUTSIDE
     nameif outside
     security-level 0
     ip address 192.168.3.4 255.255.255.0 
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    object network DYNAMIC-PAT
     subnet 192.168.1.0 255.255.255.0
    access-list 101 extended permit icmp any any echo-reply 
    access-list 101 extended permit icmp any any source-quench 
    access-list 101 extended permit icmp any any unreachable 
    access-list 101 extended permit icmp any any time-exceeded 
    access-list ACL-OUTSIDE extended permit icmp any any 
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network DYNAMIC-PAT
     nat (inside,outside) dynamic interface
    access-group ACL-OUTSIDE in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
    : end
    ASA-1# 
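    The config above carries two inbound ACLs, access-list 101 (four ICMP reply types) and ACL-OUTSIDE (all ICMP), and the packet-tracer run shows a TCP probe from outside dropped by the implicit rule. The following is an added example, not Cisco code and not from the poster: a small evaluator that parses those ACE lines and applies the ASA's first-match, then implicit-deny semantics, so one can see which replies each ACL would admit and why the TCP probe is dropped by both. The source and destination addresses used in the checks are constructed; only the ACE lines come from the config.

```python
"""Minimal evaluator for Cisco ASA extended ACLs (added example for this
thread; not Cisco code and not from any poster). It parses the
``access-list ... extended`` lines quoted in the config above and applies
them with first-match semantics and the implicit deny at the end."""
import ipaddress
import re

# ICMP type names as written in ASA ACEs, mapped to numeric ICMP types.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4,
    "echo": 8, "time-exceeded": 11,
}

ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _take_address(tokens):
    """Consume one address spec from the token list: any | host X | A MASK."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                       # dotted netmask, as the ASA writes it
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acls(config_text):
    """Return {acl_name: [ace, ...]} preserving the configured order."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _take_address(tokens)
        dst = _take_address(tokens)
        icmp_type = None                       # None means "any ICMP type"
        if proto == "icmp" and tokens:
            icmp_type = ICMP_TYPES[tokens[0]]
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src,
             "dst": dst, "icmp_type": icmp_type})
    return acls


def evaluate(aces, proto, src, dst, icmp_type=None):
    """First matching ACE decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"]
    return "deny (implicit)"


# The ACE lines quoted from the config above (constructed sample text).
SAMPLE_CONFIG = """
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list ACL-OUTSIDE extended permit icmp any any
"""


def traceroute_verdicts(acl_name, config_text=SAMPLE_CONFIG):
    """What an inbound ACL does to the ICMP a traceroute relies on, plus a TCP probe."""
    aces = parse_acls(config_text)[acl_name]
    outside, inside = "203.0.113.9", "192.168.1.1"   # constructed addresses
    return {
        "time-exceeded": evaluate(aces, "icmp", outside, inside, 11),
        "echo-reply": evaluate(aces, "icmp", outside, inside, 0),
        "echo-request": evaluate(aces, "icmp", outside, inside, 8),
        "tcp-syn": evaluate(aces, "tcp", "192.168.3.3", "192.168.1.2"),
    }
```

    The ASA's own ICMP inspection (inspect icmp and inspect icmp error, which a later reply on this page suggests) changes which of these replies still need an explicit ACE, because inspected replies are matched to the outbound connection; the model covers the ACL half only.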

  • Internet Access from Inside to Outside ASA 5510 ver 9.1

    Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
    I get errors like this when I try Packet Tracer:
    (nat-xlate-failed) NAT failed
    (acl-drop) Flow is denied by configured rule
    Version Information:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    Device Manager Version 7.1(5)
    Compiled on Thu 05-Dec-13 19:37 by builders
    System image file is "disk0:/asa914-k8.bin"
    Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
    Thank You!
    Config:
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    domain-name inside.int
    enable password <redacted> encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd <redacted> encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.199.199.123 255.255.255.240
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.199.199.4
    domain-name inside.int
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit ip any any
    access-list INSIDE-IN extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
      nat (Inside,Outside) dynamic interface
    access-group INSIDE-IN in interface Inside
    access-group OUTSIDE-IN in interface Outside
    router rip
    network 10.0.0.0
    network 199.199.199.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username <redacted> password <redacted> encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
      parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
       inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
       subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum: <redacted>
    : end
    SH NAT:
    ASA5510# sh nat
    Manual NAT Policies (Section 1)
    1 (Inside) to (Outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    Auto NAT Policies (Section 2)
    1 (Inside) to (Outside) source dynamic inside-net interface
         translate_hits = 0, untranslate_hits = 0
    SH RUN NAT:
    ASA5510# sh run nat
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
    nat (Inside,Outside) dynamic interface
    SH RUN OBJECT:
    ASA5510(config)# sh run object
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object

    Hello Mitchell,
    First of all how are you testing this:
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    Take into consideration that the netmask is /30.
    The Twice NAT is good, ACLs are good.
    Do the following and provide us the result:
    packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
    packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
    And provide us the result!
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    Note: Check my website, there is a video about this that might help you.
    http://laguiadelnetworking.com

  • ASA 5510 traffic from inside to outside

    Hello,
    I'm working on a basic configuration of a 5510 ASA.
    inside network of 192.168.23.0 /24
    outside network 141.0.x.0 /24
    config is as follows:
    interface Ethernet0/0
     nameif OUTSIDE
     security-level 0
     ip address 141.0.x.0 255.255.255.0
    interface Ethernet0/1
     nameif INSIDE
     security-level 50
     ip address 192.168.23.1 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list OUTSIDE_access_in extended permit icmp any any
    access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
    access-list INSIDE_access_in extended permit icmp any any
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 192.168.23.0 255.255.255.0
    access-group OUTSIDE_access_in in interface OUTSIDE
    access-group INSIDE_access_in in interface INSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
    In the lab, when I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop on the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used for the testing laptop, I cannot seem to be able to access the outside world.
    I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
    So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.
    Any ideas please?

    Version of FW:
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.3(1)
    Output of Packet-Trace Command is:
    SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   141.0.x.0      255.255.255.0   OUTSIDE
    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group INSIDE_access_in in interface INSIDE
    access-list INSIDE_access_in extended permit icmp any any
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (INSIDE) 0 192.168.23.0 255.255.255.0
      match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
        identity NAT translation, pool 0
        translate_hits = 104, untranslate_hits = 0
    Additional Information:
    Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (INSIDE) 0 192.168.23.0 255.255.255.0
      match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
        identity NAT translation, pool 0
        translate_hits = 107, untranslate_hits = 0
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 141, packet dispatched to next module
    Result:
    input-interface: INSIDE
    input-status: up
    input-line-status: up
    output-interface: OUTSIDE
    output-status: up
    output-line-status: up
    Action: allow
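    Both packet-tracer outputs on this page (the TCP probe from outside in the first thread, dropped by the implicit rule, and the ICMP trace above that ends in FLOW-CREATION) are read the same way: find the phase whose Result is DROP, or the last phase if there is none, and the trailing Drop-reason. Below is an added example, not Cisco code and not from any poster, that does that reading mechanically. The two sample traces embedded in it are constructed abridgements of the ones quoted here, with a pager prompt left in to show that it is skipped.

```python
"""Parser for Cisco ASA packet-tracer output (added example for this thread;
not Cisco code and not from any poster). It drops pager prompts, walks the
numbered phases and reports the phase that decided the verdict."""
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_packet_tracer(text):
    """Return (phases, summary); summary holds the trailing Result block."""
    phases, summary, current, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<--- More"):
            continue                              # pager residue from a paged session
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":                     # bare Result: opens the final summary
            current, section = None, None
            continue
        key, sep, value = line.partition(":")
        if current is not None:
            if key in ("Type", "Subtype", "Result") and sep:
                setattr(current, key.lower(), value.strip())
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section:
                getattr(current, section).append(line)
            continue
        m = re.match(r"Drop-reason:\s*\((\S+)\)\s*(.*)", line)
        if m:
            summary["drop_code"], summary["drop_text"] = m.groups()
        elif sep:
            summary[key.strip().lower()] = value.strip()   # input-interface, action, ...
    return phases, summary

def triage(text):
    """The ASA stops at the first DROP; otherwise the last phase carried the packet."""
    phases, summary = parse_packet_tracer(text)
    p = next((p for p in phases if p.result == "DROP"), phases[-1] if phases else None)
    return {
        "action": summary.get("action", ""),
        "phase": p.number if p else None,
        "type": p.type if p else "",
        "config": " | ".join(p.config) if p else "",
        "drop_code": summary.get("drop_code", ""),
    }

# Constructed abridgements of the two traces quoted in this thread.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
<--- More --->
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SAMPLE_ALLOW = """\
Phase: 1
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
Additional Information:
Phase: 2
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module
Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""
```

    Feed it the raw text of a paged session and the Config lines of the deciding phase tell you which rule to look at; for the first thread's trace that is "Implicit Rule" on the outside ACL, i.e. no ACE for TCP.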

  • Inside to outside many to 1 hide mode nat

    Hello
    I'm new to ASA configurations and needing some help with a configuration on a 5555-X running 8.6 code. I need to allow multiple network ip ranges from my inside network to multiple subnets on the outside so that the outside systems only see incoming traffic from one ip address and it can not be from the ip address of the outside interface. I was able to do this with a zone-based firewall and IOS nat statements but having difficulty doing the same thing in ASA's os.

    Hi ,
      It is pretty simple and straightforward; for your requirement you need to use:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1114283
    Information About Dynamic PAT
    Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers.
    Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
    Figure 27-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.
    Figure 27-10 Dynamic PAT
    After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access rule).
    NAT understanding
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Let me know if you need any help on this. You can do PAT with an extra IP address which is available on the outside interface; you need to have appropriate routing for the extra IP address.
    HTH
    sandy.

  • ASA 5505 unable to connect inside or outside

    Hello,
    I'm extremely new to router configurations, and am attempting to configure a backup ASA 5505 to use as a temporary access point in the event that our main ASA becomes unavailable. What I have done is loaded the running config from our main ASA onto the backup, and have made changes to necessary routes, IPs, etc. I can connect to it from a remote computer without problem, but I cannot access any of our servers, nor can I access the internet. I have also tried modifying the access list and NAT rules every which way from Sunday, but I still cannot get this thing to allow any information through. I keep getting "failed to locate egress interface for UDP from outside" errors.
    We are using Cisco AnyConnect to connect , and mind you, since the config for this backup ASA was taken from our main, it still has the original certificate info and profiles. I was told that this wouldn't matter, but I thought I should mention in case I need to remove any of it from the config.
    Here is part of the config file. I took out some information, but tried to keep it understandable. If anyone could point me in the right direction, it would be greatly appreciated!
    ciscoasa# show running-config
    : Saved
    : Serial Number: xxxxxxxxxxx
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    ASA Version 9.2(2)
    hostname ciscoasa
    domain-name domain
    enable password encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd encrypted
    names
    ip local pool pool1 x.x.9.22-x.x.9.254 mask 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address x.x.8.10 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address x.x.x.237 255.255.255.248
    boot system disk0:/asa922-k8.bin
    boot config disk0:/startup-config
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group Default
     name-server x.x.8.100
     domain-name domain
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network pool1
     subnet x.x.9.0 255.255.255.0
    object network outside-network
     host x.x.x.237
    object network Remote-Network
     subnet x.x.8.0 255.255.255.0
    object network local
    object network obj-x.x.9.24
     host x.x.9.24
    object-group network Outside-Network-Group
     description Outside Network Group
     network-object x.x.x.232 255.255.255.248
    object-group network Inside-Network-Group
     description Inside Network Group
     network-object x.x.8.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list NONAT extended permit ip x.x.8.0 255.255.255.0 x.x.9.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 30000
    logging buffered debugging
    logging asdm informational
    no logging message 106015
    no logging message 313001
    no logging message 313008
    no logging message 106023
    no logging message 710003
    no logging message 106100
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 302018
    no logging message 302017
    no logging message 302016
    no logging message 302021
    no logging message 302020
    flow-export destination inside x.x.8.132 2055
    flow-export template timeout-rate 1
    flow-export delay flow-create 50
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    asdm image disk0:/asdm-722.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static any any destination static pool1 pool1 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static Remote-Network Remote-Network no-proxy-arp route-lookup
    nat (outside,outside) source dynamic pool1 interface
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.x.232 1
    route inside x.x.11.0 255.255.255.0 x.x.11.1 1
    If you have any questions, or need any other information, please let me know.
    Thanks!

    Am I posting this in the wrong section? Anyone?

  • NAT outside to inside and inside to outside (in 8.4(2) version)

    Thanks a lot, and I attached a diagram here.
    Requirement:
    I need to pass through traffic from outside to inside and inside to outside.
    I also attached a diagram with the IP.
    And also tell me one thing: is NATting only for private to public or public to private?

    Hi,
    I think I replied on your post earlier as well.
    As per your query, you can NAT any kind of IP (public or private) into any kind (public or private).
    For bidirectional traffic, you always need static NAT.
    When you want unidirectional traffic, you can use dynamic NAT/PAT.
    For the inside to outside traffic, you can use this NAT:
    object network LAN
    subnet 0 0
    nat (inside,outside) dynamic interface
    For outside to inside traffic, you would only want access for certain servers, such as internally hosted web servers.
    For this, you can use static PAT/NAT:
    object network host
    host 10.10.10.10
    nat (inside,Outside) static interface service tcp 3389 3389
    access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
    This will enable you to take the RDP access for your PC from the internet.
    Is this what you want ?
    Thanks and Regards,
    Vibhor Amrodia
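    The Dynamic PAT excerpt earlier on this page (real source port kept when free, otherwise a port from the same tier, a separate xlate per real ip:port, no reliable inbound connections to a PAT'd host) and the static-versus-dynamic point in this reply describe mechanics that a small model makes concrete. The following is an added example, not Cisco code and not from any poster. The mapped address 203.0.113.1 and the 10.x hosts are constructed; picking the lowest free port within a tier is the model's own choice, since the page does not say how the appliance chooses a port inside a tier.

```python
"""Toy model of ASA dynamic PAT and static NAT as described on this page
(added example; not Cisco code and not from any poster). It reproduces the
stated mechanics only: the real port is reused when free, otherwise a port
from the same tier is taken, each real ip:port gets its own xlate, and an
outside host cannot open a connection through a PAT address, whereas a
static NAT works in both directions without a prior flow."""
from dataclasses import dataclass, field

PORT_TIERS = ((0, 511), (512, 1023), (1024, 65535))   # default ASA PAT tiers


def tier_of(port):
    for lo, hi in PORT_TIERS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"bad port {port}")


@dataclass
class DynamicPAT:
    """Many real addresses behind one mapped address (e.g. the outside interface)."""
    mapped_ip: str
    xlates: dict = field(default_factory=dict)   # (real_ip, real_port) -> mapped_port

    def translate(self, real_ip, real_port):
        """Inside-initiated connection: create or reuse the xlate, return mapped tuple."""
        key = (real_ip, real_port)
        if key not in self.xlates:
            in_use = set(self.xlates.values())
            if real_port not in in_use:
                mapped = real_port                 # real source port kept when free
            else:
                lo, hi = tier_of(real_port)        # otherwise same tier as the real port
                free = (p for p in range(max(lo, 1), hi + 1) if p not in in_use)
                mapped = next(free, None)          # lowest free port: model's choice only
                if mapped is None:
                    raise RuntimeError(f"PAT tier {lo}-{hi} exhausted")
            self.xlates[key] = mapped
        return self.mapped_ip, self.xlates[key]

    def untranslate(self, mapped_port):
        """Outside -> inside: only traffic matching an existing xlate gets through."""
        for (real_ip, real_port), mp in self.xlates.items():
            if mp == mapped_port:
                return real_ip, real_port
        return None                                # no xlate: connection cannot be built


@dataclass
class StaticNAT:
    """One-to-one mapping; usable in both directions without a prior flow."""
    real_ip: str
    mapped_ip: str

    def translate(self, real_ip, real_port):
        return (self.mapped_ip, real_port) if real_ip == self.real_ip else None

    def untranslate(self, port):
        return self.real_ip, port


def demo():
    """Walk through the cases the page describes; all addresses are constructed."""
    pat = DynamicPAT("203.0.113.1")
    a = pat.translate("10.1.1.1", 1025)        # keeps 1025
    b = pat.translate("10.1.1.1", 1026)        # separate xlate for the next source port
    c = pat.translate("10.1.1.2", 1025)        # 1025 taken: next free port in 1024-65535
    d = pat.translate("10.1.1.3", 80)          # 80 free: keeps 80
    e = pat.translate("10.1.1.4", 80)          # 80 taken: lowest free port in 0-511
    return {
        "a": a, "b": b, "c": c, "d": d, "e": e,
        "xlates": len(pat.xlates),
        "reply_to_c": pat.untranslate(c[1]),               # return traffic finds the xlate
        "unsolicited_3389": pat.untranslate(3389),         # nothing to map: dropped
        "static_inbound_3389": StaticNAT("10.10.10.10", "203.0.113.1").untranslate(3389),
    }
```

    The last two entries are the point of the reply: an unsolicited inbound connection through a dynamic PAT has no xlate to land on, while the static mapping answers the same inbound port without any prior outbound flow, which is why the RDP example needs a static entry plus an ACE on the outside interface.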

  • Controlling ASA outbound (inside to outside) traffic

    Hello There,
    I have been in trouble while controlling every traffic passing from inside to outside. We already have Websense integrated with ASA 5520. Please help me in providing the details on this
    1. Traditional method by putting ACL on inside port (what things need to be blocked)
    2. Any special/standard configuration of inside ACL
    3. What other ways or methods are implemented.
    Please help somebody.....  :-)

    What exactly is it that you want to do on the firewall with those access-lists?
    Here's a link that explains how to use Access-lists on an ASA.
    http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/traffic.html

  • Static NAT to inside DNS address

    I'm struggling to address an issue where as a policy I have internal virtualized/clustered servers on reserved DHCP addresses on a separate VLAN, and occasionally there is a situation where by the guests change hosts and end up on another VLAN (for whatever reason) or with a different IP address.
    This isn't an issue for my internal users because all our communications works off DNS addresses, but I have a natted FTP server that whenever it changes IP/VLAN, i have to manually change the natted address on my ASA.
    ex
    static (inside,Outside) 100.100.100.101 192.168.100.39 netmask 255.255.255.255
    would like to use a DNS address of ftp.domainname.com instead of the IP address so that if the inside IP changes I don't have to rewrite the static rule every time.
    Is there any facility to do this with the ASA?
    thanks

    Hello Robert,
    Not possible to do it on the ASA. You will need to use the ip address on the Nat statements.

  • ASA5505 Can't pass traffic between inside (private) & outside (private)

    10.15.50.0/24 <---> 10.15.50.254 (inside / ASA5505 \ outside) 10.60.15.253 <---> 10.60.15.254 <--- (cloud) ---> (eventual destination 10.15.60.0/24)
    Goal:
    10.15.50.0/24 traffic will communicate with 10.15.60.0/24 while block all other.  Current config is any/any for troubleshooting.
    Example:
    10.15.50.249 pings 10.60.15.253 (inside of ASA) and fails.  Running it through ASDM Packet Tracer shows the Outside ASA interface blocking but I have any/any on that interface.
    Question:
    What am I doing wrong?
    : Saved
    ASA Version 8.2(5)
    hostname SJ-HostB-ASA
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.15.50.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.60.15.253 255.255.255.252
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.60.15.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    console timeout 30
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.15.50.243 source inside
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
      destination address email
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end

    Hi,
    You can only PING / ICMP an ASA interface from behind that same interface.
    So users behind "inside" can PING / ICMP the "inside" interface IP address and users behind "outside" can PING / ICMP the "outside" interface IP address. Users can't PING / ICMP the remote interface from their perspective. The only exception is when users are coming through a VPN connection and you use the "management-access" command. But this doesn't apply to your situation.
    You seem to be simulating an ICMP send from behind "inside" to the "outside" interface IP address if what you say is true.
    So attempt the Packet Tracer using some remote network IP address in the 10.15.60.0/24 network.
    You don't seem to have "nat-control" enabled so all traffic should be able to pass through the ASA without translation. So NAT shouldn't be a problem.
    You can also add the following configurations
    policy-map global_policy
    class inspection_default
      inspect icmp
      inspect icmp error
    - Jouni

  • Problem of routing between inside and outside on ASA5505

    I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
    I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
    a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.
    WAE#ping 10.10.10.250
    PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
    --- 10.10.10.250 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    WAE#sh arp
    Protocol Address Flags Hardware Addr Type Interface
    Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
    Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
    Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
    b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
    Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
    ASA# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is 172.26.18.1 to network 0.0.0.0
    C 172.26.18.0 255.255.255.0 is directly connected, outside
    C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
    C 10.10.10.0 255.255.255.0 is directly connected, inside
    d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    All other ports are in vlan 1 by default.

    I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside)
    port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
    port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
    I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
    If I can't ping from the inside interface to the outside interface on the ASA, how can I verify inside hosts can get to outside addresses and vice versa? I looked at the ASA docs, but didn't find out how to set up routing between inside and outside. They are both connected interfaces; should they route between each other already?
    Thanks a lot

  • ASA5510 - Nat 2 Inside vlans to separate ISP's

    Hi All,
    We have 2x ASA5510. I have two inside interfaces, INS_STAFF and INS_QUEST, and two outside interfaces, OUT_STAFF and OUT_QUEST, which are on separate ISPs. All interfaces are assigned to different VLANs. Now I want to NAT INS_STAFF to OUT_STAFF and INS_QUEST to OUT_QUEST, but because I would have two default routes it is impossible to do. I also want to configure failover between my ASAs. I know that I could solve this problem with PBR on a router, but I don't have one. Can you help me solve this problem with only the ASAs? Would it help to create contexts and separate each inside/outside pair on its own?
    Best Regards,
    Davud Hajiyev

    You can only make it work with multiple context mode, where each context will have an inside and an outside interface, i.e.:
    Context 1: INS_STAFF and OUT_STAFF
    Context 2: INS_QUEST and OUT_QUEST
    With just single context, you can't configure 2 default gateways on ASA as it is not supported to have 2 default gateways via 2 outside interfaces.
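
As an added example of the layout described in the reply (this is illustrative configuration, not from the original poster or the reply), the system execution space allocates one inside/outside pair to each context, and each context then carries its own default route. The subinterface numbers, VLAN IDs, addresses and file names are assumptions:

```cisco
! System execution space. Switching to multiple context mode reboots
! the unit and converts the running configuration, so do it in a window.
mode multiple
!
! Subinterfaces and VLAN IDs below are assumed for illustration.
interface Ethernet0/1.10
 vlan 10
interface Ethernet0/1.20
 vlan 20
interface Ethernet0/0.100
 vlan 100
interface Ethernet0/0.200
 vlan 200
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! Context 1: INS_STAFF and OUT_STAFF (mapped names hide the physical names)
context STAFF
 allocate-interface Ethernet0/1.10 INS_STAFF
 allocate-interface Ethernet0/0.100 OUT_STAFF
 config-url disk0:/staff.cfg
!
! Context 2: INS_QUEST and OUT_QUEST
context GUEST
 allocate-interface Ethernet0/1.20 INS_QUEST
 allocate-interface Ethernet0/0.200 OUT_QUEST
 config-url disk0:/guest.cfg
!
! ----- inside context STAFF ("changeto context STAFF") -----
interface INS_STAFF
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface OUT_STAFF
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
object network STAFF_LAN
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
! This context's own default route towards ISP 1 (198.51.100.1 assumed)
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! ----- inside context GUEST ("changeto context GUEST") -----
interface INS_QUEST
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
interface OUT_QUEST
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
object network GUEST_LAN
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic interface
! This context's own default route towards ISP 2 (203.0.113.1 assumed)
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Each context has its own routing table, which is why two default routes stop being a conflict. Before converting, check that the license includes security contexts ("show version" lists the Security Contexts count), and keep in mind that VPN features are restricted in multiple context mode on these releases. Failover is configured in the system execution space; with two contexts you can run Active/Standby, or Active/Active by placing each context in its own failover group.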

  • How to allow some fixed extension go in from outside to inside but not allow go from inside to outside

    How do I allow some fixed file extensions to go in from outside to inside but not allow them to go from inside to outside?
    For example, allow JPEG, MOV, AVI data to flow from outside to inside,
    but do not allow JPEG, MOV, AVI files to be accessed, uploaded or fetched by outside; in other words, not from inside to outside.
    how to configure?

    Hi,
    The ZBF link sent earlier shows how we can inspect the URI in an HTTP request:
    parameter-map type regex uri_regex_cm
       pattern ".*cmd.exe"
    class-map type inspect http uri_check_cm
       match request uri regex uri_regex_cm
    ZBF is a feature of Cisco routers; on the ASA the concepts are similar but it works differently. However, it is important to note that you can only be this granular with protocol (layer 7) inspection. For example, on the ASA, if you try to restrict .exe files in a P2P application, that won't be possible; but on a router you have some P2P applications in NBAR and you can use that for file filtering. Please check the configuration examples for both devices.
    Thanks
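
As an added ASA-side counterpart to the router ZBF snippet above (illustrative configuration, not from the reply or the original poster), this uses HTTP application inspection to drop requests whose URI carries one of the listed extensions, and scopes the policy to HTTP connections initiated from the inside network so that outside-initiated HTTP to an inside server is untouched. The regex names, class/policy names and the 192.168.1.0/24 inside network are assumptions:

```cisco
! Case-insensitive patterns for the extensions; ASA regexes are
! unanchored, so these match the extension anywhere in the URI
! (including before a "?query" string).
regex EXT_JPEG "\.[Jj][Pp][Ee]?[Gg]"
regex EXT_MOV  "\.[Mm][Oo][Vv]"
regex EXT_AVI  "\.[Aa][Vv][Ii]"
!
class-map type regex match-any MEDIA_EXT
 match regex EXT_JPEG
 match regex EXT_MOV
 match regex EXT_AVI
!
! Layer 7 class: HTTP requests whose URI matches any of the patterns.
class-map type inspect http match-all MEDIA_URI
 match request uri regex class MEDIA_EXT
!
! HTTP inspection policy: drop the connection and log a syslog message.
policy-map type inspect http BLOCK_MEDIA_HTTP
 parameters
 class MEDIA_URI
  drop-connection log
!
! Layer 3/4 class: only HTTP connections started by inside hosts
! (192.168.1.0/24 assumed) towards anywhere.
access-list INSIDE_HTTP extended permit tcp 192.168.1.0 255.255.255.0 any eq www
class-map INSIDE_HTTP_CM
 match access-list INSIDE_HTTP
!
! Bind the HTTP inspection to that class on the inside interface.
policy-map INSIDE_POLICY
 class INSIDE_HTTP_CM
  inspect http BLOCK_MEDIA_HTTP
service-policy INSIDE_POLICY interface inside
```

Caveats: this only sees cleartext HTTP on the ports the class matches (here TCP/80); HTTPS is opaque to the inspection, and the extension match is on the request URI, so a file uploaded in a POST body would need "match request body regex" rather than a URI match. Verify hits with "show service-policy interface inside inspect http".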
