ASA 5505 Static NAT

Hi Guys,
Me again asking for some more help, thanks.
I am trying to deploy a Polycom Access Director behind an ASA 5505 firewall and am having some problems configuring inbound NAT for this device.
Currenlty I am able to dial from an endpoint outbound through the ASA with no problem but am unable to dial into the VC endpoint by the IP address (Traffic is not hitting the Access Director)
This blog post shows what I am trying to achieve along with the ACLs that I have applied.
http://blog.networkfoo.org/2014/02/deploy-polycom-rpad-single-nic-with.html#!/2014/02/deploy-polycom-rpad-single-nic-with.html
These are my NAT Rules
nat (Wireless_LAN,VC_INFRA) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
nat (Wireless_LAN,VC_DMZ) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.239.0 obj-10.255.239.0
nat (Wireless_LAN,VC_LAN) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
nat (VC_INFRA,any) source static obj-10.255.243.0 obj-10.255.243.0 destination static VPNPool-Network VPNPool-Network
object network obj-10.255.222.0
 nat (outside,outside) dynamic interface
object network obj-10.255.243.0
 nat (outside,outside) dynamic interface
object network obj_any
 nat (Wireless_LAN,outside) dynamic interface
object network obj_any-01
 nat (VC_DMZ,outside) dynamic interface
object network obj_any-02
 nat (VC_INFRA,outside) dynamic interface
object network obj_any-03
 nat (VC_LAN,outside) dynamic interface
nat (outside,VC_DMZ) after-auto source static any any destination static interface obj-CV2RPAD1
This is my ACLs
access-list outside_access_in extended permit udp any eq 1719 object-group RPAD_SERVERS_EXT eq 1719
access-list outside_access_in extended permit udp any eq 1720 object-group RPAD_SERVERS_EXT eq 1720
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq h323
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT range 10001 13000
access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT range 20002 30001
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5061
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5222
access-list outside_access_in extended permit icmp any any object-group DefaultICMP
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 20002 30001
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 16386 25386
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1719 any eq 1719
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1720 object-group DMA_SERVERS_INT eq 1720
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT eq h323
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT range 36000 61000
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 13001 15000 any gt 1023
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq sip any gt 1023
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 5070 object-group DMA_SERVERS_INT eq sip
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 30001 60000 object-group RM_SERVERS_INT eq https
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 any gt 1023
access-list dmz_access_in extended permit icmp object-group RPAD_SERVERS_EXT any object-group DefaultICMP
If I move my NAT statement as follows
      no nat after-auto 1
      nat (outside,VC_DMZ) 5 source static any any destination static interface obj-CV2RPAD1
I am able to dial outbound still with no issues and am also able to intiate a call inbound which partially connects. The call seems to fail at the Capabilities exchange so the RTP media stream does not start up so there is some additional troubleshooting to be done.
However moving this NAT statement has the side effect of breaking the IPSec VPN that I have configured for the Cisco VPN Client, I would like to be able to keep my VPN working and be able to do a port forwards/Static 1:1 NAT towards my RPAD.
Once this is happy and working I can then go and troubleshoot why inbound calls are failing at the cpabilities exchange.

Thanks a lot Jon, for assisted me solve this problem.
The weird thing that i can't undestand, is that the icmp was working without a problem using the above mentioned access-list however accesing the web server using www wasn't working.
How you explain that?

Similar Messages

  • ASA 5505 Static hosts cannot access outside

    I'm replacing an old PIX with a second hand ASA firewall.
    I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet.
    I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere.
    Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet. If I've obscured something pertinent let me know.
    Any advice would be greatly appreciated! Thanks.
    : Saved
    ASA Version 7.2(3)
    hostname fw-1
    domain-name XXXX
    enable password XXXX encrypted
    names
    name 92.X.X.61 bb-office
    name 92.X.X.128 gl-office
    name 10.0.0.117 daviker-dialler_in
    name 77.X.X.117 daviker-dialler_out
    name 10.0.0.112 data-2_in
    name 77.X.X.112 data-2_out
    name 10.0.0.81 corp-1_in
    name 77.X.X.81 corp-1_out
    name 10.0.0.111 data-1_in
    name 77.X.X.210 user_75
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 77.X.X.66 255.255.255.192
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd XXXX encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name XXXX
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 5900
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 4040
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 9876
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq sip
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq www
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq https
    access-list inbound extended permit udp host bb-office host daviker-dialler_out eq sip
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 1433
    access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-ns
    access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-dgm
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq netbios-ssn
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 445
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 4040
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 9876
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq sip
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq www
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq https
    access-list inbound extended permit udp host gl-office host daviker-dialler_out eq sip
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 1433
    access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-ns
    access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-dgm
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq netbios-ssn
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 445
    access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 5900
    access-list inbound extended permit tcp any host data-2_out eq ssh
    access-list inbound extended permit tcp any host corp-1_out eq ssh
    access-list inbound extended permit tcp any host corp-1_out eq www
    access-list inbound extended permit tcp any host corp-1_out eq pop3
    access-list inbound extended permit tcp any host corp-1_out eq imap4
    access-list inbound extended permit tcp any host corp-1_out eq smtp
    access-list inbound extended permit tcp any host corp-1_out eq 995
    access-list inbound extended permit tcp any host corp-1_out eq 465
    access-list inbound extended permit tcp any host corp-1_out eq 993
    access-list inbound extended permit tcp any host corp-1_out eq 8008
    access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ns
    access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-dgm
    access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ssn
    access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq 445
    access-list inbound extended permit udp any host 77.X.X.113 eq netbios-ns
    access-list inbound extended permit udp any host 77.X.X.113 eq netbios-dgm
    access-list inbound extended permit tcp any host 77.X.X.113 eq netbios-ssn
    access-list inbound extended permit tcp any host 77.X.X.113 eq 445
    access-list inbound extended permit tcp host bb-office host data-2_out eq 5901
    access-list inbound extended permit tcp host bb-office host data-2_out eq 3690
    access-list inbound extended permit tcp host bb-office host data-2_out eq www
    access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 3389
    access-list inbound extended permit tcp host 2.X.X.18 host data-2_out eq 3306
    access-list inbound extended permit tcp any host data-2_out eq 3306
    access-list inbound extended permit tcp host 212.X.X.7 host daviker-dialler_out eq 5900
    access-list inbound extended permit tcp host bb-office host data-2_out eq 3306
    access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 1433
    access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 5900
    access-list inbound extended permit tcp host user_75 host data-2_out eq 3690
    access-list inbound extended permit tcp host user_75 host data-2_out eq www
    access-list inbound extended permit tcp host user_75 host data-2_out eq 3306
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
    static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
    static (inside,outside) data-2_out data-2_in netmask 255.255.255.255
    static (inside,outside) 77.X.X.113 data-1_in netmask 255.255.255.255
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 77.X.X.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 77.X.X.91 8.8.8.8
    dhcpd domain cagltd.net
    dhcpd auto_config outside
    dhcpd address 10.0.0.20-10.0.0.40 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    username matt password XXXX encrypted
    prompt hostname context
    Cryptochecksum:00af76f23831b8c828fc6677c9069072
    : end

    Hi Jouni,
    Thanks for the info.
    I didn't have icmp traffic allowed, so I knew ping wouldn't be working. I was testing using http.
    I have enabled icmp and dhcp clients can ping outside. Static nat clients can't ping outside. Static clients also cannot use outbound http.
    As suggested, I have run some packet traces.
    From a static nat client on the ASA:
    fw-1# packet-tracer input inside tcp 10.0.0.81 80 173.203.209.67 80
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
      match ip inside host corp-1_in outside any
        static translation to corp-1_out
        translate_hits = 668, untranslate_hits = 2
    Additional Information:
    Static translate corp-1_in/0 to corp-1_out/0 using netmask 255.255.255.255
    Phase: 6
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
      match ip inside host corp-1_in outside any
        static translation to corp-1_out
        translate_hits = 668, untranslate_hits = 2
    Additional Information:
    Phase: 7
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1759, packet dispatched to next module
    Phase: 10
    Type: ROUTE-LOOKUP
    Subtype: output and adjacency
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 77.X.X.65 using egress ifc outside
    adjacency Active
    next-hop mac address 0017.0f13.5000 hits 1
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    This looks fine to me, but as I say, an outbound tcp port 80 connection from the actual machine on 10.0.0.81 fails.
    Here is a similar trace from a dhcp client to the same destination:
    fw-1# packet-tracer input inside tcp 10.0.0.20 80 173.203.209.67 80
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside) 1 0.0.0.0 0.0.0.0
      match ip inside any outside any
        dynamic translation to pool 1 (77.74.111.66 [Interface PAT])
        translate_hits = 990, untranslate_hits = 226
    Additional Information:
    Dynamic translate 10.0.0.20/80 to 77.74.111.66/1 using netmask 255.255.255.255
    Phase: 5
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (inside) 1 0.0.0.0 0.0.0.0
      match ip inside any inside any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 0, untranslate_hits = 0
    Additional Information:
    Phase: 6
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1771, packet dispatched to next module
    Phase: 9
    Type: ROUTE-LOOKUP
    Subtype: output and adjacency
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 77.X.X.65 using egress ifc outside
    adjacency Active
    next-hop mac address 0017.0f13.5000 hits 5
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    I can see the difference in the NAT translation section. A real outbound tcp port 80 connection from the actual machine on 10.0.0.20 works fine.
    Finally, for the sake of comparison, I ran a similar packet trace using a static nat IP on the old PIX firewall:
    old-fw-1# packet-tracer input inside tcp 10.0.0.117 80 173.203.209.67 80
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect http
    service-policy global_policy global
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
    nat-control
      match ip inside host daviker-dialler_in outside any
        static translation to daviker-dialler_out
        translate_hits = 17132, untranslate_hits = 1277850
    Additional Information:
    Static translate daviker-dialler_in/0 to daviker-dialler_out/0 using netmask 255.255.255.255
    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
    nat-control
      match ip inside host daviker-dialler_in outside any
        static translation to daviker-dialler_out
        translate_hits = 17132, untranslate_hits = 1277850
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1006075, packet dispatched to next module
    Phase: 10
    Type: ROUTE-LOOKUP
    Subtype: output and adjacency
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 78.X.X.69 using egress ifc outside
    adjacency Active
    next-hop mac address 0017.0f13.5000 hits 572133
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    Outbound traffic from static nat hosts on the old PIX firewall works fine. One glaring difference is that the PIX is inspecting http traffic, but surely this is a red herring. Another difference is that the old and new firewalls have different gateways / default routes & different outside IP addresses. As the new ASA firewall (and its dhcp hosts) can talk to the outside world quite happily I don't think this is relevant.
    I wondered whether it might be down to the difference in the inside (255.255.255.0) and outside (255.255.255.192) subnets. The set up is the same on the PIX, but I wondered whether some other line of config might be required on the ASA to handle it. I adjusted the subnet of the inside interface on the ASA to match the outside one (both 255.255.255.192) but it didn't make any difference.
    So I'm puzzled!

  • MS NLB with ASA and Static NAT from PUP to NLB IP

    Hi all,
    I am trying to get MS NLB up and running.  It is almost all working.  Below is my physical setup.
    ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
    I have two VMs runing on two different ESXi hosts.  They have two vNICs.  One for managment and one for inside puplic subnet.  The inside puplic subnet NICs are in the NLB cluster.  The inside public subnet is NATed on the ASA to a outide public IP.
    192.168.0.50 is the 1st VM
    192.168.0.51 is the 2nd VM
    192.168.0.52 is the cluster IP for heartbeat
    192.168.0.53 is the cluster IP for NLB traffic.
    0100.5e7f.0035 is the cluster MAC.
    The NLB cluster is using MULTICAST
    I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC. 
    For the ASA I found
    http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
    ASDM
    Configuration > Device Management > Advanced > ARP > ARP Static Table
    I was able to add my stic ARP just fine.
    However, the next step was to enable ARP inspection.
    Configuration > Device Management > Advanced > ARP > ARP Inspection
    My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
    For the CAT Switch I found
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
    I added the both the ARP and Static MAC.  For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
    On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa.  I then added a DNS entry for our domain to point to the outside public IP.  I also added it to the public servers section allowing all IP traffic testing puproses.
    At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets)  The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae.  Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine. 
    So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine.  Below is my ASA Config. I have bolded the parts of Interest.
    Result of the command: "show run"
    : Saved
    ASA Version 8.4(4)9
    hostname MP-ASA-1
    enable password ac3wyUYtitklff6l encrypted
    passwd ac3wyUYtitklff6l encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 198.XX.XX.82 255.255.255.240
    interface Ethernet0/1
    description Root Inside Interface No Vlan
    speed 1000
    duplex full
    nameif Port-1-GI-Inside-Native
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1.2
    description Managment LAN 1 for Inside Networks
    vlan 2
    nameif MGMT-1
    security-level 100
    ip address 192.168.180.1 255.255.255.0
    interface Ethernet0/1.3
    description Managment LAN 2 for Inside Networks
    vlan 3
    nameif MGMT-2
    security-level 100
    ip address 192.168.181.1 255.255.255.0
    interface Ethernet0/1.100
    description Development Pubilc Network 1
    vlan 100
    nameif DEV-PUB-1
    security-level 50
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1.101
    description Development Pubilc Network 2
    vlan 101
    nameif DEV-PUB-2
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/1.102
    description Suncor Pubilc Network 1
    vlan 102
    nameif SUNCOR-PUB-1
    security-level 49
    ip address 192.168.3.1 255.255.255.0
    interface Ethernet0/1.103
    description Suncor Pubilc Network 2
    vlan 103
    nameif SUNCOR-PUB-2
    security-level 49
    ip address 192.168.4.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa844-9-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Inside-Native-Network-PNAT
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network with PNAT
    object network ASA-Outside-IP
    host 198.XX.XX.82
    description The primary IP of the ASA
    object network Inside-Native-Network
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network
    object network VPN-POOL-PNAT
    subnet 192.168.100.0 255.255.255.0
    description VPN Pool NAT for Inside
    object network DEV-PUP-1-Network
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUP-1 Network
    object network DEV-PUP-2-Network
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUP-2 Network
    object network MGMT-1-Network
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1 Network
    object network MGMT-2-Network
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2 Network
    object network SUNCOR-PUP-1-Network
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUP-1 Network
    object network SUNCOR-PUP-2-Network
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUP-2 Network
    object network DEV-PUB-1-Network-PNAT
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUB-1-Network with PNAT
    object network DEV-PUB-2-Network-PNAT
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUB-2-Network with PNAT
    object network MGMT-1-Network-PNAT
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1-Network with PNAT
    object network MGMT-2-Network-PNAT
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2-Network with PNAT
    object network SUNCOR-PUB-1-Network-PNAT
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUB-1-Network with PNAT
    object network SUNCOR-PUB-2-Network-PNAT
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUB-2-Network with PNAT
    object network DEV-APP-1-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-APP-2-SNAT
    host 192.168.2.120
    description DEV-APP-2 Server with SNAT
    object network DEV-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-SQL-1
    host 192.168.0.110
    description DEV-SQL-1 Inside Server IP
    object network DEV-SQL-2
    host 192.168.2.110
    description DEV-SQL-2 Inside Server IP
    object network SUCNOR-APP-1-PUB
    host 198.XX.XX.XX
    description SUNCOR-APP-1 Public Server IP
    object network SUNCOR-APP-2-SNAT
    host 192.168.4.120
    description SUNCOR-APP-2 Server with SNAT
    object network SUNCOR-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network SUNCOR-SQL-1
    host 192.168.3.110
    description SUNCOR-SQL-1 Inside Server IP
    object network SUNCOR-SQL-2
    host 192.168.4.110
    description SUNCOR-SQL-2 Inside Server IP
    object network DEV-APP-1-SNAT
    host 192.168.0.120
    description DEV-APP-1 Network with SNAT
    object network SUNCOR-APP-1-SNAT
    host 192.168.3.120
    description SUNCOR-APP-1 Network with SNAT
    object network PDX-LAN
    subnet 192.168.1.0 255.255.255.0
    description PDX-LAN for S2S VPN
    object network PDX-Sonicwall
    host XX.XX.XX.XX
    object network LOGI-NLB--SNAT
    host 192.168.0.53
    description Logi NLB with SNAT
    object network LOGI-PUP-IP
    host 198.XX.XX.87
    description Public IP of LOGI server for NLB
    object network LOGI-NLB-IP
    host 192.168.0.53
    description LOGI NLB IP
    object network LOGI-PUP-SNAT-NLB
    host 198.XX.XX.87
    description LOGI Pup with SNAT to NLB
    object-group network vpn-inside
    description All inside accessible networks
    object-group network VPN-Inside-Networks
    description All Inside Nets for Remote VPN Access
    network-object object Inside-Native-Network
    network-object object DEV-PUP-1-Network
    network-object object DEV-PUP-2-Network
    network-object object MGMT-1-Network
    network-object object MGMT-2-Network
    network-object object SUNCOR-PUP-1-Network
    network-object object SUNCOR-PUP-2-Network
    access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
    access-list outside_access_out remark Block ping to out networks
    access-list outside_access_out extended deny icmp any any inactive
    access-list outside_access_out remark Allow all traffic from inside to outside networks
    access-list outside_access_out extended permit ip any any
    access-list outside_access extended permit ip any object LOGI-NLB--SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
    access-list outside_access extended permit ip any object DEV-APP-2-SNAT
    access-list outside_access extended permit ip any object DEV-APP-1-SNAT
    access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu Port-1-GI-Inside-Native 1500
    mtu MGMT-1 1500
    mtu MGMT-2 1500
    mtu DEV-PUB-1 1500
    mtu DEV-PUB-2 1500
    mtu SUNCOR-PUB-1 1500
    mtu SUNCOR-PUB-2 1500
    mtu management 1500
    ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any Port-1-GI-Inside-Native
    icmp permit any MGMT-1
    icmp permit any MGMT-2
    icmp permit any DEV-PUB-1
    icmp permit any DEV-PUB-2
    icmp permit any SUNCOR-PUB-1
    icmp permit any SUNCOR-PUB-2
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
    arp timeout 14400
    no arp permit-nonconnected
    nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    object network Inside-Native-Network-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network VPN-POOL-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network DEV-PUB-1-Network-PNAT
    nat (DEV-PUB-1,outside) dynamic interface
    object network DEV-PUB-2-Network-PNAT
    nat (DEV-PUB-2,outside) dynamic interface
    object network MGMT-1-Network-PNAT
    nat (MGMT-1,outside) dynamic interface
    object network MGMT-2-Network-PNAT
    nat (MGMT-2,outside) dynamic interface
    object network SUNCOR-PUB-1-Network-PNAT
    nat (SUNCOR-PUB-1,outside) dynamic interface
    object network SUNCOR-PUB-2-Network-PNAT
    nat (SUNCOR-PUB-2,outside) dynamic interface
    object network DEV-APP-2-SNAT
    nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
    object network SUNCOR-APP-2-SNAT
    nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
    object network DEV-APP-1-SNAT
    nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
    object network SUNCOR-APP-1-SNAT
    nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
    object network LOGI-NLB--SNAT
    nat (DEV-PUB-1,outside) static LOGI-PUP-IP
    object network LOGI-PUP-SNAT-NLB
    nat (outside,DEV-PUB-1) static LOGI-NLB-IP
    access-group outside_access in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 outside
    http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
    http 192.168.180.0 255.255.255.0 MGMT-1
    http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
    : end
    Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff. 
    Thanks,
    Chris

    Also If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP.  So it's definatly an issue when NATing the VIP of NLB cluster.
    Chris

  • ASA 5505:Static Routing and Deny TCP connection because of bad flag

    Hi Everybody,
    I have a problem. I made a VPN site-2-site with 2 ASA 5505. The VPN works great. And I create a redondant link if the VPN failed.
    In fact, I use Dual ISP with route tracking. If the VPN fails, the default route change to an ISDN router, situated on the inside interface.
    When I simulated a VPN fail, the ASAs routes switch automatically on backup ISDN routers. If I ping elements, it works great. But when i try TCP connection like telnet, the ASAs deny connections:
    %PIX|ASA-6-106015: Deny TCP (no connection) from 172.16.10.57/35066 to 172.16.18.1/23 flags tcp_flags on interface interface_name.
    the security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
    thanks!
    EDIT: On the schema, The interface of the main asa is 172.16.18.148...

    Check if the xlate timer is set greater than or equal to what the conn timer, so as not to have connections waiting on xlates that no longer exist. To minimize the number of attempts, enable "service resetinbound" . The PIX will reset the connection and make it go away. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection.

  • Public Pool, 2 ASAs, Static NAT ...

    I am looking for help on a mixture of Routing and Switching and Firewalling ...
    So I have a router connected to the ISP ... the router is also connected to a switch.  Into that switch I have pugged two ASAs.  A 5505 and 5520.
    I was given a /27 (255.255.255.224), 30 address block from the ISP.  Let's say the last octet of the router is .1, the ASA#1 is .2, and ASA #2 is .3.
    Now I wan't to use the rest of the addresses for Static NAT (the IP addresses are publically registered to their own domain names).
    Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)?  Possibly even move them back and forth between ASAs?
    How does the router know which as ASA it needs to forward the packet to if it is destined for .12 for example?  Does the ASA send out an ARP message for each of its static addresses that it is using?  They packets aren't broadcast to the subnet, are they?
    Or is this a Layer 3 problem.  Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?
    I was trying to debate if I could possibly model this in GNS3.
    PS the reason for doing this is for dissaster recovery, moving servers between racks without changing IP address scheme (the private addressing scheme behind each ASA is identical), etc.
    Thanks so much for the help,
    Matt
    CCNP, CCDP, CCIP, ASA Specialist               

    Can I use any of the rest of the addresses .4 through .30, on either ASA  in Static NAT (1 to 1 translation)?  Possibly even move them back and  forth between ASAs?
    --> YES you can
    How does the router know which as ASA it needs to forward the packet to  if it is destined for .12 for example?  Does the ASA send out an ARP  message for each of its static addresses that it is using?  They packets  aren't broadcast to the subnet, are they?
    --> YES, the ASA will send out an ARP to tell the router that it has that particular static address
    Or is this a Layer 3 problem.  Do I have to segment my /27 into two  /28's on my router (requiring an additional interface and use of another  IP address)?
    --> NO, you don't have to segment the /27 into /28

  • ASA 5505: unable to ping external hosts

    Hi,
    I have a LAN behind ASA 5505, interface NAT/PAT is configured.
    External interface is configured for PPPoE.
    Everything works fine except I cannot ping from a LAN PC external hosts. I can however ping external hosts from ASA itself. ICMP is allowed:
    icmp permit any inside
    icmp permit any outside
    access-list outside_access_in extended permit icmp any any
    Protocol inspections and fixups are default.
    When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:
    302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
    302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
    313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
    313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
    302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
    302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
    Where 202.xx.yy.zz is IP of external interface of ASA.
    This is a very simple setup that runs on a number of othe PIXes/ASAs and pings to external IP normally work just fine. I can't understand why ping replies are getting dropped on the interface?
    Any help will be highly appreciated.
    Thank you.
    Alex

    Alex / Kerry, you have couple of options for handling icmp outbound, either acl or icmp inspection :
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any source-quench
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-group outside_access_in in interface outside
    or icmp inspection instead of acl.
    policy-map global_policy
    class inspection_default
    inspect icmp
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
    HTH
    Jorge

  • ASA 5505 NAT rules blocking inside traffic

    Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a  different outside network, but every time we get that far our internal network crashes.  Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to  the workstations is being blocked by the default implicit rule under the access rule heading  that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to  the servers is being allowed though. In an effort to start over again, the Cisco ASA has been  Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the   inside network, since  most of our equipment will always be assigned statics. We reset our static NAT policies, and  seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
    Embarq :          Network                                      xxx.xxx.180.104
    Gateway:                                                             xxx.xxx.180.105
    Subnet Mask:                                                     255.255.255.248
    Our Static IP's:                                                    xxx.xxx.180.106 to xxx.xxx.180.110
    Cisco Pix for VPN tunnels :                              xxx.xxx.180.107  outside IP
        used for DataBase Servers :                        100.1.0.2  Inside IP/ Gateway 2
    Cisco ASA 5505:                                               xxx.xxx.180.106  outside IP
        all other traffic :                                              100.1.0.1  Inside IP/ Gateway 1
    Inside Network:                                                 100.1.0.0/24
    Application Server:                                          100.1.0.115 uses Gateway 1
    BackUp AppSrvr:                                             100.1.0.116 uses Gateway 1
    DataBase Server:                                            100.1.0.113 uses Gateway 2
    BackUp DBSrvr:                                               100.1.0.114 uses Gateway 2
    Cobox/Receiver:                                               100.1.0.140
    BackUp Cobox:                                                 100.1.0.150
    Workstation 1:                                                   100.1.0.112
    Workstation 2:                                                   100.1.0.111
    Network Speaker1,2,3,4:                                 100.1.0.125 to 100.1.0.128
    Future Workstations:                                        100.1.0.0/24
    1.           Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
    2.           All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
    3.           All Workstations/Network Speakers need to be able to communicate with all four servers, and   the Cobox/Receiver.
    4.          The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login  securely and edit their account info.
    5.          The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule  created NAT'ing them to xxx.xxx.180.109.
          A.          The xxx.xxx.180.109 NAT rule needs to allow ALL UPD traffic TO and FROM ANY outside    IP address.
          B.          The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
    6.          The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
          A.          The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
          B.           The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
    7.          Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
    8.         
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 100.1.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.180.106 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object icmp
    protocol-object udp
    object-group protocol DM_INLINE_PROTOCOL_5
    protocol-object icmp
    protocol-object udp
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
    access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
    access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
    access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
    access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
    access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
    access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
    static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
    static (inside,outside) xxx.xxx.180.109  access-list inside_nat_static_1
    static (outside,inside) 100.1.0.115  access-list outside_nat_static_1
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 100.1.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 100.1.0.5-100.1.0.15 inside
    dhcpd dns 71.0.1.211 67.235.59.242 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
    : end
    no asdm history enable

    OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
    In the meantime I will Close and Rate this post for now so others can get this info also.
    If we have any further issues after the upgrade, then I will open a new post.
    Thanks again. We new it was something simple. Not sure how we overlooked that, but hey we're getting somewhere now.

  • ASA 5505 - Cannot ping outside natted interface

    Hello,
    I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network
    Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.
    Thank you in advance
    the config are:
    : Saved
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name domain
    enable password ********** encrypted
    passwd ************ encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 172.88.188.122 255.255.255.248
    interface Vlan3
    no forward interface Vlan2
    nameif backup
    security-level 0
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain
    same-security-traffic permit intra-interface
    access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
    access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
    access-list outside_in extended permit tcp any host 172.88.188.123 eq www
    access-list outside_in extended permit icmp any any
    access-list outside_in extended permit icmp any any echo-reply
    access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
    access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
    access-list inside_out extended permit icmp any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu backup 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 1 172.88.188.128
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
    static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
    static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 1048575
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.200 inside
    dhcpd dns 8.8.8.8 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:865943aa325eb75812628fec3b1e7249
    : end

    You are looking for this. 2 options, dns doctoring, or hairpinning (2nd part of document.) Post back if you need help setting it up.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
    Hairpinning would look like this in your scenario.
    same-security-traffic permit intra-interface
    global (inside) 1 interface
    static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
    static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
    static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255

  • Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues

    Hey all,
    I am really new to Cisco and am trying to get this Cisco ASA 5505 configured that I bought recently configured properly.
    Things I have successfully been able to do:
    1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
    2. Create static routes to point to all of my vlans that are currently being being routed through my layer 3 SG-300
    3. Install and run ASDM 7.3(2)
    4. Went through the start-up  wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I congured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
    The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy. 
    http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
    Attached is a copy of my running-config and version. Any help with this would be greatly appreciated. 

    Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
    So your Exchange server in the 10.10.12.0/24 subnet  will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
    I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well.

  • ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)

    Greetings all.  I've searched through the forums and have found some similar situations to mine but nothing specific.  I'm hoping this is an easy fix...  :/
    I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4).  They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securly transfer digital X-Ray images.  Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already.  So...
    The network admin on the Fortinet side assinged me 172.31.1.0/24.  I have established a connection but obviously, cannot route anywhere to the other side.  Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
    Thank you in advance everyone.

    Hello Chris,
    For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
    Basically the NAT configuration will be like this:
    object network Local-net
    subnet 192.168.1.0 255.255.255.0
    object network Translated-net
    subnet 172.31.1.0 255.255.255.0
    object network Fortinet-net
    subnet 10.10.115.0 255.255.255.0
    nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
    Obviously, you can change the name of the objects.
    Then in the interesting traffic, the ACL that is apply in the crypto map that defines the VPN traffi, you will need to configure it like this:
    access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
    This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
    Let me know if you have any doubts.
    Daniel Moreno
    Please rate any posts you find useful

  • Nat/pat asa 5505 asdm ver 8.4

    hi all,
    i have a problem with portfoarwarding on asa 5505.
    i have this situation:
    internet ---> pubblic ip address-> router albacom -- 10.0.0.15 ---> -nat farward port 80--10.0.0.1 -outside -firewall asa -inside - 192.168.0.1------------server web 192.168.0.99
    the server is not in dmz but it's on the lan network
    my user must connect from internet, with any browser http://albacom_pubblic_address and router albacom and then asa firewall must nat  and farward the port 80 on server web 192.168.0.99
    any idea or tutorial
    ths, best regards

    Hi Luca,
    On the ASA, you would need the following:
    object network server_ip
      host 192.168.0.99
    object service tcp_80
    service tcp destination eq 80
    nat (outside,inside) source static any any destination static interface server_ip service tcp_80 tcp_80
    That would port forward all the request coming on port 80 on the outside interface of the firewall, to your internal server on port 80.
    Hope that helps
    Thanks,
    Varun

  • Problem with nat / access rule for webserver in inside network asa 5505 7.2

    Hello,
    i have trouble setting up nat and access rule for webserver located in inside network.
    I have asa 5505 version 7.2 and it has to active interfaces, inside 192.168.123.0 and outside x.x.x.213
    Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
    I have created an static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
    What am i doing wrong?

    Command:
    packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.123.0   255.255.255.0   inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x35418d8, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=188.x.x.213, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT excemption on both sides for IPSEC subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
    - Toggled between static to dynamic crypto maps on ASA1
    Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains somewhat entire log snipper of ASA1

    Hi,
    on 212 is see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
    If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • ASA 5505 9.1 and NAT issues to single dynamic IP

    Good afternoon everybody, 
    a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
    Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP). 
    As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
    <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
    <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
    In the same time, the consolle connection shows these two messages :
    Asa5505# ERROR: NAT unable to reserve ports.
    ERROR: NAT unable to reserve ports.
    I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
    This is the configuration file, I  have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
    Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
    ASA Version 9.1(5) 
    hostname Asa5505
    domain-name home
    enable password XXXXXX encrypted
    names
    interface Ethernet0/0
     description ADSLPPoE
     switchport access vlan 2
    interface Ethernet0/1
     description Internal_LAN
    interface Ethernet0/2
     description Management_Net 
     switchport access vlan 3
    interface Ethernet0/3
     shutdown
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     description Uplink
     switchport trunk allowed vlan 1,3
     switchport trunk native vlan 1
     switchport mode trunk
    interface Ethernet0/6
     description Wireless-POE
     switchport trunk allowed vlan 1,3
     switchport trunk native vlan 1
     switchport mode trunk
    interface Ethernet0/7
     description Webcam-POE 
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.250 255.255.255.0 
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group AliceADSL
     ip address pppoe setroute 
    interface Vlan3
     no forward interface Vlan1
     nameif management
     security-level 100
     ip address 10.5.1.250 255.255.255.0 
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 192.168.1.4
     domain-name home
    object network Exchange-HTTPS
     host 192.168.1.150
    object network Exchange-SMTP
     host 192.168.1.150
    object network Network_Inside
     subnet 192.168.1.0 255.255.255.0
    object network Network_Management
     subnet 10.5.1.0 255.255.255.0
    access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https 
    access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp 
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1492
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network Exchange-HTTPS
     nat (inside,outside) static interface service tcp https https 
    object network Exchange-SMTP
     nat (inside,outside) static interface service tcp smtp smtp 
    object network Network_Inside
     nat (inside,outside) dynamic interface
    object network Network_Management
     nat (management,outside) dynamic interface
    access-group Outside_ACL in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable 8080
    http 10.5.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access management
    vpdn group AliceADSL request dialout pppoe
    vpdn group AliceADSL localname aliceadsl
    vpdn group AliceADSL ppp authentication pap
    vpdn username aliceadsl password ***** store-local
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 192.168.1.4 192.168.1.150 interface inside
    dhcpd wins 192.168.1.4 interface inside
    dhcpd enable inside
    dhcpd address 10.5.1.30-10.5.1.40 management
    dhcpd dns 208.67.222.222 208.67.220.220 interface management
    dhcpd enable management
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     port 10443
     anyconnect-essentials
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect rtsp 
      inspect skinny  
      inspect esmtp 
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect sip  
      inspect xdmcp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXX
    : end
    no asdm history enable
    Thanks in advance for your precious help !
    C.

    Update 29th of June :
    Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the runnning configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
    I tried using show xlate both before, during, and after the connection drop. As expected before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, all the xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If i reload the ASA using reload noconfirm every rule is restored and everything works again.
    Two brief questions :
    1) in my NAT statements for PAT, does it change anything if I modify them (for example) from 
    nat (inside,outside) static interface service tcp https https
    to
    nat (inside,outside) dynamic interface service tcp https https 
    ? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
    2) if there's not any ohter way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing" ? I can't predict how many times a day the line drops and I can't be there 24/7 with my consolle cable connected in order to restore the nat statements ^^
    Thank you for your precious help and patience !
    C.

  • How to set up NAT for two servers using same port with ASDM ASA 5505

    Hi there,
    We have a new installation of a ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the orginal port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
    What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily choosen unused port, can be used to access the second server:
    Outside user enters   FQDN:5004  and this translates to Database server # 1 as   192.168.1.40:5003
    and
    Outside user enters   FQDN:5003  and this translates to Database server # 1 as   192.168.1.38:5003
    If so, what is the easist way to get this done? Or is there a better what to handle this scenario?
    Thanks in advance,
    James

    I would create two objects and use object NAT
    object network Obj_5004
    host 192.168.1.40
    object network Obj_5004
    nat (inside,outside) static service tcp 5003 5004
    object network Obj_5003
    host 192.168.1.38
    object network Obj_5003
    nat (inside,outside) static service tcp 5003 5003
    Of course you will need to open your outside interface for tcp ports 5003 and 5004 to make this happen

Maybe you are looking for

  • How to use niDCPower_ConfigureSoftwareEdgeMeasureTrigger in PXIe-4154 (each vi session has two active channels)?

    I am trying to use this function in my CVI code to configure a PXIe-4154 to make measurement based on software trigger. niDCPower_ConfigureSoftwareEdgeMeasureTrigger I saw this RUN TIME ERROR when I execute the code. Error code -1074118587 ... the re

  • Why does my site not appear correctly on other computers?????

    I made a website for the gallery I manage. address is 12spsg.com When making the site with CS4 it looked fine on both computers I was working on but now the left sidebar is appearing in the middle of the screen, the top menu bar is not all one row th

  • Valuated SIT: Batch related error

    Hi Experts We use valuated SIT functionality. The material moved is non-batch managed in supplying plant  and it is batch managed in receiving plant. Due to this, when attempted to do PGI, getting the error "Enter Batch" (Message M7 018). This error

  • Query Builder - Path and Object name for instance ..

    Hello, how to get the Object Name of an Instance "InstanceX" and the Path of the Object with query Builder .. Thanks

  • Outlook password 8.1

    When I upgraded to Windows 8.1 my hp laptop created a @outlook.com account. Now it requires me to enter the last password i used to access the computer. I don't recall even setting one up. Tried to start up in safe mode, it won't allow that. Please h