ASA 8.6 and NAT
Hey,
In the LAN I have a mail server! No mails come in from the Internet!
What is wrong?
object network srv-ex
host 10.104.1.9
object service mail-serv
service tcp source eq smtp destination eq smtp
nat (inside,outside) source static any any destination static srv-ex srv-ex service mail-serv mail-serv
access-list outside_access_in extended permit tcp any 10.104.1.9 255.255.255.255 eq smtp
Thanks
Hey,
It doesn't work, this was the config:
object service mail-serv
service tcp destination eq smtp
object network srv-ex
host 10.104.1.9
nat (outside,inside) source static any any destination static interface srv-ex service mail-serv mail-serv
access-list outside_access_in extended permit tcp any host 10.104.1.9 eq smtp
access-group outside_access_in in interface outside
show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 1058, untranslate_hits = 212
2 (inside) to (outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 description NAT-Excempt for VPN
translate_hits = 0, untranslate_hits = 828
3 (outside) to (inside) source static any any destination static interface srv-ex service mail-serv mail-serv
translate_hits = 0, untranslate_hits = 0
Doing a telnet from the Internet on port 25: nothing!
Hi,
I have an ASA5510 running version 8.2(5). I have set up a new network on interface Ethernet0/1.777 of the fwl. The firewall works perfectly with remote access VPNs but has now given me the error with the new network that has been set up:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure
The difference between the other networks and the new one that I have set up is that this is the first one using a private addressing scheme. I understand that NAT is not allowing something along the way but I cant figure out what needs to change in order to get it to work. My config is as follows:
interface Ethernet0/1.777
description TRU 777
vlan 777
nameif tru777
security-level 50
ip address 10.1.34.17 255.255.255.240 standby 10.1.34.18
access-list acl_tru777 remark * ALLOW ALL OUTBOUND *
access-list acl_tru777 extended permit ip any any
access-list RA-VPN extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_ra-lock-tru777 extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_ra-lock-tru777 extended permit ip 10.159.159.0 255.255.255.0 10.1.34.16 255.255.255.240
ip local pool ra-pool 10.159.159.0-10.159.159.254 mask 255.255.255.0
nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240
global (outside) 2 x.x.x.x
crypto isakmp nat-traversal 20
I think that is everything you should need, if not please just ask.
Thank you very much in advance,
Chris
Hi Julio,
Here you go:
FWL01# sh nameif
Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 CLIENTS 50
Ethernet0/1.314 tru01 50
Ethernet0/1.313 dmz01 50
Ethernet0/1.316 tru02 50
Ethernet0/1.776 dmz776 50
Ethernet0/1.777 tru777 50
Management0/0 management 100
FWL01# sh run nat
nat (tru02) 1 192.168.3.0 255.255.255.240
nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240
FWL01# sh run glob
global (outside) 1 interface
global (outside) 2 x.x.x.x
Thanks,
Chris
ASA 8.2 - Static NAT and Dynamic NAT Policy together
Hello community,
I have the following problem using a ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
So, I have configured a Static NAT rule from interface Ethernet0/0 to interface Ethernet 0/1 which NATs the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when the destination IP is in "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it...always the static wins....and the Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be set on ASDM...what can I do? Is there a way to do this on ASDM or CLI? (preferably on ASDM)
Thanks for your reply and help!
ASA 5510 8.4 Nat & Portforwarding
So I'm trying to forward an internal service on an internal server to the external interface on the same port on the outside interface of our ASA.
I've been searching for a solution for days and found nothing.
Here are the relevant parts of my config:
: Saved
ASA Version 8.4(2)
object service TCP-WebServer-8080
service tcp source eq 8080
object network WebServer_Object_10.1.10.7
host 10.1.10.7
object network obj-10.1.100.0
subnet 10.1.10.0 255.255.255.0
access-list outsidein extended permit ip object-group OUTSIDE object-group INSIDE
access-list insideout extended permit ip object-group INSIDE object-group OUTSIDE
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
nat (inside,outside) source dynamic obj-10.1.10.0 interface
access-group webserveraccess in interface outside
access-group insideout in interface inside
object network WebServer_Object_10.1.10.7
nat (inside,outside) static interface service tcp 8080 8080
Here's the packet tracer output:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.2.3.4 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So it looks like it's being dropped by an ACL, but it looks right to me. Can I have some guidance as to what I am doing wrong?
Alright! That fixed it!
Here is the packet tracer output
wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WebServer_object_10.1.10.7
nat (inside,outside) static interface service tcp 8080 8080
Additional Information:
NAT divert to egress interface inside
Untranslate MYWANIP/8080 to 10.1.10.7/8080
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group webserveraccess in interface outside
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WebServer_Object_10.1.10.7
nat (inside,outside) static interface service tcp 8080 8080
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1375902, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Connect 2 ASA's together without NAT
I have a strange business case that requires us to use 2 ASA's to protect an internal system. I'm trying to figure out if there is a way to connect the 2 without using a NAT between them.
The setup looks like this, sorry for the crude drawing
right now there is a route on asa2 0.0.0.0 0.0.0.0 10.1.1.1 1
there is no need for users on asa1 to reach the system behind asa2.
I think i should be able to just have ACL's on ASA2 to allow ports and host to the system behind it. but my gut says that I need a NAT
thanks for any input.
Yes, with the following assumptions:
- You have an ACL of "permit ip any any log" on all of the lower-level interfaces,
- Remove all of the inspects from the configuration,
Then your ASA will behave "almost" like a router at that point.
IPSEC b/w ASA and Router --- with nat stuff
I need help regarding the following issue..
An asa is connected to a router which is connected to the internet.
A VPN must be established between the ASA and a router that is over the internet. The ASA is not directly connected to the internet. It is connected to a router which NATs the ASA outside IP to a static global IP.
All I need to know is: do I need any special configs for this, or is it the same as if the ASA were directly connected to the internet?
In order to configure a LAN-to-LAN tunnel between a Cisco IOS router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:
Configure the crypto ipsec command in Phase 2.
Configure the isakmp policy command.
Configure the nat 0 command and the access-list command in order to bypass NATting.
Configure the crypto-map command.
Configure the tunnel-group DefaultL2LGroup command with group information
Cisco ASA 8.4 Destination Nat
Hi,
I am facing a problem in implementing NAT on Cisco ASA 8.4.
The scenario is:
Inside interface network 10.10.10.0/24
and 10.118.0.0/16 is also routed towards inside network
Other network 192.168.10.0/24 is routed via outside interface.
My requirement is to NAT 192.168.10.2 (real IP) to 10.10.10.2 (mapped IP) so that when users from the inside network (10.118.0.0/16) come, they access 10.10.10.2 instead of the real IP (192.168.10.2).
So I used
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
but the connection is not working, although with show nat I am getting hits on the NAT statement.
cap test ethernet-type arp interface inside real-time
1: 23:29:05.684199 arp who-has 10.10.10.2 tell 10.10.10.1
2: 23:29:09.687998 arp who-has 10.10.10.2 tell 10.10.10.1
I have also enabled the proxyarp on the inside interface but still the connection was not working.
Any help will be much appreciated...
Packet tracer output
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
Additional Information:
NAT divert to egress interface Extranet
Untranslate
10.10.10.2/80 to 192.168.10.2/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp any object obj-192.168.10.2
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
Additional Information:
Static translate 10.118.60.44/12345 to 10.118.60.44/12345
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 35428108, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Extranet
output-status: up
output-line-status: up
Action: allow
Hi,
Your current NAT configuration
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
basically does so that when the network 10.118.0.0/16 tries to access the host 10.10.10.2/32, the source network 10.118.0.0/16 won't be translated but the host 10.10.10.2/32 will be untranslated to 192.168.10.2/32.
So when someone on your local network tries to connect to 10.10.10.2/32, the router connected to the ASA will naturally use ARP to resolve the IP/MAC pair. I would check on that router if the ARP table shows 10.10.10.2. If it doesn't, then naturally the connection will fail.
I am not sure if you had a typo there (or I just understood you wrong) where you said that the router should know the real IP of 192.168.10.2, because with this configuration it specifically DOESN'T know that IP address, as the ASA seems to be NATting it to 10.10.10.2/32, which I guess would be part of the connected network between the ASA and the router.
- Jouni -
stevemoores wrote:
"interface" means just that, the IP address of the interface, so make an object with the x.x.x.100 address and try using that instead of interface.
That is what I am thinking and trying now.
Hi Everyone,
Running 8.4 on Cisco ASA. When a user is connected via VPN a subset of internet traffic is required to go outside via our office internet connection. I have that working fine but it is using the outside interface IP instead of a particular IP I want to use. Below is my NAT statement but I am not sure how to amend so it uses the address I want. I assume I need to replace interface with something that specifies the NAT I want to use?
Outside interface is x.x.x.99 and is what sites see when VPN traffic is routed out to internet.
I want the traffic to show as x.x.x.100
nat (outside,outside) source dynamic NETWORK_OBJ_VPN_Pool interface
Help with Slow access or NAT to Inside Interface on ASA 9.1
I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through, The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
Now to further give you some history, the gateway of last resort is an ASA running 9.1 (Now), prior to that it was a PIX with v8.0(4), traffic to the aforementioned web server came in through the gateway of last resort), which at the time was the PIX.
However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
Attached a diagram of what I am currently doing?
Any help is appreciated.
Thanks.
P.S. Addresses in the attached picture config are not real, but I know what they translate to.
Hi,
To me it would seem that you are looking for a NAT configuration something like this:
object network SERVER-PUBLIC
host 197.162.127.6
object network SERVER-LOCAL
host 10.0.1.25
nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
It will do a NAT for both the source and destination address in a single NAT configuration. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will be untranslated to the SERVER-LOCAL in the process, as this configuration handles 2 translations.
I don't know if this changes the situation at all, but it should be the configuration format to handle the translation of an external host to the internal interface IP address and only apply when this single public IP address is concerned.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.
Ask more if needed
- Jouni -
Cisco ASA 5510 Natting 2 internal ip to 1 public ip
Hi Guys,
I have a doubt on how to NAT 2 internal IP addresses to 1 public IP for FTP use.
As far as I know, Cisco ASA cannot NAT 2 internal IPs to 1 public IP as the ASA cannot read the host header. Is there any way to control it by using an ACL or network object group?
My current configuration for nat 1 internal ip to 1 public ip:
static (firewall-dmz,firewall-outside) tcp 210.19.xx.xx 21 172.16.101.11 21 netmask 255.255.255.255 dns
Thank you for your help.
Cheers
Tommy
Yes, it is possible. See if this helps. I'm not in front of my ASA right now, but I think this is the old and new way. If you are actually using the interface address, you might need to use the "interface" keyword.
Pre 8.3
static (inside,outside) tcp 1.1.1.1 80 192.168.1.100 8080 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 8080 192.168.1.101 8080 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 25 192.168.1.102 25 netmask 255.255.255.255
8.3 and Later
object network obj-192.168.1.100
host 192.168.1.100
nat (inside,outside) static 1.1.1.1 service tcp 8080 80
object network obj-192.168.1.101
host 192.168.1.101
nat (inside,outside) static 1.1.1.1 service tcp 8080 8080
object network obj-192.168.1.102
host 192.168.1.102
nat (inside,outside) static 1.1.1.1 service tcp 25 25
If you are using the interface address--
static (inside,outside) tcp interface 80 192.168.1.100 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.101 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.102 25 netmask 255.255.255.255
8.3 and Later
object network obj-192.168.1.100
host 192.168.1.100
nat (inside,outside) static interface service tcp 8080 80
object network obj-192.168.1.101
host 192.168.1.101
nat (inside,outside) static interface service tcp 8080 8080
object network obj-192.168.1.102
host 192.168.1.102
nat (inside,outside) static interface service tcp 25 25
ASA rpf-check DROP, ASA checking NAT in the incorrect interface
Hi
My current architecture is :
Internet <--> FW <--> ASA <--> LAN
FW <--> ASA
We have two links between the ASA and the FW; the corresponding ASA interfaces are "outside" and "vpn".
The "outside" interface is used for browsing the Internet, and also for making some services accessible to our partners by doing NAT to our servers.
The "vpn" interface is used to grant access to our LANs from remote offices.
Let's say that the firewall rules are OK and the remote offices have access to the whole LAN on port 80.
Below is the current configuration:
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.11.2 255.255.255.0
interface GigabitEthernet0/2
nameif vpn
security-level 0
ip address 192.168.12.2 255.255.255.0
object-group network Inside_LANs
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo
access-list Inside-to-outside extended permit udp any host TimeServer eq ntp
access-list Inside-to-outside extended permit ip object-group Inside_LANs any
global (outside) 1 interface
global (outside) 2 192.168.11.60 netmask 255.255.255.255
nat (inside) 1 access-list Inside-to-outside
nat (inside) 2 192.168.6.0 255.255.255.0
static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255
static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255
static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
Our problem is that packets from the remote office to the LAN are dropped; we are getting the rpf-check drop in packet tracer.
example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
remote office 192.168.20.55 to 192.168.2.13
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list Inside-to-outside
match udp inside any inside host TimeServer eq 123
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
remote office 192.168.20.55 to 192.168.2.10
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255
match ip inside host 192.168.2.10 outside any
static translation to 192.168.11.10
translate_hits = 76643, untranslate_hits = 188597
Additional Information:
example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
remote office 192.168.20.55 to 192.168.4.40
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list Inside-to-outside
match ip inside 192.168.4.0 255.255.255.0 vpn any
dynamic translation to pool 1 (No matching global)
translate_hits = 1, untranslate_hits = 0
Additional Information:
example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
remote office 192.168.20.55 to 192.168.6.30
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 192.168.6.0 255.255.255.0
match ip inside 192.168.6.0 255.255.255.0 vpn any
dynamic translation to pool 2 (No matching global)
translate_hits = 117, untranslate_hits = 0
Additional Information:
Our questions:
1) Why doesn't the ASA check the reverse path route before checking the NAT?
If it did, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so the ASA wouldn't have to check NAT on another interface; currently it is checking the NAT on the "outside" interface even though that is not the route back to the office.
2) Why is it working for static NAT servers and not working for the dynamic NAT ones?
When the ASA checks a server with static NAT, it finds a match on the outside interface, but even so it discards it and the connection works (example 2).
When the ASA checks a server/host with dynamic NAT (ACL or Network), it finds a match on the outside interface but drops the connection.
3) We know that this behavior can be solved by adding a NAT exception for the dynamic NAT on the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions), but:
Why is the ASA checking the global NAT even if it's not the correct interface?
Why is it working for static NAT and not working for the dynamic one?
Thanks a lot
Hi,
It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
But to me the situation in its current form looks the following.
Example 1
To me it seems this is working as it should. The connection is coming from "vpn" to "inside". There are no "static" configurations between "vpn" and "inside" and there is no "nat" command for the "vpn" interface, so the traffic should pass normally without any NAT related conflicts/problems as the traffic does not match any NAT configuration.
Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT Phase sections there is a section saying "Additional Information:" If there is no text after this text that means that this NAT has not been applied. I am not sure why the ASA lists some NAT configurations in the output that are not related. I have seen this in many occasions and do not know the reason and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
Example 2
This seems to be working as expected also.
According to the configuration provided there are no existing NAT configurations related to either the source or destination IP address on the ASA between the "vpn" and "inside" interfaces, so the traffic passes through the ASA without facing any conflicts with NAT configurations.
Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists no additional information so the NAT listed is not applied.
Example 3 and 4
These tests fail as expected since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration and the reverse direction from internal to remote matches the Dynamic Policy PAT and therefore the connection attempt is dropped. The connection must match the same NAT configuration on both directions.
In this situation you would either have to configure NAT0, Static NAT, Static PAT or Static Policy NAT/PAT, all of which would prevent the connection from matching the Dynamic Policy PAT (but would match the mentioned type of NAT in both directions, as they have higher priority than Dynamic Policy PAT). Typically the preferred solution would be to use NAT0, though you naturally have the option to use a NAT address if there is any overlap.
Hope this helps :)
- Jouni -
ASA 5510 NAT with IOS 9.1
Hi All,
Hoping someone can clear this up for me.
I am trying to setup a ASA 5510 with IOS 9.1 and having NAT issues.
The ASA is connected inside the LAN to separate a second LAN.
Internal (10.0.0.0/24) --> DG RTR (10.0.0.254) FE0/0 --> FE0/1 (61.0.0.1/24) --> ASA outside (61.0.0.2/24) --> ASA Inside (192.168.1.0/24)
I keep getting "Asymmetric NAT rules matched for forward and reverse path flows" when going from Internal to the ASA Inside LAN.
I fear it is my lack of understanding, when you have a router you can go between different LANs/subnets but with the ASA does it always NAT whatever happens?
If I statically NAT a device on the ASA Inside LAN I can get to the device via the 61.0.0.0 address and if I add what I believe to be an exemption rule to keep the translated packet the same as long as I specify something like Internal LAN to ASA Inside specific device it works but not if I do Internal LAN to ASA Inside LAN.
Hope that makes sense and someone can give me a clue to where I am going wrong with the setup / understanding.
If there are any good docs that might explain it would be appreciated as everything I have read so far has not given me an clarity.
Many thanks
Hi,
Just to clarify, are we talking about a situation the ASA is simply connected to an internal network (even though it might use public IP addresses)? Also, do you want to perform any NAT on this ASA or is there some separate firewall sitting at the edge of your network handling the external connectivity?
If the above things are true then you could simply leave your ASA NAT configuration totally blank and the ASA would not do any NAT on the traffic. This naturally would require that you make sure that routing for subnet 192.168.1.0/24 is handled on all the routers/devices on the network, as this subnet would be directly visible with its original addresses (since we would leave the ASA NAT configuration blank). I manage a couple of environments where the customer has an internal ASA separating a certain section of the LAN network and they don't have any NAT configurations.
The problems you mention in the post are probably due to the Dynamic PAT configuration, which means that your LAN can access the other parts of the internal network but no connection is possible from the internal network to this separate LAN behind the ASA. The reason is that the connection from the internal LAN to the separate LAN won't match any NAT configuration but the return traffic (the reverse check that the ASA does) will match the Dynamic PAT, and that is why the traffic is dropped.
Static NAT done to the hosts behind the ASA will naturally help since there wont be any problems with the translation in that case in either direction.
You could take a look at a NAT document I wrote way back in 2013. Though it won't really answer your specific questions here, perhaps it might be of help at some point:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
- Jouni -
Hello Everyone,
I have a need to multihome out two MAN links to the same ISP. The two links will connect via an ISR and will participate in an eBGP adjacency. On the internal side, iBGP will be used to create the alternate default route to the ISP. Each of the ISR’s downstream ports participates on the same Ethernet subnet. On the same subnet/broadcast domain, there are two ASA5510 appliances that will use HSRP to advertise the public IPv4 addresses and will NAT them into the private network.
My question is, since the ASAs do not participate in BGP, and since we are going to NAT the traffic, eliminating the need to use a route map to inject the default route into the downstream EIGRP network, would I simply build a static default route in the ASAs out the upstream interfaces? My initial thought is to not worry about recursive lookups because they are connected via Ethernet.
ip route 0.0.0.0 0.0.0.0 fa0/0; and so on.
I’ve attached a simple topology for reference.
Thanks…Matt
Yes Jcarvaja, HSRP is not a feature on the ASAs, and yes HSRP is difficult to setup natively to support active/active load balancing on any device. That's not really the point though is it. FHRP's are typically used for distribution switches and finely tuned to access layer 2 and layer 3 convergence, unless using GLBP (and even then should be considered). My mistake for using the term HSRP and thank you for pointing it out.
As for the iBGP links, they represent the same subnet as I mentioned. The cat switches are there to facilitate physical restraints as each pair of ISRs and ASAs are two miles apart. Since the ASA's are performing NAT, they don't really participate in the BGP network and there is no need or capability to inject the BGP default route into the EIGRP network. They will participate in the downstream EIGRP network. If the MAN connection on one ISR goes down, then the iBGP route to the Internet will be graduated. I guess I could have indicated on the drawing that these were all a part of the same subnet.
How do I configure the ASA's static default route? Wouldn't I be able to inject a static default route in each ASA using the ASA's outside interface when using active/active? If I have to, I could see if we can use EIGRP on the network upstream of the ASAs if there is no other way of doing this, but this is not preferred.
Any help you can provide is greatly appreciated.
Thank you...Matt -
Cisco asa traffic flow with destination nat
Hi Folks,
Can anybody comment on the below.
1. in source natting (inside users accessing internet), first the NAT will happen then the routing will happen. I agree with this.
2. in destination natting (outside users accessing inside server on public ip), what will happen first, NATTING or Routing. I am looking forward to hear an explanation.
regards
Rajesh
The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from. On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
The short answer:
The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface.
If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
If there is a rule that explicitly specifies how to translate the packet's destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
The longer answer:
For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
Step 1.A: ACL Check: Check the un-translated packet against the interface ACL; if permitted, proceed to step 2.
Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
-or-
Step 2 check B: Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the nat translation. You can actually see the nat divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be misleading.
Now let's refer to the specific example you outlined in your post; you said:
route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
nat (LAN,ISP-1) after-auto source dynamic any interface
nat (LAN,ISP-2) after-auto source dynamic any interface
Now let's say that there is a connection coming from behind LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before L3 Route Lookup?
The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
Message was edited by: Jay Johnston -
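The Step 2 checks in the answer above, modelled as a small Python simulation. This is an added example written for this page, not Cisco's or the ASA's own code: the routes and the two after-auto NAT lines are the ones quoted in the thread, while the interface addresses 1.1.1.2 and 2.2.2.2 (so that "interface" PAT has a concrete mapped address), the WAN interface name and the NAT-exempt line used to show check B are assumed. Step 1 (un-translate and ACL) is left out; the point is which packets take the divert path and which fall through to the routing table.

```python
"""Model of the two-step egress-interface selection described in the answer above.

Added example; it is not ASA code. Interface names, routes and NAT lines are the
ones quoted in the thread; interface IP addresses (1.1.1.2, 2.2.2.2) and the
NAT-exempt rule used for check B are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    real_if: str                    # local (real) interface, first name in "nat (real,mapped)"
    mapped_if: str                  # global (mapped) interface
    mapped_src: str                 # address the real source appears as on the mapped side
    dst_explicit: bool = False      # "destination static ..." present on the nat line
    real_dst: Optional[str] = None  # destination network named by that clause


@dataclass
class Packet:
    in_if: str
    src: str
    dst: str


# route <if> 0.0.0.0 0.0.0.0 <next-hop> <metric>, as posted in the question
ROUTES = [
    ("0.0.0.0/0", "ISP-1", "1.1.1.1", 1),
    ("0.0.0.0/0", "ISP-2", "2.2.2.1", 254),
]

# Assumed interface addresses so that "interface" PAT has a concrete mapped address
IF_ADDR = {"ISP-1": "1.1.1.2/32", "ISP-2": "2.2.2.2/32"}

# nat (LAN,ISP-x) after-auto source dynamic any interface  (no destination clause)
NAT_TABLE = [
    NatRule("LAN", "ISP-1", mapped_src=IF_ADDR["ISP-1"]),
    NatRule("LAN", "ISP-2", mapped_src=IF_ADDR["ISP-2"]),
]

# Assumed NAT-exempt line of the form
#   nat (LAN,WAN) source static LAN LAN destination static REMOTE REMOTE
# which carries an explicit destination clause even though it translates nothing.
EXEMPT_RULE = NatRule("LAN", "WAN", mapped_src="10.10.10.0/24",
                      dst_explicit=True, real_dst="192.168.50.0/24")


def route_lookup(dst: str):
    """Global routing table: longest prefix wins, then lowest metric."""
    addr = ip_address(dst)
    matches = [r for r in ROUTES if addr in ip_network(r[0])]
    if not matches:
        return None, None
    best = max(matches, key=lambda r: (ip_network(r[0]).prefixlen, -r[3]))
    return best[1], best[2]


def divert_match(pkt: Packet, table):
    """Step 2: first NAT line whose check A or check B is true, in table order."""
    dst = ip_address(pkt.dst)
    for rule in table:
        # Check A: arrived on the mapped interface and hits the mapped address/range
        if pkt.in_if == rule.mapped_if and dst in ip_network(rule.mapped_src):
            return rule.real_if, "A"
        # Check B: arrived on the real interface and the line names the destination explicitly
        if (pkt.in_if == rule.real_if and rule.dst_explicit
                and dst in ip_network(rule.real_dst)):
            return rule.mapped_if, "B"
    return None


def select_egress(pkt: Packet, table):
    """Return the egress interface and which mechanism chose it."""
    hit = divert_match(pkt, table)
    if hit:
        egress, check = hit
        return {"egress": egress, "via": f"nat-divert check {check}"}
    egress, next_hop = route_lookup(pkt.dst)
    return {"egress": egress, "via": "routing table", "next_hop": next_hop}


if __name__ == "__main__":
    outbound = Packet("LAN", "10.10.10.10", "8.8.8.8")
    print(select_egress(outbound, NAT_TABLE))                 # routing table -> ISP-1
    reply = Packet("ISP-1", "8.8.8.8", "1.1.1.2")
    print(select_egress(reply, NAT_TABLE))                    # check A -> LAN
    exempt = Packet("LAN", "10.10.10.10", "192.168.50.5")
    print(select_egress(exempt, NAT_TABLE + [EXEMPT_RULE]))   # check B -> WAN
```

The third packet is the interesting one: the routing table alone would send 192.168.50.5 to ISP-1 via the metric-1 default route, but because the exempt line names the destination explicitly, check B pulls it to WAN first, which is exactly the override the answer describes.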
ASA 5505 not connecting to the internet
My ASA 5505 9.1 previously worked but I recently swapped out my modem (different issue). The new modem is bridged so my ASA gets an IP address from the ISP.
Internet ------ SB6141 modem ---------- ASA ---------- rest of network (direct connection or router)
I have no issues connecting to the ASA and when I remove the ASA my router properly connects to the internet.
Things I have tried
Setting static address for ASA outside interface
Pinging 8.8.8.8 from ASDM (ping fails in ASDM but works in CLI)
Modifying the NAT
Successful packet trace
Reading multiple other forum entries
I can't figure out what is blocking the traffic to the outside. Below is my running-config.
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.1.0 Wireless
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.248
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Wireless
subnet 10.0.1.0 255.255.255.0
description Created during name migration
object network NETWORK_OBJ_192.168.2.0_29
subnet 192.168.2.0 255.255.255.248
object network obj_any_1
subnet 0.0.0.0 0.0.0.0
description Outside
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 4444
port-object eq 4445
port-object eq 4446
object-group service Wemo tcp-udp
port-object eq 3478
object-group service DM_INLINE_SERVICE_1
service-object udp destination eq 1701
service-object tcp destination eq pptp
service-object udp destination eq 4500
service-object udp destination eq isakmp
service-object tcp destination eq 50
service-object tcp destination eq 51
service-object tcp destination eq 44000
object-group service DM_INLINE_TCP_3 tcp
port-object eq 4444
port-object eq 4445
port-object eq 4446
port-object eq 5900
port-object eq 5901
object-group network DM_INLINE_NETWORK_1
network-object host 217.79.189.135
network-object host 24.197.239.70
object-group service DM_INLINE_TCP_4 tcp
port-object eq 5900
port-object eq 5901
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit object-group TCPUDP object Wireless any
access-list inside_access_in extended permit icmp object Wireless any
access-list inside_access_in extended permit ip object Wireless any
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_5
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any4 192.168.2.0 255.255.255.248
access-list inside_nat0_outbound extended permit tcp any4 192.168.2.0 255.255.255.248
access-list inside_nat0_outbound_1 extended permit ip any4 192.168.2.0 255.255.255.248
access-list outside_access_in extended permit tcp any object AppleRouter object-group DM_INLINE_TCP_2
access-list outside_access_in remark VNC
access-list outside_access_in extended permit tcp any object AppleRouter object-group DM_INLINE_TCP_4
access-list outside_access_in extended deny tcp object-group DM_INLINE_NETWORK_1 any object-group DM_INLINE_TCP_3
access-list outside_access_in remark Migration, ACE (line 2) expanded: permit tcp any4 interface outside object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any4 0.0.0.0 0.0.0.0 eq www
access-list outside_access_in extended permit tcp any4 0.0.0.0 0.0.0.0 eq https
access-list outside_access_in remark ICMP config
access-list outside_access_in extended permit icmp any4 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit tcp any4 object AppleRouter object-group Wemo
access-list outside_access_in extended permit udp any4 object AppleRouter object-group Wemo
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static any any destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup inactive
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.0_29 NETWORK_OBJ_192.168.2.0_29 no-proxy-arp route-lookup inactive
object network AppleRouter-4500
nat (inside,outside) static interface service tcp 4500 4500
object network AppleRouter-4444
nat (inside,outside) static interface service tcp 4444 4444
object network AppleRouter-5901
nat (inside,outside) static interface service tcp 5901 5901
object network AppleRouter-5900
nat (inside,outside) static interface service tcp 5900 5900
object network AppleRouter-4445
nat (inside,outside) static interface service tcp 4445 4445
object network AppleRouter-4446
nat (inside,outside) static interface service tcp 4446 4446
object network Wemo-tcp
nat (inside,outside) static interface service tcp 3478 3478
object network Wemo-udp
nat (inside,outside) static interface service udp 3478 3478
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
telnet 192.168.1.0 255.255.255.0 inside
telnet Wireless 255.255.255.0 inside
telnet timeout 10
ssh 192.168.1.0 255.255.255.0 inside
ssh Wireless 255.255.255.0 inside
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
First let's eliminate the ASA as the problem. Connect a PC directly to one of the "inside" ports on the ASA and make sure it receives an IP in the 192.168.1.0/24 range.
add this command to the ASA
object network obj_any
nat (inside,outside) dynamic interface
now try to ping 8.8.8.8 or 4.2.2.2
If ping works, now add the router back into the loop and see if you are able to reach the internet again.
Please remember to select a correct answer and rate helpful posts
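The reply's suggestion amounts to this: the posted configuration has static port forwards and two inactive identity rules, but no active rule that translates general inside traffic towards outside. The following is an added Python check written for this page (not Cisco tooling) that parses the NAT lines of a running-config and reports whether such a rule exists. The sample is built from the nat/object lines posted above; the parser only understands the two line shapes that appear there (manual "nat (a,b) source ..." lines and object NAT lines that follow an "object network" definition).

```python
"""Audit the NAT section of an ASA running-config for general outbound translation.

Added example, not ASA or Cisco tooling. SAMPLE_CONFIG is constructed from the
nat/object lines in the configuration posted above; SUGGESTED_FIX is the line
the reply proposes adding.
"""
import re

SAMPLE_CONFIG = """\
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,any) source static any any destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup inactive
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.0_29 NETWORK_OBJ_192.168.2.0_29 no-proxy-arp route-lookup inactive
object network AppleRouter-4500
nat (inside,outside) static interface service tcp 4500 4500
object network AppleRouter-4444
nat (inside,outside) static interface service tcp 4444 4444
object network Wemo-udp
nat (inside,outside) static interface service udp 3478 3478
"""

SUGGESTED_FIX = """\
object network obj_any
nat (inside,outside) dynamic interface
"""

NAT_RE = re.compile(r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) (?P<body>.+)$")


def parse_nat_rules(config_text):
    """Return one dict per nat line; object NAT lines inherit the preceding object name."""
    rules = []
    current_object = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        words = m.group("body").split()
        manual = words[0] == "source"        # manual (twice) NAT vs object NAT
        rules.append({
            "real_if": m.group("real"),
            "mapped_if": m.group("mapped"),
            "object": None if manual else current_object,
            "dynamic": "dynamic" in words,
            "service_limited": "service" in words,
            "active": words[-1] != "inactive",
            "line": line,
        })
    return rules


def has_general_outbound_translation(rules, inside="inside", outside="outside"):
    """True if some active, dynamic rule translates inside sources towards outside
    without being pinned to a single service (the rule inside hosts need to browse)."""
    for r in rules:
        if (r["real_if"] == inside and r["mapped_if"] in (outside, "any")
                and r["active"] and r["dynamic"] and not r["service_limited"]):
            return True
    return False


def audit(config_text):
    """Summarise the NAT rules and flag a missing outbound PAT rule."""
    rules = parse_nat_rules(config_text)
    return {
        "rules": len(rules),
        "inactive": [r["line"] for r in rules if not r["active"]],
        "port_forwards": [r["object"] for r in rules if r["active"] and r["service_limited"]],
        "outbound_ok": has_general_outbound_translation(rules),
    }


if __name__ == "__main__":
    before = audit(SAMPLE_CONFIG)
    after = audit(SAMPLE_CONFIG + SUGGESTED_FIX)
    print("outbound PAT present before fix:", before["outbound_ok"])
    print("inactive rules:", len(before["inactive"]), "port forwards:", before["port_forwards"])
    print("outbound PAT present after fix: ", after["outbound_ok"])
```

Run against the posted lines the audit reports no general outbound translation; appending the suggested object NAT line flips the result, which matches the reply's expectation that ping to 8.8.8.8 should start working once that rule is in place.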