ASA NAT Problem - I think?

NiallDavis · ‎08-03-2007

Hi Guys,

I have an ASA5520 with an interface to the internet on a /28 public network and an interface to a /24 public network - I will connect other interfaces to other networks in time, but I just want to get the thing working for now.

Anyway, I have set it up from the ASDM using the wizard and some extra config my self. I don't want NAT - i.e I want hosts on the /24 network to be reachable to their original IP from the internet. I can ping anything from the firewall. I can ping the local interface from my test pc (on the /24 network) but I cannot ping, web, telnet etc anything on the internet. However the syslog shows the packets going through the firewall and I have opened the rules up completely for testing.

Can anyone see why the test box cannot reach the internet and vice versa?

Is it NAT?

Config is below (* = omitted text.

Thanks,

Niall.

: Saved

:

ASA Version 7.0(6)

!

hostname cr01-sh

domain-name *.net

enable password B6R1dZUX1mTgE6pC encrypted

names

name 213.*.*.2 Aurix01-s01

dns-guard

!

interface GigabitEthernet0/0

nameif WAN

security-level 0

ip address 217.*.*.34 255.255.255.240

!

interface GigabitEthernet0/1

nameif Customer

security-level 10

ip address 213.*.*.254 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list Customer_access_in extended permit ip any any log

access-list Customer_access_in extended permit icmp any any log

access-list Customer_access_in extended permit udp any any log

access-list Customer_access_in extended permit tcp any any log

access-list WAN_access_out extended permit tcp any any log

access-list WAN_access_out extended permit udp any any log

access-list WAN_access_out extended permit icmp any any log

access-list WAN_access_out extended permit ip any any log

access-list WAN_access_in extended permit ip any host Aurix01-s01

access-list WAN_access_in extended permit icmp any host Aurix01-s01

pager lines 24

logging enable

logging asdm informational

mtu WAN 1500

mtu Customer 1500

mtu management 1500

no failover

monitor-interface WAN

monitor-interface Customer

monitor-interface management

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

access-group WAN_access_in in interface WAN

access-group WAN_access_out out interface WAN

access-group Customer_access_in in interface Customer

route WAN 0.0.0.0 0.0.0.0 217.*.*.33 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 0.0.0.0 0.0.0.0 WAN

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:74609abf4a90bd20175922f0ae6b0e52

: end

acomiskey · ‎08-03-2007

try...

static (Customer,WAN) 213.x.x.0 213.x.x.0 netmask 255.255.255.0

or

access-list nat0 extended permit ip 213.x.x.0 255.255.255.0 any

nat (Customer) 0 access-list nat0

or

nat (Customer) 0 213.x.x.0 255.255.255.0

srue · ‎08-03-2007

since you haven't enabled nat-control, nothing is nat'ed by default. you dont need to do anything except add the appropriate acl's.

for icmp traffic, you have to explicitly allow echo-reply's back in

permit icmp any any echo-reply

or

enable icmp inspection.

NiallDavis · ‎08-03-2007

Thanks for the reply.

I couldn't get DNS or web either - permit icmp any any echo-reply not withstanding, do I not have the correct acl's in place for web browsing?

Thanks again,

Niall.

acomiskey · ‎08-03-2007

Your acls customer_access_in and wan_access_out are allowing everything and are not needed. I would remove them and you will have the same effect.

You are allowing icmp from any into the wan interface but only to Aurix01-s01. Is that where you're pinging from?

NiallDavis · ‎08-03-2007

Yes Aurix01-s1 is my test box and is what I am trying to ping, web browse etc from.

I opened it wide open for testing to try to see if the problem was acl related.

To re-cap, I can ping anywhere from the ASA and I can see the ICMP or dns build and tear down in the syslog when pinging from the test box. I don't see any dropped packets in the syslog.

Thanks again for your help on this.

Niall.

srue · ‎08-03-2007

try removing the following two:

access-group WAN_access_out out interface WAN

access-group Customer_access_in in interface Customer

Once you add those acl's you have to start explicitly allowing a lot of other things , like icmp echo requests (permit icmp any any echo).

NiallDavis · ‎08-04-2007

Thanks for the help again.

OK - I have re-run the setup wizard, tested, played around with changing the security levels so the wan was lower then the customer interface and still nothing. removed and readded acls etc. still nothing.

I have a theory:

I wonder if my isp have loaded in the routes to the customer network?

I ran a tracert from my home to the wan router (gateway for the ASA) and it resolved in 10 hops. I then ran a tracert to the aurix-s01 IP (on the customer network) and it partially resolved to 5 hops and then timed out - it timed out once it made it to my ISP's core router! would this be because they have not loaded the route for the customer network we have ordered?

Would this be why I cannot get internet access through the ASA because the default gateway doesn't know of the network it is coming from and it is not coming from the interface for its default route?

Also would this be why the ASA shows the ping build and tear down in the syslog and no dropped packets but nothing gets out?

Thanks again for your help.

Niall.

NiallDavis · ‎08-06-2007

Just a quick update - It seems the whole problem was my ISP - they had not loaded the routes for the network on the inside interface (customer) - I can now ping etc.

However, I have remove all the rules from the ASDM so that there is just the defualt ruls and now I can ping and resolve DNS, but cannot browse the web. I have checked it is not the test box by substituting with another.

Any ideas?

PS - Sorry for the wild goose chase.

Thanks,

Niall.