ASA 5510 v7.2(3) NAT problem

Answered Question
Dec 20th, 2007

Hi,


Hope that someone can shed some light on the issue which I think is a problem. I am trying to configure the ASA firewall behind a 3800 router and the default route for the firewall is pointing to the router (via public IP).


After I had configured all the interfaces on the ASA and added the "nat-control" and "static" statements, all the machines are able to go to the Internet without the need for an access list. Is this the correct behaviour?


Here is the configuration I had done on the ASA.


========================================

ASA Version 7.2(3)

!

hostname Firewall

enable password xxx

names

name 1xx.xx.xx.xx A-EXT

name 192.168.10.2 A-INT

name 1xx.xx.xx.xx B-EXT

name 192.168.10.3 B-INT

name 192.168.10.4 C-INT

name 1xx.xx.xx.xx C-EXT

name 1xx.xx.xx.xx D-EXT

name 192.168.10.5 D-INT

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 116.x.x.x 255.255.255.240

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!


interface Ethernet0/2

nameif DMZ

security-level 50

ip address 192.168.99.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

!

passwd xxx

no ftp mode passive

pager lines 24

mtu Outside 1500

mtu Inside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

static (Inside,Outside) A-EXT A-INT netmask 255.255.255.255

static (Inside,Outside) B-EXT B-INT netmask 255.255.255.255

static (Inside,Outside) C-EXT C-INT netmask 255.255.255.255

static (Inside,Outside) D-EXT D-INT netmask 255.255.255.255


route Outside 0.0.0.0 0.0.0.0 116.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx


========================================

srue Thu, 12/20/2007 - 09:32

since nat-control is enabled, only hosts with static statements should be able to get out.

for everyone to get out that doesn't have a static statement, you can add the following statements:

nat (inside) 1 0 0

global (outside) 1 interface


this will PAT all other inside IPs to the external interface of the ASA.

tanziweigca Thu, 12/20/2007 - 09:53

Hello Srue,


Thanks for the reply.


So the behaviour is actually normal and nothing to be alarmed about? Because the last time I configured a PIX, I had to specifically add an access list before all the machines could access the Internet.


Thanks,


Tan

tanziweigca Thu, 12/20/2007 - 22:03

Hi,


Now I am getting more and more confused on using the access list on the ASA. I am still in the beginner stage of using the ASA and tried to configure it. First the NAT problem and now the access lists. Do provide some suggestions/info on whether I am doing the right thing on the device.


The config is as follows:


========================================

ASA Version 7.2(3)

!

hostname Firewall

enable password utCRxZC9Wy3lLvgs encrypted

names

name 1xx.xx.xx.xx A-EXT

name 192.168.10.2 A-INT

name 1xx.xx.xx.xx B-EXT

name 192.168.10.3 B-INT

name 192.168.10.4 C-INT

name 1xx.xx.xx.xx C-EXT

name 1xx.xx.xx.xx D-EXT

name 192.168.10.5 D-INT

name 203.xx.xx.xx Office-Public

name 63.xx.xx.xx A-Head-Office

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 116.x.x.x 255.255.255.240

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!


interface Ethernet0/2

nameif DMZ

security-level 50

ip address 192.168.99.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

no ftp mode passive

same-security-traffic permit inter-interface

access-list Outside_access_in extended permit tcp host Office-Public host A-EXT

access-list Inside_access_out extended permit tcp host A-INT host Office-Public eq https

access-list Inside_access_out extended permit tcp host A-INT host A-Head-Office eq 9012

access-list Inside_access_out extended permit udp host A-INT host A-Head-Office eq 9012

access-list Inside_access_out extended permit tcp host Office-Public host A-INT eq https

pager lines 24

mtu Outside 1500

mtu Inside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (Inside) 1 192.168.10.0 255.255.255.0

static (Inside,Outside) A-EXT A-INT netmask 255.255.255.255

static (Inside,Outside) B-EXT B-INT netmask 255.255.255.255

static (Inside,Outside) C-EXT C-INT netmask 255.255.255.255

static (Inside,Outside) D-EXT D-INT netmask 255.255.255.255

access-group Outside_access_in in interface Outside

access-group Inside_access_out out interface Inside

route Outside 0.0.0.0 0.0.0.0 116.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:282a3f77769a7500573c447fafca0fda


========================================


I am trying to allow HTTPS access from Office-Public to A-INT and I am very confused on why the statement below must be there in order for traffic to flow.


"access-list Inside_access_out extended permit tcp host Office-Public host A-INT eq https"


Any help on this is greatly appreciated.


Merry Christmas,


Confused Tan

husycisco Fri, 12/21/2007 - 20:17

Hi Tan

Think about it: does the 203.xx.xx.xx client type https://192.168.10.2 to reach A-INT, which is at a remote office? No. They type A-EXT.

203.xx.xx.xx is an outside address and 192.168.10.2 is an inside one. So the traffic is from outside to inside. Can we define this as Inside_access_out? No.

So the statement you mention mustn't be there. What you have to do is


access-list outside_access_in permit tcp host Office-Public host A-EXT eq https

access-group outside_access_in in interface outside

Regards

tanziweigca Sat, 12/22/2007 - 00:24

Hello Husycisco,


Thanks for your feedback.


I did try to use the statements that you mentioned but still, the traffic does not go through from outside to inside. I always get an error message about "deny by inside_access_out". Until I put in the statement as if the traffic is from inside to outside, nothing works; with it, everything works fine. I knew that the statement should not be there, but after some troubleshooting I still have no other option but to put it in to let the traffic flow.


Do you have any ideas what could be the problem?


Thanks a lot.

tanziweigca Sat, 12/22/2007 - 02:36

Hi,


More information about the problem.


When I keyed in the following, I continued to get the errors about "deny by inside_access_out".


access-list inside_access_out permit tcp host A-INT host Office-Public eq https

access-list outside_access_in permit tcp host Office-Public host A-EXT eq https

access-group outside_access_in in interface outside


I believed the above statements should be enough for the traffic to flow through (the Static statement is already there) but somehow, it still does not work. I think somewhere on the configuration, there is an error which caused this problem but I just could not pinpoint it.


Any help on this is greatly appreciated.


Thanks,


Tan
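The two configuration questions in this thread (srue's point about nat-control requiring a translation for every host, and the "deny by inside_access_out" messages above) come down to where the ASA evaluates an access-group and with which addresses. An ACL applied "in" on Outside sees the packet as it arrives, with the mapped address (A-EXT); an ACL applied "out" on Inside sees the same outside-to-inside connection again as it leaves the ASA towards the inside host, now with the real address (A-INT), and its implicit deny drops anything not listed, which is logged as %ASA-4-106023 quoting that access-group name. That is why the entry with `host Office-Public host A-INT eq https` had to exist in Inside_access_out. The fragment below is an added example for ASA 7.2, not configuration taken from the poster or from Cisco; it reuses the thread's names (A-EXT, A-INT, Office-Public, the 192.168.10.0/24 Inside network) and assumes the public addresses are the ones defined under `names` in the original config.

```cisco
! Added example (not from the thread): minimal ASA 7.2 NAT + ACL layout for
! publishing HTTPS on A-INT (192.168.10.2) as A-EXT to the Office-Public host.
! Names are the thread's; the public IPs are those defined under "names".
!
nat-control
!
! 1. Translations. With nat-control, a flow that matches no static/nat rule
!    is dropped, so every inside host needs one of the two below.
static (Inside,Outside) A-EXT A-INT netmask 255.255.255.255
! Everything else on 192.168.10.0/24 is PATed behind the Outside address.
nat (Inside) 1 192.168.10.0 255.255.255.0
global (Outside) 1 interface
!
! 2. Inbound policy. Packets arriving on Outside are matched against the
!    inbound ACL using the MAPPED address (A-EXT), before the static is undone.
!    Only the published port is opened, not "permit tcp ... host A-EXT".
access-list Outside_access_in extended permit tcp host Office-Public host A-EXT eq https
access-group Outside_access_in in interface Outside
!
! 3. The trap in the thread: an ACL applied "out" on Inside filters packets
!    LEAVING the ASA towards inside hosts, i.e. the same outside->inside
!    connection a second time, now with the REAL address (A-INT). Anything
!    not permitted there is dropped and logged as
!    %ASA-4-106023 ... by access-group "Inside_access_out".
!    Inside->Outside traffic is already allowed by security level 100 -> 0,
!    so the outbound ACL adds nothing and is removed.
no access-group Inside_access_out out interface Inside
clear configure access-list Inside_access_out
!
! 4. Checks (exec mode); replace the bracketed values with the real IPs:
!    show xlate                          -> static A-INT<->A-EXT and PAT entries
!    show access-list Outside_access_in  -> hitcnt increments on the permit line
!    packet-tracer input Outside tcp <Office-Public> 40000 <A-EXT> 443
!                                        -> last phase should be "Action: allow"
```

If an outbound ACL on Inside is genuinely wanted (for example to restrict which inside hosts may be reached from lower-security interfaces), its entries must be written from the perspective of the Inside interface, with the outside source and the real inside destination, exactly like the line the poster found he could not remove.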

Correct Answer
husycisco Sat, 12/22/2007 - 09:29

Tan,

Please post the complete syslog message

And try this

no access-group inside_access_in out interface inside

access-group inside_access_in in interface inside

tanziweigca Sun, 12/23/2007 - 22:38

Hi Husycisco,


Thanks for your help.


I actually upgraded the ASA software to the latest version and everything works fine!! I do not know why this is so but the upgrade does the magic. Thanks for your help on the issue and greatly appreciated for your effort. Hope you have a wonderful Christmas and New Year.


Cheers,


Tan

husycisco Mon, 12/24/2007 - 00:02

Hi Tan

You are welcome. Would you please post your current running config if you have time, so we can determine the possible reasons (for other users who may search and find your topic; it may help them)?

Hope you have a Merry Christmas and a Happy New Year.


Regards

tanziweigca Tue, 12/25/2007 - 06:25

Hello Husycisco,


Thanks for the feedback.


No problem posting the latest running config on the ASA. The information is attached to this posting.


I had created another post about creating GRE in this particular ASA. If you know anything about it, please do reply to the post. Thanks a lot in advance.


Thanks and Happy Holidays,


Tan


