NAT and ACL on ASA

Feb 20th, 2008

Hi All,

I am trying to configure the second interface on my ASA device to reach the outside world.

From the machines I am able to ping the second interface on the ASA, and vice versa. But the machines are not able to reach the outside world. I doubt my NAT configs and ACL.

Attached is my running config of the ASA device.

Any help on this would be of great help.

Thanks in advance,

sudar

caliber01 Wed, 02/20/2008 - 14:59

Hi All ,

Forgot to mention that 172.16.0.0 can't get to the outside world through the interface fg-idsys (second interface on the ASA).

dongdongliu Wed, 02/20/2008 - 18:30

Hi sudar,

I note this:

global (fg-idsys) 1 interface

interface Ethernet0/3
nameif fg-idsys
security-level 70
ip address 192.168.70.254 255.255.255.0

Do you want to use a private address as a source address to access outside?

Regards,

dongdong

caliber01 Wed, 02/20/2008 - 19:46

Hi Dongdong,

Thanks for your reply.

Actually I want to get outside using my outside interface...

Meaning that the end systems have to come to fg-idsys (interface Ethernet0/3), and then it has to go through the outside interface to reach the Internet.

interface Ethernet0/0
nameif outside
security-level 0
ip address 63.146.69.170 255.255.255.248

...thanks a lot, looking forward.

dongdongliu Wed, 02/20/2008 - 21:02

Hi sudar,

I know what you mean, but I could not find any configuration that relates fg-idsys (private address) with outside (public address).

Please use "show xlate" to see which address is NATed when the internal machine wants to access the Internet.

Regards,

dongdong

caliber01 Thu, 02/21/2008 - 11:15

Here is my NAT output for that interface.

But still I can't see it in the xlate output for this IP address, 172.16.1.0 255.255.255.0:

Fugen-FW# sh nat fg-idsys
==========================
match ip fg-idsys network161 255.255.255.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fg-idsys network161 255.255.255.0 fg-idsys any
dynamic translation to pool 1 (192.168.70.254 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fg-idsys any outside any
no translation group, implicit deny
policy_hits = 0

Fugen-FW# sh xlate
21 in use, 205 most used
Global 63.146.XX.XXX Local 192.168.49.10
Global 63.146.XX.XXX Local 192.168.49.13
PAT Global 63.146.XX.XXX(273) Local 172.31.0.101(123)
PAT Global 63.146.XX.XXX(392) Local 172.31.0.150(123)
PAT Global 63.146.XX.XXX(32253) Local 192.168.48.139(1026)
PAT Global 63.146.XX.XXX(32208) Local 192.168.48.139(56162)
PAT Global 63.146.XX.XXX(13928) Local 192.168.48.139(4304)
PAT Global 63.146.XX.XXX(14126) Local 192.168.48.140(3211)
PAT Global 63.146.XX.XXX(14125) Local 192.168.48.140(3210)
PAT Global 63.146.XX.XXX(14124) Local 192.168.48.140(3209)
PAT Global 63.146.XX.XXX(14123) Local 192.168.48.140(3208)
PAT Global 63.146.XX.XXX(14122) Local 192.168.48.140(3207)
PAT Global 63.146.XX.XXX(14121) Local 192.168.48.140(3206)
PAT Global 63.146.XX.XXX(13994) Local 192.168.48.140(3160)
PAT Global 63.146.XX.XXX(13739) Local 192.168.48.140(2911)
PAT Global 63.146.XX.XXX(32187) Local 192.168.48.140(13258)
PAT Global 63.146.XX.XXX(13700) Local 192.168.48.140(2878)
PAT Global 63.146.XX.XXX(272) Local 192.168.48.1(137)
PAT Global 63.146.XX.XXX(14154) Local 192.168.48.147(61053)
PAT Global 63.146.XX.XXX(14153) Local 192.168.48.147(61052)
PAT Global 63.146.XX.XXX(18721) Local 192.168.48.103(10000)

What could be the reason? Is there anything else I am missing in the NAT config?

caliber01 Thu, 02/21/2008 - 11:35

Hi,

I am also getting an error in the ASDM log:

No translation group found for icmp src fugen-dmz:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)

And also, what is the impact on these interfaces in regards to the security level?

dongdongliu Thu, 02/21/2008 - 18:30

Hi sudar,

No translation group found for icmp src fugen-dmz:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)

It seems like the ASA considers 172.16.1.0 to come from the fugen-dmz interface. If you "show nat fugen-dmz", maybe you will find some info.

Whether 172.16.1.0 comes from fg-idsys, "nat (fg-idsys) 1 network161 255.255.255.0",

or comes from fugen-dmz, "nat (fugen-dmz) 1 172.16.0.0 255.255.0.0".

Interfaces fugen-dmz and fg-idsys both have private addresses and are not related with outside. I mean, remove "global (fugen-dmz) 1 interface" and "global (fg-idsys) 1 interface", then try again.

Regards,

dongdong

caliber01 Thu, 02/21/2008 - 19:28

Hi,

172.16.1.0 is named network161 and it comes from fg-idsys. And this fg-idsys has a higher security level than fugen-dmz.

When I decrease the security level of fg-idsys below that of fugen-dmz, the error changes to fg-idsys:

No translation group found for icmp src fg-idsys:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)

But from interface fugen-dmz the machines can get to the outside world. I replicated the same config to fg-idsys.

Soon I will post the NAT of fugen-dmz.

caliber01 Fri, 02/22/2008 - 09:54

Hi,

Here is my NAT output for the fugen-dmz interface:

Fugen-FW# sh nat fugen-dmz
===========================
match ip fugen-dmz 192.168.49.0 255.255.255.0 outside 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 172.31.0.0 255.255.255.0 outside 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 11, untranslate_hits = 1277
match ip fugen-dmz any outside 10.100.100.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 192.168.49.0 255.255.255.0 fugen-dmz 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 172.31.0.0 255.255.255.0 fugen-dmz 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz any fugen-dmz 10.100.100.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz host 192.168.49.10 outside any
static translation to 63.XXX.XX.XXX
translate_hits = 478, untranslate_hits = 4044
match ip fugen-dmz host 192.168.49.13 outside any
static translation to 63.XXX.XX.XXX
translate_hits = 724, untranslate_hits = 4894
match ip fugen-dmz host 200.198.184.106 fugen-dmz any
alias translation to 192.168.101.155
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 192.168.49.0 255.255.255.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX[Interface PAT])
translate_hits = 242, untranslate_hits = 4
match ip fugen-dmz 192.168.49.0 255.255.255.0 fugen-dmz any
dynamic translation to pool 1 (192.168.254.254 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz 172.31.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX[Interface PAT])
translate_hits = 2098, untranslate_hits = 92
match ip fugen-dmz 172.31.0.0 255.255.0.0 fugen-dmz any
dynamic translation to pool 1 (192.168.254.254 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fugen-dmz any outside any
no translation group, implicit deny
policy_hits = 82234
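To see which rule a given flow would hit on this pre-8.3 ASA, here is an added Python example (not from the thread or from Cisco) that parses a trimmed copy of the posted "show nat" output and replays the ASA's ordered first-match lookup; the name map for network161 and the trimmed sample text are assumptions taken from what the thread states.

```python
import ipaddress, re
# Constructed sample: a subset of the thread's "show nat" output, masked public address kept as-is.
SHOW_NAT_FUGEN_DMZ = """\
match ip fugen-dmz 172.31.0.0 255.255.255.0 outside 192.168.50.0 255.255.255.0
NAT exempt
translate_hits = 11, untranslate_hits = 1277
match ip fugen-dmz 172.31.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX[Interface PAT])
translate_hits = 2098, untranslate_hits = 92
match ip fugen-dmz any outside any
no translation group, implicit deny
policy_hits = 82234
"""
SHOW_NAT_FG_IDSYS = """\
match ip fg-idsys network161 255.255.255.0 outside any
dynamic translation to pool 1 (63.XXX.XX.XXX [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip fg-idsys any outside any
no translation group, implicit deny
policy_hits = 0
"""
NAMES = {"network161": "172.16.1.0"}  # assumed name map; the thread says 172.16.1.0 is named network161

def _parse_spec(tokens, i):
    """Consume one address spec (any | host A | A MASK | NAME MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    addr = NAMES.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2

def parse_show_nat(text):
    """Parse pre-8.3 'show nat' output (three lines per rule) into an ordered rule list."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    rules = []
    for k in range(0, len(lines), 3):
        match_line, action, hits = lines[k:k + 3]
        tok = match_line.split()  # match ip <src_if> <src spec> <dst_if> <dst spec>
        src_net, j = _parse_spec(tok, 3)
        dst_net, _ = _parse_spec(tok, j + 1)
        counters = {n: int(v) for n, v in re.findall(r"(\w+_hits) = (\d+)", hits)}
        rules.append({"src_if": tok[2], "src": src_net, "dst_if": tok[j], "dst": dst_net, "action": action, "hits": counters})
    return rules

def lookup(rules, src_if, src_ip, dst_if, dst_ip):
    """Replay the ASA's ordered first-match NAT lookup for one flow; None if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["src_if"], r["dst_if"]) == (src_if, dst_if) and s in r["src"] and d in r["dst"]:
            return r["action"]
    return None
```

Run against the two outputs, 172.16.1.253 arriving on fugen-dmz falls through to the implicit deny (the exact syslog the poster sees), while the same host arriving on fg-idsys matches the network161 PAT rule whose translate_hits is still 0.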

caliber01 Mon, 02/25/2008 - 11:54

Hi All,

I have been stuck with this for a long time...

Net pros, please give your valuable suggestions on this NAT problem.
