ASA behind a router performing NAT...

Unanswered Question
Mar 5th, 2008

Hi,

I'm not sure if this would be more suited in the R&S forums but I figure some security people must have worked on something similar....

I have an ASA sitting behind a 2800 router with 2 Internet circuits. I'm trying to NAT everything from the ASA inbound & outbound.

I can't ping from the DMZ to the inside of the router, icmp is allowed. I can't see any denies in the logs either, yet I can see an e-mail appliance (192.168.10.9) getting NAT'd and I know it's receiving updates:

tcp 83.x.x.69:80 192.168.10.9:80 217.198.148.6:52782 217.198.148.6:52782

I was trying to do the NAT on the ASA but I've wiped that so now there's just a 172.16.90.2 address on the outside interface as well as the Inside (10.1.10.0/24) and DMZ (192.168.10.0/24) interfaces.

!
interface GigabitEthernet0/0
 description Link to Outside Interface of ASA
 ip address 172.16.90.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Primary Circuit
 ip address 83.x.x.66 255.255.255.248
 ip nat outside
!
interface FastEthernet0/0/0
 description Backup Circuit
 ip address 89.x.x.159 255.255.255.254
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 83.x.x.64 255.255.255.248 GigabitEthernet0/0
ip route 89.x.x.159 255.255.255.255 GigabitEthernet0/0
ip route 10.1.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0
!
!
ip nat pool NAT_INT 83.x.x.67 83.x.x.69 prefix-length 29
ip nat inside source list 11 pool NAT_INT overload
!
access-list 11 permit any
access-list 11 permit 192.168.10.0 0.0.0.255
access-list 11 permit 10.1.1.0 0.0.0.255
access-list 11 permit 172.16.90.0 0.0.0.255
!

I'm trying to figure out where things are going wrong, the packet-tracer on the ASA suggests everything is fine there, and there doesn't seem to be a whole lot going on with the NAT...maybe something on the routing...

Anybody got any ideas?!

Thanks,

Denis

srue Wed, 03/05/2008 - 12:11

the asa/pix platform denies ICMP by default. the easiest way around this is to enable icmp inspection.

assuming you're running the default global inspection policy, enter the following:

policy-map global_policy
 class inspection_default
  inspect icmp

------------

besides that, what else was wrong?

for communications between networks that reside on different interfaces of the ASA, additional configuration will be required, depending on the security-levels of each interface.

d.donnelly Wed, 03/05/2008 - 12:36

Yup, I enabled that for icmp alright. I'm happy enough with how things are working on the ASA. The problem just seems to be when I try to get out past the router, so I thought there's a problem with how the statics are configured for the internal networks.

I'm stretching my understanding a bit here but if I can provide any more information please let me know.

sundar.palaniappan Wed, 03/05/2008 - 13:08

Dennis,

Can you reconfigure the static route:

Remove:

ip route 192.168.10.0 255.255.255.0 GigabitEthernet0/0

Add:

ip route 192.168.10.0 255.255.255.0 172.16.90.2

If that doesn't help can you share a sanitized copy of the ASA configuration.

HTH

Sundar

d.donnelly Thu, 03/06/2008 - 07:11

Ok, so somehow I resolved this...

I changed the ip routes as you mentioned above but it didn't have any effect. I also changed the NAT configuration to the following:

ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static 172.16.90.2 83.x.x.70

...this didn't seem to have any effect either.

I gave the redundant circuit a higher metric and messed about with the DNS servers and then things started working...

Not sure what happened but it works now so it'll do!

Thanks for your input guys,

Denis
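An added illustration, not from the thread or from Cisco: a minimal model of IOS static-route selection (longest prefix, then lowest administrative distance, equal entries both installed and load-shared) applied to the routes Denis posted, before and after the backup default route is given a higher distance as in his fix. The masked octets are replaced with placeholder values (83.1.1.x / 89.1.1.x) and the function names are hypothetical.

```python
import ipaddress

# Constructed from the routes posted above; "x" octets replaced with
# placeholder values purely for illustration. Tuple: (prefix, egress, distance).
ORIGINAL_ROUTES = [
    ("0.0.0.0/0", "FastEthernet0/0/0", 1),   # backup circuit, default distance 1
    ("0.0.0.0/0", "GigabitEthernet0/1", 1),  # primary circuit, default distance 1
    ("83.1.1.64/29", "GigabitEthernet0/0", 1),
    ("10.1.1.0/24", "GigabitEthernet0/0", 1),
    ("192.168.10.0/24", "GigabitEthernet0/0", 1),
]

# Same table after the fix described in the thread: a higher administrative
# distance on the backup default turns it into a floating static route.
FIXED_ROUTES = [
    (p, i, 10 if (p == "0.0.0.0/0" and i == "FastEthernet0/0/0") else d)
    for p, i, d in ORIGINAL_ROUTES
]


def lookup(routes, dst):
    """Return the set of egress interfaces installed for dst.

    Longest prefix wins; among equal prefixes the lowest administrative
    distance wins; routes that tie on both are all installed and the router
    load-shares between them, so the set may contain more than one entry.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i, d) for p, i, d in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return set()
    best_len = max(n.prefixlen for n, _, _ in matches)
    candidates = [(i, d) for n, i, d in matches if n.prefixlen == best_len]
    best_dist = min(d for _, d in candidates)
    return {i for i, d in candidates if d == best_dist}


def egress_is_consistent(routes, dst, nat_interface):
    """True when every installed path to dst leaves via the interface whose
    address block the NAT pool (83.x.x.67-69, on the primary circuit) belongs
    to. False means some flows are translated to a primary-circuit address
    but sent out the backup link, so replies can return asymmetrically."""
    return lookup(routes, dst) == {nat_interface}
```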
