ASA 5505 Dynamic NAT ok Static NAT won't work!

Unanswered Question
Sep 19th, 2008

So I was trying to configure an ASA 5505 with both dynamic NAT for PC users to reach the internet and static NAT to reach servers behind the ASA. PC users work OK, although they could not ping out, which is odd.

But the real problem is that I set up some static entries for some servers in the network. They can not surf or ping out or anything. But I can ping them on their private inside IPs from the ASA.

Here is a hypothetical example. And keep in mind none of this is cut and paste; it's all off my head from what I can remember, so it might be slightly flawed on syntax, but this should give you an idea.

!-- my interface configs
interface Vlan1
 description Connection to ISP
 nameif outside
 security-level 0
 ip address 44.33.22.11 255.255.255.0
!
interface Vlan2
 description Private Network
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 description Connection to ISP
 speed 100
 duplex full
 switchport access vlan 1
!
interface Ethernet0/1
 description Private Network
 speed 100
 duplex full
 switchport access vlan 2
!-- temporary for external management and testing. This works and I can reach the ASA.
http server enable
http 0.0.0.0 0.0.0.0 outside
http redirect outside 80
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
console timeout 10
management-access outside
icmp permit any inside
icmp permit any outside
!-- static route to the outside
route outside 0.0.0.0 0.0.0.0 44.33.22.1 1
!-- my dynamic PC users NAT which works
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!-- some static server NATs which don't work
static (inside,outside) 44.33.22.12 192.168.1.12
static (inside,outside) 44.33.22.13 192.168.1.13
static (inside,outside) 44.33.22.14 192.168.1.14

Oh yeah, I also created an inbound ACL, applied to the outside interface, to permit any source on the internet to the public IP addresses (44.33.22.12-14) as the destination.

As I stated before, all the dynamic NATs work fine. Users can surf the web. However, we cannot surf the web from the static servers. I see the xlate, but there is no conn. What the heck is going on? I also cannot reach the servers by the public IPs from the outside.

One more little piece of info: I know the public IP addresses are good because those IPs are currently on other devices that are reachable. When those public IPs are put in the ASA as static entries and the servers inside are re-IP'd with private IPs, it doesn't work?!?

BTW, I have a "basic" license. Is there some sort of limitation on the ASA 5505 that won't let this work? What gives?

Thanks!

Marwan ALshawi Fri, 09/19/2008 - 07:41

You're NATing clients to access the internet; the dynamic part is good, as long as you made the ACLs permit traffic going to the public NATed IP address.

But I think you have an error with the static NAT config; it must look like:

static (inside,outside) 44.33.22.12 192.168.1.12 netmask 255.255.255.255

and the ACL in the inbound direction on the outside interface should permit traffic going to 44.33.22.12, not the private address.

After updating the NAT, do

clear xlate

and reload if you can, then test it.

Good luck.

If helpful, rate.

jeremyault Fri, 09/19/2008 - 07:51

Thank you for your thoughts...

Yes, the dynamic PAT for PCs on the private network going to the outside interface IP address works great; NAT/global = good.

The static example you are showing me is actually what I did put. I was typing this all in from memory and just forgot to add the netmask part on the static entry. The static entry is the way you showed it.

And yes, the ACL on the outside interface inbound permits from the internet (any) to the public IP addresses, not the private IPs.

I even had TAC look at it and they said the config was exactly correct. I even rebooted the "next hop" device on the outside just in case it was a stuck ARP issue. Still no good.

The only one thing I didn't do was to reboot the ASA after I got it all configured. Maybe that's what I need to do to resolve the issue???

I'll try that next. But in case that doesn't work, any other possible ideas?

jeremyault Fri, 09/19/2008 - 08:26

I may have found the answer....

The basic license only allows 10 concurrent users!!! This ASA 5505 has the basic license on it.

"In routed mode, hosts on the inside count towards the limit only when they communicate with the outside (Internet VLAN). The interface associated with the default route is considered to be the Internet interface. See the show local-host command to view the host limits. "

This makes sense. Because users were able to surf the web, right... well, the first 10 users were, anyway. Then the servers would not work because that was more than what the license would permit.

What do you think?

jeremyault Mon, 09/22/2008 - 07:22

Looks like it was the license....

ciscoasa# show local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 0, towards licensed host limit of: 10
Interface outside: 1 active, 79 maximum active, 0 denied
Interface inside: 0 active, 15 maximum active, 2016 denied
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied
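As an added illustration (not from the thread or any Cisco tool), a small Python parser that turns `show local-host` output into license-limit findings, so the "denied" counter that explained this thread is caught before anyone has to guess. The sample output is constructed to mimic the post above, with the host count raised to 9 to show the near-limit warning.

```python
import re

# Constructed sample of `show local-host` output, modelled on the thread's
# post (not captured from a real device).
SAMPLE_OUTPUT = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 9, towards licensed host limit of: 10
Interface outside: 1 active, 79 maximum active, 0 denied
Interface inside: 9 active, 15 maximum active, 2016 denied
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied
"""

HOST_LIMIT_RE = re.compile(
    r"Current host count:\s*(\d+),\s*towards licensed host limit of:\s*(\d+)")
IFACE_RE = re.compile(
    r"Interface (\S+):\s*(\d+) active,\s*(\d+) maximum active,\s*(\d+) denied")


def parse_local_host(text):
    """Return (current_count, licensed_limit, {iface: (active, max_active, denied)})."""
    m = HOST_LIMIT_RE.search(text)
    if not m:
        raise ValueError("no 'Current host count' line found in output")
    count, limit = int(m.group(1)), int(m.group(2))
    ifaces = {}
    for name, active, max_active, denied in IFACE_RE.findall(text):
        ifaces[name] = (int(active), int(max_active), int(denied))
    return count, limit, ifaces


def license_findings(text, warn_ratio=0.8):
    """Flag a reached or near-reached host limit and any interface that has
    denied hosts; a non-zero 'denied' counter is the tell-tale for the
    symptom in this thread (xlate built, no conn)."""
    count, limit, ifaces = parse_local_host(text)
    findings = []
    if limit and count >= limit:
        findings.append(f"host limit reached: {count}/{limit}")
    elif limit and count / limit >= warn_ratio:
        findings.append(f"host count near limit: {count}/{limit}")
    for name, (active, max_active, denied) in ifaces.items():
        if denied:
            findings.append(
                f"{name}: {denied} hosts denied (max active seen {max_active})")
    return findings


if __name__ == "__main__":
    for line in license_findings(SAMPLE_OUTPUT):
        print(line)
```

Run it against the real output of `show local-host` (piped in from a terminal capture) to get the same findings for your own unit.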
