09-19-2008 06:56 AM - edited 03-11-2019 06:46 AM
So I was trying to configure an ASA 5505 with both dynamic NAT for PC users to reach the internet and static NAT to reach servers behind the ASA. PC users work OK, although they could not ping out, which is odd.
But the real problem is that I set up some static entries for some servers in the network. They can not surf or ping out or anything. But I can ping them on their private inside IPs from the ASA.
Here is a hypothetical example. And keep in mind none of this is cut and paste, it's all off my head from what I can remember so it might be slightly flawed on syntax but this should give you an idea.
!-- my interface configs
interface Vlan1
description Connection to ISP
nameif outside
security-level 0
ip address 44.33.22.11 255.255.255.0
!
interface Vlan2
description Private Network
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface ethernet 0/0
description Connection to ISP
speed 100
duplex full
switchport access vlan 1
!
interface ethernet 0/1
description Private Network
speed 100
duplex full
switchport access vlan 2
!-- temporary for external management and testing. This works and I can reach the ASA.
http server enable
http 0.0.0.0 0.0.0.0 outside
http redirect outside 80
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
console timeout 10
management-access outside
icmp permit any inside
icmp permit any outside
!-- static route to the outside
route outside 0.0.0.0 0.0.0.0 44.33.22.1 1
!-- my dynamic PC users NAT which works
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!-- some static server NATs which don't work
static (inside,outside) 44.33.22.12 192.168.1.12
static (inside,outside) 44.33.22.13 192.168.1.13
static (inside,outside) 44.33.22.14 192.168.1.14
Oh yeah, I also created an inbound ACL to permit any source on the internet to the public IP addresses (44.33.22.12-14) as the destination applied to the outside interface.
As I stated before, all the dynamic NATs work fine. Users can surf the web. However we cannot surf the web from the static servers. I see the xlate but there is no conn. What the heck is going on? I also cannot reach the servers by the public IPs from the outside.
One more little piece of info, I know the public IP addresses are good because those IPs are currently on other devices that are reachable. When those public IPs are put in the ASA as static entries and the server's inside are re-IPd with private IPs, it doesn't work?!?
BTW, I have a "basic" license. Is there some sort of limitation on the ASA 5505 that won't let this work? What gives?
Thanks!
09-19-2008 07:41 AM
You are NATing for clients to access the internet; the dynamic part is good, as long as you made the ACLs to permit traffic going to the public NATed IP address.
But I think you have an error with the static NAT config; it must look like:
static (inside,outside) 44.33.22.12 192.168.1.12 netmask 255.255.255.255
and the ACL in the inbound direction on the outside interface should permit traffic going to 44.33.22.12, not the private address.
After updating the NATing, do
clear xlate
and reload if you can,
then test it.
Good luck.
If helpful, rate.
09-19-2008 07:51 AM
Thank you for your thoughts...
Yes the dynamic PAT for PCs on the private network going to the outside interface IP address works great NAT/Global = good.
The static example you are showing me is actually what I did put. I was typing this all in from memory and just forgot to add the netmask part on the static entry. The static entry is the way you showed it.
And yes, the ACL on the outside interface in bound permits from the internet (any) to the public IP addresses - not the private IPs.
I even had TAC look at it and they said the config was exactly correct. I even rebooted the "next hop" device on the outside just in case it was a stuck ARP issue. Still no good.
The only one thing I didn't do was to reboot the ASA after I got it all configured. Maybe that's what I need to do to resolve the issue???
I'll try that next. But in case that doesn't work -- any other possible ideas?
09-19-2008 08:26 AM
I may have found the answer....
The basic license only allows 10 concurrent users!!! This ASA 5505 has the basic license on it.
"In routed mode, hosts on the inside count towards the limit only when they communicate with the outside (Internet VLAN). The interface associated with the default route is considered to be the Internet interface. See the show local-host command to view the host limits. "
This makes sense. Because users were able to surf the web, right... well, the first 10 users were, anyway. Then the servers would not work because that was more than what the license would permit.
What do you think?
09-22-2008 07:22 AM
Looks like it was the license....
ciscoasa# show local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 0, towards licensed host limit of: 10
Interface outside: 1 active, 79 maximum active, 0 denied
Interface inside: 0 active, 15 maximum active, 2016 denied
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied
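An added example (not from the thread or from Cisco): a small parser for the `show local-host` output quoted above, which pulls out the licensed host limit and the per-interface "denied" counters so an operator can flag license exhaustion before it shows up as "xlate but no conn". The sample text is constructed from the post; the function names and the 80% warning threshold are assumptions.

```python
import re

# Constructed sample, copied from the thread's `show local-host` output
# (ASA 5505 with the Basic license, 10-host limit).
SAMPLE_OUTPUT = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 0, towards licensed host limit of: 10
Interface outside: 1 active, 79 maximum active, 0 denied
Interface inside: 0 active, 15 maximum active, 2016 denied
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied
"""

HOST_RE = re.compile(r"Current host count:\s*(\d+),\s*towards licensed host limit of:\s*(\d+)")
IFACE_RE = re.compile(r"Interface (\S+):\s*(\d+) active,\s*(\d+) maximum active,\s*(\d+) denied")


def parse_local_host(text):
    """Return current host count, licensed limit and per-interface counters."""
    m = HOST_RE.search(text)
    if not m:
        raise ValueError("licensed host limit line not found in output")
    stats = {"count": int(m.group(1)), "limit": int(m.group(2)), "interfaces": {}}
    for name, active, max_active, denied in IFACE_RE.findall(text):
        stats["interfaces"][name] = {
            "active": int(active),
            "max_active": int(max_active),
            "denied": int(denied),
        }
    return stats


def license_findings(text, warn_ratio=0.8):
    """Return human-readable findings: near the host limit, or hosts already denied."""
    stats = parse_local_host(text)
    findings = []
    # Warn before the limit bites: hosts beyond it silently get no connections.
    if stats["count"] >= warn_ratio * stats["limit"]:
        findings.append(
            f"host count {stats['count']} is at or above "
            f"{int(warn_ratio * 100)}% of licensed limit {stats['limit']}"
        )
    # A non-zero denied counter means the limit has already been hit on that interface.
    for name, s in stats["interfaces"].items():
        if s["denied"] > 0:
            findings.append(f"{name}: {s['denied']} host connections denied by the license host limit")
    return findings
```

Run the functions against output captured over SSH from the ASA; the 2016 denied hosts on the inside interface are the signature of the problem described in this thread.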