Local NAT on ASA 5505

Unanswered Question
Nov 19th, 2008

Hello,

I'm quite new to these boards, so I'll try to explain my problem as best I can.

If something is missing or incorrect pls inform me so I can update.

I want to do a local NAT before an IPsec VPN because my internal range is already known at the customer's site. I've set up the static NAT rules and access policy.

Here you have the config as it is on the ASA right now.

Local server IP: 10.0.74.5

Required NAT address: 192.168.222.1

Customer range: 10.10.10.0/24

VPN Config:

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 200.200.200.200

crypto map outside_map 2 set transform-set ESP-AES-256-SHA

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key "key"

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255 -> 1-on-1 NAT

I'm allowing this first before I start narrowing it down to only ftp!

access-list outside_access_in extended permit tcp any host 192.168.222.1

access-list outside_access_in extended permit ip any host 192.168.222.1

access-list outboundnat2 permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 access-list outboundnat2

nat (inside) 1 0.0.0.0 0.0.0.0

Any help would be greatly appreciated!

Kind regards,

Eleander

Jon Marshall Wed, 11/19/2008 - 02:20

Eleander

You can remove this line

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

because traffic will be from the NATted address, i.e. NAT happens before the crypto-map access-list check.

The remote peer needs to have a mirror image of this access-list so

access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 host 192.168.222.1

You could also remove the following

access-list outside_access_in extended permit tcp any host 192.168.222.1

as your next line permitting ip covers tcp. But then you say you will be looking to narrow that down.

The only other thing is you need to be aware that with a L2L VPN there are 2 ways in terms of acl's it can be setup

1) "sysopt connection permit-vpn": if you have this line in your config then traffic coming from the remote site down the tunnel is unencrypted and then bypasses the acl attached to the outside interface, i.e. the acl on the outside interface does not have any effect on the traffic.

2) If you don't have "sysopt connection permit-vpn" then the traffic will be checked against the acl on the outside interface after being decrypted.

To see whether you are running sysopt connection permit-vpn run

"sh running-config sysopt"

I believe it is on by default.

Jon

LSAEleander Wed, 11/19/2008 - 02:32

Jon,

Thx for the quick reply.

Changed as you proposed but I can't find any sysopt connection entry.

Kind regards,

Eleander

Jon Marshall Wed, 11/19/2008 - 02:37

Eleander

What is the output of running the command

sh running-config sysopt

If you want to turn off bypassing the acl then you will need to enter

asa(config)# no sysopt connection permit-vpn

but that is only if you want the traffic to be subject to your acl on the outside interface.

Jon

Jon Marshall Wed, 11/19/2008 - 03:23

Okay no problem. I just checked the command references and this is on by default -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

So if you want to bypass the acl on the outside interface you don't need to do anything. If you want the incoming VPN traffic to be checked against the acl on the outside interface then you need to enter

asa(config)# no sysopt connection permit-vpn

Still a bit of a mystery as to why it doesn't show the sysopt settings -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s6_72.html#wp1287358

Jon

LSAEleander Wed, 11/19/2008 - 03:31

Jon,

I've changed the config as you proposed and mailed the customer to try the connection again.

Did you by any chance have a look at the added config in my previous post, to see that I didn't make any mistakes in the ACLs?

Kind regards,

Eleander

Jon Marshall Wed, 11/19/2008 - 03:39

Eleander

You will need to add the following

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

FTP is a funny one. Do you know if it is passive ftp or not?

If you have problems getting the FTP to work then you may need to adjust your acl. But first things first, we need to see if the VPN tunnel comes up :-)

Jon

LSAEleander Wed, 11/19/2008 - 04:19

Jon,

I added the information you requested and also the FTP into the access-list. (see attached word doc)

But now I'm having these problems.

"Rejecting IPSec Tunnel: no matching crypto map entry for remote proxy 10.10.10.87/255.255.255.255/0/0 local proxy 192.168.222.1/255.255.255.255/0/0 on interface outside"

Looking into them right now.

What ACL am I missing?

Really appreciate you spending this much time to find a solution!

Kind regards,

Eleander

Jon Marshall Wed, 11/19/2008 - 04:33

Eleander

Is this coming up on the ASA we have been modifying the config on?

Do you happen to have the config for both devices, i.e. the one we have been dealing with and the other one?

Just as a quick test could you add this line to your crypto-map access-list and retry

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 host 10.10.10.87

It really should not make a difference but just in case.

Jon

LSAEleander Wed, 11/19/2008 - 04:46

Jon,

Added the ACL but nothing changes.

In the attachment you can find the latest config.

We only manage this one firewall, which is a pity, and more so because the firewall on the other site isn't a Cisco. :(

Before making your proposed change for the sysopt the L2L was working. So it must be in the access lists!

Thx a lot.

Kind regards,

Eleander

Jon Marshall Wed, 11/19/2008 - 06:09

Eleander

Can you remove the sysopt line and then let me know if it is working, i.e.

pix(config)# sysopt connection permit-vpn

Jon

LSAEleander Wed, 11/19/2008 - 06:13

Jon,

I also dug a little further and the site-to-site seems to be coming active.

There was a problem within the traffic selection for the L2L.

Thx a lot for the support on the access-list!

Just having this problem right now:

6 Nov 19 2008 16:58:29 302013 10.10.10.87 10.0.74.5 Built inbound TCP connection 5460 for outside:10.10.10.87/37590 (10.10.10.87/37590) to inside:10.0.74.5/21 (192.168.222.1/21)

6 Nov 19 2008 16:58:59 302014 10.10.10.87 10.0.74.5 Teardown TCP connection 5460 for outside:10.10.10.87/37590 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout

So the connection goes through but times out!

I think changing/adding ftp instead of ftp-data will resolve my issue!

Thx a lot!!!

Jon Marshall Wed, 11/19/2008 - 06:17

Eleander

Do you think you have it working now or at least know what to do?

I'm dying to get out on my mountain bike but happy to hang around if you need further help.

Jon

LSAEleander Wed, 11/19/2008 - 06:22

Jon,

I've made several changes, but the customer also has an ISDN router; on that router I just added the needed entries (completely forgot about that one).

Get out on your MTB and go out there.

I thank you a lot for your help already and really appreciate it.

If I can't solve it I'll repost in here.

Tomorrow is another day.

btw I'm situated in Belgium so on GMT+1 time.

Have fun and hopefully I'll see you around.

Thx again!

Jon Marshall Wed, 11/19/2008 - 06:28

"Have fun and hopefully i'll see you around"

Will do. I'm in the UK so it's dark by about 4:00 (2:30 at the moment), so I'll check later or tomorrow morning.

Jon

LSAEleander Wed, 11/19/2008 - 07:30

Jon,

I've tested with inspect ftp (enabled or disabled) -> no result!

I can see that the L2L is active within the ASDM logging. (there are only 2 L2L configs on this ASA and they seem both active)

FTP from one site works well. (but the data is exempted)

When checking the log I see SYN Timeouts for this connection.

Added the 10.10.10.0 network within my Cisco 800 router to pass by the firewall (10.0.74.252) to be sure.

I'm quite in the dark here. I'm overlooking something or I'm misunderstanding something.

The sysopt is still active though.

Just let me know when you're back so we can look any further!

Thx

Jon Marshall Wed, 11/19/2008 - 09:02

Okay. Quick test to see if it is the outside acl that is the problem. Can you re-enable sysopt connection permit-vpn, i.e.

asa(config)# sysopt connection permit-vpn

and then retest and let me know. If it works at least we can concentrate on the acl.

Jon

LSAEleander Thu, 11/20/2008 - 00:07

Good morning Jon,

Hope you had a nice ride yesterday.

I've changed the sysopt again and awaiting confirmation from the other side.

Attached is the current running & working config for our customer.

I've exempted traffic from one site and everything works well for them, but to the other site (due to sec reasons) I can only allow ftp! (Still not working)

Getting SYN timeouts within the log but I see the translation is made! Really don't get it.

Kind regards,

Eleander

Jon Marshall Thu, 11/20/2008 - 01:03

Morning. Yes had a good ride. I have to go out in a minute and won't be around until about 12:00 (it's 9:00 now).

But key things to try

1) remove "no sysopt connection permit-vpn" as discussed

2) Have you determined which ftp is in use, i.e. passive or active? The fixup is there for active ftp so you don't have to open up all random ports.

If after re-enabling sysopt connection permit-vpn it still doesn't work then it looks like it could be an application issue. Do you know if the site that works uses ftp, and if they do, are they using the same ftp client as the site that isn't working?

Apologies for not being around this morning. Considering you're new to the forums I don't think I'm representing them very well.

Jon

LSAEleander Thu, 11/20/2008 - 01:08

Jon,

Doesn't matter. I haven't had this much support from people in a while. For forum support I'm very very pleased so it doesn't matter!

Everyone tries to help out people on a free basis in their own free time so don't worry really.

The problem is being looked into and that's the most important thing. It isn't as if I have a network-down issue, and then again there are other solutions for that! :)

I'll see your response when you're back.

Kind regards,

Eleander

LSAEleander Thu, 11/20/2008 - 03:34

Jon,

Removed the no sysopt & still awaiting the test after the ftp fixup change. (update -> still no luck with the fixup enabled or disabled)

The ftp transfer is a "default" ftp so it's the "active" one.

These are the logs I'm getting:

2008-11-20 11:50:03 Local4.Info 10.0.74.252 Nov 20 2008 13:39:04: %ASA-6-302013: Built outbound TCP connection 19941 for outside:10.10.10.87/21 (10.10.10.87/21) to inside:10.0.74.5/5066 (192.168.222.1/5066)

2008-11-20 11:50:33 Local4.Info 10.0.74.252 Nov 20 2008 13:39:34: %ASA-6-302014: Teardown TCP connection 19941 for outside:10.10.10.87/21 to inside:10.0.74.5/5066 duration 0:00:30 bytes 0 SYN Timeout

If I'm getting this right traffic comes in from port 21 but gets translated to a '1024+x' which isn't active on my servers! This means that my NAT isn't right??

I'm getting lost here with my interpretation of the logs!!

Due to sec reasons I constantly needed to alter the IP addresses in the files I've posted, but I thought it might be worth mentioning that the servers I connect to also use a "public" range, namely 143.97.x.x! Maybe this can cause problems with the NAT settings!

Kind regards,

Eleander

Jon Marshall Thu, 11/20/2008 - 04:06

Eleander

Back now and you have my full attention!

Can you post the config you are working with at the moment.

Jon

LSAEleander Thu, 11/20/2008 - 04:17

Like I already said, no problem Jon, I'm very thankful that you're willing to help me out! I wish one day my knowledge of Cisco products will grow to your level though.. :)

Attached you can find my current config.

Bear in mind that I altered the public IPs and that, as mentioned in another post, the customer's internal range is also a 143.x.x.x network.

As you can see I just changed the ACL for the L2L where the ftp is failing. To do another test.

I changed the ACL because of these errors:

2008-11-20 11:50:03 Local4.Info 10.0.74.252 Nov 20 2008 13:39:04: %ASA-6-302013: Built outbound TCP connection 19941 for outside:10.10.10.87/21 (10.10.10.87/21) to inside:10.0.74.5/5066 (192.168.222.1/5066)

2008-11-20 11:50:33 Local4.Info 10.0.74.252 Nov 20 2008 13:39:34: %ASA-6-302014: Teardown TCP connection 19941 for outside:10.10.10.87/21 to inside:10.0.74.5/5066 duration 0:00:30 bytes 0 SYN Timeout

Kind regards,

Eleander

Jon Marshall Thu, 11/20/2008 - 04:37

Okay, I'm going through the config now and there are a few things that are not clear.

1) There are a couple of access-lists that don't seem to be used anywhere eg.

outside_2_cryptomap

outboundnat2 (although it looks like you have removed this?)

2) You have this global statement

global (outside) 2 192.168.222.10-192.168.222.20 netmask 255.255.255.0

but there is no corresponding NAT statement.

Could you also clarify exactly where the FTP is coming to and going from for both the site that works and the site that doesn't.

Thanks

Jon

LSAEleander Thu, 11/20/2008 - 05:02

Indeed I removed the outboundnat2!

The global was in there for a test and I'll delete it! (done)

The outside_2_cryptomap is a typo and should be outside_cryptomap_2! (changed)

Because now I don't have any ACL on the outside_cryptomap_2!

Attached is the altered config!

FTP is coming from 10.10.10.x (the servers defined in my wrong ACLs) and going to 192.168.222.1, which is then NAT'ed to 10.0.74.5. This is the one that is NOT working!

FTP coming from and going to 194.78.124.x gives no problems at all!

Jon Marshall Thu, 11/20/2008 - 05:23

Thanks for the update.

access-list outside_cryptomap_2 extended permit ip host 192.168.222.1 Statoil 255.255.255.0

the above is the first line of outside_cryptomap_2. Can't see where Statoil is defined?

You don't need the rest of this access-list and it is recommended that you do not use TCP ports in your crypto map access-lists. So really you just want the first line but you need to make sure either

a) Statoil relates to something using the "name" command

OR

b) Just use the network subnet

Now because you have said

access-list outside_cryptomap_2 extended permit ip host 192.168.222.1 Statoil 255.255.255.0

that means to control the traffic you will indeed need to hit the outside acl. So you will have to remove sysopt connection permit-vpn eg.

asa(config)# no sysopt connection permit-vpn

By removing this you will need to ensure that your other site still works, but I believe the line

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

will do the job.

However this line also means the Statoil network has full access so you need to modify your outside acl to -

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

*** new line

access-list outside_access_in deny ip 10.10.10.0 255.255.255.0 any

***

where 10.10.10.0 is the Statoil remote subnet.

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

If Statoil are using active FTP then you will need the fixup for FTP.

Sorry for all the edits but the simpler we can make the config the easier to troubleshoot.

Jon

LSAEleander Thu, 11/20/2008 - 05:52

Jon,

No problem at all, I'm getting to understand everything better.

I've changed as you proposed. In the attachment you can now find the new config.

The "statoil" indeed refers to the 10.10.10.x subnet.

Inspect FTP is active.

I added all these ACLs because the customer only wants to see the allowed servers and not the complete subnet! :)

Kind regards,

Eleander

Jon Marshall Thu, 11/20/2008 - 06:13

Okay, we are getting there.

nat (inside) 0 access-list inside_nat0_outbound_1

You also have a nat0_outbound acl which doesn't seem to be referenced anywhere. If it isn't then you can remove it.

The change made to the outside access-list. You have

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

But you need the additional line before the last 2 lines in your acl. If you do a "sh running-config access-list outside_access_in" then it should give you the line numbers. So you can remove the last line (because it is in the wrong order)

no access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

and then insert it by using the line number, e.g. let's say line 5 puts it above the last 2 lines

access-list outside_access_in line 5 deny ip Statoil 255.255.255.0 any

You still haven't defined Statoil so best just make the line

access-list outside_access_in line 5 deny ip 10.10.10.0 255.255.255.0 any

As to your last point. If you only want to include individual IP addresses and not the whole subnet then object-groups are the way to go. So let's say you only want to allow

10.10.10.53, 57 & 87

object-group network Statoil_ips

network-object host 10.10.10.53

network-object host 10.10.10.57

network-object host 10.10.10.87

and then your outside access list looks like

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit gre any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

** change the following 2 lines ***

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

** to ***

access-list outside_access_in extended permit tcp object-group Statoil_ips host 192.168.222.1 eq ftp

access-list outside_access_in extended permit tcp object-group Statoil_ips host 192.168.222.1 eq ftp-data

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

** move this line up above the 2 before it **

access-list outside_access_in extended deny ip Statoil 255.255.255.0 any

You can then modify just the object-group in future if you need to add another Statoil IP or remove one of the existing ones.

Jon

LSAEleander Fri, 11/21/2008 - 03:01

Jon,

Sorry for my late response but had to go to customers.

Thx a lot for this info.

Changing the config again so it becomes easier to read and understand.

I'm going to simplify and repost.

Thx a lot, really thx a lot!

Jon Marshall Fri, 11/21/2008 - 03:53

Eleander

No problem. I will be in and out today but I'll keep checking whenever I can.

Jon

LSAEleander Fri, 11/21/2008 - 04:38

Jon,

I've changed the config accordingly.

Also changed the existing ACLs for the "Statoil" network so the object group is being used.

This shortened my config significantly and made it easier to troubleshoot.

I keep getting SYN errors though.

Config in attachment.

Kind regards,

Eleander

Jon Marshall Fri, 11/21/2008 - 04:53

Eleander

Yes, looks a lot clearer now. One final change if you want but it's not critical - you have these 2 access-lists

inside_nat0_outbound

inside_nat0_outbound_1

only inside_nat0_outbound_1 is being used as far as I can see, so you could remove the other one, i.e.

no access-list inside_nat0_outbound

Okay, a couple of things to check

1) The ftp server 10.0.74.5 - is this used by the other working site or not?

If it isn't, can you try ftping to that server from another address internally just to check that it is all working okay.

2) If it is working okay, does this FTP server have its default gateway set to the ASA inside interface? If not, what is it set to?

Jon

LSAEleander Fri, 11/21/2008 - 06:21

Jon,

Removed the entries.

1) FTP can be reached from the other working site.

H:\>ftp 10.0.74.5 (from my pc)

Connected to 10.0.74.5.

220-QTCP at custserver.cust.local.

220 Connection will close if idle more than 5 minutes.

User (10.0.74.5:(none)): "admin"

331 Enter password.

Password:

230 "admin"logged on.

ftp> quit

221 QUIT subcommand received.

2) The server's default gateway at this moment is an ISDN router, and these are the active routes:

dftroute: 10.0.74.253

On this router following routes are active:

ip route 0.0.0.0 0.0.0.0 10.0.74.252 (ASA)

ip route 10.32.141.0 255.255.255.0 Dialer1 (remote station)

ip route 10.32.143.0 255.255.255.0 Dialer1 (remote station)

ip route 10.10.0.0 255.255.0.0 10.0.74.252 (ip range Statoil)

ip route 194.78.124.0 255.255.255.0 (our site) 10.0.74.252

-> yeah I know it's a public range and I'm dying to get it out, but supporting over 60 site-to-site connections takes a while to plan and implement working NAT! :d :)

Hope this gets you any further.

Kind regards,

Eleander

Jon Marshall Fri, 11/21/2008 - 06:33

Eleander

Can you confirm

1) Which Statoil IP address, i.e. 10.10.?.?, the connection to your FTP server is being made from.

2) Can you post output of a "sh running-config xlate"

3) Can you post log from ASA of latest attempt to connect

4) The FTP server does not have any access restrictions itself in terms of which remote IP addresses can connect, does it?

We may have to do a packet capture next :-)

Jon

LSAEleander Fri, 11/21/2008 - 07:00

Jon,

1) 10.10.10.87 (others can be used too if this server isn't active)

2) asacust# sh xlate

10 in use, 142 most used

Global 192.168.222.1 Local 10.0.74.5

PAT Global 81.81.81.81(25) Local 10.0.74.1(25)

PAT Global 81.81.81.81(110) Local 10.0.74.1(110)

PAT Global 81.81.81.81(1723) Local 10.0.74.1(1723)

PAT Global 81.81.81.81(47) Local 10.0.74.1(47)

PAT Global 81.81.81.81(3206) Local 10.0.74.15(3548)

PAT Global 81.81.81.81(3205) Local 10.0.74.15(3547)

PAT Global 81.81.81.81(1084) Local 10.0.74.16(4352)

PAT Global 81.81.81.81(3155) Local 10.0.74.6(3671)

PAT Global 81.81.81.81(3152) Local 10.0.74.6(3668)

Note that I entered a random external IP! :)

3)

2008-11-21 13:09:46 Local4.Info 10.0.74.252 Nov 21 2008 13:09:25: %ASA-6-302014: Teardown TCP connection 1037 for outside:10.10.10.87/9408 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout

4) no restrictions are being made from the FTP server itself. It's an AS/400 which has full network access through default routing!

Awaiting further logs for test!

Kind regards,

Eleander

Jon Marshall Fri, 11/21/2008 - 07:00

Eleander

Sincere apologies. I have been so wrapped up in tidying up the config I overlooked a very basic setting.

When you ftp from your site you ftp to 10.0.74.5.

When you ftp from Statoil you want them to ftp to 192.168.222.1.

But you can't do this unless of course the ftp service is on different ports for each remote client.

So either

1) You will need to ftp from your site and Statoil to 192.168.222.1

Or

2) the NAT could be done at the Statoil site before it gets to your firewall and before it goes into the VPN tunnel.

The only other option I can think of is that some servers such as Apache allow multiple IP addresses to be associated with the same server and users can connect on different IPs to get an http service.

I don't know the capabilities of the ftp server you are using, but if you had a spare 10.0.74.x address from the range and it could support additional IPs, this would be another way to do it.

Once again sincere apologies, I should have spotted this from the start. Sometimes you can't see the wood for the trees!

Jon

LSAEleander Fri, 11/21/2008 - 07:12

Jon,

When ftp is initiated it will be done from the Statoil site using the 192.168.222.1 address. Of that I'm sure.

When I try to do this from our site I need to reconfigure router so I need to add the 192.168.222.1 address within my router and ASA.

2) incoming NAT from their site won't be done so that's not an option! (they are quite strict about their policy, which is understandable!)

I do have free IPs and I can even hang my server in other ranges without problems. (it's an AS/400 -> the green mean machine ! :d))

No problem Jon, but I've had the same thing; you have seen what you've done to my config, so help was needed, a big oak tree stood in the way! :)

Jon Marshall Fri, 11/21/2008 - 07:20

Eleander

Thanks for that. I'm usually a bit better than this I promise :-)

Okay if Statoil won't NAT then either you will have to connect to that FTP server as 192.168.222.1 from your site and your config would need a bit of updating

OR

You could try and use a different IP address that is not in use and configure another NIC or use a secondary address on the AS400 NIC and then run the ftp service on this.

One very last thing -

access-list outside_access_in extended deny ip object-group Statoil_server any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

You need to modify the top line from

access-list outside_access_in extended deny ip object-group Statoil_server any

to

access-list outside_access_in extended deny ip 10.10.0.0 255.255.0.0 any

because if you just include the object-group then because of the following 2 lines in that acl any clients not in the object-group would be given access to your 10.0.74.0 network.

Jon
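As an added example (not the thread's own configuration), a first-match model of an ASA interface ACL that checks the two ordering points above: the 11/20 06:13 post, where a deny placed after the broad "permit ip any 10.0.74.0" line never matches and has to be re-inserted by line number, and the 11/21 07:20 post, where a deny on the object-group alone leaves unlisted Statoil hosts with access. Assumed: the Statoil_ips object-group from Jon's post, 81.81.81.81 (the placeholder address the poster used in his xlate output) as the outside interface address, and a small port-name table.

```python
import ipaddress

# Added example, not the thread's own configuration: a first-match model of an ASA
# interface ACL used to check the ordering points made in the two posts above.
# Assumptions: the Statoil_ips object-group from Jon's post, an outside interface
# address for "interface outside" (81.81.81.81, the placeholder IP the poster used
# in his xlate output) and port names resolved from this small table.
OBJECT_GROUPS = {"Statoil_ips": ["10.10.10.53", "10.10.10.57", "10.10.10.87"]}
INTERFACES = {"outside": "81.81.81.81"}
PORTS = {"ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110, "pptp": 1723}


def _take_spec(tokens):
    """Consume one ASA address spec: any | host A | object-group N | NET MASK | interface IF."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def _spec_matches(spec, ip):
    kind = spec[0]
    if kind == "any":
        return True
    if kind == "host":
        return ip == ipaddress.ip_address(spec[1])
    if kind == "object-group":
        return any(ip == ipaddress.ip_address(h) for h in OBJECT_GROUPS[spec[1]])
    if kind == "interface":
        return ip == ipaddress.ip_address(INTERFACES[spec[1]])
    return ip in ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)


def parse_ace(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    tokens = tokens[2:]                      # drop 'access-list' and the ACL name
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_spec(rest)
    dst, rest = _take_spec(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORTS.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match is the implicit deny. Returns (action, line_no)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line_no, ace in enumerate(map(parse_ace, acl), start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_spec_matches(ace["src"], src) and _spec_matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line_no
    return "deny", None


def insert_line(acl, line_no, entry):
    """Model 'access-list NAME line N ...': the entry becomes line N, later entries shift down."""
    new = list(acl)
    new.insert(line_no - 1, entry)
    return new


# The outside ACL as posted on 11/20 06:13, with 10.10.10.0/24 in place of the undefined
# name Statoil and the deny as its last (shadowed) line.
ACL_AS_POSTED = [
    "access-list outside_access_in extended permit tcp any interface outside eq pop3",
    "access-list outside_access_in extended permit tcp any interface outside eq pptp",
    "access-list outside_access_in extended permit gre any interface outside",
    "access-list outside_access_in extended permit tcp any interface outside eq smtp",
    "access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp",
    "access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data",
    "access-list outside_access_in extended permit icmp any any",
    "access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0",
    "access-list outside_access_in extended deny ip 10.10.10.0 255.255.255.0 any",
]
DENY_STATOIL = ACL_AS_POSTED[-1]
# Re-inserted above the last two lines (and below the FTP permits), as the post describes.
ACL_REORDERED = insert_line(ACL_AS_POSTED[:-1], 7, DENY_STATOIL)

# The 11/21 07:20 point: a deny on the object-group covers only the listed hosts, a deny on
# the whole 10.10.0.0/16 covers every remote client before the broad permit on the last line.
ACL_GROUP_DENY = [
    "access-list outside_access_in extended deny ip object-group Statoil_ips any",
    "access-list outside_access_in extended permit icmp any any",
    "access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0",
]
ACL_SUBNET_DENY = ["access-list outside_access_in extended deny ip 10.10.0.0 255.255.0.0 any"] + ACL_GROUP_DENY[1:]

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("reordered", ACL_REORDERED)):
        print(name, "10.10.10.87 -> 10.0.74.6:445:", evaluate(acl, "tcp", "10.10.10.87", "10.0.74.6", 445))
        print(name, "10.10.10.87 -> 192.168.222.1:21:", evaluate(acl, "tcp", "10.10.10.87", "192.168.222.1", 21))
    print("group deny, unlisted host:", evaluate(ACL_GROUP_DENY, "tcp", "10.10.10.99", "10.0.74.6", 445))
    print("subnet deny, unlisted host:", evaluate(ACL_SUBNET_DENY, "tcp", "10.10.10.99", "10.0.74.6", 445))
```

The insertion position matters in both directions: placed above the FTP permits (for instance at line 5) the same deny would also block the Statoil FTP session to 192.168.222.1, so it belongs below those permits and above the "permit ip any 10.0.74.0" line.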

LSAEleander Fri, 11/21/2008 - 07:26

From all the answers you gave me and seeing your rating I'm sure you will Jon. :)

I can add a second IP address on the ftp server. But doesn't my NAT problem persist when I'm still using a 10.0.74.x IP?

Eleander

Jon Marshall Fri, 11/21/2008 - 07:34

Eleander

I don't think it will, but only if this address is never accessed from your site, i.e. 194.78.124.0/24.

Remember your nat exemption line is

access-list inside_nat0_outbound_1 extended permit ip 10.0.74.0 255.255.255.0 194.78.124.0 255.255.255.0

nat exemption lines with access-lists take precedence over all other forms of NAT including statics. However if your site never accesses this address via the VPN tunnel then it will never get matched against your "inside_nat0_outbound_1" access-list so it can then get matched by the static translation.

If you wanted to be ultra safe you could exclude the unused IP from the inside_nat0_outbound_1 access-list although obviously that would mean more entries for this access-list.

Alternatively, depending on your internal topology, you could use an altogether different subnet address and have a secondary IP address on the ISDN router. Think this is a bit more complicated than it needs to be.

Jon

LSAEleander Fri, 11/21/2008 - 07:38

Jon,

As I've learned more from you helping me out in this topic I'm going for the first solution.

As long as my internal users don't know the IP they won't access it.

Best is also we deny access from it.

In this way the easiest solution can be implemented, and a great plus is that I can use this to clean up some other things too in other networks. So it will be an all-round solution. :d

Eleander

LSAEleander Fri, 11/21/2008 - 07:51

Jon,

Now I have this in my xlate:

asacust# sh xlate

12 in use, 170 most used

PAT Global 81.81.81.81(25) Local 10.0.74.1(25)

PAT Global 81.81.81.81(110) Local 10.0.74.1(110)

PAT Global 81.81.81.81(1723) Local 10.0.74.1(1723)

PAT Global 81.81.81.81(47) Local 10.0.74.1(47)

Global 192.168.222.1 Local 10.0.74.4

PAT Global 81.81.81.81(3891) Local 10.0.74.15(3984)

PAT Global 81.81.81.81(3890) Local 10.0.74.15(3983)

PAT Global 81.81.81.81(3889) Local 10.0.74.15(3978)

PAT Global 81.81.81.81(3892) Local 10.0.74.16(1183)

PAT Global 81.81.81.81(1) Local 10.0.74.5 ICMP id 3411

PAT Global 81.81.81.81(1667) Local 10.0.74.1(39002)

PAT Global 81.81.81.81(1666) Local 10.0.74.6(1057)

So the NAT statement will be ok.

Hope they can test soon!

LSAEleander Fri, 11/28/2008 - 06:22

Jon,

Sorry for the late reply, but somewhere packets still get dropped.

Can you tell me how to capture/monitor the traffic (or what the right document to read is in this case)? Tried the packet tracer within the ASDM but it doesn't tell me much (packet gets dropped after the NAT resolution).

Kind regards,

Eleander

francisco_1 Fri, 11/28/2008 - 06:51

Cisco ASA can act as a sniffer to gather information about the packets passing through the interfaces. This is important if you want to confirm that traffic from a particular host or network is reaching the interfaces. You can use an ACL to identify the type of traffic and bind it to an interface by using the capture command.

In the example below, an ACL called inside-capture is set up to identify packets sourced from 209.165.202.130 and destined for 209.165.200.230. The security appliance is using this ACL to capture the identified traffic on the inside interface using a capture list named cap-inside.

To view the captured packets, use the show capture command followed by the name of the capture list, or export the capture to a sniffer application like Ethereal or Wireshark. The security appliance captured 15 packets that matched the ACL on the inside interface. The highlighted entry shows that it is a TCP SYN (shown as S after the destination port) packet sourced from 209.165.202.130 with a source port of 11084 and it is destined for 209.165.200.230 on destination port 23. The TCP window size is 4128 while the Maximum Segment Size (MSS) is set to 536 bytes.

Example Packet Capturing

Chicago(config)# access-list inside-capture permit ip host 209.165.202.130 host 209.165.200.230

Chicago(config)# capture cap-inside access-list inside-capture interface inside

Chicago(config)# show capture cap-inside

15 packets captured

1: 02:12:47.142189 209.165.202.130.11084 > 209.165.200.230.23: S 433720059:433720059(0) win 4128

2: 02:12:47.163489 209.165.202.130.11084 > 209.165.200.230.23: . ack 1033049551 win 4128

!Output omitted for brevity

15 packets shown

Note

When the capture command is enabled, the security appliance allocates memory right away. The default memory allocation is 512 KB. The security appliance can overwrite content from the beginning in this buffer space when it is full. The capture command has minimal CPU impact and therefore it is one of the most important troubleshooting tools available in Cisco ASA.

Tip

The output of the capture command can be exported into pcap format, which can be imported into a sniffing tool such as Ethereal or TCPDUMP for further analysis.

LSAEleander Thu, 11/20/2008 - 05:19

Hi Jon,

The ACL typo already changed a lot! (this is why you need an external to look at the messages! :) )

Now I'm getting these error messages:

2008-11-20 13:42:51 Local4.Info 10.0.74.252 Nov 20 2008 13:42:40: %ASA-6-106015: Deny TCP (no connection) from 10.0.74.5/21 to 10.10.10.87/44276 flags SYN ACK on interface inside
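As an added example (not from the thread), a small parser for the three ASA messages quoted across these posts (302013 Built, 302014 Teardown, 106015 Deny TCP (no connection)) that pairs each zero-byte SYN Timeout teardown with its Built entry, so the direction and the NAT'ed address of the failed attempt are visible, and flags any SYN ACK the ASA later dropped between the same two hosts. The sample log is constructed from the lines posted above plus one healthy teardown added here; the regexes search for the message body only, so both ASDM rows and syslog-relayed lines are accepted.

```python
import re

# Added example, not from the thread: parse the 302013 / 302014 / 106015 messages quoted in
# the posts above and correlate them. Only the message body is matched, so the ASDM row
# prefix and the syslog relay prefix are both ignored.
ENDPOINT = r"(\w+):([\d.]+)/(\d+)"
BUILT = re.compile(
    r"Built (inbound|outbound) TCP connection (\d+) for " + ENDPOINT + r" \(([\d.]+)/(\d+)\) to "
    + ENDPOINT + r" \(([\d.]+)/(\d+)\)")
TEARDOWN = re.compile(
    r"Teardown TCP connection (\d+) for " + ENDPOINT + r" to " + ENDPOINT
    + r" duration (\S+) bytes (\d+) ?(.*)$")
DENY_NO_CONN = re.compile(
    r"Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) flags (.+?) on interface (\w+)")

# Constructed sample: the lines quoted in the thread plus one healthy teardown (TCP FINs)
# added here to show that a completed connection is not flagged.
SAMPLE_LOG = """\
6 Nov 19 2008 16:58:29 302013 10.10.10.87 10.0.74.5 Built inbound TCP connection 5460 for outside:10.10.10.87/37590 (10.10.10.87/37590) to inside:10.0.74.5/21 (192.168.222.1/21)
6 Nov 19 2008 16:58:59 302014 10.10.10.87 10.0.74.5 Teardown TCP connection 5460 for outside:10.10.10.87/37590 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout
2008-11-20 11:50:03 Local4.Info 10.0.74.252 Nov 20 2008 13:39:04: %ASA-6-302013: Built outbound TCP connection 19941 for outside:10.10.10.87/21 (10.10.10.87/21) to inside:10.0.74.5/5066 (192.168.222.1/5066)
2008-11-20 11:50:33 Local4.Info 10.0.74.252 Nov 20 2008 13:39:34: %ASA-6-302014: Teardown TCP connection 19941 for outside:10.10.10.87/21 to inside:10.0.74.5/5066 duration 0:00:30 bytes 0 SYN Timeout
2008-11-20 13:42:51 Local4.Info 10.0.74.252 Nov 20 2008 13:42:40: %ASA-6-106015: Deny TCP (no connection) from 10.0.74.5/21 to 10.10.10.87/44276 flags SYN ACK on interface inside
2008-11-21 09:00:00 Local4.Info 10.0.74.252 Nov 21 2008 09:00:00: %ASA-6-302014: Teardown TCP connection 2000 for outside:10.10.10.87/40000 to inside:10.0.74.5/21 duration 0:02:10 bytes 8812 TCP FINs
"""


def parse_events(log_text):
    """Turn the three message types into dicts; endpoints are keyed by interface name."""
    events = []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            d, cid, if1, ip1, p1, mip1, mp1, if2, ip2, p2, mip2, mp2 = m.groups()
            events.append({"type": "built", "id": cid, "direction": d,
                           "ends": {if1: (ip1, int(p1)), if2: (ip2, int(p2))},
                           "mapped": {if1: (mip1, int(mp1)), if2: (mip2, int(mp2))}})
            continue
        m = TEARDOWN.search(line)
        if m:
            cid, if1, ip1, p1, if2, ip2, p2, dur, nbytes, reason = m.groups()
            events.append({"type": "teardown", "id": cid,
                           "ends": {if1: (ip1, int(p1)), if2: (ip2, int(p2))},
                           "duration": dur, "bytes": int(nbytes), "reason": reason.strip()})
            continue
        m = DENY_NO_CONN.search(line)
        if m:
            sip, sp, dip, dp, flags, iface = m.groups()
            events.append({"type": "deny_no_conn", "src": (sip, int(sp)), "dst": (dip, int(dp)),
                           "flags": flags, "interface": iface})
    return events


def find_syn_timeouts(events):
    """Zero-byte SYN Timeout teardowns: the ASA built the connection but never saw the handshake
    complete. The matching Built entry supplies the direction and the NAT'ed (mapped) address."""
    built = {e["id"]: e for e in events if e["type"] == "built"}
    result = []
    for e in events:
        if e["type"] == "teardown" and e["reason"] == "SYN Timeout" and e["bytes"] == 0:
            b = built.get(e["id"])
            result.append({"id": e["id"], "ends": e["ends"],
                           "direction": b["direction"] if b else None,
                           "mapped": b["mapped"] if b else None})
    return result


def find_orphan_replies(events, syn_timeouts):
    """106015 drops of a SYN ACK between the same two hosts as a timed-out attempt: the server
    did answer, but the reply reached the ASA with no connection entry to match it to."""
    pairs = {frozenset(ip for ip, _ in t["ends"].values()) for t in syn_timeouts}
    return [e for e in events
            if e["type"] == "deny_no_conn" and "SYN" in e["flags"] and "ACK" in e["flags"]
            and frozenset((e["src"][0], e["dst"][0])) in pairs]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    timeouts = find_syn_timeouts(events)
    for t in timeouts:
        print(f"conn {t['id']} ({t['direction']}) timed out: {t['ends']} mapped as {t['mapped']}")
    for o in find_orphan_replies(events, timeouts):
        print(f"SYN ACK from {o['src']} to {o['dst']} dropped on {o['interface']} with no connection")
```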
