ASA 5510 NAT Problems

Jun 15th, 2009

Problem:

I am currently trying to configure NAT on my ASA 5510. I am having problems getting the two interfaces to communicate with each other. I can ping my Linksys Router from the outside interface of the firewall, but I am unable to do this from the inside interface.


Setup:

I currently have a Linksys RV082 connected to two ISPs; connected on the LAN side of that is a Cisco ASA 5510 firewall, and connected on the LAN side of that is a Cisco 2821 router.


NAT:

Original:
Interface: interior
Source Network: interior:any/0
Destination Network: any

Translated:
Interface: Exterior
Address: interface PAT

Static routes:

Linksys to Firewall:
Destination IP: 192.168.6.0
Subnet mask: 255.255.255.0
Default Gateway: 192.168.0.101
Hop count: 1
Interface: lan

Firewall to Linksys:
Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1

IP Addresses:
Inside firewall: 192.168.6.0
Outside firewall: 192.168.0.101
Linksys: 192.168.0.1
Cisco Router Outside: 192.168.6.101
Cisco Router Inside: 192.168.4.0


____________Cisco ASA 5510 Configuration_____________________________

Firewall# show running-config
: Saved
:
ASA Version 7.0(8)
!
hostname Firewall
domain-name default.domain.invalid
enable password 6efABQ2cPmP7OKuA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Interior
 security-level 20
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
 nameif Exterior
 security-level 20
 ip address dhcp setroute
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu Exterior 1500
mtu Interior 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Exterior) 100 interface
nat (Interior) 100 0.0.0.0 0.0.0.0
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Exterior
sysopt noproxyarp Interior
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.6.2-192.168.6.10 Interior
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable Interior
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:ff820992c3c5d0aa4866e518fe0f9766
: end


John Blakley Mon, 06/15/2009 - 12:00

If you're wanting to ping from inside out, you should put inspect icmp under your policy-map:


policy-map global_policy
 class inspection_default
  inspect icmp


That should work.


HTH,

John

thotsaphon Mon, 06/15/2009 - 12:10

Hi Michael again (grin),

Your NAT statements look fine to me. Doing PAT. Right? Please let me know about your security policies from inside to outside. I haven't seen any ACL on your configuration. You can use ASDM to see what's going on.


Edit: As John mentioned, for ICMP (stateless) you need to inspect it or allow echo-reply back from outside to inside.



Toshi
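The two approaches John and Toshi describe, written out as an added ASA 7.0-style configuration example (not taken from the thread's configs). The ACL name OUTSIDE_IN is assumed; on this software release an inbound ACL on the outside interface matches the translated address, which with interface PAT is the Exterior interface IP itself. Option A is the narrower choice, since the ASA admits only replies that match an echo request it has already seen leave.

```cisco
! Option A (preferred): stateful ICMP inspection.
! With this in place, an echo request from the Interior host creates a
! connection entry and only the matching echo-reply is allowed back in;
! no ACL on Exterior is needed for the return traffic.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: no ICMP inspection. Instead, explicitly permit the reply
! types back in on the lower-security Exterior interface. Because PAT
! hides Interior behind the Exterior address, the destination is the
! interface itself, not 192.168.6.0/24. This admits replies from any
! outside host, whether or not an echo request was ever sent, which is
! why Option A is the better choice when ICMP inspection is available.
access-list OUTSIDE_IN extended permit icmp any interface Exterior echo-reply
access-list OUTSIDE_IN extended permit icmp any interface Exterior time-exceeded
access-list OUTSIDE_IN extended permit icmp any interface Exterior unreachable
access-group OUTSIDE_IN in interface Exterior
```

After applying either option, "show conn" on the ASA should list an ICMP entry while a ping from the Interior host is in progress; if no entry appears, the request never reached the ASA and the problem is upstream of NAT.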

mebernstein Tue, 06/16/2009 - 05:06
Here is where I am: I am DEAD stuck. I can not get traffic of any kind to pass through the ASA 5510. I have tried what I believe to be everything. Below I have posted my new configuration file. I need to know what is wrong with it and how to fix it. I have also cut the 2821 out of the equation, so now the computer is connected directly to the ASA 5510. Before this all came about I did have the Linksys and the 2821 communicating. I also have heard that you can put the ASA 5510 in the middle in transparent mode (not routed) and keep the packet flow the way it was before. Any help is greatly appreciated.


Cisco ASA 5510 configuration:


ASA Version 7.0(8)
!
hostname Firewall
domain-name default.domain.invalid
enable password 6efABQ2cPmP7OKuA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Interior
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/1
 nameif Exterior
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/2
 shutdown
 nameif 0
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list Exterior_access_in extended permit tcp interface Exterior interface Interior
access-list Exterior_access_in extended permit icmp interface Exterior interface Interior
access-list Exterior_access_in extended permit ip interface Exterior interface Interior
access-list Exterior_access_out extended permit tcp interface Interior interface Exterior
access-list Exterior_access_out extended permit icmp interface Interior interface Exterior
access-list Exterior_access_out extended permit ip interface Interior interface Exterior
access-list Interior_access_in extended permit tcp interface Interior interface Exterior
access-list Interior_access_in extended permit icmp interface Interior interface Exterior
access-list Interior_access_in extended permit ip interface Interior interface Exterior
access-list Interior_access_out extended permit tcp interface Exterior interface Interior
access-list Interior_access_out extended permit icmp interface Exterior interface Interior
access-list Interior_access_out extended permit ip interface Exterior interface Interior
access-list 0_access_in extended permit tcp any interface Exterior
pager lines 24
logging asdm informational
mtu management 1500
mtu Exterior 1500
mtu Interior 1500
mtu 0 1500
icmp permit any management
icmp permit any Exterior
icmp permit any Interior
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Exterior) 100 interface
global (Interior) 101 192.168.6.2-192.168.6.10
nat (Interior) 100 0.0.0.0 0.0.0.0 dns
nat (Interior) 100 0.0.0.0 0.0.0.0 outside
access-group Exterior_access_in in interface Exterior per-user-override
access-group Exterior_access_out out interface Exterior
access-group Interior_access_in in interface Interior per-user-override
access-group Interior_access_out out interface Interior
access-group 0_access_in in interface 0
route Exterior 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp 0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.6.2-192.168.6.10 Interior
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config Interior
dhcpd enable management
dhcpd enable Interior
Cryptochecksum:..
