Problem with NAT on ASA5520

Unanswered Question

Hi everyone,

I have 4 interfaces: 1 outside interface and 3 inside interfaces (DMZ20, LAN2, LAN3). I need to permit traffic between all inside interfaces, at least for the beginning; this works fine now. NAT for internet access from all inside interfaces to outside also works fine.

But I have a BIG problem with access from the internet to local LAN services (ftp, ssh, www, dns, ntp, smtp, https, ldaps...) using another of my global IP addresses from my internet provider than 193.22.83.82 on the outside interface.

access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www (with 193.22.83.82 works fine)

static (DMZ20,outside) tcp 193.22.83.76 www 192.168.20.72 www netmask 255.255.255.255 (with 193.22.83.82 works fine)

access-group outside_access_in in interface outside

Also, I would not use "same-security-traffic permit inter-interface" to permit traffic between the inside interfaces, but I have problems with the ACL. Also, I don't have time for the settings :( Better would be to change the DMZ20 interface to a DMZ zone with, for example, security-level 30.

Thanks a lot for your help,

Jan

!
ASA Version 7.0(6)
!
hostname asa13
domain-name netlinx.com
enable password dKd2d5d67dG encrypted
names
name 192.168.20.0 LAN_dmz
name 192.66.0.0 LAN_old
name 10.0.0.0 LAN_ba1
name 10.1.0.0 LAN_ba2
name 10.2.0.0 LAN_bb
name 10.16.0.0 LAN_new
name 10.17.0.0 LAN_havirov
name 10.20.0.0 LAN_brno
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.22.83.82 255.255.255.224
!
interface GigabitEthernet0/1
nameif DMZ20
security-level 100
ip address 192.168.20.10 255.255.255.0
!
interface GigabitEthernet0/2
nameif LAN2
security-level 100
ip address 192.66.16.3 255.255.0.0
!
interface GigabitEthernet0/3
nameif LAN3
security-level 100
ip address 10.16.4.222 255.255.0.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd dKd2d5d67dG encrypted
no ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
same-security-traffic permit inter-interface
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_old 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_ba1 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_ba2 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_bb 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_new 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_havirov 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_brno 255.255.0.0
access-list natdmz20 extended deny ip any any log
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_old 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_dmz 255.255.255.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_ba1 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_ba2 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_bb 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_havirov 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_brno 255.255.0.0
access-list natlan3 extended deny ip any any log
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_dmz 255.255.255.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_ba1 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_ba2 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_bb 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_new 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_havirov 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_brno 255.255.0.0
access-list natlan2 extended deny ip any any log
pager lines 24
logging enable
logging trap notifications
logging asdm notifications
logging host DMZ20 192.168.20.19
mtu outside 1500
mtu DMZ20 1500
mtu LAN3 1500
mtu LAN2 1500
no failover
monitor-interface outside
monitor-interface DMZ20
monitor-interface LAN3
monitor-interface LAN2
icmp deny any outside
icmp permit any DMZ20
icmp permit any LAN3
icmp permit any LAN2
asdm image disk0:/asdm506.bin
asdm location LAN_ba1 255.255.0.0 DMZ20
asdm location LAN_ba2 255.255.0.0 DMZ20
asdm location LAN_bb 255.255.0.0 DMZ20
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (DMZ20) 0 access-list natdmz20
nat (DMZ20) 1 LAN_dmz 255.255.255.0
nat (LAN3) 0 access-list natlan3
nat (LAN3) 1 LAN_new 255.255.0.0
nat (LAN2) 0 access-list natlan2
nat (LAN2) 1 LAN_old 255.255.0.0

route outside 0.0.0.0 0.0.0.0 193.22.83.65 1
route DMZ20 LAN_bb 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_ba2 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_ba1 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_havirov 255.255.0.0 192.168.20.251 1
route DMZ20 LAN_brno 255.255.0.0 192.168.20.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http LAN_dmz 255.255.255.0 DMZ20
http LAN_new 255.255.0.0 LAN3
http LAN_old 255.255.0.0 LAN2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet LAN_dmz 255.255.255.0 DMZ20
telnet 16.16.0.0 255.255.0.0 LAN3
telnet LAN_old 255.255.0.0 LAN2
telnet timeout 5
ssh scopy enable
ssh LAN_dmz 255.255.255.0 DMZ20
ssh LAN_new 255.255.0.0 LAN3
ssh LAN_old 255.255.0.0 LAN2
ssh timeout 60
console timeout 0
ntp server 192.168.20.11 source LAN2
tftp-server LAN2 192.66.21.10 /tmp
smtp-server 192.66.19.4
Cryptochecksum:e04d0c33b9fc078f6913f72ef75965a4

sachinraja Tue, 02/02/2010 - 07:17

Hi Jan

Can you post the "show static" output from the firewall?

Are you saying everything works fine with the 83.82 IP (outside IP) and not with the other IPs given by the ISP? For outside access to your server farm, you need to have dedicated IPs NATted to the outside, and rules allowing access from outside to inside.

Regards

Raj

Hi Raj,

"show static" doesn't work, but "show nat" does. Now I have many more rules than before in this discussion, for example "name 193.22.83.80 GTS80, name 193.22.83.94 GTS94, ...". I have these rules with more ISP IPs on another identical ASA 5520 with contexts, where they work fine. On this ASA it worked only once and I don't know why, because the next day I had the same problem again. But when I used only the one ISP address of the outside interface (PAT), the rules work fine.

Do you think these rules aren't enough? But on the other ASA they work fine.

access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www

static (DMZ20,outside) tcp 193.22.83.76 www 192.168.20.72 www netmask 255.255.255.255

access-group outside_access_in in interface outside

Please show me an example of "rules allowing access from outside to inside". I'm still a Cisco beginner.

Thanks very much!

Jan

Show nat:

NAT policies on Interface DMZ20:
  match tcp DMZ20 host zavazadlo eq 5222 outside any
    static translation to GTS80/5222
    translate_hits = 4, untranslate_hits = 4825
  match tcp DMZ20 host zavazadlo eq 5223 outside any
    static translation to GTS80/5223
    translate_hits = 0, untranslate_hits = 2
  match tcp DMZ20 host zavazadlo eq 5269 outside any
    static translation to GTS80/5269
    translate_hits = 0, untranslate_hits = 0
  match tcp DMZ20 host srv110 eq 389 outside any
    static translation to GTS80/389
    translate_hits = 0, untranslate_hits = 7
  match tcp DMZ20 host srv110 eq 636 outside any
    static translation to GTS80/636
    translate_hits = 0, untranslate_hits = 0
  match tcp DMZ20 host srv110 eq 3268 outside any
    static translation to GTS80/3268
    translate_hits = 0, untranslate_hits = 0
  match tcp DMZ20 host srv110 eq 3269 outside any
    static translation to GTS80/3269
    translate_hits = 0, untranslate_hits = 0
  match udp DMZ20 host mrakoplas-DNS eq 53 outside any
    static translation to GTS94/53
    translate_hits = 0, untranslate_hits = 259
  match tcp DMZ20 host mrakoplas-DNS eq 53 outside any
    static translation to GTS94/53
    translate_hits = 0, untranslate_hits = 0
  match tcp DMZ20 host sadmin eq 22 outside any
    static translation to GTS80/3178
    translate_hits = 0, untranslate_hits = 3
  match tcp DMZ20 host pinda eq 8888 outside any
    static translation to GTS80/80
    translate_hits = 0, untranslate_hits = 39
  match tcp DMZ20 host pinda eq 8443 outside any
    static translation to GTS80/443
    translate_hits = 0, untranslate_hits = 122
  match tcp DMZ20 host LB-SK eq 80 outside any
    static translation to GTS75/80
    translate_hits = 0, untranslate_hits = 0
  match tcp DMZ20 host LB-CZ eq 80 outside any
    static translation to GTS81/80
    translate_hits = 1023, untranslate_hits = 9492
  match tcp DMZ20 host 192.168.20.151 eq 80 outside any
    static translation to GTS87/80
    translate_hits = 0, untranslate_hits = 63
  match tcp DMZ20 host 192.168.20.151 eq 443 outside any
    static translation to GTS87/443
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ20 host 192.168.20.22 outside any
    static translation to GTS92
    translate_hits = 0, untranslate_hits = 31
  match ip DMZ20 host 192.168.20.23 outside any
    static translation to GTS91
    translate_hits = 557, untranslate_hits = 221
  match ip DMZ20 host 192.168.20.24 outside any
    static translation to GTS90
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ20 host 192.168.20.25 outside any
    static translation to GTS78
    translate_hits = 0, untranslate_hits = 42
  match ip DMZ20 host 192.168.20.26 outside any
    static translation to GTS68
    translate_hits = 0, untranslate_hits = 37
  match ip DMZ20 host 192.168.20.27 outside any
    static translation to GTS73
    translate_hits = 0, untranslate_hits = 5
  match ip DMZ20 host 192.168.20.28 outside any
    static translation to GTS67
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ20 LAN_dmz 255.255.255.0 outside any
    dynamic translation to pool 1 (GTS82 [Interface PAT])
    translate_hits = 23, untranslate_hits = 19
  match ip DMZ20 LAN_dmz 255.255.255.0 DMZ20 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ20 LAN_dmz 255.255.255.0 LAN2 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 20561, untranslate_hits = 0
  match ip DMZ20 LAN_dmz 255.255.255.0 LAN3 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ20 any outside any
    no translation group, implicit deny
    policy_hits = 275938

NAT policies on Interface LAN2:
  match ip LAN2 LAN_old 255.255.0.0 outside any
    dynamic translation to pool 1 (GTS82 [Interface PAT])
    translate_hits = 45570, untranslate_hits = 1240
  match ip LAN2 LAN_old 255.255.0.0 DMZ20 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 5851, untranslate_hits = 0
  match ip LAN2 LAN_old 255.255.0.0 LAN2 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip LAN2 LAN_old 255.255.0.0 LAN3 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 2737, untranslate_hits = 0
  match ip LAN2 any outside any
    no translation group, implicit deny
    policy_hits = 49896

NAT policies on Interface LAN3:
  match tcp LAN3 host 10.16.4.223 eq 3389 outside any
    static translation to GTS85/3389
    translate_hits = 0, untranslate_hits = 0
  match ip LAN3 LAN_new 255.255.0.0 outside any
    dynamic translation to pool 1 (GTS82 [Interface PAT])
    translate_hits = 9156, untranslate_hits = 413
  match ip LAN3 LAN_new 255.255.0.0 DMZ20 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 612, untranslate_hits = 0
  match ip LAN3 LAN_new 255.255.0.0 LAN2 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 705, untranslate_hits = 0
  match ip LAN3 LAN_new 255.255.0.0 LAN3 any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip LAN3 any outside any
    no translation group, implicit deny
    policy_hits = 0
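An added audit script (not from the thread, not Cisco's own tooling) that parses the "show nat" layout shown above, as a defender would to check what a set of statics actually exposes: it separates whole-host statics (every port reachable unless the outside ACL limits it) from static PAT, and reports which mapped addresses have ever carried an inbound connection. The sample input is constructed from the post's format; the field layout of the regex is an assumption taken from that output.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "show nat" layout of the post above (ASA 7.x); GTS80 etc. are name aliases.
SAMPLE = """\
NAT policies on Interface DMZ20:
  match tcp DMZ20 host pinda eq 8888 outside any
    static translation to GTS80/80
    translate_hits = 0, untranslate_hits = 39
  match tcp DMZ20 host LB-SK eq 80 outside any
    static translation to GTS75/80
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ20 host 192.168.20.22 outside any
    static translation to GTS92
    translate_hits = 0, untranslate_hits = 31
  match ip DMZ20 LAN_dmz 255.255.255.0 outside any
    dynamic translation to pool 1 (GTS82 [Interface PAT])
    translate_hits = 23, untranslate_hits = 19
"""

# One static entry = match line + "static translation to" line + hit counters; dynamic PAT and
# implicit-deny entries have a different second line and therefore never match.
BLOCK_RE = re.compile(
    r"match (\w+) \S+ (host \S+|any|\S+ \S+)(?: eq (\S+))? \S+ \S+\n"
    r"\s*static translation to ([^/\s]+)(?:/(\d+))?\n"
    r"\s*translate_hits = \d+, untranslate_hits = (\d+)")

@dataclass
class Static:
    proto: str                   # "ip" = whole host, every port; tcp/udp = static PAT, one port
    real: str                    # real (DMZ) host and port
    real_port: "str | None"
    mapped: str                  # mapped (outside) address and port
    mapped_port: "str | None"
    untranslate_hits: int        # inbound (outside -> DMZ) uses of this translation

def parse_statics(text):
    """Collect the static translations and their inbound hit counters from show nat output."""
    return [Static(p, real.removeprefix("host "), rp or None, m, mp or None, int(h))
            for p, real, rp, m, mp, h in BLOCK_RE.findall(text)]

def audit(statics):
    """Whole-host statics expose every port (only the outside ACL limits them); a static with
    untranslate_hits = 0 has never carried an inbound connection, the symptom in this thread."""
    key = lambda s: f"{s.mapped}/{s.mapped_port or 'all'}"
    return {"whole_host": [s.real for s in statics if s.proto == "ip"],
            "reached": {key(s): s.untranslate_hits for s in statics if s.untranslate_hits},
            "unused": [key(s) for s in statics if not s.untranslate_hits]}
```

Feed the real `show nat` output in place of SAMPLE; an entry listed under "unused" is one where inbound traffic for that mapped address never reaches the translation, so the upstream routing/ARP for that address and the outside ACL are the places to look next.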

sachinraja Tue, 02/02/2010 - 13:40

Hi Jan

show nat will show you all NAT translation connections, even dynamic NATs. show static will show you the specific one-to-one static NATs configured. If you want to access a server from outside... YES, you need to define 1) static NATs and 2) access-lists to allow traffic from outside to the DMZ.

e.g., if your DMZ server is a web server and has the IP address 192.168.20.72 (from your example), you would need to build a static NAT first:

static (DMZ20,outside) 193.22.83.76 192.168.20.72 netmask 255.255.255.255

This will make sure your packets are translated. You don't need to give a source and destination port of www. First try this, and then you can restrict based on port numbers.

You then need to build access-lists:

access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www

access-group outside_access_in in interface outside

(these are right).

If you have more services, you need to have more statics/ACLs built...

static (DMZ20,outside) 193.22.83.77 192.168.20.73 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 193.22.83.77 eq ftp (example)

If you have specific queries on this, let us know.

Hope this helps. All the best.


Raj
