ASA 5510 - implicit NAT rule?

Apr 8th, 2010

Version 7.0(2)


I had 1 internal server that is getting out through the ASA. I added a 2nd server, but it does not have access. I've read that the implicit NAT rule should work for both, and I see nothing in the config that would show otherwise.


10.9.1.3 can currently ping out, browse, etc. 10.9.1.4 cannot.


10.9.1.4 can ping the inside interface and leave the ASA, but it does not return.


When I ping with 10.9.1.3, the ping message returns and includes the outside interface in the message.

When 10.9.1.4 pings, it tries to return, but the outside interface isn't included in the message.



Pertinent lines from the config:


interface Ethernet0/0
nameif CTC
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx


asdm location 10.9.1.0 255.255.255.0 SKYHAWK
asdm location 10.9.1.2 255.255.255.255 SKYHAWK
asdm location 10.9.1.4 255.255.255.255 SKYHAWK


object-group service Internet tcp
description HTTP; DNS; HTTPS
port-object eq www
port-object eq domain
port-object eq https


access-list SBC_access_in extended permit tcp any interface CTC eq https
access-list SBC_access_in extended permit tcp any interface CTC eq www


access-list site-tosite1 extended permit ip 10.10.0.0 255.255.0.0 172.17.3.0 255.255.255.0
access-list site-to-stie1 extended permit ip 10.9.1.0 255.255.255.0 172.17.3.0 255.255.255.0

access-list site-tosite2 extended permit ip 10.10.0.0 255.255.0.0 172.17.4.0 255.255.255.0
access-list site-to-stie2 extended permit ip 10.9.1.0 255.255.255.0 172.17.4.0 255.255.255.0


access-list SKYHAWK_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.17.3.0 255.255.255.0
access-list SKYHAWK_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.17.4.0 255.255.255.0


global (CTC) 10 interface
nat (SKYHAWK) 0 access-list SKYHAWK_nat0_outbound
nat (management) 10 0.0.0.0 0.0.0.0


icmp permit any CTC
icmp permit any echo SKYHAWK
icmp permit any echo-reply SKYHAWK




These 2 lines bother me. I've had technicians look at the device before; these appear to be left over, and there is no other reference to the names.

access-list SKYHAWK_access_out extended permit ip any any
access-list SKYHAWK_access_in extended permit ip any any


Should they be deleted?

ISCONTACT Thu, 04/08/2010 - 07:56

I should have posted the routes and the few static NATs inside.


static (SKYHAWK,CTC) tcp interface ftp 10.9.1.3 ftp netmask 255.255.255.255

static (SKYHAWK,CTC) tcp interface www 10.9.1.3 www netmask 255.255.255.255
access-group SBC_access_in in interface CTC
route CTC 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

route SKYHAWK 10.10.0.0 255.255.0.0 10.9.1.2 1
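To see at a glance which NAT rules reference each inside interface, here is an added Python script (not from the thread, not Cisco's) that parses the nat, global and static lines posted above. It assumes ASA 7.x syntax and reports any inside interface that has no dynamic nat ID paired with a global, since a global pool is only reachable through a nat statement carrying the same ID.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT-related lines posted in this thread.
CONFIG = """\
global (CTC) 10 interface
nat (SKYHAWK) 0 access-list SKYHAWK_nat0_outbound
nat (management) 10 0.0.0.0 0.0.0.0
static (SKYHAWK,CTC) tcp interface ftp 10.9.1.3 ftp netmask 255.255.255.255
static (SKYHAWK,CTC) tcp interface www 10.9.1.3 www netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (.+?) netmask")

def audit(config: str) -> dict:
    """Group nat/global/static lines by inside interface and flag gaps (ASA 7.x syntax assumed)."""
    nat_ids = defaultdict(set)    # inside ifc -> dynamic nat IDs (> 0)
    exempt = {}                   # inside ifc -> nat 0 access-list name
    statics = defaultdict(list)   # inside ifc -> (real host, proto, port)
    pools = defaultdict(set)      # nat ID -> outside interfaces that define a global
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            ifc, nid, rest = m.group(1), int(m.group(2)), m.group(3)
            if nid == 0 and rest.startswith("access-list "):
                exempt[ifc] = rest.split()[1]
            elif nid > 0:
                nat_ids[ifc].add(nid)
        elif m := GLOBAL_RE.match(line):
            pools[int(m.group(2))].add(m.group(1))
        elif m := STATIC_RE.match(line):
            tok = m.group(3).split()
            # port static: "<proto> <mapped> <mport> <real> <rport>"; plain static: "<mapped> <real>"
            if tok[0] in ("tcp", "udp"):
                statics[m.group(1)].append((tok[3], tok[0], tok[4]))
            else:
                statics[m.group(1)].append((tok[1], "ip", "any"))
    findings = []
    for ifc in set(nat_ids) | set(exempt) | set(statics):
        usable = {nid for nid in nat_ids[ifc] if pools[nid]}
        if not usable:
            hosts = sorted({s[0] for s in statics[ifc]})
            findings.append(f"{ifc}: no 'nat ({ifc}) <id>' paired with a global; only the statics for "
                            f"{hosts} and the nat 0 list {exempt.get(ifc)} describe translations here")
        for nid in nat_ids[ifc] - usable:
            findings.append(f"{ifc}: nat ID {nid} has no matching global")
    return {"nat_ids": dict(nat_ids), "exempt": exempt, "statics": dict(statics), "findings": findings}
```

Run `audit(CONFIG)["findings"]` against the posted lines and SKYHAWK is the one interface flagged, while management pairs nat ID 10 with the global on CTC.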
