ASA Configuration.....Possibly NAT

Answered Question
Apr 18th, 2010

Hi,
I am trying to configure an ASA but I am overlooking something simple I think.  It's been a few years since I have used an ASA.  I am trying to get my PC on the Inside Network connected to Ethernet 0/1 on the ASA out to my router.
From the PC I can ping Eth 0/1 (IP 192.168.150.1)
From the ASA I can ping the interface of the router (IP 10.1.20.1) and from the router I can ping Eth 0/0 on the ASA (IP 10.1.20.10)
I am not able to get the PC past the ASA's Eth 0/1 interface

I am wondering if it is NAT that's missing


     PC ------------------------>             ASA     --------------------------->  Router
                                      E 0/1                E0/0                            FE 0/1
  IP 192.168.150.2          192.168.150.1     10.1.20.10                  10.1.20.1
  DG 192.168.150.1   

show route


Gateway of last resort is not set

C    192.168.150.0 255.255.255.0 is directly connected, Inside
C    10.1.20.0 255.255.255.0 is directly connected, Outside

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_access_in; 3 elements
access-list Inside_access_in line 1 extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www (hitcnt=0) 0xdcb4dc10
access-list Inside_access_in line 2 extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain (hitcnt=0) 0xc6121d1b
access-list Inside_access_in line 3 extended permit icmp any any (hitcnt=100) 0xb34531ad
access-list Outside_access_in; 1 elements
access-list Outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x2d93ecad

Jon Marshall Sun, 04/18/2010 - 07:23

niall-wilkins wrote:

Hi,
I am trying to configure an ASA but I am overlooking something simple I think.  It's been a few years since I have used an ASA.  I am trying to get my PC on the Inside Network connected to Ethernet 0/1 on the ASA out to my router.
From the PC I can ping Eth 0/1 (IP 192.168.150.1)
From the ASA I can ping the interface of the router (IP 10.1.20.1) and from the router I can ping Eth 0/0 on the ASA (IP 10.1.20.10)
I am not able to get the PC past the ASA's Eth 0/1 interface

I am wondering if it is NAT that's missing


     PC ------------------------>             ASA     --------------------------->  Router
                                      E 0/1                E0/0                            FE 0/1
  IP 192.168.150.2          192.168.150.1     10.1.20.10                  10.1.20.1
  DG 192.168.150.1   

show route


Gateway of last resort is not set

C    192.168.150.0 255.255.255.0 is directly connected, Inside
C    10.1.20.0 255.255.255.0 is directly connected, Outside

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_access_in; 3 elements
access-list Inside_access_in line 1 extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www (hitcnt=0) 0xdcb4dc10
access-list Inside_access_in line 2 extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain (hitcnt=0) 0xc6121d1b
access-list Inside_access_in line 3 extended permit icmp any any (hitcnt=100) 0xb34531ad
access-list Outside_access_in; 1 elements
access-list Outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x2d93ecad

Niall

Yes, it is NAT. You can do a number of things -

1) turn off NAT globally on the firewall, i.e. "no nat-control"

2) use a NAT exemption on your firewall for your host, i.e.

access-list NATEX permit ip host 192.168.150.2 any

nat (inside) 0 access-list NATEX

3) use a static, i.e.

static (inside,outside) 192.168.150.2 192.168.150.2 netmask 255.255.255.255

All of the above will mean your host address is unchanged on the outside.

If you want to change the host address then -

4) nat (inside) 1 192.168.150.2 255.255.255.255

     global (outside) 1 interface

this will change your IP of 192.168.150.2 to 10.1.20.10 as it goes to the outside. This would mean you wouldn't need a route back on the router to the 192.168.150.0/24 network.

Jon

niall-wilkins Mon, 04/19/2010 - 14:39

Hi,

Thanks for the response.

I added the no nat-control command and tried again but it still fails.

To simplify things I removed the router and added a PC to the outside interface.  However, I can ping the outside interface from the outside PC and I can ping the inside interface from the inside PC, but I can get through the firewall.

I have added the following ACL

access-list Inside-Interface_access_in extended permit ip host Inside-Host host Outside-Host
access-list Outside-Interface_access_in extended permit ip any any

Inside-Host is 192.168.150. and Outside-host is 10.1.20.2

PC(192.168.150.2)-------->Eth0/1 (192.168.150.1) ASA Eth0/0 (10.1.20.1)--------->PC2 (10.1.20.2)

If I check the logs I see the following:

%ASA-6-106015: Deny TCP (no connection) from Inside-Host/2360 to 192.168.150.1/443 flags FIN ACK  on interface Inside-Interface
%ASA-7-710005: TCP request discarded from Inside-Host/2360 to Inside-Interface:192.168.150.1/443
%ASA-3-106014: Deny inbound icmp src Inside-Interface:Inside-Host dst Outside-Interface:Outside-Host (type 8, code 0)
%ASA-7-710005: UDP request discarded from Inside-Host/137 to Inside-Interface:192.168.150.255/137
SSL-VPN#
SSL-VPN#

I know that it is something really, really simple that I am overlooking but I have not figured it out yet.  I have included a copy of my config to assist.

Anyway thanks again

Correct Answer
dtochilovsky Tue, 04/20/2010 - 09:04

Based on your configuration, the security levels that you set for the inside and the outside interfaces are the same - equal to 0.

Traffic will not pass between interfaces that have the same security level.

Either change one interface to have a different security level - typically the inside interface has a security level of 100 (most secure), or allow communication between interface that have the same security levels as documented here : http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/intparam.html#wpxref49092

Let me know if that helps.

Dmitry.
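As an added example that is not part of this thread, the following pre-8.3 ASA configuration puts both answers together: different security levels on the two interfaces (Dmitry's point) and NAT handled by one of the options Jon listed. Interface names, addresses and the Inside ACL are taken from the thread; the policy-map names and the verification commands are standard ASA defaults assumed here.

```cisco
! Added example: pre-8.3 ASA syntax, matching the nat-control/static/global era of the thread.
! Interface names and addresses follow the diagram in the thread.
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 10.1.20.10 255.255.255.0
!
! Fix 1 (security levels): Inside=100 and Outside=0 now differ, so the
! same-security rule no longer drops the flow. Only if both interfaces had
! to keep the same level would this be needed instead:
! same-security-traffic permit inter-interface
!
! Fix 2 (NAT): either stop requiring a translation at all ...
no nat-control
! ... or keep nat-control and exempt the host (identity NAT, address unchanged):
! access-list NATEX extended permit ip host 192.168.150.2 any
! nat (Inside) 0 access-list NATEX
! ... or PAT the host to the Outside interface address, which removes the
! need for a return route on the router:
! nat (Inside) 1 192.168.150.2 255.255.255.255
! global (Outside) 1 interface
!
! Inside ACL from the thread, bound to the interface with access-group
! (an ACL that is never bound has no effect on traffic).
access-list Inside_access_in extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www
access-list Inside_access_in extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain
access-list Inside_access_in extended permit icmp any any
access-group Inside_access_in in interface Inside
!
! Echo replies coming back from Outside are only tracked statefully when
! ICMP inspection is on; with it enabled no "permit icmp any any" is
! needed on the Outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification after the change:
!   show nameif                        -> Inside 100 / Outside 0
!   show run nat-control               -> no nat-control
!   show access-list Inside_access_in  -> hitcnt increasing for the host
! Unless the PAT option is used, the router still needs a return route:
!   ip route 192.168.150.0 255.255.255.0 10.1.20.10   (configured on the router)
```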
