ASA Configuration.....Possibly NAT

Answered Question
Apr 18th, 2010

Hi,
I am trying to configure an ASA but I am overlooking something simple I think.  It's been a few years since I have used an ASA.  I am trying to get my PC on the Inside Network connected to Ethernet 0/1 on the ASA out to my router.
From the PC I can ping Eth 0/1 (IP 192.168.150.1)
From the ASA I can ping the Interface of the router (IP 10.1.20.1) and from the router I can ping Eth 0/0 on the ASA (IP 10.1.20.10)
I am not able to get the PC past the ASA's Eth 0/1 interface

I am wondering if it is NAT that's missing



     PC ------------------------>             ASA     --------------------------->  Router
                                      E 0/1                E0/0                            FE 0/1
  IP 192.168.150.2          192.168.150.1     10.1.20.10                  10.1.20.1
  DG 192.168.150.1   


show route


Gateway of last resort is not set

C    192.168.150.0 255.255.255.0 is directly connected, Inside
C    10.1.20.0 255.255.255.0 is directly connected, Outside


access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_access_in; 3 elements
access-list Inside_access_in line 1 extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www (hitcnt=0) 0xdcb4dc10
access-list Inside_access_in line 2 extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain (hitcnt=0) 0xc6121d1b
access-list Inside_access_in line 3 extended permit icmp any any (hitcnt=100) 0xb34531ad
access-list Outside_access_in; 1 elements
access-list Outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x2d93ecad

Jon Marshall Sun, 04/18/2010 - 07:23

niall-wilkins wrote:


Hi,
I am trying to configure an ASA but I am overlooking something simple I think.  It's been a few years since I have used an ASA.  I am trying to get my PC on the Inside Network connected to Ethernet 0/1 on the ASA out to my router.
From the PC I can ping Eth 0/1 (IP 192.168.150.1)
From the ASA I can ping the Interface of the router (IP 10.1.20.1) and from the router I can ping Eth 0/0 on the ASA (IP 10.1.20.10)
I am not able to get the PC past the ASA's Eth 0/1 interface

I am wondering if it is NAT that's missing



     PC ------------------------>             ASA     --------------------------->  Router
                                      E 0/1                E0/0                            FE 0/1
  IP 192.168.150.2          192.168.150.1     10.1.20.10                  10.1.20.1
  DG 192.168.150.1   


show route


Gateway of last resort is not set

C    192.168.150.0 255.255.255.0 is directly connected, Inside
C    10.1.20.0 255.255.255.0 is directly connected, Outside


access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_access_in; 3 elements
access-list Inside_access_in line 1 extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www (hitcnt=0) 0xdcb4dc10
access-list Inside_access_in line 2 extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain (hitcnt=0) 0xc6121d1b
access-list Inside_access_in line 3 extended permit icmp any any (hitcnt=100) 0xb34531ad
access-list Outside_access_in; 1 elements
access-list Outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x2d93ecad


Niall


Yes it is NAT. You can do a number of things -

1) turn off NAT globally on the firewall, i.e. "no nat-control"

2) use a nat exemption on your firewall for your host, i.e.

access-list NATEX permit ip host 192.168.150.2 any
nat (inside) 0 access-list NATEX

3) use a static, i.e.

static (inside,outside) 192.168.150.2 192.168.150.2 netmask 255.255.255.255

All of the above will mean your host address is unchanged on the outside.

If you want to change the host address then -

4) nat (inside) 1 192.168.150.2 255.255.255.255
   global (outside) 1 interface

This will change your IP of 192.168.150.2 to 10.1.20.10 as it goes to the outside. This would mean you wouldn't need a route back on the router to the 192.168.150.0/24 network.


Jon

niall-wilkins Mon, 04/19/2010 - 14:39

Hi,

Thanks for the response.

I added the no nat-control command and tried again but it still fails.

To simplify things I removed the router and added a PC to the outside interface.  However, I can ping the outside interface from the outside PC and I can ping the inside interface from the Inside PC, but I can't get through the firewall.


I have added the following ACL


access-list Inside-Interface_access_in extended permit ip host Inside-Host host Outside-Host
access-list Outside-Interface_access_in extended permit ip any any


Inside-Host is 192.168.150. and Outside-Host is 10.1.20.2


PC(192.168.150.2)-------->Eth0/1 (192.168.150.1) ASA Eth0/0 (10.1.20.1)--------->PC2 (10.1.20.2)


If I check the logs I see the following:


%ASA-6-106015: Deny TCP (no connection) from Inside-Host/2360 to 192.168.150.1/443 flags FIN ACK  on interface Inside-Interface
%ASA-7-710005: TCP request discarded from Inside-Host/2360 to Inside-Interface:192.168.150.1/443
%ASA-3-106014: Deny inbound icmp src Inside-Interface:Inside-Host dst Outside-Interface:Outside-Host (type 8, code 0)
%ASA-7-710005: UDP request discarded from Inside-Host/137 to Inside-Interface:192.168.150.255/137
SSL-VPN#
SSL-VPN#

I know that it is something really, really simple that I am overlooking but I have not figured it out yet.  I have included a copy of my config to assist.

Anyway thanks again

Correct Answer
dtochilovsky Tue, 04/20/2010 - 09:04

Based on your configuration, the security levels that you set for the inside and the outside interfaces are the same - equal to 0.




Traffic will not pass between interfaces that have the same security level.


Either change one interface to have a different security level - typically the inside interface has a security level of 100 (most secure) - or allow communication between interfaces that have the same security level, as documented here: http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/intparam.html#wpxref49092


Let me know if that helps.

Dmitry.
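The two diagnoses in this thread check different things, and the order matters: the ASA drops the flow on the security-level comparison before NAT is ever consulted, which is why "no nat-control" alone did not help the poster. The following Python model is an added example (not code from the thread, from Cisco, or from any ASA) that replays Jon's NAT options and Dmitry's security-level rule against the thread's own addresses. The classes, the `build`/`run_scenarios` helpers and the scenario names are illustrative assumptions; the command names in the comments are the classic pre-8.3 ASA commands the replies quote.

```python
# Added example: a small model of the order in which a classic (pre-8.3) ASA
# rejects a new inside->outside flow. It reproduces both diagnoses from this
# thread with the thread's own addresses: Jon's point that nat-control demands
# a translation (nat 0 exemption, static, or nat/global), and Dmitry's point
# that traffic never crosses two interfaces at the same security level unless
# "same-security-traffic permit inter-interface" is configured.
# The classes and scenario names below are illustrative assumptions, not ASA
# commands or Cisco code.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    ip: IPv4Address
    network: IPv4Network
    security_level: int          # 0..100, higher = more trusted


@dataclass
class NatRule:
    kind: str                    # "exempt", "static" or "dynamic" (label only)
    source: IPv4Network          # inside hosts the rule covers
    mapped: Optional[IPv4Address] = None   # address seen outside; None = unchanged


@dataclass
class Asa:
    inside: Interface
    outside: Interface
    nat_control: bool = True                     # ASA default: a translation is required
    same_security_inter_interface: bool = False  # same-security-traffic permit inter-interface
    nat_rules: List[NatRule] = field(default_factory=list)

    def translate(self, src: IPv4Address) -> Optional[IPv4Address]:
        """Address the source carries on the outside, or None if nat-control blocks it."""
        for rule in self.nat_rules:
            if src in rule.source:
                return src if rule.mapped is None else rule.mapped
        return None if self.nat_control else src

    def check_flow(self, src: IPv4Address, dst: IPv4Address) -> Tuple[bool, str, Optional[str]]:
        """Decide an inside->outside flow: (allowed, reason, source address seen outside)."""
        if dst in self.inside.network:
            return (False, "destination is on the inside network; no firewall traversal", None)
        # Security levels are compared first; NAT is never reached if this fails.
        if (self.inside.security_level == self.outside.security_level
                and not self.same_security_inter_interface):
            return (False, "same security level on both interfaces", None)
        mapped = self.translate(src)
        if mapped is None:
            return (False, "nat-control is on and no translation matches the source", None)
        return (True, "ok", str(mapped))


# Addresses from the thread (the poster's PC, the ASA interfaces, the router).
PC = ip_address("192.168.150.2")
ROUTER = ip_address("10.1.20.1")
HOST = ip_network("192.168.150.2/32")


def build(inside_level: int, outside_level: int = 0, **kw) -> Asa:
    """ASA with the thread's interface addresses and the given security levels (assumed helper)."""
    inside = Interface("Inside", ip_address("192.168.150.1"), ip_network("192.168.150.0/24"), inside_level)
    outside = Interface("Outside", ip_address("10.1.20.10"), ip_network("10.1.20.0/24"), outside_level)
    return Asa(inside, outside, **kw)


def run_scenarios() -> Dict[str, Tuple[bool, str, Optional[str]]]:
    """Replay the thread: each key is a configuration state, each value the verdict."""
    # Jon's option 4: nat (inside) 1 192.168.150.2 ... / global (outside) 1 interface
    pat = NatRule("dynamic", HOST, mapped=ip_address("10.1.20.10"))
    return {
        # As posted: both interfaces at level 0, nat-control on, no translation.
        "as_posted": build(0).check_flow(PC, ROUTER),
        # What the poster tried next: only "no nat-control".
        "no_nat_control_only": build(0, nat_control=False).check_flow(PC, ROUTER),
        # Dmitry's fix alone: inside at 100, but nat-control still wants a rule.
        "inside_100_only": build(100).check_flow(PC, ROUTER),
        # Inside 100 plus Jon's option 2: nat (inside) 0 access-list NATEX.
        "exemption": build(100, nat_rules=[NatRule("exempt", HOST)]).check_flow(PC, ROUTER),
        # Inside 100 plus Jon's option 4: PAT to the outside interface address.
        "pat": build(100, nat_rules=[pat]).check_flow(PC, ROUTER),
        # The alternative Dmitry links: keep both at 0 but permit same-security traffic.
        "same_security_permitted": build(0, nat_control=False,
                                         same_security_inter_interface=True).check_flow(PC, ROUTER),
    }


if __name__ == "__main__":
    for name, (ok, reason, seen_as) in run_scenarios().items():
        tail = f" (seen outside as {seen_as})" if seen_as else ""
        print(f"{name:24} {'PASS' if ok else 'DROP':4} {reason}{tail}")
```

Running it shows the poster's sequence exactly: the as-posted state and the "no nat-control" state both drop on the security-level comparison, raising the inside interface to 100 moves the failure to NAT, and only the combination of a level difference (or an explicit same-security permit) with a matching translation lets the PC's packets reach the outside. The dynamic-PAT case also shows why Jon says no return route is needed on the router: the router only ever sees 10.1.20.10.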
