ASA Configuration.....Possibly NAT

niall-wilkins
Level 1

Hi,
I am trying to configure an ASA but I am overlooking something simple I think.  It's been a few years since I have used an ASA.  I am trying to get my PC on the Inside Network connected to Ethernet 0/1 on the ASA out to my router.
from the PC I can ping Eth 0/1 (IP 192.168.150.1)
From the ASA I can ping the Interface of the router (IP 10.1.20.1) and from the router I can ping Eth 0/0 on the ASA (IP 10.1.20.10)
I am not able to get the PC past the ASA's Eth 0/1 interface

I am wondering if it is NAT that's missing


     PC ------------------------>             ASA     --------------------------->  Router
                                      E 0/1                E0/0                            FE 0/1
  IP 192.168.150.2          192.168.150.1     10.1.20.10                  10.1.20.1
  DG 192.168.150.1   

show route


Gateway of last resort is not set

C    192.168.150.0 255.255.255.0 is directly connected, Inside
C    10.1.20.0 255.255.255.0 is directly connected, Outside

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_access_in; 3 elements
access-list Inside_access_in line 1 extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www (hitcnt=0) 0xdcb4dc10
access-list Inside_access_in line 2 extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain (hitcnt=0) 0xc6121d1b
access-list Inside_access_in line 3 extended permit icmp any any (hitcnt=100) 0xb34531ad
access-list Outside_access_in; 1 elements
access-list Outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x2d93ecad


3 Replies

Jon Marshall
Hall of Fame

niall-wilkins wrote:

Hi,
I am trying to configure an ASA but I am overlooking something simple I think.  It's been a few years since I have used an ASA.  I am trying to get my PC on the Inside Network connected to Ethernet 0/1 on the ASA out to my router.
from the PC I can ping Eth 0/1 (IP 192.168.150.1)
From the ASA I can ping the Interface of the router (IP 10.1.20.1) and from the router I can ping Eth 0/0 on the ASA (IP 10.1.20.10)
I am not able to get the PC past the ASA's Eth 0/1 interface

I am wondering if it is NAT that's missing


     PC ------------------------>             ASA     --------------------------->  Router
                                      E 0/1                E0/0                            FE 0/1
  IP 192.168.150.2          192.168.150.1     10.1.20.10                  10.1.20.1
  DG 192.168.150.1   

show route


Gateway of last resort is not set

C    192.168.150.0 255.255.255.0 is directly connected, Inside
C    10.1.20.0 255.255.255.0 is directly connected, Outside

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_access_in; 3 elements
access-list Inside_access_in line 1 extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www (hitcnt=0) 0xdcb4dc10
access-list Inside_access_in line 2 extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain (hitcnt=0) 0xc6121d1b
access-list Inside_access_in line 3 extended permit icmp any any (hitcnt=100) 0xb34531ad
access-list Outside_access_in; 1 elements
access-list Outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x2d93ecad

Niall

Yes it is NAT. You can do a number of things -

1) turn off NAT globally on the firewall ie. "no nat-control"

2) use a nat exemption on your firewall for your host ie.

access-list NATEX permit ip host 192.168.150.2 any

nat (inside) 0 access-list NATEX

3) use a static ie.

static (inside,outside) 192.168.150.2 192.168.150.2 netmask 255.255.255.255

all of the above will mean your host address is unchanged on the outside

if you want to change the host address then -

4)  nat (inside) 1 192.168.150.2 255.255.255.255

     global (outside) 1 interface

this will change your IP of 192.168.150.2 to 10.1.20.10 as it goes to the outside. This would mean you wouldn't need a route back on the router to the 192.168.150.0/24 network.

Jon

Hi,

Thanks for the response.

I added the no nat-control command and tried again but it still fails.

To simplify things I removed the router and added a PC to the outside interface.  However I can ping the outside interface from the outside pc and I can ping the inside interface from the Inside PC but I can get through the firewall.

I have added the following ACL

access-list Inside-Interface_access_in extended permit ip host Inside-Host host Outside-Host
access-list Outside-Interface_access_in extended permit ip any any

Inside-Host is 192.168.150. and Outside-host is 10.1.20.2

PC(192.168.150.2)-------->Eth0/1 (192.168.150.1) ASA Eth0/0 (10.1.20.1)--------->PC2 (10.1.20.2)

If I check the logs I see the following:

%ASA-6-106015: Deny TCP (no connection) from Inside-Host/2360 to 192.168.150.1/443 flags FIN ACK  on interface Inside-Interface
%ASA-7-710005: TCP request discarded from Inside-Host/2360 to Inside-Interface:192.168.150.1/443
%ASA-3-106014: Deny inbound icmp src Inside-Interface:Inside-Host dst Outside-Interface:Outside-Host (type 8, code 0)
%ASA-7-710005: UDP request discarded from Inside-Host/137 to Inside-Interface:192.168.150.255/137
SSL-VPN#
SSL-VPN#

I know that it is something really, really simple that I am overlooking but I have not figured it out yet.  I have included a copy of my config to assist.

Anyway thanks again

Based on your configuration, the security levels that you set for the inside and the outside interfaces are the same - equal to 0.

Traffic will not pass between interfaces that have the same security level.

Either change one interface to have a different security level - typically the inside interface has a security level of 100 (most secure), or allow communication between interface that have the same security levels as documented here : http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/intparam.html#wpxref49092

Let me know if that helps.

Dmitry.
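As an added example (not from this thread, Cisco, or any of the posters), a small Python lint that applies both diagnoses from the thread to a saved running config: it reports interface pairs stuck at the same security level when `same-security-traffic permit inter-interface` is absent, and flags `nat-control` with no nat/static/global line to translate or exempt inside hosts. The config text is constructed to mirror Niall's setup, and the pre-8.3 NAT syntax Jon used is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread: both interfaces left at
# security-level 0, nat-control on, no NAT rule for the inside host.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 10.1.20.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 0
 ip address 192.168.150.1 255.255.255.0
!
nat-control
"""

# Same config after Dmitry's fix (Inside at 100) and Jon's NAT exemption.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " nameif Inside\n security-level 0", " nameif Inside\n security-level 100"
) + "access-list NATEX permit ip host 192.168.150.2 any\nnat (inside) 0 access-list NATEX\n"

def parse_security_levels(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level, one interface block at a time."""
    levels: Dict[str, int] = {}
    block: Dict[str, str] = {}
    def flush() -> None:
        if "nameif" in block and "security-level" in block:
            levels[block["nameif"]] = int(block["security-level"])
    for line in config.splitlines():
        if line.startswith("interface "):
            flush()
            block.clear()
        elif line.startswith(" "):
            parts = line.split()
            if parts and parts[0] in ("nameif", "security-level"):
                block[parts[0]] = parts[1]
    flush()
    return levels

def equal_level_pairs(config: str) -> List[Tuple[str, str, int]]:
    """Interface pairs sharing a security level with no inter-interface permit:
    traffic between them is dropped regardless of the ACLs."""
    if re.search(r"^same-security-traffic permit inter-interface\s*$", config, re.M):
        return []
    levels = parse_security_levels(config)
    names = sorted(levels)
    return [(a, b, levels[a]) for i, a in enumerate(names)
            for b in names[i + 1:] if levels[a] == levels[b]]

def nat_control_without_rules(config: str) -> bool:
    """True when nat-control is on but no nat/static/global line exists (pre-8.3 syntax)."""
    if not re.search(r"^nat-control\s*$", config, re.M):
        return False
    return re.search(r"^(nat \(|static \(|global \()", config, re.M) is None
```

Run the two checks over `BROKEN_CONFIG` and `FIXED_CONFIG` to see the Inside/Outside pair at level 0 reported for the former and nothing for the latter.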
