ASA 5510 v8.3, problem with static NAT

Answered Question
Jun 9th, 2010

Hi,

I have a problem creating a static NAT between a public IP address range (i.e. 222.222.222.2 - 222.222.222.6) and a private IP address range (192.168.101.2 - 192.168.101.6). When I try to ping the PC (192.168.101.2) in my private network from the public network (ping 222.222.222.2) or vice versa nothing happens. The "debug nat" command shows the following error message: nat: untranslation - outside0:222.222.222.2/0 to inside0/3:192.168.101.2/0.

Here is my configuration:


ASA Version 8.3(1)
!
hostname Firewall
enable password ZcWMFYW8y4cSHoCz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside0
security-level 100
ip address 222.222.222.221 255.255.255.192          (ip address is an example address)
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside0/3
security-level 100
no ip address
!
interface Ethernet0/3.10
description VLAN 10
vlan 10
nameif inside_netwok1
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa831-k8.bin
ftp mode passive
object network MAPPED_INSIDE
range 192.168.101.2 192.168.101.6
object network MAPPED_OUTSIDE
range 222.222.222.2 222.222.222.6
access-list Traffic_in extended permit ip any 222 222.222.2.255.255.255.248
access-list Traffic_in extended permit ip any 192.168.101.0 255.255.255.0

pager lines 24
mtu inside_netwok1 1500
mtu outside0 1500
mtu inside0/3 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network MAPPED_INSIDE
nat (inside0/3,outside0) static MAPPED_OUTSIDE
object network MAPPED_JULKINEN
nat (outside0,inside0/3) static MAPPED_INSIDE
access-group Traffic_in in interface outside0

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username jklp password q0MTHZ/Tiy/UXjqC encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:87409b9bc0a2eedf2f98857d07991d71
: end

Thanks,

Tuomas

edadios Thu, 06/10/2010 - 05:23

Please remove the following lines as there is no need for them:

access-list Traffic_in extended permit ip any 222 222.222.2.255.255.255.248

object network MAPPED_JULKINEN
nat (outside0,inside0/3) static MAPPED_INSIDE

(actually removing the network object should also remove the nat statement)

Once you have done this, you may have to do "clear local-host" , "clear xlate" .

Then try again.

ysptimoma Thu, 06/10/2010 - 06:03

Thank you for the answer! Unfortunately it did not help me. I removed the unnecessary lines from my configuration but the NAT does not work. Below is my current configuration:


: Saved
:
ASA Version 8.3(1)
!
hostname Jyvas-P
enable password ZcWMFYW8y4cSHoCz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside0
security-level 100
ip address 222.222.222.194 255.255.255.192    (ip address is an example address)
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside0/3
security-level 100
no ip address
!
interface Ethernet0/3.10
description TAC-yhteydet
vlan 10
nameif TAC-verkko
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa831-k8.bin
ftp mode passive
object network MAPPED_INSIDE
range 192.168.101.2 192.168.101.6
object network MAPPED_OUTSIDE
range 222.222.222.222 222.222.222.226
access-list Traffic_in extended permit ip any 192.168.101.0 255.255.255.0
pager lines 24
mtu outside0 1500
mtu inside0/3 1500
mtu TAC-verkko 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network MAPPED_INSIDE
nat (inside0/3,outside0) static MAPPED_OUTSIDE
access-group Traffic_in in interface outside0
route outside0 0.0.0.0 0.0.0.0 222.222.222.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username jklp password q0MTHZ/Tiy/UXjqC encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d9d41b39442c2e7c793ca4f7e724e1a
: end

Thanks,

-Tuomas

Correct Answer
Panos Kampanakis Thu, 06/10/2010 - 11:25

Your config is right, there is something else that is happening.

Try packet tracer

packet-tracer input outside0 icmp <source-ip> 8 0 222.222.222.4

And see what the ASA will do with the packet.

Also use

capture capin interface inside0/3 match icmp any host 192.168.101.4

capture capout interface outside0 match icmp any host 222.222.222.4

sh cap capin

show cap capout

to capture packets and see if they are sent.

I hope it helps.

PK

ysptimoma Thu, 06/10/2010 - 22:39

Hi,

Thanks for your help! I used the command "packet-tracer input outside0 icmp <source-ip> 8 0 222.222.222.4" and I saw that there was some implicit rule which denied the traffic. I have configured the same security-level on each interface and the traffic between same security level interfaces is denied.

There was also another mistake in the command "nat (inside0/3,outside0) static MAPPED_OUTSIDE" because I use the subinterface "TAC-verkko". So the right command is "nat (TAC-verkko,outside0) static MAPPED_OUTSIDE".

- Tuomas
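The two mistakes Tuomas found (a NAT rule naming the parent interface inside0/3 instead of the subinterface that carries the IP address, and every interface at the same security-level without inter-interface traffic permitted) are both visible in the config text. Below is an added lint script, not from this thread or from Cisco, that flags them; the sample configs are constructed from the poster's config, the 222.222.222.x addresses are the example addresses used above, and the "same-security-traffic permit inter-interface" remedy is the standard ASA command for the second issue.

```python
# Added lint (not from the thread) for the two ASA 8.3 pitfalls found above.
import re
BROKEN = """\
interface Ethernet0/0
 nameif outside0
 security-level 100
 ip address 222.222.222.194 255.255.255.192
interface Ethernet0/3
 nameif inside0/3
 security-level 100
 no ip address
interface Ethernet0/3.10
 nameif TAC-verkko
 security-level 100
 ip address 192.168.101.1 255.255.255.0
 nat (inside0/3,outside0) static MAPPED_OUTSIDE
"""  # constructed from the poster's config; 222.222.222.x are example addresses
FIXED = (BROKEN.replace("nat (inside0/3,outside0)", "nat (TAC-verkko,outside0)")
         + "same-security-traffic permit inter-interface\n")

def parse_interfaces(cfg):
    """Map nameif -> {security, has_ip}; '!' or a new 'interface' ends a block."""
    ifaces, cur = {}, None
    for s in (l.strip() for l in cfg.splitlines()):
        if s.startswith("interface "):
            cur = {"security": None, "has_ip": False}
        elif s == "!":
            cur = None
        elif cur is not None and s.startswith("nameif "):
            ifaces[s.split()[1]] = cur          # same dict, later lines fill it
        elif cur is not None and s.startswith("security-level "):
            cur["security"] = int(s.split()[1])
        elif cur is not None and re.match(r"ip address \d", s):
            cur["has_ip"] = True
    return ifaces

def lint(cfg):
    """Return findings: NAT on an interface without an IP, and same-level pairs."""
    ifaces, out = parse_interfaces(cfg), []
    for m in re.finditer(r"^\s*nat \(([^,]+),([^)]+)\)", cfg, re.M):
        for ifc in m.groups():
            if ifc not in ifaces:
                out.append(f"nat: unknown interface {ifc}")
            elif not ifaces[ifc]["has_ip"]:
                out.append(f"nat: {ifc} has no ip address; name the subinterface instead")
    if "same-security-traffic permit inter-interface" not in cfg:
        levels = [i["security"] for i in ifaces.values()]
        for lvl in sorted({x for x in levels if levels.count(x) > 1}):
            out.append(f"security-level {lvl} shared; inter-interface traffic is denied")
    return out
```

Running lint(BROKEN) reports both problems; lint(FIXED) returns an empty list.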
