um...nat...broken?

Unanswered Question
Jun 18th, 2010

I came into my job a while ago and somebody had been messing around in this ASA and they were using a different firewall for their PAT.  I want to use my ASA (shouldn't need to explain why on this forum).

As far as I can tell, traffic is clearing the access lists and being passed out the interface, but the NAT isn't happening.

Here's what I mean, this was captured from the public interface showing the original source address:

1: 21:41:38.009154 192.168.2.82 > 66.102.7.104: icmp: echo request

The same sort of thing happens when I try a source address that should trigger the PAT.

Can somebody please help me see what I'm missing in this config, I'm going insane.

ASA Version 7.0(6)
!
hostname cs-ais-asa
names
dns-guard
!
interface Ethernet0/0
nameif PUBLIC
security-level 0
ip address yyy.yyy.yyy.yyy 255.255.255.0
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.2.50 255.255.255.0
!
interface Ethernet0/2
description SIP INT
nameif DMZ_SIP
security-level 50
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd eKmqHO4KGDP8LA6F encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list LAN_nat0_inbound extended permit ip any any
access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list PUBLIC_access_in extended permit tcp any any
access-list split standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list split standard permit 172.16.1.0 255.255.255.0
access-list split standard permit 192.168.32.0 255.255.255.0
access-list split standard permit 192.168.33.0 255.255.255.0
access-list split standard permit 192.168.34.0 255.255.255.0
access-list split remark Vlan 10
access-list split standard permit 192.168.12.0 255.255.255.0
access-list Firewall extended permit ip any any
access-list PUBLIC_access_in_V1 extended permit icmp any host 192.168.2.82 log
access-list PUBLIC_cryptomap_20 remark Convergence Office
access-list PUBLIC_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list capture extended permit icmp any any
access-list icmp_capture extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu PUBLIC 1500
mtu LAN 1500
mtu DMZ_SIP 1500
mtu management 1500
ip local pool ASAPOOL2 192.168.2.55-192.168.2.65 mask 255.255.255.0
ip local pool ASAPOOL1 192.168.2.66-192.168.2.75 mask 255.255.255.0
icmp permit any PUBLIC
icmp permit any LAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (PUBLIC) 10 interface
nat (LAN) 0 access-list LAN_nat0_inbound
nat (LAN) 10 192.168.0.0 255.255.0.0
nat (LAN) 10 0.0.0.0 0.0.0.0
static (LAN,PUBLIC) 206.71.187.6 192.168.2.82 netmask 255.255.255.255
access-group PUBLIC_access_in_V1 in interface PUBLIC
route PUBLIC 0.0.0.0 0.0.0.0 206.71.187.1 1
route LAN 192.168.34.0 255.255.255.0 192.168.2.1 1
route LAN 192.168.33.0 255.255.255.0 192.168.2.1 1
route LAN 192.168.32.0 255.255.255.0 192.168.2.1 1
route LAN 172.16.1.0 255.255.255.0 192.168.2.50 1
route LAN 192.168.1.0 255.255.255.0 192.168.2.50 1
route LAN 192.168.3.0 255.255.255.0 192.168.2.50 1
route LAN 192.168.12.0 255.255.255.0 192.168.2.1 1
route LAN 192.168.253.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list Mitel "200icp ssl" https://192.168.2.2
url-list Mitel "3300icp ssl" https://192.168.2.3
url-list Mitel "3300Mxe" https://192.168.12.3
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy
  port-forward-name value Application Access
group-policy convergencesys internal
group-policy convergencesys attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
webvpn
http server enable
http 0.0.0.0 0.0.0.0 LAN
http 192.168.0.0 255.255.0.0 LAN
http 192.168.200.0 255.255.255.0 LAN
http 192.168.2.0 255.255.255.0 LAN
snmp-server host LAN 192.168.2.32 community public udp-port 161
snmp-server location AIS datacenter
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
ssh timeout 5
ssh version 2
console timeout 4
management-access LAN
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
enable PUBLIC
logo file disk0:/signature.jpg
authorization-server-group LOCAL
default-group-policy convergencesys
authentication aaa certificate
: end

djh278778 Sat, 06/19/2010 - 12:05

I didn't spend too much time looking at this but one thing sticks out at first glance. You have a permit any any line in your nat0 ACL. This line says: "do not NAT packets from any source address to any destination address". It could be overriding your nat 10 statement. I would remove that line and try again.
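
Added example, not part of the original post or of the reply above: the exemption ACL from the posted config with the catch-all line removed, followed by the commands to flush and re-check. On pre-8.3 code such as this 7.0(6) box, NAT exemption (nat 0 access-list) is evaluated before static NAT and before the nat 10 / global 10 dynamic PAT, so a permit ip any any in that ACL exempts every LAN flow from translation, including the 192.168.2.82 host that the static (LAN,PUBLIC) line is meant to map. That matches the PUBLIC-side capture in the question, which shows the untranslated 192.168.2.82 source. Interface, ACL and capture names are taken from the posted config; no other names are assumed.

```cisco
! --- before (as posted): the second ACE exempts everything from NAT ---
! access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
! access-list LAN_nat0_inbound extended permit ip any any
! access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
! access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
!
! --- fix: remove only the catch-all ACE; the remaining three still cover
!     the VPN client pools, the 192.168.200.0/24 site-to-site peer and LAN-to-LAN traffic
no access-list LAN_nat0_inbound extended permit ip any any
!
! existing translations keep the old decision until they age out (timeout xlate is
! 3:00:00 in this config), so clear them before retesting
clear xlate
!
! confirm what is left in the exemption list and in the NAT policy
show running-config access-list LAN_nat0_inbound
show running-config nat
!
! retest from a LAN host; the PUBLIC-side capture should now show mapped addresses:
!   206.71.187.6 for 192.168.2.82 (static), the PUBLIC interface address for the
!   rest of 192.168.0.0/16 (nat 10 / global 10 interface)
capture pubcap access-list capture interface PUBLIC
show capture pubcap
show xlate
no capture pubcap
```

One caveat worth checking at the same time: the inbound ACL on PUBLIC (PUBLIC_access_in_V1) permits ICMP to host 192.168.2.82. On pre-8.3 ASA code an ACL applied inbound on the outside interface has to reference the translated address (206.71.187.6 here), not the real one, or the echo replies to that host will still be dropped after the NAT itself starts working.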

egoepfert Mon, 06/21/2010 - 14:36

Thanks, I'll try playing with the NAT0 and see what happens!
