ASA5505, multiple subnets to internet, how to nat?

Answered Question
Jul 27th, 2010

Dear friends,

I'm breaking my head over this one:

I have a Cisco ASA5505.

Configured 4 interfaces.

Interface 0 is internet

Other 3 interfaces are computer networks.

Other 3 interfaces must be able to talk to each other. (works)

Other 3 interfaces must be able to access the internet. <- This part I cannot get to work properly.

I tried different security levels. At one point one interface had internet, but couldn't access internet; at another point an interface had internet and access to the other subnet, but the other subnet could not reach the internet. I tried a lot of settings, but perhaps somebody that truly understands this thing can help me out here.

This is my current config. The problem is probably in the NAT pools, but I don't know how to fix it anymore.

Can somebody please advise?

Regards,

: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
enable password 7wUUeGwey3pFwlBT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside_192.168.8.0
 security-level 100
 ip address 192.168.8.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 50
 ip address dhcp setroute 
!
interface Vlan12
 nameif inside_192.168.4.0
 security-level 100
 ip address 192.168.4.1 255.255.255.0 
!
interface Vlan22
 nameif inside_10.0.0.0
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 22
!
interface Ethernet0/5
 switchport access vlan 22
!
interface Ethernet0/6
 switchport access vlan 22
!
interface Ethernet0/7
 switchport access vlan 22
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip any host 192.168.1.108 
access-list inside_10.0.0.0_access_in extended permit ip any any 
access-list inside_192.168.4.0_access_in extended permit ip any any 
access-list inside_192.168.8.0_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside_192.168.8.0 1500
mtu outside 1500
mtu inside_192.168.4.0 1500
mtu inside_10.0.0.0 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside_192.168.8.0) 1 interface
global (outside) 1 interface
global (inside_192.168.4.0) 1 interface
global (inside_10.0.0.0) 1 interface
nat (inside_192.168.8.0) 1 0.0.0.0 0.0.0.0
nat (inside_192.168.4.0) 1 0.0.0.0 0.0.0.0
nat (inside_10.0.0.0) 1 0.0.0.0 0.0.0.0
access-group inside_192.168.8.0_access_in in interface inside_192.168.8.0
access-group outside_access_in in interface outside
access-group inside_192.168.4.0_access_in in interface inside_192.168.4.0
access-group inside_10.0.0.0_access_in in interface inside_10.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside_192.168.8.0
http 0.0.0.0 0.0.0.0 inside_10.0.0.0
http 0.0.0.0 0.0.0.0 inside_192.168.4.0
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside_192.168.4.0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
!
prompt hostname context 
Cryptochecksum:95bc131016e4ad242ea55d690f9d97b9
: end
Correct Answer by Nagaraja Thanthry, Tue, 07/27/2010 - 05:53

Hello,

The issue could be due to NAT. Please try the following:

no global (inside_192.168.8.0) 1 interface
no global (inside_192.168.4.0) 1 interface
no global (inside_10.0.0.0) 1 interface

static (inside_192.168.8.0,inside_10.0.0.0) 192.168.8.0 192.168.8.0 netmask 255.255.255.0
static (inside_192.168.8.0,inside_192.168.4.0) 192.168.8.0 192.168.8.0 netmask 255.255.255.0

static (inside_192.168.4.0,inside_10.0.0.0) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside_192.168.4.0,inside_192.168.8.0) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (inside_10.0.0.0,inside_192.168.8.0) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (inside_10.0.0.0,inside_192.168.4.0) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

Once the above configurations are done, please make sure that you have proper DNS settings on your hosts.
If you are not certain of the DNS Server for your ISP, you can use 4.2.2.2 as the DNS server. That should fix your issue.

Hope this helps.

Regards,

NT
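As an added example, not part of the accepted answer or the original post: the NAT section of the posted ASA 8.2 config after the answer's changes are applied, followed by the commands used to confirm the result on the box. The three `static` lines are identity translations (mapped address equal to real address); the ASA evaluates static rules before dynamic `nat`/`global` pairs, so LAN-to-LAN traffic keeps its real source address and still satisfies `nat-control`, while the `nat ... 1` rules now only find a `global` on `outside`. The hosts 192.168.8.10 and 10.0.0.20 and the Internet address 203.0.113.10 used in the `packet-tracer` runs are made up for illustration.

```cisco
! Added example: NAT section of the posted config after applying the accepted
! answer. The rest of the posted configuration is unchanged.
!
! Dynamic PAT is now defined only on the outside interface, so the three
! "nat (...) 1" rules translate to the outside address only when the egress
! interface is outside.
nat-control
global (outside) 1 interface
nat (inside_192.168.8.0) 1 0.0.0.0 0.0.0.0
nat (inside_192.168.4.0) 1 0.0.0.0 0.0.0.0
nat (inside_10.0.0.0) 1 0.0.0.0 0.0.0.0
!
! Identity statics (mapped == real) for every pair of inside interfaces.
! Static rules win over dynamic nat/global, so LAN-to-LAN flows are passed
! with their real source addresses instead of being PATed to an inside
! interface address.
static (inside_192.168.8.0,inside_10.0.0.0) 192.168.8.0 192.168.8.0 netmask 255.255.255.0
static (inside_192.168.8.0,inside_192.168.4.0) 192.168.8.0 192.168.8.0 netmask 255.255.255.0
static (inside_192.168.4.0,inside_10.0.0.0) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside_192.168.4.0,inside_192.168.8.0) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside_10.0.0.0,inside_192.168.8.0) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (inside_10.0.0.0,inside_192.168.4.0) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
! Translations already in the xlate table are not rebuilt when NAT rules
! change; flush them so hosts with existing sessions pick up the new rules.
clear xlate
!
! Verification. Host and Internet addresses below are made up.
! LAN-to-LAN: the NAT phase should report the identity static, source unchanged.
packet-tracer input inside_192.168.8.0 tcp 192.168.8.10 40000 10.0.0.20 445
! LAN-to-Internet: the NAT phase should report dynamic PAT to the outside
! interface address.
packet-tracer input inside_192.168.8.0 tcp 192.168.8.10 40001 203.0.113.10 80
! Active translations and the NAT rules as the firewall parsed them.
show xlate
show nat
```

In each `packet-tracer` output, read the `Phase` block for NAT and the final `Action` line: a LAN-to-LAN trace should match one of the `static` lines and end in `allow`, and the Internet trace should match `global (outside) 1 interface`. If a LAN-to-LAN trace still shows a translation to an inside interface address, the old `global (inside_...)` line is still present or the old xlate was not cleared.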
r.salomons Tue, 07/27/2010 - 07:43

Hi there,

This indeed solves my problem, thank you!!

I perhaps need to do some more study about NATing on Cisco devices.

Is there a simple explanation you can give me about why this solved the problem?

Thanks again,

Robert
