ASA5505 setup with MPLS

mzudansgcg
Level 1

I have an ASA set up behind a T1 with pass-through on port 0/0 on the ISP router

Internal ASA IP address is 10.130.1.1
The ISP also has an MPLS setup to another network with IP address of 10.130.1.2 on port 0/1 of the ISP router. The IP address of the other network is 192.168.5.0

I set up the static route for 192.168.5.0 to 10.130.1.2 on the ASA device but get the following error:

3     Jul 21 2010     17:28:38     305006     192.168.5.10           portmap translation  creation failed for tcp src inside:10.130.1.5/13135 dst  inside:192.168.5.10/3389

If I set up an exempt NAT rule from 10.130.1.0 to 192.168.5.0 and one from 192.168.5.0 to 10.130.1.0 I can ping across the two networks, but get the following error if I try to do anything else like RDC

6     Jul 21 2010     17:39:46     302013     10.130.1.5     192.168.5.10      Built inbound TCP connection 243379 for inside:10.130.1.5/13412 (10.130.1.5/13412) to inside:192.168.5.10/3389 (192.168.5.10/3389)

6     Jul 21 2010     17:39:46     302014     10.130.1.5     192.168.5.10      Teardown TCP  connection 243379 for inside:10.130.1.5/13412 to  inside:192.168.5.10/3389 duration 0:00:00 bytes 0 TCP Reset-O

Not sure how to allow traffic to be sent to the MPLS.

If I change the gateway on a local PC to 10.130.1.2 I can communicate without issue to the 192.168.5.0 network, but lose internet so I know the MPLS is working.

Internet router ------>Public IP ----> ASA 5505-----> 10.130.1.1 -----> Internal network

|-------------->MPLS 192.168.5.0---------------->10.130.1.2-------------------------------^

17 Replies

Jitendriya Athavale
Cisco Employee

can you please paste your nat config

show run nat

show run global

show run static

and also can you paste the routing table

show run route

show route

Result of the command: "show run nat"

nat (inside) 0 access-list NONAT

nat (inside) 101 access-list inside_nat_outbound

Result of the command: "show run global"

global (inside) 1 10.130.1.5 netmask 255.0.0.0

global (inside) 2 interface

global (inside) 3 10.130.1.0 netmask 255.255.255.0

global (inside) 4 192.168.0.0 netmask 255.255.0.0

global (outside) 101 interface

global (outside) 1 X.X.X.X netmask 255.0.0.0

Result of the command: "show run static"

static (inside,outside) X.X.X.X 10.130.1.5 netmask 255.255.255.255

static (inside,outside) X.X.X.X 10.130.1.6 netmask 255.255.255.255

Result of the command: "show run route"

route inside 159.1.0.0 255.255.0.0 10.130.1.6 1

route inside 192.168.5.0 255.255.255.0 10.130.1.2 1

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

Result of the command: "show route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is X.X.X.X to network 0.0.0.0

C    X.X.X.X 255.255.255.248 is directly connected, outside

S    159.1.0.0 255.255.0.0 [1/0] via 10.130.1.6, inside

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C    10.130.1.0 255.255.255.0 is directly connected, inside

S*   0.0.0.0 0.0.0.0 [1/0] via X.X.X.X, outside

S    192.168.0.0 255.255.0.0 [1/0] via 10.130.1.2, inside

Magnus Mortensen
Cisco Employee

Matthew,

From what you describe it sounds like you are trying to 'hair-pin' traffic on the ASA's inside interface. If that is the case, your issue is probably due to asymmetric traffic flow whereby the ASA only sees one side of the conversation. This breaks the traffic since the Sequence number randomization kicks in on the FW and messes up one flow when compared to the reverse flow. Your best bet would be to also configure TCP State Bypass for those flows in question and add it to the global policy.

access-list tsp-list permit tcp 10.130.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list tsp-list permit tcp 192.168.5.0 255.255.255.0 10.130.1.0 255.255.255.0
!
class-map tsp-class
  match access-list tsp-list
!
policy-map global_policy
  class tsp-class
    set connection advanced-options tcp-state-bypass

More information about this command is available here:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

and it requires you move to 8.2.1 or later... Like 8.2.2...

Hope this helps!

- Magnus

I inherited this appliance and it looks like old firmware:

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

I guess I would need to update it if that is the only solution. Is there an order to which component I need to update first?

assuming you need to access 192.168.5.0 from 10.130.1.0 network

static (inside,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 norandomseq nailed

static (inside,inside) 10.130.1.0 10.130.1.0 netmask 255.255.255.0 norandomseq nailed

the key command here is norandomseq nailed

If I do that and remove the nat exempt rule I get the following error and can no longer ping:

3    Jul 27 2010    10:56:16    305006    192.168.5.10         portmap translation creation failed for tcp src inside:10.130.1.5/48946 dst inside:192.168.5.10/3389

I get the following when I try to ping:

3    Jul 27 2010    10:57:40    305006    192.168.5.10         portmap translation creation failed for icmp src inside:10.130.1.5 dst inside:192.168.5.10 (type 8, code 0)

Result of the command: "show run static"

static (inside,outside) X.X.X.X 10.130.1.5 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.130.1.6 netmask 255.255.255.255
static (inside,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 norandomseq nailed
static (inside,inside) 10.1.130.0 10.1.130.0 netmask 255.255.255.0 norandomseq nailed
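As an added check that is not part of the thread or of any Cisco tooling, the following Python parses the `show run static` output posted above and tests whether the hairpinned 10.130.1.5 -> 192.168.5.10 flow has an identity, norandomseq `static (inside,inside)` covering each endpoint. It assumes the ASA only needs such a static per endpoint for same-interface traffic (it does not model `nat 0` exemption or the same-security-traffic setting); note that the posted source-side static is for 10.1.130.0/24, which does not contain 10.130.1.5.

```python
import ipaddress
import re

# Constructed copy of the two (inside,inside) lines from the posted
# "show run static" output, exactly as they appear on the device.
SHOW_RUN_STATIC = """\
static (inside,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 norandomseq nailed
static (inside,inside) 10.1.130.0 10.1.130.0 netmask 255.255.255.0 norandomseq nailed
"""

# ASA 7.x/8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [options]
STATIC_RE = re.compile(
    r"static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<mapped_ip>\S+) (?P<real_ip>\S+) "
    r"netmask (?P<mask>\S+)(?P<opts>.*)$"
)

def parse_statics(text):
    """Return one dict per parseable static line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "real_ifc": m.group("real"),
            "mapped_ifc": m.group("mapped"),
            "real_net": ipaddress.ip_network(
                f"{m.group('real_ip')}/{m.group('mask')}", strict=False),
            "identity": m.group("real_ip") == m.group("mapped_ip"),
            "norandomseq": "norandomseq" in m.group("opts").split(),
        })
    return entries

def hairpin_check(statics, src, dst, ifc="inside"):
    """List the endpoints of a src->dst flow on one interface that lack an
    identity/norandomseq static; an uncovered endpoint is the condition the
    thread sees logged as 'portmap translation creation failed'."""
    problems = []
    for role, ip in (("src", ipaddress.ip_address(src)), ("dst", ipaddress.ip_address(dst))):
        hits = [s for s in statics
                if s["real_ifc"] == ifc and s["mapped_ifc"] == ifc and ip in s["real_net"]]
        if not hits:
            problems.append(f"{role} {ip}: no static ({ifc},{ifc}) covers it")
        elif not all(h["identity"] and h["norandomseq"] for h in hits):
            problems.append(f"{role} {ip}: static is not an identity/norandomseq translation")
    return problems

def check_posted_config():
    """Run the check against the posted statics for the RDP flow from the logs."""
    return hairpin_check(parse_statics(SHOW_RUN_STATIC), "10.130.1.5", "192.168.5.10")
```

Re-running `hairpin_check` after changing the second static to 10.130.1.0 returns an empty list, so the mismatch is the first thing to rule out before looking at sequence randomization.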

can you try this

nat (inside) 0 access-list NONAT norandomseq nailed

also can you paste the acl nonat

Result of the command: "nat (inside) 0 access-list NONAT norandomseq nailed"

nat (inside) 0 access-list NONAT norandomseq nailed
                                             ^
ERROR: % Invalid Hostname

What is the acl nonat?

I was talking about this access-list

Result of the command: "show run nat"

nat (inside) 0 access-list NONAT

nat (inside) 101 access-list inside_nat_outbound

this is what you sent us on the community

nat (inside) 0 access-list NONAT norandomseq

I was referring to this access-list used here

Result of the command: "nat (inside) 0 access-list NONAT norandomseq"

The command has been sent to the device

Result of the command: "show run nat"

nat (inside) 0 access-list NONAT

nat (inside) 101 access-list inside_nat_outbound

can you please paste the packet tracer output with the static nats

obvious question and dumb question

hope you have same-security command

I think I just bricked it. I was trying to upgrade the ASA ASDM. I put mismatched versions 8.3(1) and 6.2(5) because I just grabbed what was at the top of the lists. Now I can't log in. Am I done?

I can telnet in but don't know the syntax for the downgrade command
