07-27-2010 04:45 PM - edited 03-11-2019 11:17 AM
Hello,
I tried searching for the answer but I couldn't find relevant data, so I apologize if this is a repost.
Anyway, I have an ASA 5505 base model. On the inside VLAN I have directly connected another router. The ASA and the router are OSPF peers. I can ping the router's interfaces from the ASA, but I can't ping them from a PC that is connected to the inside VLAN. I did notice that if I take out the statement nat (inside) 1 0.0.0.0 0.0.0.0 then the ping goes OK, but I have no Internet connectivity. How can I enable NAT for all devices outbound through the Internet interface but still disable NAT for all internal networks?
Thanks in advance.
ASA Version 7.2(4)
!
!
interface Vlan1
description Default internal vlan on max
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
description Internet vlan on max
nameif Internet
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan3
description DMZ vlan on max
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 10.100.100.1 255.0.0.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service Xbox_port tcp-udp
description TCP-UDP 3074
port-object eq 3074
object-group service Xbox_port_2 udp
description UDP port 88
port-object eq 88
object-group network Internal_Networks
network-object 10.0.0.0 255.255.255.0
network-object 10.1.0.0 255.255.255.0
network-object 172.16.0.0 255.255.255.0
access-list Internet_access_in extended permit udp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit tcp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit udp any interface Internet eq 88 inactive
access-list inside_access_in extended permit ip any any
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any unreachable
access-list acl-outside extended permit icmp any any traceroute
access-list acl-outside extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffer-size 10000
logging buffered critical
logging asdm informational
logging debug-trace
mtu inside 1500
mtu Internet 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any Internet
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group acl-outside in interface Internet
!
router ospf 1
router-id 192.168.1.1
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
redistribute static subnets
default-information originate
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 76.10.192.197 255.255.255.255 Internet
ssh timeout 30
console timeout 0
dhcpd auto_config Internet
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
07-27-2010 05:19 PM
You need a NAT exempt statement:
access-list nonat ext permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
{ x.x.x.x are the subnets you don't want any NATting to be done for }
Then add a statement:
nat (inside) 0 access-list nonat
thanks
Manish
07-27-2010 05:46 PM
Hi Manish,
I tried that but still same result. It still keeps pointing to that dynamic NAT statement:
max# packet-tracer input inside icmp 192.168.1.2 0 8 10.0.0.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.1.0 255.255.255.0 inside 10.0.0.0 255.255.255.0
NAT exempt
translate_hits = 2, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 2, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 2, untranslate_hits = 0
Additional Information:
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 2, untranslate_hits = 0
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-27-2010 07:12 PM
OK, so you are trying to ping from the inside to the DMZ interface or vice versa. Since the DMZ is security 50, you need to allow that range to have access to the inside interface using access-list inside permit dmz any any and applying it to the out direction of the inside interface. Also add no NAT for:
nat (DMZ) 0 access-list nonat1
nat (DMZ) 1 0.0.0.0 0.0.0.0
I will follow up in more detail later on.
Thanks
Manish
07-27-2010 07:25 PM
No, the DMZ is not touched in this example. The PC (192.168.1.2), attached at eth0/1 on the ASA, is attempting to ping an interface (10.0.0.1) on a router that is reached through the same VLAN (192.168.1.0/24) via eth0/2.
The router has an IP of 192.168.1.30 on the near interface:
max# traceroute 10.0.0.1
Type escape sequence to abort.
Tracing the route to 10.0.0.1
1 192.168.1.30 0 msec * 0 msec
07-27-2010 10:01 PM
Try this:
static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
same-security-traffic permit intra-interface
sysopt noproxy-arp inside
07-27-2010 10:17 PM
I figured it out!
The first thing I did was take out this statement: nat (inside) 1 0.0.0.0 0.0.0.0
This temporarily killed my Internet access, but no big deal for now. Then I created an object group of the internal networks adjacent to my ASA:
object-group network Internal_Networks
network-object 10.0.0.0 255.255.255.0
network-object 10.1.0.0 255.255.255.0
network-object 172.16.0.0 255.255.255.0
Then I created an ACL that exempts traffic from my ASA VLAN to the internal networks from NAT:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
Then I added this statement:
nat (inside) 0 access-list nonat
Connectivity between the internal networks has been established! However, Internet access is still limited because I'm not NATting data passing through the Internet interface, so I put in this statement:
nat (inside) 1 192.168.1.0 255.255.255.0
This returns Internet connectivity. At this point all internal interfaces can ping each other, as well as Internet IPs. I'm not entirely sure why this works, but it does. If anybody can explain the logic behind this, I'd love to hear it!
Thanks for your help, Manish!
07-27-2010 10:24 PM
Hello,
The issue is due to asymmetric routing in the network. The easiest/best solution would be to make the router the default gateway for the 192.168.1.0 subnet. This will ensure that you have two-way connectivity between the 192.168.1.0 subnet and the 10.0.0.0 subnet. If you are not worried about two-way communication and all you are looking for is ICMP connectivity, then you could do the following:
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
same-security-traffic permit intra-interface
This will ensure that all traffic originated from the 192.168.1.0 subnet towards the 10.0.0.0 subnet will go to the router with the ASA's inside interface IP address as the source. In this way, the return traffic will come to the firewall and then the firewall will deliver it to the actual host. This way, you can also initiate TCP sessions from the 192.168.1.0 subnet to the 10.0.0.0 subnet (not vice versa) and have successful communication.
On the other hand, if you configure the router as the default gateway for the 192.168.1.0 subnet and then configure the ASA as the default gateway for the router, then all the 10.0.0.0 subnet traffic will be locally routed by the router and all other traffic will be sent to the ASA.
Hope this helps.
Regards,
NT
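A constructed Python model, added here and not part of the thread or of Cisco's code, of the order in which the ASA picks a translation for a new flow: it reproduces the "No matching global" rpf-check drop from the packet-tracer output under the original nat statement, the exemption plus narrowed nat 1 from the OP's fix, and the hairpin variant NT suggests. The route table, the destination 203.0.113.10 and all function and variable names are constructed assumptions, not ASA behaviour taken from documentation.

```python
import ipaddress

# Constructed model (not ASA code) of how ASA 7.2 picks a translation for a new
# flow, written to illustrate this thread: "nat (inside) 0 access-list nonat"
# exemptions are checked first; otherwise the first matching "nat (inside) <id>"
# applies, and it only works when a "global (<egress-interface>) <id>" exists.
# Routes are the OSPF-learned internal networks plus the DHCP default route.
ROUTES = [("10.0.0.0/24", "inside"), ("10.1.0.0/24", "inside"),
          ("172.16.0.0/24", "inside"), ("192.168.1.0/24", "inside"),
          ("0.0.0.0/0", "Internet")]

def egress_for(dst):
    """Longest-prefix route lookup: which interface the ASA would send dst out of."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p, _ in ROUTES if addr in ipaddress.ip_network(p)]
    return dict(ROUTES)[str(max(matches, key=lambda n: n.prefixlen))]

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def nat_decision(src, dst, exempt, dynamic, globals_):
    """exempt:   (src_cidr, dst_cidr) pairs, i.e. the nonat ACL lines
    dynamic:  (nat_id, src_cidr) pairs for "nat (inside) <id> <net> <mask>"
    globals_: {(nat_id, interface): "interface"} for "global (<iface>) <id> interface"
    Returns (action, detail)."""
    egress = egress_for(dst)
    for s, d in exempt:                               # NAT-EXEMPT phase
        if in_net(src, s) and in_net(dst, d):
            return ("exempt", egress)
    for nat_id, s in dynamic:                         # dynamic NAT phase
        if in_net(src, s):
            if (nat_id, egress) in globals_:
                return ("translate", egress)          # PAT to the egress interface address
            return ("drop", "No matching global")     # the rpf-check drop in the packet-tracer
    return ("untranslated", egress)                   # no rule matched; nat-control is off

# The three configurations discussed in the thread (constructed from the posts).
ORIGINAL = dict(exempt=[], dynamic=[(1, "0.0.0.0/0")],
                globals_={(1, "Internet"): "interface"})
FIXED = dict(exempt=[("192.168.1.0/24", n) for n in ("10.0.0.0/24", "10.1.0.0/24", "172.16.0.0/24")],
             dynamic=[(1, "192.168.1.0/24")], globals_={(1, "Internet"): "interface"})
HAIRPIN = dict(exempt=[], dynamic=[(1, "0.0.0.0/0")],   # NT's "global (inside) 1 interface"
               globals_={(1, "Internet"): "interface", (1, "inside"): "interface"})

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("hairpin", HAIRPIN)):
        print(name, "PC -> 10.0.0.1:", nat_decision("192.168.1.2", "10.0.0.1", **cfg),
              "| PC -> 203.0.113.10:", nat_decision("192.168.1.2", "203.0.113.10", **cfg))
```

Under the original rule the inside-to-inside flow hits nat 1 but pool 1 has no global on the inside interface, which is the drop the packet-tracer reports; the exemption removes that flow from dynamic NAT entirely, while the hairpin variant instead translates it to the inside interface address so the return traffic comes back through the ASA.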