ASA 5510 NAT issue??

Aug 30th, 2010

I am trying to upgrade from a Pix501 to a new ASA 5510. I ran the pixtoasa tool and now have the following configuration:


ASA Version 7.2(2)
boot system disk0:/asa831-k8.bin
:::: Interface mapping - {'ethernet1': 'Ethernet0/1', 'ethernet0': 'Ethernet0/0'}
:::: Original Interface id ethernet0
interface Ethernet0/0
  ip address 216.x.x.x 255.255.255.252
  nameif outside
  security-level 0
  speed auto
  duplex auto
  no shutdown
:::: Original Interface id ethernet1
interface Ethernet0/1
  ip address 192.168.1.2 255.255.255.0
  nameif inside
  security-level 100
  speed 100
  duplex full
  no shutdown
enable password ******************* encrypted
passwd ******************* encrypted
hostname JMSBCFW
domain-name JMS
names
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any interface outside eq 1000
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003
access-list outside_in permit tcp any interface outside eq 1004
access-list outside_in permit tcp any interface outside eq 1005
access-list outside_in permit tcp any interface outside eq 1006
access-list outside_in permit tcp any interface outside eq 1007
access-list outside_in permit tcp any interface outside eq 1008
access-list outside_in permit tcp any interface outside eq 1009
access-list outside_in permit tcp any interface outside eq 1010
access-list outside_in permit tcp any interface outside eq 1011
access-list outside_in permit tcp any interface outside eq 1012
access-list outbound permit tcp any any
access-list outbound permit ip any any
access-list HCA_cryptomap permit ip 10.129.64.0 255.255.255.252 170.x.x.x 255.255.255.128
access-list HCA permit ip 192.168.1.0 255.255.255.0 170.x.x.x 255.255.255.128
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 10.129.64.1
nat (inside) 2 10.129.64.0 255.255.255.252 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1001 192.168.1.67 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1002 192.168.1.85 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1003 192.168.1.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1004 192.168.1.12 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1005 192.168.1.64 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1006 192.168.1.62 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1007 192.168.1.18 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1008 192.168.1.70 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1009 192.168.1.68 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1010 192.168.1.44 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1011 192.168.1.37 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1012 192.168.1.73 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
:::: Not supported - floodguard enable
:::: sysopt renamed from 'sysopt connection permit-ipsec' to 'sysopt connection permit-vpn'
sysopt connection permit-vpn
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map hca 10 ipsec-isakmp
crypto map hca 10 match address HCA_cryptomap
crypto map hca 10 set peer 199.x.x.x
crypto map hca 10 set transform-set myset
crypto map hca interface outside
isakmp enable outside
:::: Your key is set to all STARS(*) Please fix!'isakmp key ******** address 199.x.x.x netmask 255.255.255.255'
isakmp key ******** address 199.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password ******************** encrypted privilege 2
terminal width 90
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
!
service-policy global_policy global


I tested the ASA5510 and was only able to get out (ping or otherwise) from the internal IP of 192.168.1.4. This was also the first box I tried to get out on, all others would not ping or anything. Is this a NAT issue? Is there something I neglected to do in the conversion? Forgive my crude configuration of individual user access to their desktops (RDP sessions) but I have been having to use the console port in PIX to set those up for the past year.


Any help will be greatly appreciated. Thank You!

Federico Coto F... Mon, 08/30/2010 - 11:07
User Badges:
  • Green, 3000 points or more

Hi,


Add ICMP inspection to be able to PING from the internal network to the internet


policy-map global_policy
class inspection_default
  inspect icmp


All your internal LAN should be able to have Internet because of these commands:


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


Federico.

mikentosh Mon, 08/30/2010 - 11:56

Thanks for the reply Federico. So there is nothing special I need to do for the NAT commands between the PIX and ASA? Is there a special order for NAT1, NAT2 and so on... I will add the command you suggested and try again.


Mike

Edward Dutra Mon, 08/30/2010 - 16:17
User Badges:
  • Cisco Employee,

Can you clear up some questions Mike. I see the boot is set to ASA 8.3.1, but you have pre 8.3.1 NAT configurations. What image are you currently running? Are you trying to ping from an inside host to the internet or from the ASA?

mikentosh Tue, 08/31/2010 - 08:07

Hi Edward, I did nothing to the configuration as it was in the PIX, other than run the PIXTOASA.exe conversion utility. Is there something else I should do for the NAT configuration in the ASA? I don't have it handy, but I am pretty sure it is running the 831 image. Please pardon my ignorance on the subject, I am by no means proficient in firewall setup. Yes, I was trying to ping from inside to internet. I was able to ping and get to internet only from 192.168.1.4, which happens to be the server and the first machine I tried to use. Any other LAN machine was unable to ping out (used 4.2.2.2). I would appreciate any light you can shed on the subject.


Regards,


Mike Townsend

mikentosh Tue, 08/31/2010 - 11:27

Assuming my LAN is 192.168.1.1 through 255 and there may be 100 users connected to the outside at any given time, would either of these configurations work:

# object network my-outside-ips
# range 10.1.1.1 10.1.1.101
# object network my-inside-net
# subnet 192.168.1.0 255.255.255.0
# nat (inside,outside) dynamic my-outside-ips

My understanding of this example is that there would be a pool of addresses 10.1.1.1 through 101, which each would be assigned individually to inside>out traffic. Would port 80 and 25 be separate connections per inside IP?

OR

# object network my-inside-net
# subnet 192.168.1.0 255.255.255.0
# nat (inside,outside) dynamic interface

My understanding of this example is that it translates any inside>out traffic to use the public IP (interface) address?

OR

If I flashed back to say 8.2 would I be able to use the converted PIX configuration I currently have?
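Added example, not part of the thread: a small Python script that flags the mismatch Edward raised (an 8.3.1 boot image combined with pre-8.3 global/nat/static commands) and rewrites the thread's port-forward statics into the 8.3 object NAT form Mike is asking about. The sample config is constructed from lines in the thread, and the object names are my own choice.

```python
import re

# Constructed sample: the thread's boot line plus its pre-8.3 NAT lines, cut down to the forms handled here.
SAMPLE_CONFIG = """\
boot system disk0:/asa831-k8.bin
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.4 3389 netmask 255.255.255.255 0 0
"""

BOOT_RE = re.compile(r"^boot system \S*asa(\d)(\d)(\d)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\d+) (\S+) (\d+) netmask")
OLD_NAT_RE = re.compile(r"^(global \(|nat \(\w+\) \d|static \()")

def boot_version(config):
    """(major, minor, patch) taken from the 'boot system' image name, or None."""
    for line in config.splitlines():
        m = BOOT_RE.match(line)
        if m:
            return tuple(int(x) for x in m.groups())
    return None

def uses_pre83_nat(config):
    """True if any global/nat/static command in the pre-8.3 form is present."""
    return any(OLD_NAT_RE.match(l) for l in config.splitlines())

def mismatch(config):
    """The situation raised in the thread: 8.3+ boot image, pre-8.3 NAT syntax."""
    v = boot_version(config)
    return v is not None and v >= (8, 3, 0) and uses_pre83_nat(config)

def convert_statics(config):
    """Rewrite pre-8.3 port-forward statics as 8.3 object NAT.
    8.3 form: 'nat (real,mapped) static interface service PROTO REAL MAPPED'
    (real port before mapped port). 8.3 access lists match the real,
    untranslated address, so a matching ACE is emitted for each object."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        real_if, mapped_if, proto, mapped_port, real_ip, real_port = m.groups()
        obj = "host-" + real_ip.replace(".", "-")   # object name is my choice
        out += [f"object network {obj}",
                f" host {real_ip}",
                f" nat ({real_if},{mapped_if}) static interface service {proto} {real_port} {mapped_port}",
                f"access-list outside_in extended permit {proto} any object {obj} eq {real_port}"]
    return out
```

The dynamic PAT lines (global 1 interface plus nat 0.0.0.0) are detected but not rewritten here; their 8.3 equivalent is the second form Mike quoted above (a subnet object with nat (inside,outside) dynamic interface).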

Edward Dutra Tue, 08/31/2010 - 10:49
User Badges:
  • Cisco Employee,

Hi Mike...


Kay...just focusing on the NAT, I see the following:


global (outside) 1 interface
global (outside) 2 10.129.64.1
nat (inside) 2 10.129.64.0 255.255.255.252 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


From what I see configured just based on the nat configurations I see, I would not expect a NAT issue if you are pinging from another machine on the 192.168.1.0 network. Are the other machines you pinging from on the 192.168.1.0 network? Do you have any logs from the ASA showing that the issue is NAT? Collect the logs from the ASA and verify the issue is NAT.

manish arora Tue, 08/31/2010 - 10:58
User Badges:
  • Silver, 250 points or more

Hi !

I do not see the command "nat-control" in the configuration, so please enable "nat-control"; this will enable nat/pat for devices accessing the internet from the inside network.

Thanks

Manish

manish arora Tue, 08/31/2010 - 11:33
User Badges:
  • Silver, 250 points or more

Mike! I would say you should try running a pre 8.3 code as it is very new code and not only does it change the nat configuration, it also changes the acl configuration. I would say change the code, issue the command nat-control and we will troubleshoot it from there.

I am not familiar with 8.3 as of right now; I am trying to set it up in a test setup right now myself.

Thanks

Manish

mikentosh Tue, 08/31/2010 - 11:41

I am going to try the nat-control command and then the ping process from inside IPs. I will post the results. It may be Monday before I am able to do so, as I have to request the temporary outage on the company network. Thanks to all who are following this thread and supporting my effort to upgrade from the PIX to ASA5510.


Regards,


Mike Townsend

mikentosh Tue, 08/31/2010 - 11:43

Oh yeah, and I will take it back to say ASA 8.0 ???

Edward Dutra Tue, 08/31/2010 - 11:52
User Badges:
  • Cisco Employee,

Any code is fine Mike. Was curious if you collected those logs?

mikentosh Tue, 08/31/2010 - 11:59

Thanks! No, unfortunately I only provide onsite service to that office every Friday. I was planning on configuring the 5510 before I went to save time and test it early Friday before the office opens. I should have known better than to try the bleeding edge version of ASA. Reading up on 8.0 right now.... Thanks for your help. If there are problems I will post logs when I return with results.


Thanks guys!!!


Mike T
