Static NAT Drops the Packets on ASA 5520

Answered Question
Sep 26th, 2010

Hi Team,


I have just configured the ASA 5520 and put it in production, and everything seems to work except that I cannot access the hosts on the inside network from OUTSIDE.


When I run the Packet Tracer command from ASDM, it tells me NAT is an issue. I have tried a few combinations but am struggling to get it working and trying to work out what I might have missed.


OUTSIDE IP: x.x.x.196

Outside IP usable range provided by the SP: x.x.x.197, x.x.x.198, and so on


Configuration

================

name 10.10.10.10 ABA-Pilot description ABA-Pilot Server
name 10.10.10.11 ABA-NAS description ABACisco NAS Device
name 192.168.0.0 dmz description DMZ LAN
name 10.10.10.0 inside description Inside LAN
name x.x.x.192 internet description Outside Network
name 10.100.100.0 managment description Managenet LAN
!
interface GigabitEthernet0/0
description Connection to the Internet
nameif outside
security-level 100
ip address x.x.x.196 255.255.255.240
!
interface GigabitEthernet0/1
description Inside Interface
nameif inside
security-level 0
ip address 10.10.10.254 255.255.255.0
!
access-list inside_access_in remark Access to Internet
access-list inside_access_in extended permit ip inside 255.255.255.0 any
access-list dmz_access_in remark Access to Internet
access-list dmz_access_in extended permit ip dmz 255.255.255.0 any
access-list outside_access_in extended permit icmp any host ABA-Pilot
access-list outside_access_in extended permit tcp any host ABA-NAS object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host ABA-Pilot object-group ABA-pilot
access-list outside_access_in remark Management Access from Outside
access-list outside_access_in extended permit tcp any interface outside object-group Management-Access
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400


global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 outside
nat (dmz) 2 dmz 255.255.255.0 outside
static (outside,inside) tcp ABA-Pilot 3389 x.x.x.198 3389 netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot https x.x.x.198 https netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot www x.x.x.198 www netmask 255.255.255.255
static (outside,inside) ABA-NAS x.x.x.197 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
=========================================


Any help greatly appreciated.

Correct Answer
Jennifer Halim Sun, 09/26/2010 - 21:38
User Badges: Cisco Employee

The following commands have been configured the other way round:

static (outside,inside) tcp ABA-Pilot 3389 x.x.x.198 3389 netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot https x.x.x.198 https netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot www x.x.x.198 www netmask 255.255.255.255
static (outside,inside) ABA-NAS x.x.x.197 netmask 255.255.255.255


Please kindly remove the above and change it to the following:

static (inside,outside) tcp x.x.x.198 3389 ABA-Pilot 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 https ABA-Pilot https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 www ABA-Pilot www netmask 255.255.255.255
static (inside,outside) x.x.x.197 ABA-NAS netmask 255.255.255.255


After the above changes, please clear the xlate: clear xlate


Also, in your "outside_access_in", the destination address should be the public IP address (NATed address), not the private IP address.

For example the following line:

access-list outside_access_in extended permit icmp any host ABA-Pilot

It should be towards the public IP address (x.x.x.198), not the private IP (ABA-Pilot - 10.10.10.10).


Hope that helps.
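
An added configuration lint (not from the thread, Cisco or the ASA itself) that encodes the two points in the answer above for pre-8.3 syntax: in "static (real_ifc,mapped_ifc) mapped real", a private host on the mapped side means the statement is reversed, and an ACL applied on the outside interface must name the mapped (public) address. The sample config is constructed; 203.0.113.x stands in for the x.x.x.x public addresses in the post.

```python
import ipaddress

# Constructed excerpt modelled on the thread's config (pre-8.3 syntax);
# 203.0.113.x stands in for the x.x.x.x public addresses in the post.
CONFIG = """
name 10.10.10.10 ABA-Pilot
name 10.10.10.11 ABA-NAS
access-list outside_access_in extended permit icmp any host ABA-Pilot
access-list outside_access_in extended permit tcp any host 203.0.113.197 eq 22
static (outside,inside) tcp ABA-Pilot 3389 203.0.113.198 3389 netmask 255.255.255.255
static (inside,outside) 203.0.113.197 ABA-NAS netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _operand(tokens):
    """Consume one ACL address operand; return (host token or None, remaining tokens)."""
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    if tokens[0] == "any":
        return None, tokens[1:]
    return None, tokens[2:]  # 'object-group NAME' or 'NETWORK MASK'

def lint(config):
    lines = [l.split() for l in config.splitlines() if l.strip()]
    names = {t[2]: t[1] for t in lines if t[0] == "name"}
    ip = lambda tok: ipaddress.ip_address(names.get(tok, tok))
    private = lambda tok: any(ip(tok) in n for n in RFC1918)
    findings, real_to_mapped = [], {}
    for t in lines:  # static (real_ifc,mapped_ifc) [tcp|udp] mapped [port] real [port] netmask ...
        if t[0] != "static":
            continue
        real_ifc, mapped_ifc = t[1].strip("()").split(",")
        mapped, real = (t[3], t[5]) if t[2] in ("tcp", "udp") else (t[2], t[3])
        if private(mapped) and not private(real):  # private host on the mapped side: reversed
            findings.append(f"reversed static: use 'static ({mapped_ifc},{real_ifc}) {real} {mapped}' "
                            f"so that {mapped} is the real host and {real} its public address")
            mapped, real = real, mapped
        real_to_mapped[ip(real)] = mapped
    outside_acls = {t[1] for t in lines if t[0] == "access-group" and t[-1] == "outside"}
    for t in lines:  # pre-8.3: an ACL on the outside interface matches the mapped (public) address
        if t[0] == "access-list" and t[1] in outside_acls and t[2] == "extended":
            _, rest = _operand(t[5:])  # skip the source operand
            dst, _ = _operand(rest)
            if dst and private(dst):
                hint = real_to_mapped.get(ip(dst), "<mapped address>")
                findings.append(f"{t[1]}: 'host {dst}' is the private address; use 'host {hint}'")
    return findings
```

Running lint(CONFIG) reports the reversed ABA-Pilot static and the outside ACL entry that names the private address, and proposes the corrected forms given in the answer.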

tariqmansoor Sun, 09/26/2010 - 21:47

Thanks for your excellent help on this. My issue has been resolved.

Cheers Again
