ASA 5505 v8.4 - Most simple 'allow everything' 1-to-1 Static NAT Config?

Answered Question
Sep 11th, 2011

Hello Everyone!

I recently purchased an ASA 5505 running v8.4(2) and have been trying to get it to work for a week with no.  It seems like a very cool product and design but feels like I am missing some magic command to make my config work.  Discovered all kinds of interesting oddities (like if you set inside and outside to security level 0 with all open ACLs, the ASDM works but you can't telnet to the device ... would love an explanation for that one)!

To the problem at hand:

- 6 Public IP addresses translated to 6 internal IPs in two IP block ranges of 3 each.

- Allow all traffic to them (the internal IPs have their own firewalls).

- Optionally configure it to be as fast/efficient as possible.

I am upgrading from a Cisco (Linksys) RV082 because it would die / lock-up at 2M of traffic.  But the configuration for the above was very easy and worked right off the bat (just turn on 1-to-1 NAT for the IP ranges).

In a nutshell, I just want 1-to-1 Static NAT for these IPs that lets everything through.

External_IP_1   10.0.0.10
External_IP_2   10.0.0.11
External_IP_3   10.0.0.11
External_IP_4   10.0.0.20
External_IP_5   10.0.0.21
External_IP_6   10.0.0.22

I just want to get things live at this point and will play with locking things down later.  We have a sizable long-term budget so this is pilot testing the ASA, but after a week of reading everything I can find about the ASA/8.4, trying like 15 different configurations and talking with some data center pros, I am still stuck at the "no joy" phase and have never gotten a single packet back to our servers as far as I know.

I attached our config; it's a mess, but we've tried simple ones, factory resets, etc.  Other oddities include DNS working for some devices but not others on the inside network.  We just switch, unplug things and plug them into the RV082, and it all works fine, so it's not our devices.

Anyone have a super simple 1-to-1 Static NAT config that lets everything through?

Edit: We can't use transparent mode because we need protected access 10.0.0.11<->10.0.0.21 for example and this can't be on the public net.

Correct Answer
Mohammad Alhyari Sun, 09/11/2011 - 07:26

hello Mate ,

this is the super example :

internal ip: 10.0.0.1
external public ip: 11.0.0.1

config:

object network obj_10.0.0.1
 host 10.0.0.1
object network obj_11.0.0.1
 host 11.0.0.1

i always prefer to put static rules as the first entries in the table:

nat (inside,outside) 1 source static obj_10.0.0.1 obj_11.0.0.1

on the access-list applied to the outside interface:

access-list outside_access_in permit ip any host 10.0.0.1

regarding the two 0 security level inside and outside, the rule is:

ASA never allows you to telnet to the lowest security level interface.

HTH.

cheers.

Mohammad
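The answer's one-host pattern carried through for the six mappings in the question, as an added example that is not from the thread. The object names, ACL name, interface names and the 203.0.113.x placeholder public addresses are assumptions, and the access-group line that binds the ACL is included because the answer above does not show it.

```cisco
! Added example, not from the thread: the one-host pattern above applied to
! the six mappings in the question. Object, ACL and interface names are
! assumptions; 203.0.113.11-16 are placeholders for the six public IPs.
! External_IP_2 and External_IP_3 both map to 10.0.0.11, as listed.
!
! Real (inside) addresses
object network real_10.0.0.10
 host 10.0.0.10
object network real_10.0.0.11
 host 10.0.0.11
object network real_10.0.0.20
 host 10.0.0.20
object network real_10.0.0.21
 host 10.0.0.21
object network real_10.0.0.22
 host 10.0.0.22
! Mapped (public) addresses
object network map_ext1
 host 203.0.113.11
object network map_ext2
 host 203.0.113.12
object network map_ext3
 host 203.0.113.13
object network map_ext4
 host 203.0.113.14
object network map_ext5
 host 203.0.113.15
object network map_ext6
 host 203.0.113.16
! Manual NAT at the top of the table (positions 1-6), one static rule per
! public IP, so they are matched before any later dynamic PAT rule.
nat (inside,outside) 1 source static real_10.0.0.10 map_ext1
nat (inside,outside) 2 source static real_10.0.0.11 map_ext2
nat (inside,outside) 3 source static real_10.0.0.11 map_ext3
nat (inside,outside) 4 source static real_10.0.0.20 map_ext4
nat (inside,outside) 5 source static real_10.0.0.21 map_ext5
nat (inside,outside) 6 source static real_10.0.0.22 map_ext6
! Since 8.3 the inbound ACL matches the real (inside) address, not the
! public one. 'permit ip' is the 'allow everything' asked for; the servers'
! own host firewalls are then the only inbound filter.
object-group network real_servers
 network-object host 10.0.0.10
 network-object host 10.0.0.11
 network-object host 10.0.0.20
 network-object host 10.0.0.21
 network-object host 10.0.0.22
access-list outside_access_in extended permit ip any object-group real_servers
! The ACL only takes effect once it is bound to the interface:
access-group outside_access_in in interface outside
```

After applying it, `show nat` and `show access-list outside_access_in` should report hit counts climbing on the rule for whichever public IP is being tested.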

Atl_Gator Sun, 09/11/2011 - 07:32

RE: "ASA never allows you to telnet to the lowest security level interface"

That made me crack up ... because, of course it makes sense!

I am finally having some success in a test lab configuration and have had my first successful NAT pass-through. Seems I keep adding more access rules and the test is starting to work. My config is a huge mess however.

Correct Answer
Mohammad Alhyari Sun, 09/11/2011 - 07:36

cheers for the good news

please rate useful Forums!

Atl_Gator Sun, 09/11/2011 - 19:03

Okay, after another day down the toilet ...

I think your config is fantastic and exactly right.  I've been able to eliminate a lot more things through selective testing and narrowing and the situation I have now:

- Everything works perfectly with a web server running on my laptop pretending to be a server with an external IP.

- However, the two servers (each of which has two NICs and runs Linux), no matter what I do, don't pass packets through the ASA.  But the laptop works perfectly in any swapped situation, exactly as written and exactly as configured.

But no matter what I do, I can't get the servers to pass any packets through.

So, at this point my best guess is there is some sort of switch incompatibility between the NICs on the ASA and the ones on my servers or something like this.  However everything works great on the RV082 when I move it over.  When the servers are connected, even if it's only one NIC to the ASA, logging into them goes really slow (this could be because of no DNS however).

Anyone have any ideas before I return the ASA?  I can't really afford to burn another week on this.

Anyone recommend something better?  Not too inclined to buy another one of these.  Is there any method I can use to eliminate the NICs as an incompatibility issue?

The network cards we have are "Intel(R) PRO/1000 Network Connection".

Actually ... I just found this ...

"Do Intel (R) PRO/1000 family of Gigabit adapters support Cisco ISL VLANs?

No.  Intel(R)'s Gigabit adapters do not support ISL VLANs. They do support the 802.3 VLAN standard, which is much more commonly used.
http://www.ask.com/faqcentral/INTEL_1000.html..."

Which VLAN standard does the ASA use?  Let me guess .... (cry)

Correct Answer
Mohammad Alhyari Mon, 09/12/2011 - 00:07

hi ,

ASA supports .1q VLAN tagging.  Can you explain a little more regarding the TWO NICs, how they are connected to the ASA?

cheers.

Atl_Gator Tue, 09/13/2011 - 00:10

They were connected directly to the ASA and am now trying a switch in between.

I've tried completely different set of devices now and the behavior is sort of absurd.

- 1st device added/NATed ... works amazing.

- 2nd device added/NATed ... this device works but the 2nd device no longer works.

These new tests were re-enabling on a completely different network/etc., assigning outside IPs.

I have been unsuccessful in getting 2 outside IPs to work with NAT and the "object" method.  I am now trying to use the other NAT command sequences independently.

It really feels like the device is crippled or something, or is somehow limited to only allow one outside NATed IP.

Can anyone verify their own situation with the ASA 5505 working with more than 1 external public IP NATed?  I've been able to make it work with many different devices but never more than 1 IP at a time.

Atl_Gator Tue, 09/13/2011 - 00:18

Okay, I verified ... I connected multiple devices in the lab.  It seems only the first NAT rule works.  If I swap the order of the rules then the top one starts working and the follow-on ones don't work.

Can anyone verify for me that they actually got more than one IP on the outside interface working ever before?

Atl_Gator Wed, 09/14/2011 - 00:22

After a hellish week, finally isolated the issue.   We couldn't allow for any downtime in swapping the ASA in and out, so the 4-hour timeout on the ARP caches was never reached.

The ISP router ARP caches simply were ignoring our gear.  The fix was to get the MAC from the old router and enter it in the new one as a clone and as soon as we did that, everything went live and pretty.

It is a great device.  The upside is this hellish experience probably turned me into a baby-CCIE.

Thank you everyone for all the help.

If anyone has this issue again, just wait 4 hours or get the old router WAN MAC address and use the interfaces tab to clone it.

This Discussion

Posted September 11, 2011 at 2:33 AM
Updated September 11, 2011 at 4:12 AM