09-11-2011 02:33 AM - edited 03-11-2019 02:23 PM
Hello Everyone!
I recently purchased an ASA 5505 running v8.4(2) and have been trying to get it to work for a week with no. It seems like a very cool product and design but feels like I am missing some magic command to make my config work. Discovered all kinds of interesting oddities (like if you set inside and outside to security level 0 with all open ACLs, the ASDM works but you can't telnet to the device ... would love an explanation for that one )!
To the problem at hand:
- 6 Public IP addresses translated to 6 internal IPs in two IP block ranges of 3 each.
- Allow all traffic to them (the internal IPs have their own firewalls).
- Optionally configure it to be as fast/efficient as possible.
I am upgrading from a Cisco (Linksys) RV082 because it would die / lock-up at 2M of traffic. But the configuration for the above was very easy and worked right off the bat (just turn on 1-to-1 NAT for the IP ranges).
In a nutshell, I just want 1-to-1 Static NAT for these IPs that lets everything through.
External_IP_1 10.0.0.10
External_IP_2 10.0.0.11
External_IP_3 10.0.0.11
External_IP_4 10.0.0.20
External_IP_5 10.0.0.21
External_IP_6 10.0.0.22
I just want to get things live at this point and will play with locking things down later. We have a sizable long-term budget so this is pilot testing the ASA but after a week of reading everything I can find about the ASA/8.4 trying like 15 different configurations and talking with some data center pros am still stuck at the "no joy" phase and have never gotten a single packet back to our servers as far as I know.
I attached our config, it's a mess, but we've tried simple ones, factory resets, etc. Other oddities include DNS working for some devices but not others on the inside network. We just switch, unplug things and plug into the RV082, and it all works fine, so it's not our devices.
Anyone have a super simple 1-to-1 Static NAT config that lets everything through?
Edit: We can't use transparent mode because we need protected access 10.0.0.11<->10.0.0.21 for example and this can't be on the public net.
09-11-2011 07:26 AM
hello Mate ,
this is the super example :
internal ip :
10.0.0.1
external public ip :
11.0.0.1
config :
object network obj_10.0.0.1
host 10.0.0.1
object network obj_11.0.0.1
host 11.0.0.1
config :
i always prefer to put static rule as the first entries in the table :
nat (inside,outside) 1 source static obj_10.0.0.1 obj_11.0.0.1
on the access-list applied to the outside interface :
access-list outside_access_in permit ip any host 10.0.0.1
regarding the two 0 security level inside and outside, the rule is:
ASA never allows you to telnet to the lowest security level interface
HTH.
cheers.
Mohammad
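To scale the answer above to the six mappings asked about, here is an added helper (not from this thread or from Cisco) that emits the same object / nat / access-list pattern for a whole list of (public, private) pairs and refuses a list that reuses an address, since 1-to-1 static NAT needs a strict bijection. The addresses are constructed samples (public side from the 203.0.113.0/24 documentation range), and the ACL name outside_access_in is taken from the answer.

```python
"""Emit ASA 8.3+/8.4 one-to-one static NAT config for a list of
(public, private) pairs, in the object-based form shown in the answer.
Added example, not from the thread; all addresses are constructed."""
import ipaddress

# Constructed sample: six public IPs (documentation range) mapped to
# two internal blocks of three, mirroring the shape of the question.
MAPPING = [
    ("203.0.113.10", "10.0.0.10"),
    ("203.0.113.11", "10.0.0.11"),
    ("203.0.113.12", "10.0.0.12"),
    ("203.0.113.20", "10.0.0.20"),
    ("203.0.113.21", "10.0.0.21"),
    ("203.0.113.22", "10.0.0.22"),
]


def validate(mapping):
    """Static 1-to-1 NAT must be a bijection: reject bad or reused IPs."""
    seen_pub, seen_priv = set(), set()
    for pub, priv in mapping:
        ipaddress.IPv4Address(pub)   # raises ValueError on malformed input
        ipaddress.IPv4Address(priv)
        if pub in seen_pub or priv in seen_priv:
            raise ValueError(f"address reused in 1-to-1 mapping: {pub} -> {priv}")
        seen_pub.add(pub)
        seen_priv.add(priv)


def asa_config(mapping, acl="outside_access_in"):
    """Return the object, nat and access-list lines as one string."""
    validate(mapping)
    lines = []
    for pub, priv in mapping:
        lines += [f"object network obj_{priv}", f" host {priv}",
                  f"object network obj_{pub}", f" host {pub}"]
    for pub, priv in mapping:
        # Manual (twice) NAT rules land in section 1, evaluated first.
        lines.append(f"nat (inside,outside) source static obj_{priv} obj_{pub}")
    for _, priv in mapping:
        # Since 8.3 the outside ACL matches the real (untranslated) address.
        lines.append(f"access-list {acl} extended permit ip any host {priv}")
    lines.append(f"access-group {acl} in interface outside")
    return "\n".join(lines)


if __name__ == "__main__":
    print(asa_config(MAPPING))
```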
09-11-2011 07:32 AM
RE: "ASA we never allows you to telnet to the lowset security level interface "
That made me crack up ... because, of course it makes sense!
I am finally having some success in a test lab configuration and have had first successful NAT pass-through. Seems I keep adding more access rules and the test is starting to work. My config is a huge mess however.
09-11-2011 07:36 AM
cheers for the good news
please rate useful Forums!
09-11-2011 07:03 PM
Okay, after another day down the toilet ...
I think your config is fantastic and exactly right. I've been able to eliminate a lot more things through selective testing and narrowing and the situation I have now:
- Everything works perfectly with a web server running on my laptop pretending to be a server with an external IP.
- However, the two servers (each of which have two NICs running Linux), no matter what I do, they don't pass packets through the ASA. But the laptop works perfectly in any swapped situation, exactly as written and exactly as configured.
But no matter what I do, I can't get the servers to pass any packets through.
So, at this point my best guess is there is some sort of switch incompatibility between the NICs on the ASA and the ones on my servers or something like this. However everything works great on the RV082 when I move it over. When the servers are connected even if it's only one NIC to the ASA logging into them goes really slow (this could be because of no DNS however).
Anyone have any ideas before I return the ASA? I can't really afford to burn another week on this.
Anyone recommend something better? Not too inclined to buy another one of these. Is there any method I can use to eliminate the NICs as an incompatibility issue?
The network cards we have are "Intel(R) PRO/1000 Network Connection".
Actually ... I just found this ...
"Do Intel (R) PRO/ 1000 family of Gigabit adapters support Cisco ISL VLANs?
Which VLAN standard does the ASA use? Let me guess .... (cry)
09-12-2011 12:07 AM
hi ,
ASA supports .1q VLAN tagging. Can you explain a little more regarding the TWO NICs, how they are connected to the ASA?
cheers.
09-13-2011 12:10 AM
They were connected directly to the ASA and I am now trying a switch in between.
I've tried completely different set of devices now and the behavior is sort of absurd.
- 1st device added/NATed ... works amazing.
- 2nd device added/NATed ... this device works but the 2nd device no longer works.
These new tests were re-enabling on a complete different network/etc., assigning outside IPs.
I have been unsuccessful in getting 2 outside IPs to work with NAT and the "object" method. I am now trying to use the other NAT command sequences independently.
It really feels like the device is crippled or something or is somehow limited to only allow one outside NATed IP.
Can anyone verify their own situation with the ASA 5505 working with more than 1 external public IP NATed? I've been able to make it work with many different devices but never more than 1 IP at a time.
09-13-2011 12:18 AM
Okay, I verified ... I connected multiple devices in the lab. It seems only the first NAT rule works. If I swap the order of the rules then the top one starts working and the follow-on ones don't work.
Can anyone verify for me that they actually got more than one IP on the outside interface working ever before?
09-14-2011 12:22 AM
After a hellish week, finally isolated the issue. We couldn't allow for any downtime in swapping the ASA in and out so the 4 hour timeout on the ARP caches was never reached.
The ISP router ARP caches simply were ignoring our gear. The fix was to get the MAC from the old router and enter it in the new one as a clone and as soon as we did that, everything went live and pretty.
It is a great device. The upside is this hellish experience probably turned me into a baby-CCIE.
Thank you everyone for all the help.
If anyone has this issue again, just wait 4 hours or get the old router WAN MAC address and use the interfaces tab to clone it.