ASA 5505 v8.4 - Most simple 'allow everything' 1-to-1 Static NAT Config?

Atl_Gator (Level 1)

Hello Everyone!

I recently purchased an ASA 5505 running v8.4(2) and have been trying to get it to work for a week with no.  It seems like a very cool product and design, but it feels like I am missing some magic command to make my config work.  I have discovered all kinds of interesting oddities (like if you set inside and outside to security level 0 with all open ACLs, the ASDM works but you can't telnet to the device ... would love an explanation for that one)!

To the problem at hand:

- 6 Public IP addresses translated to 6 internal IPs in two IP block ranges of 3 each.

- Allow all traffic to them (the internal IPs have their own firewalls).

- Optionally configure it to be as fast/efficient as possible.

I am upgrading from a Cisco (Linksys) RV082 because it would die / lock-up at 2M of traffic.  But the configuration for the above was very easy and worked right off the bat (just turn on 1-to-1 NAT for the IP ranges).

In a nutshell, I just want 1-to-1 Static NAT for these IPs that lets everything through.

External_IP_1   10.0.0.10
External_IP_2   10.0.0.11
External_IP_3   10.0.0.11
External_IP_4   10.0.0.20
External_IP_5   10.0.0.21
External_IP_6   10.0.0.22

I just want to get things live at this point and will play with locking things down later.  We have a sizable long-term budget so this is pilot testing the ASA but after a week of reading everything I can find about the ASA/8.4 trying like 15 different configurations and talking with some data center pros am still stuck at the "no joy" phase and have never gotten a single packet back to our servers as far as I know.

I attached our config; it's a mess, but we've tried simple ones, factory resets, etc.  Other oddities include DNS working for some devices but not others on the inside network.  We just unplug things and plug them into the RV082 and it all works fine, so it's not our devices.

Anyone have a super simple 1-to-1 Static NAT config that lets everything through?

Edit: We can't use transparent mode because we need protected access 10.0.0.11<->10.0.0.21 for example and this can't be on the public net.


8 Replies

Mohammad Alhyari (Cisco Employee)

hello Mate,

this is the super example:

internal ip: 10.0.0.1

external public ip: 11.0.0.1

config:

object network obj_10.0.0.1
 host 10.0.0.1
object network obj_11.0.0.1
 host 11.0.0.1

i always prefer to put static rules as the first entries in the table:

nat (inside,outside) 1 source static obj_10.0.0.1 obj_11.0.0.1

on the access-list applied to the outside interface:

access-list outside_access_in permit ip any host 10.0.0.1

regarding the two 0 security level inside and outside, the rule is:

the ASA never allows you to telnet to the lowest security level interface.

HTH.

cheers.

Mohammad
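As an added example (not part of the thread, and not Cisco's or either poster's code): the same 1-to-1 static NAT for all six hosts in the question, written in object (auto) NAT form rather than the manual "nat ... source static" form in the answer above; both forms are valid on ASA 8.3 and later. A small Python script checks the mapping table first and then emits the config plus the CLI commands to verify each translation. Assumptions, none of which come from the thread: public addresses 203.0.113.10 through 203.0.113.15 stand in for External_IP_1..6, the interfaces are named inside and outside, the ACL name is the one from the answer, and 198.51.100.1 is a made-up probe source for packet-tracer. The table in the question lists 10.0.0.11 twice, and the script refuses to emit config while that is the case; the demonstration at the bottom substitutes an assumed 10.0.0.12 purely to show the output.

```python
"""Build and sanity-check an ASA 8.3+/8.4 1-to-1 static NAT config.

Added example, not code from the thread. Public addresses below are
placeholders from the 203.0.113.0/24 documentation range standing in for
External_IP_1..6; interface and ACL names follow the answer above.
"""
import ipaddress
from collections import Counter

# Constructed from the table in the question. The post lists 10.0.0.11 twice
# (External_IP_2 and External_IP_3); it is kept here so the check below flags it.
MAPPINGS = [
    ("203.0.113.10", "10.0.0.10"),
    ("203.0.113.11", "10.0.0.11"),
    ("203.0.113.12", "10.0.0.11"),
    ("203.0.113.13", "10.0.0.20"),
    ("203.0.113.14", "10.0.0.21"),
    ("203.0.113.15", "10.0.0.22"),
]


def validate(mappings):
    """Return a list of problems with a (mapped, real) table; [] means clean."""
    problems = []
    for mapped, real in mappings:
        for label, addr in (("mapped", mapped), ("real", real)):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{label} address {addr!r} is not an IP address")
    # A 1-to-1 static needs each public and each inside address exactly once.
    for label, column in (("mapped", 0), ("real", 1)):
        counts = Counter(pair[column] for pair in mappings)
        for addr, n in sorted(counts.items()):
            if n > 1:
                problems.append(
                    f"{label} address {addr} appears {n} times; a 1-to-1 static "
                    f"needs one real host per public address")
    return problems


def asa_config(mappings, inside="inside", outside="outside",
               acl="outside_access_in"):
    """Emit object (auto) NAT plus a permit-all ACL entry for each real host.

    Each network object carries its own static translation, so rule order in
    the NAT table is not a concern. The ACL applied to the outside interface
    references the real (untranslated) address, as on ASA 8.3 and later.
    """
    problems = validate(mappings)
    if problems:
        raise ValueError("refusing to emit config: " + "; ".join(problems))
    lines = []
    for mapped, real in mappings:
        lines += [
            f"object network obj_{real}",
            f" host {real}",
            f" nat ({inside},{outside}) static {mapped}",
        ]
    for _, real in mappings:
        lines.append(f"access-list {acl} extended permit ip any host {real}")
    lines.append(f"access-group {acl} in interface {outside}")
    return "\n".join(lines)


def verification_commands(mappings, outside="outside", probe_src="198.51.100.1"):
    """CLI commands that confirm each translation on the ASA itself.

    packet-tracer simulates an inbound TCP/80 packet to each public address and
    reports the NAT rule and ACL entry it hits, which separates a NAT/ACL
    problem from an upstream one (such as a stale ARP entry on the ISP router).
    """
    cmds = ["show nat", "show xlate"]
    for mapped, _ in mappings:
        cmds.append(
            f"packet-tracer input {outside} tcp {probe_src} 40000 {mapped} 80")
    return cmds


if __name__ == "__main__":
    for issue in validate(MAPPINGS):
        print("check the mapping table before deploying:", issue)
    # Assumed correction of the repeated entry, for demonstration only.
    fixed = [(m, "10.0.0.12" if m == "203.0.113.12" else r) for m, r in MAPPINGS]
    print(asa_config(fixed))
    print()
    print("\n".join(verification_commands(fixed)))
```

Paste the emitted lines into configuration mode, then run the verification commands; if packet-tracer shows the packet allowed through NAT and the ACL but real traffic still never arrives, the problem is upstream of the ASA rather than in the translation.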

RE: "ASA we never allows you to telnet to the lowset security level interface "

That made me crack up ... because, of course it makes sense!

I am finally having some success in a test lab configuration and have had my first successful NAT pass-through. It seems that as I keep adding more access rules the test is starting to work. My config is a huge mess, however.

cheers for the good news

please rate useful forums!

Okay, after another day down the toilet ...

I think your config is fantastic and exactly right.  I've been able to eliminate a lot more things through selective testing and narrowing and the situation I have now:

- Everything works perfectly with a web server running on my laptop pretending to be a server with an external IP.

- However, the two servers (each of which has two NICs running Linux), no matter what I do, don't pass packets through the ASA.  But the laptop works perfectly in any swapped situation, exactly as written and exactly as configured.

But no matter what I do, I can't get the servers to pass any packets through

So, at this point my best guess is there is some sort of switch incompatibility between the NICs on the ASA and the ones on my servers, or something like this.  However everything works great on the RV082 when I move it over.  When the servers are connected to the ASA, even if it's only one NIC, logging into them goes really slow (this could be because of no DNS, however).

Anyone have any ideas before I return the ASA?  I can't really afford to burn another week on this.

Anyone recommend something better?  Not too inclined to buy another one of these.  Is there any method I can use to eliminate the NICs as an incompatibility issue?

The network cards we have are "Intel(R) PRO/1000 Network Connection".

Actually ... I just found this ...

"Do Intel(R) PRO/1000 family of Gigabit adapters support Cisco ISL VLANs?

No.  Intel(R)'s Gigabit adapters do not support ISL VLANs. They do support the 802.3 VLAN standard, which is much more commonly used."
http://www.ask.com/faqcentral/INTEL_1000.html...

Which VLAN standard does the ASA use?  Let me guess .... (cry)

hi,

The ASA supports .1q VLAN tagging.  Can you explain a little more regarding the TWO NICs and how they are connected to the ASA?

cheers.

They were connected directly to the ASA and am now trying a switch in between.

I've tried completely different set of devices now and the behavior is sort of absurd.

- 1st device added/NATed ... works amazing.

- 2nd device added/NATed ... this device works but the 2nd device no longer works.

These new tests were re-enabling on a complete different network/etc., assigning outside IPs.

I have been unsuccessful in getting 2 outside IPs to work with NAT and the "object" method.  I am now trying to use the other NAT command sequences independently.

It really feels like the device is crippled or something, or is somehow limited to only allow one outside NATed IP.

Can anyone verify their own situation with the ASA 5505 working with more than 1 external public IP NATed?  I've been able to make it work with many different devices but never more than 1 IP at a time.

Okay, I verified ... I connected multiple devices in the lab.  It seems only the first NAT rule works.  If I swap the order of the rules then the top one starts working and the follow-on ones don't work.

Can anyone verify for me that they actually got more than one IP on the outside interface working ever before?

After a hellish week, finally isolated the issue.   We couldn't allow for any downtime in swapping the ASA in and out so the 4 hour timeout on the ARP caches was never reached.

The ISP router ARP caches simply were ignoring our gear.  The fix was to get the MAC from the old router and enter it in the new one as a clone and as soon as we did that, everything went live and pretty.

It is a great device.  The upside is this hellish experience probably turned me into a baby-CCIE.

Thank you everyone for all the help.

If anyone has this issue again, just wait 4 hours or get the old router WAN MAC address and use the interfaces tab to clone it.
