ASA 5505 - No Internet Using Static NAT Rules

Unanswered Question
Jan 29th, 2012

I'm trying to configure a second server on my network but whenever I add the static NAT rule, the internet stops working on that computer.

Here's my Cisco ASA configuration:

ASA Version 7.2(3)
!
hostname domain
domain-name domain.ca
enable password M6aAV/2UhVYeSYwL encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.126 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.xx.xx.60 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.226.226 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd M6aAV/2UhVYeSYwL encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain.ca
access-list crypto_acl_10 extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.205.0 255.255.255.0
access-list nonat extended permit ip 192.168.123.0 255.255.255.0 192.168.99.0 255.255.255.224
access-list inbound extended permit tcp any host 69.xx.xx.61 eq www
access-list inbound extended permit tcp any host 69.xx.xx.61 eq https
access-list inbound extended permit tcp any host 69.xx.xx.61 eq smtp
access-list inbound extended permit tcp any host 69.xx.xx.61 eq pop3
access-list inbound extended permit gre any host 69.xx.xx.61
access-list inbound extended permit tcp any host 69.xx.xx.61 eq pptp
access-list inbound extended permit tcp any host 69.xx.xx.58 eq 8080
access-list inbound extended permit tcp any host 69.xx.xx.61 eq ftp
access-list inbound extended permit tcp any host 69.xx.xx.63 eq www
access-list inbound extended permit tcp any host 69.xx.xx.63 eq https
access-list inbound extended permit tcp any host 69.xx.xx.63 eq smtp
access-list inbound extended permit icmp any host 69.xx.xx.63
access-list vpnclient_splitTunnelAcl standard permit 192.168.123.0 255.255.255.0
access-list guest_access_in extended deny ip 192.168.226.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list guest_access_in extended permit ip 192.168.226.0 255.255.255.0 any
access-list guest_access_in extended permit ip any any inactive
access-list guest_access_in extended permit tcp any host 192.168.226.4
access-list guest_access_in extended permit tcp any eq smtp host 192.168.226.4 eq smtp
access-list guest_access_out extended permit ip host 192.168.226.2 host 69.70.178.122
access-list outside_access_out extended permit ip host 69.xx.xx.63 host 69.70.178.122
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered errors
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool remotevpn 192.168.99.10-192.168.99.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any guest
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 69.xx.xx.61 192.168.123.4 netmask 255.255.255.255 dns
static (inside,outside) 69.xx.xx.58 192.168.123.200 netmask 255.255.255.255
static (inside,outside) 69.xx.xx.63 192.168.123.58 netmask 255.255.255.255
access-group inbound in interface outside
access-group guest_access_in in interface guest
route outside 0.0.0.0 0.0.0.0 69.xx.xx.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 64.254.232.224 255.255.255.224 outside
http 69.70.4.112 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address crypto_acl_10
crypto map outside_map 10 set peer 64.254.232.248
crypto map outside_map 10 set transform-set ESP-AES-MD5 ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 64.254.232.224 255.255.255.224 outside
ssh 69.70.4.112 255.255.255.248 outside
ssh 69.70.178.122 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.226.4-192.168.226.100 guest
dhcpd dns 24.200.241.37 interface guest
dhcpd enable guest
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
ntp server 199.212.17.21 source outside
ntp server 199.212.17.22 source outside
ntp server 209.87.233.53 source outside
ntp server 132.246.168.148 source outside
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.123.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient_splitTunnelAcl
 default-domain value domain.local
 split-dns value domain.local
username mmintzberg password 8fAM98BTuTuY/jU2 encrypted
username fross password Ykti5THH7ftFZeWp encrypted
username jsilver password 0VSZ094cAtFEZuxW encrypted
username mgadmin password 3Nrrh9/fcmJrMiH2 encrypted privilege 15
username smintzberg password .RPWyyJt7YbCb94T encrypted
username smintzberg attributes
 vpn-framed-ip-address 192.168.99.22 255.255.255.0
username mruiz password j8Scwuudo9vNlzVa encrypted privilege 15
tunnel-group 64.254.232.248 type ipsec-l2l
tunnel-group 64.254.232.248 ipsec-attributes
 pre-shared-key *
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 address-pool remotevpn
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:ca6a95011ce78d4d850a5127af0d245c
: end

Message was edited by: Moises Ruiz Updated ASA running configuration

rizwanr74 Mon, 01/30/2012 - 08:03

Is the static NAT you are trying to add the same public IP that is configured on the outside interface?

moises.ruiz Wed, 02/01/2012 - 18:22

I'm sorry guys, I've been rushing with other stuff.

Right now I have a static NAT rule set to 192.168.123.100 but there's no DHCP reservation for that IP; as soon as I set a DHCP reservation for the server on the inside interface I will lose the internet.

I've updated the running configuration in my original message.

mvsheik123 Wed, 02/01/2012 - 18:35

Hello,

I am not sure if this is normal behaviour, but you can try clearing the existing 'xlate' for this single IP (local or global) after setting up the reservation.

hth

MS

mvsheik123 Wed, 02/01/2012 - 18:52

Here is the syntax...

clear xlate

To clear current translation and connection information, use the clear xlate command in privileged EXEC mode.

clear xlate [global ip1[-ip2] [netmask mask]] [local ip1[-ip2] [netmask mask]]
[gport port1[-port2]] [lport port1[-port2]] [interface if_name] [state state]

In your scenario, you can issue the command.. clear xlate local 192.168.123.200

Make sure the server still holds IP & DNS once you reserve the IP. From server end, you can release & renew IP config.

Thx

MS

moises.ruiz Thu, 02/02/2012 - 15:59

OK, I forgot how to connect and run in exec mode, but in the ASDM I executed the command and nothing changed.

I'm a newbie to Cisco appliances.

lcambron Thu, 02/02/2012 - 16:37

Moises,

I think this is an issue with DHCP instead of NAT.

You said the issue starts when you reserve the IP.

Just to confirm, the ASA is not the DHCP server for the inside network?

If you clear the arp table (after you reserve the IP of the server) and then try to access the internet, do you see arp entries on the ASA? Or can you still ping the ASA?

Felipe.

mvsheik123 Thu, 02/02/2012 - 19:36

Thanks for the update Moises. But when you reserve the IP, have you checked if the server still holds IP & DNS ?

I believe you need to release & renew the IP config on the server.

Thx

MS

jyothydas Fri, 02/03/2012 - 02:42

static (inside,outside) 69.xx.xx.63 192.168.123.100 netmask 255.255.255.255 dns ?

Looks like wrong NAT config if you want to browse net.

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

!--- The "dns" keyword is added to instruct the security appliance to modify 
!--- DNS records related to this entry.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

moises.ruiz Fri, 02/03/2012 - 14:38

Not sure what I need to do, jyothydas?

All I want is to be able to assign a static IP (inside and outside) so that I can set up services that go to the outside world.

moises.ruiz Fri, 02/03/2012 - 14:31

The issue starts when I add the NAT rule.

No, there's a different DHCP server on the inside network.

I cleared the ARP table, I can still ping the router and the ASA and I do see entries in the ARP table.

moises.ruiz Sat, 02/04/2012 - 13:40

I tried removing the DNS in the NAT rule but didn't change anything.

jyothydas Mon, 02/06/2012 - 01:40

You mean your command was

static (inside,outside) 69.70.71.72 192.168.123.100 netmask 255.255.255.255 and it did not work?

And you should have a similar ACL which allows http/dns communication. (Or did I miss it in your config?)

access-list inbound extended permit tcp any any eq www

access-list inbound extended permit tcp any any eq domain
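The first reply in the thread asks whether the new mapped address is the outside interface's own address, and the reply above asks whether the inbound ACL actually covers the mapped host. The Python below is an added example, not code from the thread or from Cisco: it generalizes both questions into a small sanity check over pre-8.3 `static` and `access-list` lines. It flags a mapped address that is the outside interface address, the outside subnet's network or broadcast address, or outside that subnet entirely; duplicate statics; statics that no inbound permit reaches; and `any any` permits, which expose every mapped host rather than the one intended. The embedded configuration is constructed: because the page masks the real prefix as 69.xx.xx, it uses the documentation block 203.0.113.56/29 with the thread's last octets (.60 outside, .58/.61/.63 mapped) and the 192.168.123.100 mapping the poster describes. One thing the check surfaces is that in a /29 containing .60, the .63 address is the subnet's broadcast address; whether that is the poster's actual problem the thread does not say.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample (pre-8.3 ASA syntax as used in the thread). The public
# block is the documentation range 203.0.113.56/29, standing in for the masked
# 69.xx.xx.56/29 of the page; inside addresses are the thread's own.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.60 255.255.255.248
access-list inbound extended permit tcp any host 203.0.113.61 eq www
access-list inbound extended permit tcp any host 203.0.113.58 eq 8080
access-list inbound extended permit tcp any host 203.0.113.63 eq www
access-list inbound extended permit tcp any any eq domain
static (inside,outside) 203.0.113.61 192.168.123.4 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.58 192.168.123.200 netmask 255.255.255.255
static (inside,outside) 203.0.113.63 192.168.123.100 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)(\s+dns)?\s*$")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
IFACE_RE = re.compile(r"^interface \S+$")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)$")
IPADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)$")


@dataclass
class Static:
    mapped: ipaddress.IPv4Address   # global (outside) address
    real: ipaddress.IPv4Address     # local (inside) address
    dns: bool                       # 'dns' keyword: matching DNS replies are rewritten


def parse_interfaces(text):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    result, name, addr = {}, None, None
    for line in text.splitlines():
        if IFACE_RE.match(line):          # new interface block: forget the previous one
            name = addr = None
            continue
        m = NAMEIF_RE.match(line)
        if m:
            name = m.group(1)
        m = IPADDR_RE.match(line)
        if m:
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        if name and addr:
            result[name] = addr
    return result


def parse_statics(text):
    """Return a Static for every one-to-one static line."""
    return [Static(ipaddress.IPv4Address(m.group(3)), ipaddress.IPv4Address(m.group(4)),
                   bool(m.group(6)))
            for m in map(STATIC_RE.match, text.splitlines()) if m]


def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text, name):
    """Return (destination network, protocol, raw line) for each permit in ACL `name`.
    Only the any / host / net-mask endpoint forms are handled (enough for this thread)."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != name or m.group(2) != "permit":
            continue
        _, rest = _endpoint(m.group(4).split())   # source endpoint
        if rest[:1] == ["eq"]:                    # optional source port
            rest = rest[2:]
        dst, _ = _endpoint(rest)
        entries.append((dst, m.group(3), line))
    return entries


def audit(text, outside="outside", acl="inbound"):
    """Return (mapped address or '*', message) findings for the static entries."""
    out = parse_interfaces(text)[outside]
    net = out.network
    entries = parse_acl(text, acl)
    findings, seen_mapped, seen_real = [], set(), set()
    for s in parse_statics(text):
        tag = str(s.mapped)
        if s.mapped == out.ip:
            findings.append((tag, "mapped address is the outside interface's own address"))
        elif s.mapped in (net.network_address, net.broadcast_address):
            findings.append((tag, f"mapped address is the network or broadcast address of {net}"))
        elif s.mapped not in net:
            findings.append((tag, f"mapped address lies outside {net}; the upstream router must route it to the ASA"))
        if s.mapped in seen_mapped or s.real in seen_real:
            findings.append((tag, "duplicate static for this mapped or real address"))
        seen_mapped.add(s.mapped)
        seen_real.add(s.real)
        if not any(s.mapped in dst for dst, _, _ in entries):
            findings.append((tag, f"no permit in ACL {acl} reaches this mapped address"))
    for dst, proto, raw in entries:
        if dst.prefixlen == 0:   # 'any' destination exposes every mapped host, not just one
            findings.append(("*", f"ACL {acl} permits {proto} to any destination; scope it to a host: {raw}"))
    return findings


if __name__ == "__main__":
    for tag, msg in audit(SAMPLE_CONFIG):
        print(f"{tag}: {msg}")
```

Run it against a `show running-config` saved to a file by passing the file's contents to `audit()`; the `outside` and `acl` parameters default to the names used in this thread. The parser deliberately handles only the endpoint forms that appear in the thread's config, so other ACL syntax should be added before relying on the "no permit reaches this address" finding.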

moises.ruiz Mon, 02/06/2012 - 06:24

I actually just removed: "Translate the DNS replies that match the translation rule" from the NAT Options in the ASDM and that didn't make a difference.

I do have:

access-list inbound extended permit tcp any host 69.xx.xx.63 eq www

(since my 192.168.123.100 NAT rule points to 69.xx.xx.63)

But I don't have:

access-list inbound extended permit tcp any any eq domain

What is that one for?

I apologize again, but I'm not savvy with Cisco's configuration and commands. I was not the one who configured this environment, and since it's a production environment I don't want to change stuff if I don't fully understand what it is doing, so I appreciate your patience.

Posted January 29, 2012 at 6:14 PM