Dynamic NAT on ASA 8.2

Unanswered Question
Feb 17th, 2012
User Badges:

I can't figure out why the ASA cannot send traffic to the internet with the below config. What did I do wrong?


interface Ethernet0/0

nameif Outside

security-level 0

ip address 4.28.x.x 255.255.255.252

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 172.18.170.1 255.255.255.0


access-list VibraRemote_splitTunnelAcl standard permit 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Level3-SIP 255.255.255.0

access-list Inside_nat0_outbound extended permit ip Level3-SIP 255.255.255.0 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Corporate 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Poway 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 LaSierra 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Fontana 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 MorenoValley 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Woodcrest 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 HighDesert 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.193.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Westminster 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Lakewood 255.255.255.0


global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

route Outside 0.0.0.0 0.0.0.0 4.28.x.x 1

route Inside Level3-SIP 255.255.255.0 172.18.170.3 1

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Patrick0711 Fri, 02/17/2012 - 11:18
User Badges:
  • Bronze, 100 points or more

Are there any NAT 0 access lists that specify the destination you're tryin to reach?  The PAT configuration is correct.  Try a packet tracer and see what NAT configurations it hits

jasonww04 Fri, 02/17/2012 - 11:30
User Badges:

There aren't but the line

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252

is the network for my ISP.


I took it out and I still can't ping. I'm trying "ping Inside 75.71.47.74"

Julio Carvajal Fri, 02/17/2012 - 19:23
User Badges:
  • Purple, 4500 points or more

Hello Jason,


As I can see on the first post, You want to be able to go to the outside:


So on the No_nat rules you only need the networks for the VPN, nothing more.


Also  access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252

is the network for my ISP


Why are you doing that??? I mean traffic should get nat it, dont you think-

Patrick0711 Fri, 02/17/2012 - 19:28
User Badges:
  • Bronze, 100 points or more

Why are you performing a "ping Inside 75.71.47.74"?  This command is sourcing a ping from the inside interface which is exempt from NAT so I would expect this to be PAT'd

Patrick0711 Fri, 02/17/2012 - 19:29
User Badges:
  • Bronze, 100 points or more

Err, I meant to say that I would expect that traffic NOT to be PAT'd

jasonww04 Mon, 02/20/2012 - 07:26
User Badges:

This is what my ACL looks like now and still users can't get out.


access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Level3-SIP 255.255.255.0

access-list Inside_nat0_outbound extended permit ip Level3-SIP 255.255.255.0 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Corporate 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Poway 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 LaSierra 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Fontana 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 MorenoValley 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Woodcrest 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 HighDesert 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.193.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Westminster 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Lakewood 255.255.255.0

jasonww04 Tue, 02/21/2012 - 07:27
User Badges:

How would I test if my NAT is correct if I don't start the ping from the inside?

Amit Rai Tue, 02/21/2012 - 07:29
User Badges:

you can use the packet-tracer command on the ASA to check if the NAT is correct or not for any specific soruce and destination.

jasonww04 Tue, 02/21/2012 - 08:46
User Badges:

Packet tracer makes no sense to me at all. Here is the result of packet tracer going to an external IP. Why is there no NAT Phase but there is a VPN Phase when 75.71.47.74 cannot be reached through any configured VPN.


firewallmchpa# packet-tracer input Outside icmp 172.18.170.1 8 0 75.71.47.74 d$


Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         Outside


Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7e3f20, priority=3, domain=permit, deny=false

        hits=3, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7e5a08, priority=0, domain=inspect-ip-options, deny=true

        hits=351541, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7e5680, priority=66, domain=inspect-icmp-error, deny=false

        hits=12878, user_data=0xab7e5568, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac1465f8, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=141699, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 146737, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat


Module information for reverse flow ...


Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: allow

Keith McElroy Tue, 02/21/2012 - 08:58
User Badges:

This will probably sound fairly stupid, but I have run into this at least 3 times in the past with new ASA installations. I always had to reboot the ASA once before the NAT would actually function if I set it up after it was already plugged in, otherwise the NAT setup looks perfectly fine assuming your NAT exemptions don't match the thing you are trying to hit. You may want to do testing with something like 4.2.2.2 so you know it will respond to ICMP.

jasonww04 Tue, 02/21/2012 - 09:15
User Badges:

Is there something in the ASA equivalent to a router's clear ip nat translations *?

Keith McElroy Tue, 02/21/2012 - 09:19
User Badges:

There is, you clear the xlate, but this never worked when I tried it. It seemed to always be that the NAT process wouldn't start unless it had been enabled from boot. I can only assume it is part of the way the code is made and it must boot with the box. Then again, it could have been just multiple flukes, but I suspect it is an actual issue with how the code loads on the ASA. Best bet would be to just save the config and do a quick reboot, really doesn't hurt much considering it doesn't work right now anyway. I never tried, but you can probably check the CPU processes and look for something related to NAT, although it may be stuck under an IP process of some sort, therefore not transparent.

Actions

This Discussion