cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2900
Views
0
Helpful
12
Replies

Dynamic NAT on ASA 8.2

jasonww04
Level 1
Level 1

I can't figure out why the ASA cannot send traffic to the internet with the below config. What did I do wrong?

interface Ethernet0/0

nameif Outside

security-level 0

ip address 4.28.x.x 255.255.255.252

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 172.18.170.1 255.255.255.0

access-list VibraRemote_splitTunnelAcl standard permit 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Level3-SIP 255.255.255.0

access-list Inside_nat0_outbound extended permit ip Level3-SIP 255.255.255.0 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Corporate 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Poway 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 LaSierra 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Fontana 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 MorenoValley 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Woodcrest 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 HighDesert 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.193.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Westminster 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Lakewood 255.255.255.0

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

route Outside 0.0.0.0 0.0.0.0 4.28.x.x 1

route Inside Level3-SIP 255.255.255.0 172.18.170.3 1

12 Replies 12

Patrick0711
Level 3
Level 3

Are there any NAT 0 access lists that specify the destination you're tryin to reach?  The PAT configuration is correct.  Try a packet tracer and see what NAT configurations it hits

There aren't but the line

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252

is the network for my ISP.

I took it out and I still can't ping. I'm trying "ping Inside 75.71.47.74"

Hello Jason,

As I can see on the first post, You want to be able to go to the outside:

So on the No_nat rules you only need the networks for the VPN, nothing more.

Also  access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 4.28.x.x 255.255.255.252

is the network for my ISP

Why are you doing that??? I mean traffic should get nat it, dont you think-

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Patrick0711
Level 3
Level 3

Why are you performing a "ping Inside 75.71.47.74"?  This command is sourcing a ping from the inside interface which is exempt from NAT so I would expect this to be PAT'd

Err, I meant to say that I would expect that traffic NOT to be PAT'd

This is what my ACL looks like now and still users can't get out.

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Level3-SIP 255.255.255.0

access-list Inside_nat0_outbound extended permit ip Level3-SIP 255.255.255.0 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.170.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Corporate 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Poway 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 LaSierra 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Fontana 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 MorenoValley 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Woodcrest 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 HighDesert 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 172.18.193.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Westminster 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 172.18.170.0 255.255.255.0 Lakewood 255.255.255.0

How would I test if my NAT is correct if I don't start the ping from the inside?

you can use the packet-tracer command on the ASA to check if the NAT is correct or not for any specific soruce and destination.

Packet tracer makes no sense to me at all. Here is the result of packet tracer going to an external IP. Why is there no NAT Phase but there is a VPN Phase when 75.71.47.74 cannot be reached through any configured VPN.

firewallmchpa# packet-tracer input Outside icmp 172.18.170.1 8 0 75.71.47.74 d$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         Outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7e3f20, priority=3, domain=permit, deny=false

        hits=3, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7e5a08, priority=0, domain=inspect-ip-options, deny=true

        hits=351541, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7e5680, priority=66, domain=inspect-icmp-error, deny=false

        hits=12878, user_data=0xab7e5568, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac1465f8, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=141699, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 146737, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: allow

This will probably sound fairly stupid, but I have run into this at least 3 times in the past with new ASA installations. I always had to reboot the ASA once before the NAT would actually function if I set it up after it was already plugged in, otherwise the NAT setup looks perfectly fine assuming your NAT exemptions don't match the thing you are trying to hit. You may want to do testing with something like 4.2.2.2 so you know it will respond to ICMP.

Is there something in the ASA equivalent to a router's clear ip nat translations *?

There is, you clear the xlate, but this never worked when I tried it. It seemed to always be that the NAT process wouldn't start unless it had been enabled from boot. I can only assume it is part of the way the code is made and it must boot with the box. Then again, it could have been just multiple flukes, but I suspect it is an actual issue with how the code loads on the ASA. Best bet would be to just save the config and do a quick reboot, really doesn't hurt much considering it doesn't work right now anyway. I never tried, but you can probably check the CPU processes and look for something related to NAT, although it may be stuck under an IP process of some sort, therefore not transparent.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: