ASA 5505 NAT failure

bmhoskinson (Level 1)

Good morning. I am having some trouble setting up a new ASA 5505. I finished the config and, before I put the ASA into production, I decided to run the packet tracer on the ASDM. The test packets seemed to pass fine through my ACLs; however, they keep getting dropped by NAT, with an error along the lines of "no matching NAT rule available for the connection". I need certain traffic to pass from the DMZ to the INSIDE, and I have some static mappings that open some things on the DMZ up to the internet as well as from the internet to the inside network. According to the packet tracer no traffic will flow anywhere. I have no specific ACL for going from the INSIDE to the DMZ because I expect the implied allow from higher security to lower security to take care of that. I still get a NAT deny on this traffic too, and there should be no NAT between the INSIDE and DMZ. I know I have missed something silly with the NAT but I can't see it. Here is my NAT config.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (perimter) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Exchange-Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Exchange-Server https netmask 255.255.255.255
static (inside,outside) tcp interface 4020 Access-Server 4020 netmask 255.255.255.255
static (perimter,outside) 66.76.12.183 Web-Server netmask 255.255.255.255

And my ACLs too:

access-group outside_access_in_1 in interface outside
access-group perimter_access_in in interface perimter

access-list perimter_access_in extended permit tcp host Web-Server host Access-Server eq 1433
access-list perimter_access_in extended permit udp host Web-Server host Access-Server eq 1434
access-list perimter_access_in extended permit tcp host Web-Server host Domain-Controller eq domain
access-list perimter_access_in extended permit udp host Web-Server host Domain-Controller eq domain
access-list perimter_access_in extended permit tcp host Web-Server host Exchange-Server eq smtp
access-list perimter_access_in extended permit udp host Web-Server host Exchange-Server eq 465
access-list perimter_access_in extended permit tcp host Web-Server host Exchange-Server eq 50389
access-list perimter_access_in extended permit udp host Web-Server host Exchange-Server eq 50389

access-list outside_access_in_1 extended permit tcp any host Web-Server eq www
access-list outside_access_in_1 extended permit tcp any host Web-Server eq https
access-list outside_access_in_1 extended permit tcp any host Web-Server eq smtp
access-list outside_access_in_1 extended permit tcp any host Web-Server eq 465
access-list outside_access_in_1 extended permit tcp any host Web-Server eq 135
access-list outside_access_in_1 extended permit tcp any host Exchange-Server eq www
access-list outside_access_in_1 extended permit tcp any host Exchange-Server eq https
access-list outside_access_in_1 extended permit tcp any host Access-Server eq 4020

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

Generally in this case you would configure Static Identity NAT.

The format is as follows:

static (inside,perimter) <network> <network> netmask <netmask>

So for example, if your "inside" would have network 10.10.10.0/24, you would add

static (inside,perimter) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

For multiple networks you add multiple similar statements.

This should enable the networks' connectivity.

I am not, however, sure what your "security-level" values are. You first mention a connection going from DMZ to INSIDE and later INSIDE to DMZ. Naturally only one of those directions is possible without an ACL, unless of course you have "same-security-traffic permit inter-interface" configured and the "security-level" values identical on both interfaces.

Hope this helps

- Jouni

3 Replies

Jouni, thanks, I will give that NAT statement a try. Adding this NAT statement (with the proper IP addresses), I assume, will allow traffic that is allowed by ACL to flow either way, DMZ-to-INSIDE and INSIDE-to-DMZ, un-NATed? Or will I need to put a similar NAT statement in for the DMZ interface?

My interfaces are set with security levels as follows:

Inside 100
perimter 50 (which is the DMZ)
outside 0

I have ACLs that allow traffic to flow from the DMZ to the INSIDE segments as well as the ones needed from the internet.

Hi,

I don't think you should need any additional "static" command.

Naturally, after you have issued the needed commands you can confirm functionality and also use "packet-tracer" to do the same.

You could also probably achieve this with NAT0 / NAT Exempt configuration if you wanted.

- Jouni
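As an added illustration of why the original config drops INSIDE/DMZ traffic and why a single identity static fixes both directions (the point of the accepted answer and of the follow-up that no second static is needed), here is a simplified Python model of the pre-8.3 ASA NAT lookup order. This is not the poster's or Cisco's code; it ignores port-level statics and policy NAT, takes 10.10.10.0/24 for "inside" from Jouni's example, and uses a constructed 192.168.50.0/24 for the DMZ.

```python
import ipaddress
from typing import Optional

# Rule constructors mirroring the three pre-8.3 NAT statement types used in the thread.
def static(real_if, mapped_if, real, mapped):
    return ("static", real_if, mapped_if,
            ipaddress.ip_network(real), ipaddress.ip_network(mapped))

def nat(iface, nat_id, net):
    return ("nat", iface, nat_id, ipaddress.ip_network(net))

def glob(iface, nat_id):
    return ("global", iface, nat_id)

# Address-level part of the poster's config: one global on outside, nat id 1 on both inner interfaces.
ORIGINAL = [glob("outside", 1),
            nat("inside", 1, "0.0.0.0/0"),
            nat("perimter", 1, "0.0.0.0/0")]

# Jouni's fix: identity static between inside and the DMZ (perimter) interface.
FIXED = ORIGINAL + [static("inside", "perimter", "10.10.10.0/24", "10.10.10.0/24")]

def lookup(rules, src_if, dst_if, src_ip, dst_ip) -> Optional[str]:
    """Return the translation a flow would use, or None when the ASA would
    drop it for lack of a translation ('no translation group found')."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. Statics win. Forward direction matches on source in the real network;
    #    the reverse direction (mapped -> real) matches on destination in the
    #    mapped network, which is why one static serves both DMZ<->INSIDE directions.
    for r in rules:
        if r[0] == "static":
            _, real_if, mapped_if, real_net, mapped_net = r
            if (src_if, dst_if) == (real_if, mapped_if) and src in real_net:
                return f"static ({real_if},{mapped_if})"
            if (src_if, dst_if) == (mapped_if, real_if) and dst in mapped_net:
                return f"static ({real_if},{mapped_if}) reverse"
    # 2. Dynamic NAT: once a nat statement on the ingress interface covers the
    #    host, the flow needs a global with the same id on the egress interface.
    ids = {r[2] for r in rules if r[0] == "nat" and r[1] == src_if and src in r[3]}
    if not ids:
        return "untranslated"  # no nat statement covers the host (nat-control off)
    for r in rules:
        if r[0] == "global" and r[1] == dst_if and r[2] in ids:
            return f"global ({dst_if}) {r[2]}"
    return None  # nat (x) 1 matched but no global (egress) 1 exists: dropped

if __name__ == "__main__":
    print(lookup(ORIGINAL, "inside", "perimter", "10.10.10.5", "192.168.50.10"))  # None
    print(lookup(FIXED, "perimter", "inside", "192.168.50.10", "10.10.10.5"))
```

Running the two lookups shows the original config dropping inside-to-DMZ traffic while internet-bound traffic still uses `global (outside) 1`, and the identity static covering both directions without a second statement on the DMZ interface.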
