NAT Issues continue with ASA 5510

I am still having access issues when using NAT on my ASA 5510. I think it is due to the way I have my ASA setup and the usage of PAT and NAT. I am not sure of the differences in them as of yet, but because I have routers behind my ASA, it seems to me that the issues might relate to the PAT, NAT and the Routers.

Can refer to this link to see my network diagram.

https://supportforums.cisco.com/message/4145313#4145313

The problem is, I cannot seem to access any devices behind the routers.

My initial thought when I started this learning process was to use the ASA as the one point of access to the internet as a firewall. Then behind that I would have my routers and the subnets behind them, including switches and all that stuff. But there is apparently different ways of doing this and the information I get doesn't seem to be consistent, or I should say it is consistent, but doesn't work.

For some reason, I cannot seem to forward packets from the external interface (internet) on the ASA, to resources behind the routers.

I create a network object. Assign it a host. Create the NAT statement. Create the access list. and yet the packets still get denied. The error I see on the ASDM is basically always the same.

Severity | Date | Time | Source IP | Source Port | Destination IP | Destination Port | Description
6 | Jan 27 2014 | 10:36:46 | 98.22.xxx.xxx | 14979 | 192.168.1.2 | 3389 | Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/14979 to Inside:192.168.1.2/3389

One thing I noticed is that no matter what I specify as the port leaving my network here at work, the ASA doesn't see it as that port. RDP, for example, is supposed to use 3389. But as you see from this capture of my ASA log, I initiated an RDP connection from my work computer and when it hit the ASA it is on port 14979, which if I read this correctly is 98.22.xxx.xxx 14979 then converted to 192.168.1.2 port 3389.

I created an Object Network Group:

object network RDP-DC1
 host 192.168.1.2

Set NAT within the group:

object network RDP-DC1
 nat (Inside,Outside) static interface service tcp 3389 3389

Then created an Access-List:

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389

But the result is the same as I get when I created the one to allow http traffic on port 8080 to hit an internal address on port 80.

I don't know where my NAT issue is, but I am beginning to think it is in the PAT. Maybe I should create only static routes from the ASA to the routers and then setup the routers to allow access as needed? Right now, I believe the routers are allowing any traffic, since I have the access-list permit any any statement. That does mean allow any traffic to any location, including from the 'Outside' source?

Is the PAT trying to bypass the routers?

Here are some outputs:

ASA5510(config)# sh run nat
!
object network ROUTER-2811
 nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
 nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
 nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
 nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
 nat (Inside,Outside) static interface service tcp 3389 3389
!
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

ASA5510(config)# sh run access-list
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA5510(config)# sh run object-group
object-group network PAT-SOURCE
 network-object 10.10.1.0 255.255.255.252
 network-object 10.10.0.0 255.255.255.252
 network-object 10.10.2.0 255.255.255.252
 network-object 192.168.0.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 128.162.1.0 255.255.255.0
 network-object 128.162.10.0 255.255.255.0
 network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object host 98.22.xxx.xxx
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object gre

[Attachment: Network.jpg (network diagram)]

I seem to be missing something in my config preventing NAT from working as it should, and the workarounds that I do seem not to work properly.

The only statements that do work are the ones that allow me to SSH into the routers that are on each interface of the ASA. So I can SSH into the 2811 and 2821 fine, but nothing behind them.

22 Replies

Jon Marshall
Hall of Fame

Mitchell

Do you have a route on your ASA telling it how to get to 192.168.1.2 ie.

route inside 192.168.1.0 255.255.255.0 10.10.1.2

In addition does the router have a route pointing to the ASA eg.

ip route 0.0.0.0 0.0.0.0 10.10.1.1

Jon

The 2811 has:

CISCO-2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.10.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.1.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.1.0/30 is directly connected, FastEthernet0/0
L        10.10.1.2/32 is directly connected, FastEthernet0/0
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.16.10.0/24 is directly connected, FastEthernet0/1.1
L        172.16.10.1/32 is directly connected, FastEthernet0/1.1
C        172.16.20.0/24 is directly connected, FastEthernet0/1.2
L        172.16.20.1/32 is directly connected, FastEthernet0/1.2
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, FastEthernet0/1.3
L        192.168.1.1/32 is directly connected, FastEthernet0/1.3

The ASA has:

ASA5510# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 199.195.xxx.xxx to network 0.0.0.0

C    199.195.xxx.xxx 255.255.255.240 is directly connected, Outside
C    10.10.0.0 255.255.255.252 is directly connected, DMZ
C    10.10.1.0 255.255.255.252 is directly connected, Inside
C    10.10.2.0 255.255.255.252 is directly connected, VOIP
S    192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 199.195.xxx.xxx, Outside

ASA5510# sh ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              Inside                 10.10.1.1       255.255.255.252 CONFIG
Ethernet0/1              Outside                199.195.xxx.xxx 255.255.255.240 CONFIG
Ethernet0/2              DMZ                    10.10.0.1       255.255.255.252 manual
Ethernet0/3              VOIP                   10.10.2.1       255.255.255.252 manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              Inside                 10.10.1.1       255.255.255.252 CONFIG
Ethernet0/1              Outside                199.195.xxx.xxx 255.255.255.240 CONFIG
Ethernet0/2              DMZ                    10.10.0.1       255.255.255.252 manual
Ethernet0/3              VOIP                   10.10.2.1       255.255.255.252 manual

Mitchell

One thing I noticed is that no matter what I specify as the port leaving my network here at work, the ASA doesn't see it as that port. RDP, for example, is supposed to use 3389. But as you see from this capture of my ASA log, I initiated an RDP connection from my work computer and when it hit the ASA it is on port 14979, which if I read this correctly is 98.22.xxx.xxx 14979 then converted to 192.168.1.2 port 3389.

I think you are reading it incorrectly. What it is saying is the source of the packet is 98.22.x.x using a random port and the destination is the 192.168.1.2 using RDP ie. it has already translated the destination IP from the interface IP to 192.168.1.2.

There is a route on the ASA for 192.168.1.0/24. From the ASA can you ping 192.168.1.2 ?

Jon

I cannot ping any addresses behind the routers, including 192.168.1.2.

ASA5510(config)# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Mitchell

For some reason the ASA is not using the route for 192.168.1.0/24 you have added.

Can you post "sh xlate local 192.168.1.2"

Jon

ASA5510(config)# sh xlate local 192.168.1.2
21 in use, 784 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.xxx.xxx 3389-3389
    flags sr idle 3:19:10 timeout 0:00:00

Here is the one for the WEBCAM that is also not working:

ASA5510(config)# sh xlate local 192.168.1.5
36 in use, 784 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.xxx.xxx 8080-8080
    flags sr idle 0:43:27 timeout 0:00:00

Mitchell

I can't see anything obviously wrong with this.

It has the correct xlate entry and the correct route for this to work.

How are you accessing it ie. via VPN or not ?

Jon

From a static IP (not VPN) at work. No VPN tunnel, just from my work PC, which runs on a 192.168.116.0 subnet through a couple of routers and out a firewall with the static IP of 98.22.xxx.xxx, and then to my ASA at home.

I noticed I had ip source-route enabled on the router; you don't think that could have any impact on this issue? I also read that depending on the license on the ASA it can only do so much?

I turned off ip source-route since it seems like most posts say it is not usually enabled. I am at a loss as to why I can't get this to work.

No more ideas? I am a sad, sad camper. I hate it when you think you're doing things right and it doesn't work, and you're trying to learn and not sure what's up.

Is there anything I can run to help diagnose this? Something on the ASA or router? Some config I might run that would help figure it out?

Mitchell

I still can't see what's wrong with this. Can you try removing the NAT statement for the router's outside interface, i.e. the SSH one, and see if you still see the same problem.

The "failed to locate next hop" is usually to do with VPN traffic, which is why I asked about it.

I don't think it is anything on the router, as it is the ASA that seems unable to use the route in its routing table.

Jon

I'm sorry, which statement should I remove?

Mitchell

The NAT statement you have for the outside interface of the 2811. It is a long shot, but I am wondering if, because the next hop in the route also has a NAT statement for the same IP, they are somehow conflicting.

Jon
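An added diagnostic, written for this thread and not taken from it or from Cisco, that models the two checks Jon walks through: the route lookup for the real host behind each static NAT, and his suspicion that the next hop's own NAT statement conflicts with another rule. It parses lines in the format of the thread's "sh run nat" and "show route" output and reports any static NAT whose mapped interface/port pair is already taken, or whose real host the routing table reaches through an interface other than the one the NAT names. The host IP for ROUTER-2811 (10.10.1.2, inferred from Jon's remark about the next hop) and the default-route next hop are assumptions.

```python
import ipaddress, re

# Constructed from the thread's "sh run nat" and "show route" output.
# RDP-DC1 = 192.168.1.2 is on the page; ROUTER-2811 = 10.10.1.2 is assumed
# from Jon's note about the next hop; the default next hop is a placeholder.
OBJECTS = {"RDP-DC1": "192.168.1.2", "ROUTER-2811": "10.10.1.2"}
NAT_CONFIG = """
object network ROUTER-2811
 nat (Inside,Outside) static interface service tcp ssh 222
object network RDP-DC1
 nat (Inside,Outside) static interface service tcp 3389 3389
"""
ROUTES = """
C    10.10.1.0 255.255.255.252 is directly connected, Inside
S    192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 199.195.0.1, Outside
"""
PORTS = {"ssh": 22, "www": 80}  # ASA service keywords -> port numbers

def parse_nat(text):
    # -> [(object, real_if, mapped_if, real_port, mapped_port)] per static NAT
    rules, obj = [], None
    for line in text.splitlines():
        if m := re.match(r"object network (\S+)", line):
            obj = m.group(1)
        elif m := re.match(r"\s*nat \((\w+),(\w+)\) static interface service tcp (\S+) (\S+)", line):
            real, mapped = (int(PORTS.get(p, p)) for p in m.group(3, 4))
            rules.append((obj, m.group(1), m.group(2), real, mapped))
    return rules

def parse_routes(text):
    # -> [(network, egress interface)] from "show route" lines
    pat = re.compile(r"\S+\s+(\S+) (\S+) .*, (\w+)$")
    return [(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3))
            for m in map(pat.match, text.splitlines()) if m]

def egress_interface(ip, routes):
    # Longest-prefix match, as the ASA's route lookup does
    hits = [r for r in routes if ipaddress.ip_address(ip) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def check(nat_text, route_text, objects=OBJECTS):
    # Flag mapped-port collisions on one interface and NAT/route disagreements
    findings, used, routes = [], {}, parse_routes(route_text)
    for obj, real_if, mapped_if, _rport, mport in parse_nat(nat_text):
        if (mapped_if, mport) in used:
            findings.append(f"{obj}: tcp/{mport} on {mapped_if} already used by {used[mapped_if, mport]}")
        used[mapped_if, mport] = obj
        via = egress_interface(objects[obj], routes)
        if via != real_if:
            findings.append(f"{obj}: route to {objects[obj]} exits {via}, NAT names {real_if}")
    return findings
```

On the thread's own lines check() returns no findings, which matches Jon's conclusion that the xlate and the route both look correct; the two conditions it flags are the ones to rule out first when an ASA logs "Routing failed to locate next hop" for a translated destination.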
