Config of no Nat between two interfaces

mahesh18
Level 6

 

Hi everyone,

 

I have the NAT config below on the ASA:

 

nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source static inside inside destination static inside inside
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN
nat (sales,outside) source static Sales Sales destination static Sales Sales
nat (inside,outside) source dynamic inside interface description Allow R1 to ping to Internet Sites
nat (sales,outside) source dynamic Sales interface description Allow 2950 to Pint to Internet Sites
nat (sales,outside) source static Sales Sales destination static vpn_pool_ip vpn_pool_ip description Allow Ping to 2950 Switch while connected Via Anyconnect Full tunnel
 

 

I am trying to SSH from a PC connected to the inside interface to a switch connected to the interface MGMT_WLC.

From the firewall I can ping IP 10.31.2.34, but from the PC the ping does not work.

 

Jun 28 2015 09:04:38: %ASA-6-302013: Built outbound TCP connection 212386 for MGMT_WLC:10.31.2.34/22 (10.31.2.34/22) to inside:10.0.0.15/61436 (10.0.0.15/61436)
 

My ASA version is 9.1.

I need to know what NAT config I need to allow SSH from a host behind the inside interface to the switch connected to the MGMT_WLC interface of the ASA.

 

Regards

Mahesh

Accepted Solution

Marvin Rhoads
Hall of Fame

Mahesh,

In the absence of any NAT statement having been defined, ASA 9.1 will not NAT the addresses.

Can you check the SSH flow in packet-tracer? That will inject an artificial packet into the data plane and tell us how the ASA will handle it.

Assuming your PC is at 10.0.0.15 and trying to ssh to the WLC interface at 10.31.2.34, the syntax would be: 

packet-tracer input inside tcp 10.0.0.15 1025 10.31.2.34 22


Hi Marvin,

 

Here is the output:

 


pri/act/ASA1# packet-tracer input inside tcp 10.0.0.10 1025 10.31.2.34 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.31.2.0       255.255.255.0   MGMT_WLC

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 host 10.31.2.34 eq ssh
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216707, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: MGMT_WLC
output-status: up
output-line-status: up
Action: allow

 

The log shows:

 

Jun 28 2015 12:07:28: %ASA-6-302013: Built outbound TCP connection 216703 for MGMT_WLC:10.31.2.34/22 (10.31.2.34/22) to inside:10.0.0.10/52553 (10.0.0.10/52553)


Jun 28 2015 12:07:58: %ASA-6-302014: Teardown TCP connection 216703 for MGMT_WLC:10.31.2.34/22 to inside:10.0.0.10/52553 duration 0:00:30 bytes 0 SYN Timeout

 

It seems there was no route from the switch to subnet 10.0.0.0.

I added the static route and it is working now.

 

Best regards

Mahesh
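The built/teardown pair quoted above is worth detecting at scale rather than by eye. The Python below is an added example, not from the thread or from Cisco: it parses constructed 302013/302014 lines modelled on Mahesh's and flags connections torn down by SYN Timeout with zero bytes, the signature of a SYN the ASA forwarded that was never answered.

```python
import re
from collections import Counter

# Constructed sample syslog modelled on the lines quoted in the thread; the
# second pair (216710) is a healthy, answered flow added for contrast.
SAMPLE_LOG = """\
Jun 28 2015 12:07:28: %ASA-6-302013: Built outbound TCP connection 216703 for MGMT_WLC:10.31.2.34/22 (10.31.2.34/22) to inside:10.0.0.10/52553 (10.0.0.10/52553)
Jun 28 2015 12:07:58: %ASA-6-302014: Teardown TCP connection 216703 for MGMT_WLC:10.31.2.34/22 to inside:10.0.0.10/52553 duration 0:00:30 bytes 0 SYN Timeout
Jun 28 2015 12:08:01: %ASA-6-302013: Built outbound TCP connection 216710 for MGMT_WLC:10.31.2.34/22 (10.31.2.34/22) to inside:10.0.0.10/52560 (10.0.0.10/52560)
Jun 28 2015 12:09:31: %ASA-6-302014: Teardown TCP connection 216710 for MGMT_WLC:10.31.2.34/22 to inside:10.0.0.10/52560 duration 0:01:30 bytes 4120 TCP FINs
"""

# 302013: in the thread's outbound records the endpoint after "for" is the
# responder (the SSH server on MGMT_WLC) and the one after "to" the initiator.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<resp_if>[^:\s]+):(?P<resp>[\d.]+)/(?P<resp_port>\d+) \(\S+\) "
    r"to (?P<init_if>[^:\s]+):(?P<init>[\d.]+)/(?P<init_port>\d+)")
# 302014: the teardown reason and byte count show whether the peer ever answered.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) .* "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")


def unanswered_flows(log_text):
    """Return built flows that died as embryonic connections: SYN Timeout, 0 bytes.

    A SYN the ASA forwarded but never saw answered points past the firewall,
    typically to a missing return route on the destination (as in the thread).
    """
    built, flagged = {}, []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m["cid"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["reason"] == "SYN Timeout" and m["bytes"] == "0":
            flow = built.pop(m["cid"], None)
            if flow is not None:
                flow["duration"] = m["duration"]
                flagged.append(flow)
    return flagged


def suspect_responders(log_text, threshold=1):
    """Count unanswered SYNs per (interface, address); repeat offenders are the
    hosts whose return path deserves a look before touching NAT."""
    counts = Counter((f["resp_if"], f["resp"]) for f in unanswered_flows(log_text))
    return {k: n for k, n in counts.items() if n >= threshold}
```

Feed it a real ASA syslog export and a destination that keeps appearing in suspect_responders() while packet-tracer already says "allow" is where to start looking for the route, not in the NAT table.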

Great - problem solved and it was not the firewall. :)

Thanks for the rating.

Best regards,

- Marvin
