ASA 5505 and NAT headaches...

Hi everyone, hopefully someone can help me out here; it's been two days and still no biscuit trying to get my internal network talking to the world.

Background stuff:

======================================================================================
SPN-ASA-01# show ver

Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)

Compiled on Fri 06-Jan-12 10:24 by builders
System image file is "disk0:/asa843-k8.bin"
Config file at boot was "startup-config"

SPN-ASA-01 up 46 mins 59 secs

Hardware:   ASA5505, 1024 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 2048MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1
0: Int: Internal-Data0/0    : address is c84c.7527.a2fc, irq 11
1: Ext: Ethernet0/0         : address is c84c.7527.a2f4, irq 255
2: Ext: Ethernet0/1         : address is c84c.7527.a2f5, irq 255
3: Ext: Ethernet0/2         : address is c84c.7527.a2f6, irq 255
4: Ext: Ethernet0/3         : address is c84c.7527.a2f7, irq 255
5: Ext: Ethernet0/4         : address is c84c.7527.a2f8, irq 255
6: Ext: Ethernet0/5         : address is c84c.7527.a2f9, irq 255
7: Ext: Ethernet0/6         : address is c84c.7527.a2fa, irq 255
8: Ext: Ethernet0/7         : address is c84c.7527.a2fb, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.
======================================================================================

SPN-ASA-01# show config
: Saved
: Written by enable_15 at 18:27:36.729 UTC Sun Jun 10 2012
!
ASA Version 8.4(3)
!
hostname SPN-ASA-01
domain-name Alex.com
enable password qWIYV3TAiNmF9uuz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
 switchport access vlan 101
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 102
!
interface Vlan100
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!
interface Vlan101
 nameif INSIDE
 security-level 100
 ip address 10.10.0.99 255.255.255.0
!
interface Vlan102
 nameif DMZ
 security-level 50
 ip address 10.10.2.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 194.168.4.100
 name-server 192.168.8.100
 domain-name Alex.com
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http server idle-timeout 5
http 10.10.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.10.0.0 255.255.255.0 INSIDE
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 INSIDE
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3d3bdc95cf3bf31cf7dfa800e3cdf7c4
======================================================================================

ISP is Virgin Media; their modem (192.168.100.1) is connected to eth 0/0. Internet connectivity works like a charm on the ASA itself, although I have only tested by pinging google and 8.8.8.8 - in both cases replies are received back.

Now, what doesn't work is the connectivity from my LAN through the ASA on eth 0/1 - I could swear that the config has all the relevant bits to actually be able to talk out?

Can anyone see any holes and/or have suggestions why it's not working?

I would really appreciate any input!

cheers,

Adrian
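Before changing the NAT rule, it is worth finding out where the ASA actually stops the traffic. The following is an added verification sequence, not part of the original post; it assumes a LAN host at 10.10.0.50 (a hypothetical address) whose default gateway is the ASA's INSIDE address 10.10.0.99, and runs against the config exactly as posted.

```cisco
! Added example: ASA 8.4 CLI commands to locate the failure point for a LAN host.
! 10.10.0.50 is an assumed LAN host; its default gateway must be 10.10.0.99 (the INSIDE VLAN IP).
! 1. Confirm the default route learned through "ip address dhcp setroute" on OUTSIDE.
show route
show interface ip brief
! 2. Confirm the manual NAT rule is installed and watch translate_hits / untranslate_hits.
show nat detail
! 3. Simulate a TCP flow from the LAN to the Internet. Every phase (ROUTE-LOOKUP, NAT,
!    ACCESS-LIST, ...) is listed and the first "Result: DROP" names the reason.
packet-tracer input INSIDE tcp 10.10.0.50 12345 8.8.8.8 80 detailed
! 4. Simulate an ICMP echo (type 8, code 0). Without "inspect icmp" the echo-reply returning
!    on OUTSIDE is not matched to this flow and is dropped, so a failed ping from the LAN
!    does not by itself prove NAT is broken; test TCP (step 3 or a browser) as well.
packet-tracer input INSIDE icmp 10.10.0.50 8 0 8.8.8.8
! 5. Capture live traffic on both sides while the host browses. If capin fills and capout
!    stays empty, the ASA is dropping the packet; "show xlate" shows whether a PAT entry
!    was ever built for the host.
capture capin interface INSIDE match ip host 10.10.0.50 any
capture capout interface OUTSIDE match ip any host 8.8.8.8
show capture capin
show capture capout
show xlate
show conn address 10.10.0.50
! 6. Remove the captures when finished.
no capture capin
no capture capout
```

Two things to keep in mind while reading the output: the `name-server` entries under `dns server-group DefaultDNS` only serve the ASA's own lookups, and the posted config has no `dhcpd` lines, so LAN hosts need their gateway (10.10.0.99) and DNS servers configured by hand. If `packet-tracer` reports ALLOW for TCP but the host still cannot browse, the problem is on the host or the modem side rather than in the NAT rule.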

1 Reply

mvsheik123 (Level 7)

Hi,

Try adding:

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

Remove:

nat (INSIDE,OUTSIDE) source dynamic any interface

Also enable 'inspect icmp'. Make sure your PC can ping the ASA inside and has correct DNS settings for internet browsing.

hth

MS
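Written out in full, as an added example rather than the reply's own text, this is the change the reply suggests. It uses the interface names exactly as they appear in the posted config (INSIDE, OUTSIDE) and the object name obj_any from the reply, and it adds the class-map, policy-map and service-policy that `inspect icmp` has to live in, because the posted startup-config contains none of them.

```cisco
! Added example: replace the manual (twice) NAT rule with object (auto) NAT and enable ICMP inspection.
! Interface names come from the posted config; obj_any is the object name used in the reply.
conf t
! Remove the existing manual NAT rule first so the two rules do not both match INSIDE traffic.
no nat (INSIDE,OUTSIDE) source dynamic any interface
! Object NAT: PAT every INSIDE source address behind the OUTSIDE (DHCP-assigned) address.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
! The posted config has no policy-map at all, so the class-map and policy-map are created
! here before "inspect icmp" is added. With ICMP inspection on, echo-replies and ICMP error
! messages are matched to the flow that caused them and allowed back in; nothing else is
! opened from OUTSIDE, because no access-list is applied to OUTSIDE.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
end
! Verify: the rule now appears in the "Auto NAT Policies" section, a PAT entry shows up in
! "show xlate" once a host sends traffic, and the ICMP inspection counters increment.
show nat
show xlate
show service-policy inspect icmp
write memory
```

One caveat while you are in the management section of this config: `telnet 10.10.0.0 255.255.255.0 INSIDE` allows cleartext management logins from the whole LAN, while `ssh 10.10.0.0 255.255.255.0 INSIDE` already provides the same access encrypted. Once SSH is confirmed working, `no telnet 10.10.0.0 255.255.255.0 INSIDE` removes the cleartext path without affecting the NAT fix.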
