ASA 5505 NAT issue

thord0001
Level 1

I am trying to get a Cisco ASA 5505 up and running, but every time I try to create a NAT for the servers, the NAT will not work and the server loses communication. I have pasted my running-config in hopes that it's something simple that I have overlooked.

Thank you in advance for any help!

: Saved
: Written by enable_15 at 02:51:41.439 CDT Tue Mar 25 2014
!
ASA Version 9.1(4)
!
hostname goode-ciscoasa
domain-name goodeco.int
enable password zaPfq2iO5oGgF4HK encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.217 255.255.255.240
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name goodeco.int
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network EXCHANGE1
 host 192.168.1.25
 description EXCHANGE1
object network EXCHANGE2
 host 192.168.1.26
 description EXCHANGE2
object network EXCHANGEHOSTED
 host 192.168.1.121
 description EXCHANGEHOSTED
object network QUICKBOOKS
 host 192.168.1.30
 description QUICKBOOKS
object network FILESERVER
 host 192.168.1.128
 description FILESERVER
object service CRM-42001
 service tcp destination eq 42001
 description CRM-42001
object service RDP
 service tcp destination eq 3389
 description RDP
object-group service EXCHANGE-PORTS tcp
 description imap
 port-object eq www
 port-object eq https
 port-object eq 55
 port-object eq imap4
access-list global_access extended permit ip 192.168.1.0 255.255.255.0 any
access-list global_access extended permit tcp any object EXCHANGE1 object-group EXCHANGE-PORTS
access-list global_access extended permit tcp any object EXCHANGE2 object-group EXCHANGE-PORTS
access-list global_access extended permit tcp any object EXCHANGEHOSTED object-group EXCHANGE-PORTS
access-list global_access extended permit object CRM-42001 any object FILESERVER
access-list global_access extended permit object RDP any object QUICKBOOKS
access-list global_access extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network EXCHANGE1
 nat (inside,outside) static x.x.x.210
object network EXCHANGE2
 nat (inside,outside) static x.x.x.211
object network EXCHANGEHOSTED
 nat (inside,outside) static x.x.x.220
object network QUICKBOOKS
 nat (inside,outside) static x.x.x.218
object network FILESERVER
 nat (inside,outside) static x.x.x.215
!
nat (inside,outside) after-auto source dynamic any interface
access-group global_access global
route outside 0.0.0.0 0.0.0.0 x.x.x.222 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5a058cefae4ff01b835ba396ae49039e
: end

2 Replies

Ruben Cocheno
Spotlight

Try a clear xlate for a particular static NAT after you apply it.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

ddawson
Level 1

Your config is a little unusual in that you're using a single access-list globally on both your interfaces, but I can't see anything obvious that shouldn't keep it from working. The "packet-tracer" command can be exceptionally useful in situations like this, so if the clear xlate doesn't help I'd try that.
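The two replies above boil down to a repeatable procedure: apply the static NAT, clear the stale translation for the real host, then walk a packet through the box with packet-tracer. The script below is an added example, not code from this thread or from Cisco: it reads an ASA-style running-config, extracts the outside interface subnet, the network objects and their static NATs, and performs two sanity checks a practitioner would want before opening a case. First, every mapped address should fall inside the outside interface subnet (the ASA proxy-ARPs for mapped addresses on that interface; an address outside it has to be routed to the ASA by the upstream router). Second, on ASA 8.3 and later, access-lists are matched against the real (pre-NAT) address, so an ACL entry written against the mapped address never matches. It then prints the `clear xlate local` and `packet-tracer` commands to run on the ASA for each static NAT. The config excerpt, the 203.0.113.208/28 outside subnet, the 198.51.100.10 test source and the mapped addresses are constructed stand-ins for the redacted x.x.x.* values in the post.

```python
import ipaddress
import re

# Constructed config excerpt modelled on the thread's running-config. The
# outside subnet, the mapped addresses and the deliberately wrong ACL line
# for QUICKBOOKS are assumptions (documentation address ranges), not the
# poster's real values.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.217 255.255.255.240
object network EXCHANGE1
 host 192.168.1.25
object network QUICKBOOKS
 host 192.168.1.30
object network FILESERVER
 host 192.168.1.128
object network EXCHANGE1
 nat (inside,outside) static 203.0.113.210
object network QUICKBOOKS
 nat (inside,outside) static 203.0.113.218
object network FILESERVER
 nat (inside,outside) static 203.0.113.5
access-list global_access extended permit tcp any object EXCHANGE1 eq https
access-list global_access extended permit tcp any host 203.0.113.218 eq 3389
"""


def parse_asa_config(text):
    """Extract the outside subnet, object real IPs, static NAT mapped IPs and ACL lines."""
    outside_net = None
    real_ip = {}    # object name -> real (inside) address
    mapped_ip = {}  # object name -> static NAT mapped (outside) address
    acl_lines = []
    current_obj = None
    in_outside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_outside = False
            current_obj = None
        elif line == "nameif outside":
            in_outside = True
        elif in_outside and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            outside_net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("object network "):
            current_obj = line.split()[2]
        elif current_obj and line.startswith("host "):
            real_ip[current_obj] = ipaddress.ip_address(line.split()[1])
        elif current_obj and line.startswith("nat ") and " static " in line:
            m = re.search(r"\bstatic (\S+)", line)
            mapped_ip[current_obj] = ipaddress.ip_address(m.group(1))
        elif line.startswith("access-list "):
            acl_lines.append(line)
            current_obj = None
    return outside_net, real_ip, mapped_ip, acl_lines


def check_static_nats(text):
    """Return a list of findings; an empty list means both checks passed."""
    outside_net, real_ip, mapped_ip, acl_lines = parse_asa_config(text)
    findings = []
    if outside_net is None:
        return ["no 'ip address' found under the outside interface"]
    # Check 1: mapped address must sit on the outside subnet for proxy ARP to answer.
    for name, mapped in mapped_ip.items():
        if mapped not in outside_net:
            findings.append(f"{name}: mapped {mapped} is not in outside subnet {outside_net}; "
                            "the ASA will not proxy-ARP for it, upstream must route it to the ASA")
    # Check 2: ACLs on 8.3+ match the real address, so a 'host <mapped>' entry never hits.
    mapped_set = set(mapped_ip.values())
    for line in acl_lines:
        m = re.search(r"\bhost (\S+)", line)
        if m and ipaddress.ip_address(m.group(1)) in mapped_set:
            findings.append(f"ACL references mapped address {m.group(1)}; "
                            "ASA 8.3+ evaluates access-lists against the real (pre-NAT) address")
    return findings


def verification_commands(text, src="198.51.100.10", port=443):
    """ASA CLI commands to run after applying each static NAT (src and port are constructed)."""
    _, real_ip, mapped_ip, _ = parse_asa_config(text)
    cmds = []
    for name, mapped in mapped_ip.items():
        cmds.append(f"clear xlate local {real_ip[name]}")
        cmds.append(f"packet-tracer input outside tcp {src} 40000 {mapped} {port}")
    return cmds


if __name__ == "__main__":
    for finding in check_static_nats(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("Run on the ASA:")
    for cmd in verification_commands(SAMPLE_CONFIG):
        print(" ", cmd)
```

Against the constructed excerpt the checker flags FILESERVER (mapped to 203.0.113.5, outside the /28) and the QUICKBOOKS ACL line written against the mapped 203.0.113.218. The packet-tracer output on the real box shows which phase (NAT, ACCESS-LIST, ROUTE-LOOKUP) drops the packet, which is the information the second reply is after.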
