cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
703
Views
0
Helpful
1
Replies

ASA 5510 - implicit NAT rule?

ISCONTACT
Level 1
Level 1

verions 7.0(2)

I had 1 internal server that is getting out through asa. I added a 2nd server but it does not have access. I've read that the implicit nat rule should work for both and I see nothing in the config that would show otherwise.

10.9.1.3 can currently ping out, browse , etc.  10.9.1.4 cannot.

10.9.1.4 can ping the inside interface and leave the asa, but it does not return.

when I ping with 10.9.1.3 the ping message returns and includes the outside interface in the message.

when the 10.9.1.4 pings, it tries to return, but the outside interface isnt included in the messae.

Pertinent lines on the config.

interface Ethernet0/0
nameif CTC
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx

asdm location 10.9.1.0 255.255.255.0 SKYHAWK
asdm location 10.9.1.2 255.255.255.255 SKYHAWK
asdm location 10.9.1.4 255.255.255.255 SKYHAWK

object-group service Internet tcp
description HTTP; DNS; HTTPS
port-object eq www
port-object eq domain
port-object eq https

access-list SBC_access_in extended permit tcp any interface CTC eq https
access-list SBC_access_in extended permit tcp any interface CTC eq www

access-list site-tosite1 extended permit ip 10.10.0.0 255.255.0.0 172.17.3.0 255.255.255.0
access-list site-to-stie1 extended permit ip 10.9.1.0 255.255.255.0 172.17.3.0 255.255.255.0

access-list site-tosite2 extended permit ip 10.10.0.0 255.255.0.0 172.17.4.0 255.255.255.0
access-list site-to-stie2 extended permit ip 10.9.1.0 255.255.255.0 172.17.4..0 255.255.255.0

access-list SKYHAWK_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.17.3.0 255.255.255.0
access-list SKYHAWK_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.17.4.0 255.255.255.0

global (CTC) 10 interface
nat (SKYHAWK) 0 access-list SKYHAWK_nat0_outbound
nat (management) 10 0.0.0.0 0.0.0.0

icmp permit any CTC
icmp permit any echo SKYHAWK
icmp permit any echo-reply SKYHAWK

these 2 lines bother me, Ive had technicians look at the device before, these appear left over, there is no other reference to the names.

access-list SKYHAWK_access_out extended permit ip any any
access-list SKYHAWK_access_in extended permit ip any any

should they be deleted?

1 Reply 1

ISCONTACT
Level 1
Level 1

should have posted the routes and few static nats inside

static (SKYHAWK,CTC) tcp interface ftp 10.9.1.3 ftp netmask 255.255.255.255

static (SKYHAWK,CTC) tcp interface www 10.9.1.3 www netmask 255.255.255.255
access-group SBC_access_in in interface CTC
route CTC 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

route SKYHAWK 10.10.0.0 255.255.0.0 10.9.1.2 1

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: