Cisco Support Community
New Member

ASA Configuration.....Possibly NAT

Hi,
I am trying to configure an ASA but I am overlooking something simple, I think. It's been a few years since I have used an ASA. I am trying to get my PC on the Inside network, connected to Ethernet 0/1 on the ASA, out to my router.
From the PC I can ping Eth 0/1 (IP 192.168.150.1).
From the ASA I can ping the interface of the router (IP 10.1.20.1), and from the router I can ping Eth 0/0 on the ASA (IP 10.1.20.10).
I am not able to get the PC past the ASA's Eth 0/1 interface.

I am wondering if it is NAT that's missing.


     PC ------------------------>             ASA     --------------------------->  Router
                                      E 0/1                E0/0                            FE 0/1
  IP 192.168.150.2          192.168.150.1     10.1.20.10                  10.1.20.1
  DG 192.168.150.1   

show route


Gateway of last resort is not set

C    192.168.150.0 255.255.255.0 is directly connected, Inside
C    10.1.20.0 255.255.255.0 is directly connected, Outside

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_access_in; 3 elements
access-list Inside_access_in line 1 extended permit tcp host 192.168.150.2 10.1.20.0 255.255.255.0 eq www (hitcnt=0) 0xdcb4dc10
access-list Inside_access_in line 2 extended permit udp host 192.168.150.2 10.1.20.0 255.255.255.0 eq domain (hitcnt=0) 0xc6121d1b
access-list Inside_access_in line 3 extended permit icmp any any (hitcnt=100) 0xb34531ad
access-list Outside_access_in; 1 elements
access-list Outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x2d93ecad


3 REPLIES
Hall of Fame Super Blue

Re: ASA Configuration.....Possibly NAT

Niall

Yes, it is NAT. You can do a number of things:

1) Turn off NAT globally on the firewall, i.e. "no nat-control".

2) Use a NAT exemption on your firewall for your host, i.e.

access-list NATEX permit ip host 192.168.150.2 any

nat (inside) 0 access-list NATEX

3) Use a static, i.e.

static (inside,outside) 192.168.150.2 192.168.150.2 netmask 255.255.255.255

All of the above will mean your host address is unchanged on the outside.

If you want to change the host address then:

4) nat (inside) 1 192.168.150.2 255.255.255.255

   global (outside) 1 interface

This will change your IP of 192.168.150.2 to 10.1.20.10 as it goes to the outside. This would mean you wouldn't need a route back on the router to the 192.168.150.0/24 network.

Jon

New Member

Re: ASA Configuration.....Possibly NAT

Hi,

Thanks for the response.

I added the no nat-control command and tried again but it still fails.

To simplify things I removed the router and added a PC to the outside interface. However, I can ping the outside interface from the outside PC and I can ping the inside interface from the inside PC, but I can get through the firewall.

I have added the following ACL

access-list Inside-Interface_access_in extended permit ip host Inside-Host host Outside-Host
access-list Outside-Interface_access_in extended permit ip any any

Inside-Host is 192.168.150. and Outside-Host is 10.1.20.2

PC(192.168.150.2)-------->Eth0/1 (192.168.150.1) ASA Eth0/0 (10.1.20.1)--------->PC2 (10.1.20.2)

If I check the logs I see the following:

%ASA-6-106015: Deny TCP (no connection) from Inside-Host/2360 to 192.168.150.1/443 flags FIN ACK  on interface Inside-Interface
%ASA-7-710005: TCP request discarded from Inside-Host/2360 to Inside-Interface:192.168.150.1/443
%ASA-3-106014: Deny inbound icmp src Inside-Interface:Inside-Host dst Outside-Interface:Outside-Host (type 8, code 0)
%ASA-7-710005: UDP request discarded from Inside-Host/137 to Inside-Interface:192.168.150.255/137
SSL-VPN#
SSL-VPN#

I know that it is something really, really simple that I am overlooking, but I have not figured it out yet. I have included a copy of my config to assist.

Anyway, thanks again.
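Added example, not part of Niall's post and not Cisco code: a small Python parser for the ASA syslog lines pasted above. It separates the 106014 message, which describes the Inside-to-Outside flow the ASA refused to forward, from the 710005 and 106015 messages, which only concern traffic aimed at the ASA's own inside address (443 and NetBIOS on 137). The sample lines are copied from the post; the field names and the "kind" labels are this example's own.

```python
import re

# Sample input copied from the post above (hostnames are the ASA's object names).
SAMPLE = """\
%ASA-6-106015: Deny TCP (no connection) from Inside-Host/2360 to 192.168.150.1/443 flags FIN ACK  on interface Inside-Interface
%ASA-7-710005: TCP request discarded from Inside-Host/2360 to Inside-Interface:192.168.150.1/443
%ASA-3-106014: Deny inbound icmp src Inside-Interface:Inside-Host dst Outside-Interface:Outside-Host (type 8, code 0)
%ASA-7-710005: UDP request discarded from Inside-Host/137 to Inside-Interface:192.168.150.255/137
"""

# %ASA-<severity>-<message id>: <body>
HEADER = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# 106014: Deny inbound <proto> src <ifc>:<host> dst <ifc>:<host> (type X, code Y)
DENY_106014 = re.compile(
    r"Deny inbound (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>\S+) dst (?P<dif>[^:]+):(?P<dst>\S+)")
# 710005: <proto> request discarded from <host>/<port> to <ifc>:<ip>/<port>  (to-the-box traffic)
TO_SELF_710005 = re.compile(
    r"(?P<proto>\S+) request discarded from (?P<src>\S+)/\d+ to (?P<dif>[^:]+):(?P<dst>\S+)/(?P<port>\d+)")


def parse(line):
    """Return a dict of fields for one syslog line, or None if it is not an ASA message."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"]}
    body = m["body"]
    if rec["msgid"] == "106014" and (d := DENY_106014.search(body)):
        rec.update(d.groupdict(), kind="through-traffic denied")
    elif rec["msgid"] == "710005" and (d := TO_SELF_710005.search(body)):
        rec.update(d.groupdict(), kind="to-the-box request")
    else:
        rec["kind"] = "other"
    return rec


def blocked_interface_pairs(text):
    """Set of (src_ifc, dst_ifc) pairs the ASA refused to forward between."""
    pairs = set()
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["kind"] == "through-traffic denied":
            pairs.add((rec["sif"], rec["dif"]))
    return pairs
```

Running `blocked_interface_pairs(SAMPLE)` yields only the Inside-Interface to Outside-Interface pair, which is the flow the rest of the thread is about; the other three lines never involve the outside interface.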

New Member

Re: ASA Configuration.....Possibly NAT

Based on your configuration, the security levels that you set for the inside and the outside interfaces are the same - equal to 0.

Traffic will not pass between interfaces that have the same security level.

Either change one interface to have a different security level - typically the inside interface has a security level of 100 (most secure) - or allow communication between interfaces that have the same security level, as documented here: http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/intparam.html#wpxref49092

Let me know if that helps.

Dmitry.
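As an added example (not from any post in this thread and not ASA code), here is a toy Python model of the two drop reasons discussed above: Jon's four NAT options on a classic (pre-8.3) ASA running nat-control, and Dmitry's point that equal security levels block traffic. The semantics are simplified (ACLs and the NAT exception for same-security interfaces are not modelled); the interface names, the 10.1.20.10 interface PAT address and the 100/0 levels come from the thread, and the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClassicAsa:
    """Toy model, not ASA code: security-level check plus classic NAT lookup."""
    levels: dict                                  # interface name -> security level
    nat_control: bool = True                      # False models "no nat-control"
    same_sec_inter: bool = False                  # same-security-traffic permit inter-interface
    exempt: list = field(default_factory=list)    # nat (inside) 0 access-list: CIDR strings
    statics: dict = field(default_factory=dict)   # static (inside,outside): real IP -> mapped IP
    dynamic: list = field(default_factory=list)   # nat/global pairs: (CIDR, mapped IP)

    def security_ok(self, src_if, dst_if):
        """Equal security levels drop traffic unless inter-interface is permitted."""
        if self.levels[src_if] == self.levels[dst_if]:
            return self.same_sec_inter
        return True

    def translate(self, src_ip):
        """(allowed, mapped source) using classic precedence: exempt, static, dynamic."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in ipaddress.ip_network(n) for n in self.exempt):
            return True, src_ip                   # exemption: address unchanged
        if src_ip in self.statics:
            return True, self.statics[src_ip]     # static: fixed one-to-one mapping
        for net, mapped in self.dynamic:
            if ip in ipaddress.ip_network(net):
                return True, mapped               # dynamic PAT, e.g. to the interface IP
        return (not self.nat_control), src_ip     # no rule: only passes with no nat-control

    def forward(self, src_if, src_ip, dst_if):
        if not self.security_ok(src_if, dst_if):
            return f"dropped: {src_if} and {dst_if} share security level {self.levels[src_if]}"
        allowed, mapped = self.translate(src_ip)
        if not allowed:
            return f"dropped: nat-control requires a NAT rule for {src_ip}"
        return f"forwarded as {mapped}"


def thread_scenarios(host="192.168.150.2"):
    """Niall's box (both levels 0) next to Jon's four fixes on a normal 100/0 box."""
    base = {"inside": 100, "outside": 0}
    go = lambda asa: asa.forward("inside", host, "outside")
    return {
        "levels_both_0": go(ClassicAsa({"inside": 0, "outside": 0})),
        "no_rule": go(ClassicAsa(base)),
        "no_nat_control": go(ClassicAsa(base, nat_control=False)),
        "nat_exempt": go(ClassicAsa(base, exempt=[host + "/32"])),
        "static": go(ClassicAsa(base, statics={host: host})),
        "pat_interface": go(ClassicAsa(base, dynamic=[(host + "/32", "10.1.20.10")])),
    }
```

`thread_scenarios()` shows the first three of Jon's options leaving the source address at 192.168.150.2, the fourth rewriting it to 10.1.20.10, and the 0/0 configuration dropping the flow before NAT is even consulted.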
