New Member

ASA - NAT Help

Hi,

I can’t seem to get the below to work, so hopefully someone can help. The ASA has 4 live interfaces as below.

1. Outside (security 0)
2. Inside (one sub-interface, security 100)
   - inside_11_infrastructure
     - PAT'd to the outside interface (works)
3. Lab (with 2 sub-interfaces, security 90 and security 80)
   - Lab_13_LAN
     - PAT'd to the outside interface (works)
   - Lab_14_DMZ
     - PAT'd to the outside interface (works)

The Lab interfaces are routable between each other, and this works correctly. The Lab subnets are not routable from the ‘inside’ network but I want RDP (3389) NAT’d to one of the inside hosts, and this is where something isn’t quite working. NAT and ACL config below, but please let me know if you need any more info.

NAT

nat (outside,inside_11_infrastructure) source dynamic ANYCONNECT_VPN_SUBNET interface
nat (inside_11_infrastructure,outside) source dynamic CC_11 interface
nat (Lab_13_LAN,outside) source dynamic LAN_13 interface
nat (Lab_14_DMZ,outside) source dynamic DMZ_14 interface
nat (Lab_13_LAN,inside_11_infrastructure) source dynamic LAN_13 interface   # added as a test
nat (Lab_14_DMZ,inside_11_infrastructure) source dynamic DMZ_14 interface   # added as a test
!
… # few other static NATs
object network LAB_ManagementPC
 nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389

Access Lists

access-list DMZ_14_out extended permit tcp object DMZ_14 object LAN_13 eq https
access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq domain
access-list DMZ_14_out extended permit udp object DMZ_14 object LAN_13 eq ntp
access-list DMZ_14_out extended permit icmp object DMZ_14 any
access-list LAN_13_out extended permit tcp object LAN_13 any eq https
access-list LAN_13_out extended permit tcp object LAN_13 any eq www
access-list LAN_13_out extended permit tcp object LAN_13 any eq ssh
access-list LAN_13_out extended permit udp object LAN_13 any eq domain
access-list LAN_13_out extended permit udp object LAN_13 any eq ntp
access-list LAN_13_out extended permit icmp object LAN_13 any
access-group inbound in interface outside
access-group LAN_13_out in interface Lab_13_LAN
access-group DMZ_14_out in interface Lab_14_DMZ

When I do a capture, while doing 'telnet ASA_inside_IP 3389', nothing comes up in the log.

Any help appreciated.

VIP Purple

To be clear, you are saying there is no routable path from the inside network to the lab networks? Can you change this?

New Member

Correct. I tried adding a static route to one host but it still doesn't work. I can then ping this host from the lab network, which verifies the PAT working.

VIP Green

Where is the ACL for the inside_11_infrastructure interface?

You are using the interface IP which is already in use on the ASA and is most probably the default gateway for the inside_11_infrastructure network.  For proxy ARP to work you need to configure NAT to an IP that is not in use and will not be used on the inside_11_infrastructure network, so that only the ASA will answer ARP requests.

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
New Member

I had an any-to-any ACL in there as a test but it still didn't work. Anyway, the security levels of the interfaces should allow this traffic.

It's the default gateway for some devices, only a handful.

Do you suggest I add a second IP to the inside_11_infrastructure interface? How do I then reference this second IP in the NAT statement?

VIP Green

You don't add an IP to the interface. You just change the static NAT rule to translate to another IP on the same subnet as the inside_11_infrastructure.

Also run a packet tracer to see where it is stopping up.

packet-tracer input inside_11_infrastructure tcp <source IP> 12345 <destination IP> 3389

New Member

Alright, I'll give that a go and post back. 

The packet trace was failing at an implicit ACL; that's when I tried adding the permit any to 11_infrastructure.

New Member

That works, config below. Can you explain to me why I can't use the ASA's interface IP?

Also, why wasn't I able to capture traffic for port 3389 on the ASA with the previous config? It was as if the traffic wasn't getting there at all, probably related to the first question :|

nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389

Thanks so much Marius, much appreciated!

VIP Green

Well, theoretically you could use the interface, but I like to keep things separate as I feel it will be easier to troubleshoot. The problem you had was that you had a dynamic NAT, which is unidirectional, while static NAT is bidirectional. You didn't see anything in your capture because traffic is dropped before the capture is taken. You would however have seen it in the logs if you had the logging level set to informational or lower.

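The lookup behaviour described in the reply above (first match in section order; a static rule can be hit from either side, a dynamic PAT rule only from its real interface) and the mapped-address check from the accepted answer, as an added example in Python. This is not code from the thread or from Cisco; it is a toy model that ignores ACLs, to-the-box traffic and routing. The interface addresses (10.11.0.1, 10.13.0.1), the subnets, the management PC's address 10.13.0.50 and the free address 10.11.0.251 are all assumptions standing in for the x.x.x values the poster redacted.

```python
"""Toy model of the ASA NAT lookup for a new connection (added example, not
Cisco code). Section 1 = manual NAT, section 2 = object NAT; first match wins;
static rules are bidirectional, dynamic PAT rules are not. All addresses are
constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional

# Assumed addressing: interface name -> (ASA interface address, connected subnet)
INTERFACES = {
    "inside_11_infrastructure": (IPv4Address("10.11.0.1"), ip_network("10.11.0.0/24")),
    "Lab_13_LAN": (IPv4Address("10.13.0.1"), ip_network("10.13.0.0/24")),
}
# Assumed contents of the network objects named in the thread.
OBJECTS = {
    "CC_11": ip_network("10.11.0.0/24"),
    "LAN_13": ip_network("10.13.0.0/24"),
    "LAB_ManagementPC": ip_network("10.13.0.50/32"),  # assumed host address
}


@dataclass(frozen=True)
class NatRule:
    real_ifc: str
    mapped_ifc: str
    real_obj: str               # object holding the real (untranslated) addresses
    mapped: str                 # "interface" or a mapped IP address
    static: bool                # False for "source dynamic ... interface" (PAT)
    section: int                # 1 = manual NAT, 2 = object NAT
    port: Optional[int] = None  # "service tcp <p> <p>", same port on both sides

    def mapped_addr(self) -> IPv4Address:
        if self.mapped == "interface":
            return INTERFACES[self.mapped_ifc][0]
        return IPv4Address(self.mapped)

    def real_net(self) -> IPv4Network:
        return OBJECTS[self.real_obj]


@dataclass(frozen=True)
class Flow:
    in_ifc: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def flow(in_ifc: str, src: str, sport: int, dst: str, dport: int) -> Flow:
    """Build a Flow from dotted-quad strings (the first packet of a new connection)."""
    return Flow(in_ifc, IPv4Address(src), sport, IPv4Address(dst), dport)


def direction(rule: NatRule, f: Flow) -> Optional[str]:
    """'fwd' if f initiates real->mapped through this rule, 'rev' for mapped->real."""
    if f.in_ifc == rule.real_ifc and f.src in rule.real_net():
        if rule.port is None or f.sport == rule.port:
            return "fwd"
    # Only a static rule can be initiated from the mapped side. A dynamic PAT
    # rule creates its xlate on the first real->mapped packet, so an inside
    # host opening a connection towards the lab has nothing to untranslate.
    if rule.static and f.in_ifc == rule.mapped_ifc and f.dst == rule.mapped_addr():
        if rule.port is None or f.dport == rule.port:
            return "rev"
    return None


def lookup(rules: list, f: Flow) -> Optional[dict]:
    """First-match lookup: section 1 before 2, static before dynamic within section 2."""
    ordered = sorted(rules, key=lambda r: (r.section, r.section == 2 and not r.static))
    for rule in ordered:
        d = direction(rule, f)
        if d == "fwd":  # source translated to the mapped address (PAT to the interface)
            return {"rule": rule, "egress": rule.mapped_ifc, "src": rule.mapped_addr(), "dst": f.dst}
        if d == "rev":  # destination untranslated to the real host
            return {"rule": rule, "egress": rule.real_ifc, "src": f.src,
                    "dst": rule.real_net().network_address}
    return None


def check_static_mapping(rule: NatRule) -> list:
    """The accepted answer's check: map to a free address on the mapped subnet."""
    problems = []
    if not rule.static:
        return problems
    ifc_ip, subnet = INTERFACES[rule.mapped_ifc]
    m = rule.mapped_addr()
    if m == ifc_ip:
        problems.append(f"{m} is the ASA's own {rule.mapped_ifc} address (already in use, "
                        f"likely the hosts' gateway); map to a free address on {subnet}")
    elif m not in subnet:
        problems.append(f"{m} is not on {subnet}; the ASA will not proxy-ARP for it, "
                        f"so {rule.mapped_ifc} hosts need a route to it")
    return problems


# The poster's rules that matter for the inside -> lab RDP flow.
DYN_LAB_TO_INSIDE = NatRule("Lab_13_LAN", "inside_11_infrastructure", "LAN_13", "interface", False, 1)
RDP_VIA_INTERFACE = NatRule("Lab_13_LAN", "inside_11_infrastructure", "LAB_ManagementPC", "interface", True, 2, 3389)
RDP_VIA_FREE_IP = NatRule("Lab_13_LAN", "inside_11_infrastructure", "LAB_ManagementPC", "10.11.0.251", True, 2, 3389)

if __name__ == "__main__":
    print(lookup([DYN_LAB_TO_INSIDE, RDP_VIA_INTERFACE],
                 flow("inside_11_infrastructure", "10.11.0.20", 40000, "10.11.0.1", 3389)))
    # The dynamic rule alone never matches a connection started from the inside.
    print(lookup([DYN_LAB_TO_INSIDE],
                 flow("inside_11_infrastructure", "10.11.0.20", 40000, "10.13.0.50", 3389)))
    for r in (RDP_VIA_INTERFACE, RDP_VIA_FREE_IP):
        print(r.mapped, check_static_mapping(r))
```

On a real ASA the authoritative answer comes from the box itself: `packet-tracer` (as in the reply above) and `show nat detail` report which rule a flow hit, and a capture of type `asp-drop` (`capture drops type asp-drop all`, then `show capture drops`) records packets the ASA discarded together with the drop reason, which is the place to look when a normal interface capture stays empty.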
New Member

I still don't understand this; weren't both NATs static?

nat (Lab_13_LAN,inside_11_infrastructure) static interface service tcp 3389 3389 (not working)

nat (Lab_13_LAN,inside_11_infrastructure) static x.x.x.251 service tcp 3389 3389 (working)

In terms of logging, I was using 'debugging' mode from ASDM, so I would've expected it to show up.

VIP Green

I am not entirely sure why it did not work. I would need to set this up in a lab to test it, and not sure when I will be able to do that.

New Member

No problem, thanks again for your help. I'm happy knowing I didn't do anything obvious wrong :)
