Cisco Support Community
New Member

ASA NAT Issues

Our setup consists of two locations: one ASA 5505 (Security Plus license) at our main site, and a remote site with a Cisco 1921 acting as the edge device.

The ASA 5505 acts as the edge device at our main site.  From our ISP, two VLANs come into the ASA (one for public internet traffic, one for the remote site, set up as a VC).  The main site and the remote site are both separate LAN subnets, with a third subnet acting as a serial link between the two locations.

At our main site, the ASA can access the public internet just fine; it can also ping the gateway address on the 1921 (for their LAN, 10.34.60.245 below) and receive a reply.  The idea in this case is to have the remote site send all data back to the ASA 5505 (think of the VC as one long cable connecting the two) and the ASA will handle the actual public internet connectivity as well as allowing connectivity to their private LAN (to access servers).  I.e. both LANs need to be able to talk to each other and access the internet.

Remote Site LAN:

10.34.60.0/24 (gateway is 10.34.60.245)

ASA LAN

10.25.102.0/24 (gateway is 10.25.102.245)

Serial connecting the two:

10.1.1.0/30

Currently, this setup is working; however, I'm not sure that it is working exactly like it should be.  Judging by the NAT translation table as well as the sh log command, it appears that the remote site LAN (10.34.60.0/24) is sending traffic to the ASA, at which point the ASA is translating this to one of its local LAN IPs, then sending it out (see sh xlate below).

sh xlate

PAT Global 204.186.244.194(42917) Local 10.25.102.109(2374)
PAT Global 204.186.244.194(39218) Local 10.25.102.109(2373)
PAT Global 204.186.244.194(28823) Local 10.25.102.109(2372)
PAT Global 204.186.244.194(4634) Local 10.25.102.109(2371)
PAT Global 204.186.244.194(36157) Local 10.25.102.37(58908)
PAT Global 204.186.244.194(32242) Local 10.25.102.37(65095)
PAT Global 204.186.244.194(8808) Local 10.25.102.37(63713)
PAT Global 204.186.244.194(19164) Local 10.25.102.37(59592)
PAT Global 204.186.244.194(38526) Local 10.25.102.37(51375)
PAT Global 204.186.244.194(9415) Local 10.25.102.37(58885)
PAT Global 204.186.244.194(16250) Local 10.25.102.37(58884)
PAT Global 204.186.244.194(14876) Local 10.25.102.79(3561)
PAT Global 204.186.244.194(53173) Local 10.25.102.79(3560)
PAT Global 204.186.244.194(3287) Local 10.25.102.79(3559)
PAT Global 204.186.244.194(33262) Local 10.25.102.79(3558)

sh log has plenty of these:

Jan 05 2012 02:07:15: %ASA-7-710005: UDP request discarded from 10.25.102.49/137 to inside:10.25.102.255/137

This makes it look like the ASA's LAN is going to be flooded with broadcasts whenever packets from the remote site want to get out to the internet.  I suppose my questions are: Is this normal behavior?  Is this what I should be seeing in the xlate table despite the data coming from another LAN?  What happens when one of the ASA LAN IPs overlaps with a randomly assigned 10.25 address for PAT?

Below are my NAT commands as they stand now. Also keep in mind that the extra commands exist to allow the separate LANs to communicate with each other, since their interfaces have the same security level.

global (inside) 11 interface
global (Internet) 1 interface
global (BartonsvilleVC) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.25.102.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (remotesite) 2 10.64.30.0 255.255.255.0
nat (remotesite) 11 0.0.0.0 0.0.0.0
static (inside,remotesite) 10.25.102.100 10.25.102.100 netmask 255.255.255.255
static (inside,remotesite) 10.1.1.100 10.1.1.100 netmask 255.255.255.255
static (remotesite,Internet) 204.186.113.194 10.1.1.2 netmask 255.255.255.255

2 REPLIES
Cisco Employee

Hi John,

The xlates you listed are unrelated to the remote site's traffic. They are created when hosts behind the ASA (10.25.102.x) send traffic to the Internet. The following commands are responsible for creating those PAT entries so inside hosts can get a publicly routable address on the Internet:

nat (inside) 1 10.25.102.0 255.255.255.0
global (Internet) 1 interface

Based on your config, it looks like the way this is working now is that all Internet-bound traffic from users at the remote site has its source address translated to 10.1.1.2 by the 1921 and then routed to the ASA's "remotesite" interface. When it arrives there, the ASA translates the source address again to become 204.186.113.194 before it routes it out the Internet interface. As a result, you should only have a single static NAT xlate in your table between a global address of 204.186.113.194 and a local address of 10.1.1.2.

Also, the syslog you referenced is completely normal but also unrelated to the remote site's traffic. By default, MS Windows PCs will send NetBIOS traffic on UDP/137 to the subnet's broadcast address (10.25.102.255). The ASA will not process or forward these packets and just drops them. The debugging level syslog is just letting you know that the ASA dropped the broadcast.

Hope that helps.

-Mike
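The quickest way to confirm Mike's reading of the table is to attribute each xlate and each 710005 drop to the subnet its local address belongs to. The script below is an added example written for this thread, not code from Cisco or from either poster. It assumes the three subnets named in the question (the labels inside, remote_lan and transit are mine), and the sample lines are constructed: the PAT and syslog lines are copied from the post, and the static "Global 204.186.113.194 Local 10.1.1.2" line is modelled on the single static xlate Mike says the remote site's traffic should produce. The 8.2-style `show xlate` format (a "PAT" prefix for port translations, no prefix and no port for static entries) is also an assumption.

```python
"""Attribute ASA 'show xlate' entries and %ASA-7-710005 drops to their source subnet.

Added example for the thread above; sample data is constructed, not captured.
"""
import ipaddress
import re
from collections import Counter

# Subnets from the question. The names are assumptions made for this example.
SUBNETS = {
    "inside": ipaddress.ip_network("10.25.102.0/24"),
    "remote_lan": ipaddress.ip_network("10.34.60.0/24"),
    "transit": ipaddress.ip_network("10.1.1.0/30"),
}

# 'show xlate' (pre-8.3 format, assumed): "PAT Global a.b.c.d(port) Local w.x.y.z(port)"
# for port translations, "Global a.b.c.d Local w.x.y.z" for static 1:1 entries.
XLATE_RE = re.compile(
    r"^(?:(?P<kind>PAT|NAT)\s+)?Global\s+(?P<gip>\d+(?:\.\d+){3})(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>\d+(?:\.\d+){3})(?:\((?P<lport>\d+)\))?\s*$"
)

# %ASA-7-710005: <proto> request discarded from <src>/<sport> to <iface>:<dst>/<dport>
DROP_RE = re.compile(
    r"%ASA-7-710005: (?P<proto>\w+) request discarded from "
    r"(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+) to "
    r"(?P<iface>\w+):(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)"
)


def subnet_of(ip):
    """Return the SUBNETS label containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "unknown"


def parse_xlate(line):
    """Parse one xlate line; returns None if the line is not an xlate."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    # No prefix and no port means a static one-to-one translation.
    kind = m.group("kind") or ("static" if m.group("gport") is None else "NAT")
    return {
        "kind": kind,
        "global": m.group("gip"),
        "local": m.group("lip"),
        "local_subnet": subnet_of(m.group("lip")),
    }


def parse_drop(line):
    """Parse a 710005 syslog; flag drops aimed at the source subnet's broadcast."""
    m = DROP_RE.search(line)
    if not m:
        return None
    src_subnet = subnet_of(m.group("src"))
    net = SUBNETS.get(src_subnet)
    local_broadcast = net is not None and (
        ipaddress.ip_address(m.group("dst")) == net.broadcast_address)
    return {
        "proto": m.group("proto"),
        "src": m.group("src"),
        "src_subnet": src_subnet,
        "interface": m.group("iface"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "local_broadcast": local_broadcast,
    }


def summarize(lines):
    """Count xlates by (kind, local subnet) and drops by (class, source subnet)."""
    counts = Counter()
    for line in lines:
        x = parse_xlate(line)
        if x:
            counts[("xlate", x["kind"], x["local_subnet"])] += 1
            continue
        d = parse_drop(line)
        if d:
            # UDP/137 to the source subnet's own broadcast is NetBIOS name service noise.
            cls = "netbios-broadcast" if d["local_broadcast"] and d["dport"] == 137 else "other"
            counts[("drop", cls, d["src_subnet"])] += 1
    return counts


# Constructed sample: three PAT lines and the syslog line from the post, plus the
# static xlate the remote site's double-NATed traffic is expected to produce.
SAMPLE = [
    "PAT Global 204.186.244.194(42917) Local 10.25.102.109(2374)",
    "PAT Global 204.186.244.194(36157) Local 10.25.102.37(58908)",
    "PAT Global 204.186.244.194(14876) Local 10.25.102.79(3561)",
    "Global 204.186.113.194 Local 10.1.1.2",
    "Jan 05 2012 02:07:15: %ASA-7-710005: UDP request discarded from "
    "10.25.102.49/137 to inside:10.25.102.255/137",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(f"{key}: {n}")
```

Run against a real `show xlate` and `show logging` capture, a non-zero count under ("xlate", "PAT", "remote_lan") would mean the ASA really is PATing remote hosts itself; with the double NAT Mike describes you should see only the ("xlate", "static", "transit") entry for 10.1.1.2, and the 710005 drops should all fall under netbios-broadcast from inside.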

New Member

Mike,

That definitely helps.  I've been so deep into this that I'm overthinking the whole thing, and I should probably check the xlate table with actual traffic from the remote site destined for the public internet.  It makes total sense that since I'm pinging from the remote site router, the translation looks a bit different than if it were actual traffic from the remote LAN.
