Auto NAT and outside pool ip address

mahesh18

Hi Everyone,

If I do Auto NAT from the DMZ interface to the outside interface using the config below:

object network Auto_NAT
 subnet 192.168.70.0 255.255.255.0    <-- DMZ subnet
 description Auto NAT DMZ Interface
object network Outside_pool
 range 192.168.51.3 192.168.51.100
object network Auto_NAT
 nat (DMZ,outside) dynamic Outside_pool

My outside interface has IP 192.168.71.2.

I am unable to access the internet using the above config.

When I change the range in Outside_pool to 192.168.71.3 192.168.71.100, I am able to access the internet.

Does this mean that with Auto NAT using dynamic NAT, the outside pool range should be in the same subnet as the outside interface IP address?

Regards

Mahesh

31 Replies

Hello Mahesh,

But I mean that traffic is on the same subnet, I mean 70.3 to 70.1...

Can you share the configuration please? Or you can email me the setup.

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Config is attached under the original post.

Regards

Mahesh

Hello Mahesh,

Configuration looks good (I did not see anything wrong).

Add

fixup protocol icmp

cap capin interface inside match icmp any any eq 4.2.2.2

cap capout interface outside match icmp any any eq 4.2.2.2

Then ping from an inside PC to 4.2.2.2

and provide

show cap capin

show cap capout


Cheers,

Julio Carvajal Segura


Hi Julio,

I will test that later today and will update you.

Yesterday I ran the packet capture while I pinged 4.2.2.2; the capture on the inside interface showed 0 packets, but the outside interface was showing some output.

I will do it again today after adding the command fixup protocol icmp.

Regards

Mahesh

Hello Mahesh,

Then it would be a problem with the LAN, as the traffic is not reaching the ASA; make sure the computers have the right default gateway.

Note: we are testing from a 10.x.x.x host right?

Let us know any update


Cheers,

Julio Carvajal Segura


Hi Julio,

The command below does not work:

ap capture  interface  DMZ match  icmp  any any  eq 4.2.2.2
                                                             ^
ERROR: % Invalid Hostname

Also, I am behind the DMZ subnet 192.168.70.x.

Also, here is more info:

ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa# ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=17 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=18 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=19 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=20 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=21 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=22 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=23 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.63
ICMP echo request from DMZ:192.168.70.4 to outside:4.2.2.2 ID=1 seq=24 len=32
ICMP echo request translating DMZ:192.168.70.4 to outside:192.168.72.

Where 192.168.70.4 is the PC IP.

Thanks

Mahesh

Hello Mahesh,

I must have been really tired when I sent the capture syntax lol. It's completely wrong.

It should be

cap capdmz interface dmz match icmp any host 4.2.2.2

cap capout interface outside match icmp any host 4.2.2.2

I am sorry


Cheers,

Julio Carvajal Segura


Hi Julio,

Thanks for replying.

ciscoasa# sh cap capdmz

4 packets captured

   1: 23:36:38.000350       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
   2: 23:36:42.849779       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
   3: 23:36:47.841860       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
   4: 23:36:52.849428       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
4 packets shown

ciscoasa# sh cap capout

36 packets captured

   1: 22:03:42.616057       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   2: 22:03:47.348538       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   3: 22:03:52.340741       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   4: 22:03:57.348233       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   5: 22:06:25.034544       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   6: 22:06:29.839144       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   7: 22:06:34.846864       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   8: 22:06:39.838854       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
   9: 22:08:08.405313       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  10: 22:08:13.345929       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  11: 22:08:18.337842       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  12: 22:08:23.345486       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  13: 22:08:28.337491       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  14: 22:51:16.824237       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  15: 22:51:21.333799       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  16: 22:51:26.333066       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  17: 22:51:31.334409       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  18: 22:52:32.936276       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  19: 22:52:37.844743       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  20: 22:52:42.834734       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  21: 22:52:47.834185       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  22: 22:52:52.834307       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  23: 22:52:57.834643       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  24: 22:53:02.834917       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  25: 22:53:07.834246       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  26: 22:53:12.834536       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  27: 22:53:17.845979       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  28: 22:53:22.834154       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  29: 22:53:27.834475       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  30: 22:53:32.834780       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  31: 22:53:37.834078       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  32: 22:53:42.833422       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
  33: 23:36:38.000671       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
  34: 23:36:42.850084       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
  35: 23:36:47.842104       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
  36: 23:36:52.849733       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
36 packets shown
ciscoasa#

Regards

Mahesh

There are no packets coming back from the Switch.

Add the following to the ASA

arp permit-nonconnected

Can you share the show ip route from the Switch (I just need the entry for the 192.168.72.0)

also show arp | include 192.168.72.


Cheers,

Julio Carvajal Segura


Hi Julio,

Here is the info:

3550SMIA#show arp | include 192.168.72.56
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.5.3 to network 0.0.0.0

S    192.168.72.0/24 [1/0] via 192.168.71.2
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/3] via 192.168.5.3, 5d02h, FastEthernet0/11
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       3.3.3.3/32 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
C       3.4.4.0/24 is directly connected, Loopback0
C    192.168.30.0/24 is directly connected, Vlan30
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
S    192.168.77.0/24 [1/0] via 192.168.10.2
C    192.168.10.0/24 is directly connected, Vlan10
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.2.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.1.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.0.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O    192.168.98.0/24 [110/2] via 192.168.99.1, 5d02h, FastEthernet0/8
C    192.168.99.0/24 is directly connected, FastEthernet0/8
C    192.168.20.0/24 is directly connected, Vlan20
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
S    192.168.69.0/24 [1/0] via 192.168.10.2
C    192.168.71.0/24 is directly connected, FastEthernet0/22
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 5d02h, FastEthernet0/11
3550SMIA#

Regards

Mahesh

Hello.

Do the following on the ASA side:

arp permit-nonconnected, and then try again.


Cheers,

Julio Carvajal Segura


No luck

Hello,

At the moment, the only thing I can think of is to make sure that the router 192.168.5.3 has a route to the 192.168.72 subnet and that it is also NATting this subnet range.


Cheers,

Julio Carvajal Segura


Hi Julio,

It seems adding a static route to the router did the magic:

2691Router(config)#ip route 192.168.72.0 255.255.255.0 192.168.5.2
2691Router(config)#end
2691Router#

Now I can access the internet from the PC, and ping works fine too.

Can you tell me how adding the route to the router made the difference?

Regards

Mahesh

Hello Mahesh,

Well basically:

  • The ASA had the right configuration (we could see the packets going out to the outside interface).
  • We made sure the ASA replies to ARP packets not on the same subnet as its interfaces (arp permit-nonconnected).
  • We made sure the Switch knew how to get to the subnet being used by the DMZ.
  • I checked the switch to see if the NAT was being done there, but that was not the case, so only two options remained: A) the device doing the NAT does not include the subnet used by the DMZ; B) the device on the edge of the network does not know how to get to that subnet on the DMZ.

Long troubleshooting, Mahesh, but we did it.


Cheers,

Julio Carvajal Segura

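The hop-by-hop return-path check that this summary describes, written up as an added Python example (not the thread's own or any Cisco code): it parses constructed "show ip route" excerpts modelled on the 2691 router and the 3550 switch above, then walks the reply to a translated pool address from the edge router back to the ASA, failing where a hop has no route toward the ASA (the state before the static route was added) and succeeding either by route or when the pool address lies on the link the ASA itself sits on. The two tables, the ISP next hop 203.0.113.1 and the 2691 interface names are assumptions; the 192.168.72.0/24 pool, the 192.168.71.2 outside address and the switch's static route come from the thread.

```python
import ipaddress
import re
# Constructed 'show ip route' excerpts modelled on the thread's devices (hypothetical, not the real full tables).
EDGE_ROUTER_BEFORE = """\
S*   0.0.0.0/0 [1/0] via 203.0.113.1
S    192.168.71.0/24 [1/0] via 192.168.5.2
"""
EDGE_ROUTER_AFTER = EDGE_ROUTER_BEFORE + "S    192.168.72.0/24 [1/0] via 192.168.5.2\n"
SWITCH_3550 = """\
S    192.168.72.0/24 [1/0] via 192.168.71.2
C    192.168.71.0/24 is directly connected, FastEthernet0/22
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
"""
ROUTE_RE = re.compile(r"^\S+(?: E[12])?\s+(?P<net>\d+(?:\.\d+){3})(?:/(?P<len>\d+))?\s+"
                      r"(?:\[\d+/\d+\] via (?P<via>\d+(?:\.\d+){3})|is directly connected, (?P<iface>\S+))")
SUBNETTED_RE = re.compile(r"^\s+\d+(?:\.\d+){3}/(\d+) is subnetted")

def parse_ip_route(text):
    """Parse IOS 'show ip route' lines into (network, next_hop or None, interface or None)."""
    routes, subnetted_len = [], None
    for line in text.splitlines():
        hdr = SUBNETTED_RE.match(line)
        if hdr:
            subnetted_len = int(hdr.group(1))  # child entries omit their own prefix length
            continue
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['len'] or subnetted_len}", strict=False)
            routes.append((net, m["via"], m["iface"]))
    return routes

def longest_match(routes, addr):
    hits = [r for r in routes if ipaddress.ip_address(addr) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def return_path_reaches_asa(tables, start, pool_addr, asa_outside_ip):
    # tables maps each router's own address to its parsed table; start is the edge router's address
    hops, router = [start], start
    while True:
        route = longest_match(tables[router], pool_addr)
        if route is None:
            return False, hops                 # no route at all: the reply is dropped
        net, via, _ = route
        if via is None:                        # connected route: the router ARPs for the pool address,
            hops.append(asa_outside_ip)        # and only an ASA on that same link can proxy-ARP for it
            return ipaddress.ip_address(asa_outside_ip) in net, hops
        hops.append(via)
        if via == asa_outside_ip:
            return True, hops
        if via not in tables or via in hops[:-1]:  # default route toward the ISP, or a routing loop
            return False, hops
        router = via
```

The same walk run with a pool address inside 192.168.71.0/24 succeeds on the unmodified edge table, which is why the pool in the outside interface's own subnet worked from the start.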