769 Views, 0 Helpful, 3 Replies
cannot ping outside hosts after nat-control enabled

tsrader (Level 1)

Want to enable nat-control to restrict access to outside hosts from inside.  Outside hosts are an internal lab (not across the internet) to the main network.

Nat-control enabled causes inside hosts to stop access / ping outside hosts.  See NAT / statics configuration below.

Thanks for any input.

inside pc:  192.168.16.1

outside pc: 10.25.41.5 (assigned ip)
            192.168.50.5 (virtual ip used when pinging from inside)


ASA Version 8.0(4) <context>
!
hostname fw
dns-guard
!
interface GigabitEthernet0/0.515
nameif outside
security-level 0
ip address 10.25.41.1 255.255.255.224
!
interface GigabitEthernet0/1.533
nameif inside
security-level 100
ip address 192.168.40.220 255.255.255.248
!
dns server-group DefaultDNS
domain-name local
same-security-traffic permit intra-interface
object-group network inside_hosts_permitted
network-object 192.168.16.1 255.255.255.255
network-object 192.168.17.0 255.255.255.0
object-group network outside_hosts_real
network-object 10.25.41.5 255.255.255.255
network-object 10.25.41.6 255.255.255.255
network-object 10.25.41.7 255.255.255.255
object-group service smt_udp_ports udp
port-object eq netbios-ns
object-group service smt_tcp_ports tcp
port-object eq 135
port-object eq netbios-ssn
port-object eq 445
object-group network server_nats
network-object 10.25.41.2 255.255.255.255
network-object 10.25.41.3 255.255.255.255
network-object 10.25.41.4 255.255.255.255
object-group network outside_hosts_nats
network-object 192.168.50.1 255.255.255.255
network-object 192.168.50.2 255.255.255.255
network-object 192.168.50.3 255.255.255.255
network-object 192.168.50.3 255.255.255.255
network-object 192.168.50.4 255.255.255.255
network-object 192.168.50.5 255.255.255.255
access-list external_access_in extended permit tcp 10.25.41.9 10.25.41.2 eq object-group smt_tcp_ports
access-list external_access_in extended permit tcp 10.25.41.0 10.25.41.2 eq object-group smt_udp_ports
access-list external_access_in extended permit icmp any any
access-list internal_access_in extended permit icmp any any
access-list internal_access_in extended permit tcp host 192.168.16.1 any eq 3389
access-list internal_access_in extended permit tcp host 192.168.17.0 object-group outside_hosts_nats eq ftp
access-list internal_access_in extended permit tcp host 192.168.17.0 object-group outside_hosts_nats eq ftp-data
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.224
static (outside,inside) 192.168.50.0 10.25.41.0 netmask 255.255.255.224
static (inside,outside) 10.25.41.2 192.168.10.137 netmask 255.255.255.255
static (inside,outside) 10.25.41.3 192.168.10.134 netmask 255.255.255.255
static (inside,outside) 10.25.41.4 192.168.10.161 netmask 255.255.255.255
access-group external_access_in in interface outside
access-group internal_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.25.41.1 1
route inside 192.168.0.0 255.255.0.0 192.168.40.217 1
http server enable
sysopt noproxyarp inside


3 Replies

Jon Marshall (Hall of Fame)

tsrader wrote: (the original post, quoted in full above)

Just to clarify -

from the inside you do not ping a 10.25.x.x address, you actually ping a 192.168.50 address? This is what

static (outside,inside) 192.168.50.0 10.25.41.0 netmask 255.255.255.224  is meant to be doing?

If so, your problem is that you are not NATting the actual source address, i.e. 192.168.16.1, so instead of

global (outside) 1 interface

nat (inside) 1 192.168.50.0 255.255.255.224

it should read

global (outside) 1 interface

nat (inside) 1 192.168.16.0 255.255.255.0  <-- note this subnet mask may not be right, modify if needed.

I'm not sure what "nat (inside) 1 192.168.50.0 255.255.255.224" is meant to achieve?

Jon

tsrader (Level 1)

192.168.50.x is an IP range which is routable on the inside network, assigned as a "virtual" IP range for outside hosts coming back into the network.

1.  yes, inside hosts would ping the 192.168.50.x address.

     192.168.50.5 > 10.25.41.5

is a second global/nat required to permit inside hosts to initiate a connection to outside hosts?

global (outside) 2 interface

nat (inside) 2 192.168.16.0  (or whatever inside IP range is needed to come thru)

Thanks

Jon Marshall (Hall of Fame), accepted solution

tsrader wrote: (the previous reply, quoted in full above)

You can just NAT the inside addresses to the same global, i.e.

nat (inside) 1 192.168.16.0 255.255.255.0

global (outside) 1 interface

you don't need

nat (inside) 1 192.168.50.0 255.255.255.0

it's not doing anything.

Jon
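The point in both of Jon's replies is that nat-control makes the ASA demand a NAT rule for the real source address of any packet leaving a higher-security interface, and the posted `nat (inside) 1 192.168.50.0` rule names the virtual destination range rather than the 192.168.16.x sources, so the ping has nothing to match and is dropped. The following is an added example, not code from the thread or from Cisco: a small Python model of the pre-8.3 NAT lookup (destination un-NAT through the `static (outside,inside)` rule, then source NAT through a static or a nat/global pair, then the nat-control check) run against the original config, Jon's corrected config, and tsrader's proposed second nat/global pair. Rule ordering and PAT behaviour are simplified assumptions; the addresses are the ones posted in the thread.

```python
"""Toy model of ASA 8.x (pre-8.3) nat-control for the thread's inside->outside ping.

Added example, not code from the thread or from Cisco. Only the lookup steps
needed for this case are modelled: destination un-NAT via static (outside,inside),
source NAT via static (inside,outside) or a nat/global pair, and the nat-control
rule that drops a packet from a higher-security interface whose source matched
nothing. Rule ordering and PAT details are simplified assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Interface facts taken from the posted config
SEC_LEVEL = {"inside": 100, "outside": 0}
IF_ADDR = {"inside": "192.168.40.220", "outside": "10.25.41.1"}


def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class Static:
    # static (real_if,mapped_if) mapped real netmask mask
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network


@dataclass
class Config:
    nat_control: bool
    nat: list       # (real_if, nat_id, network)          <- "nat (inside) 1 ..."
    globals: dict   # (mapped_if, nat_id) -> "interface"  <- "global (outside) 1 interface"
    statics: list


STATICS = [
    Static("outside", "inside", net("192.168.50.0", "255.255.255.224"), net("10.25.41.0", "255.255.255.224")),
    Static("inside", "outside", net("10.25.41.2"), net("192.168.10.137")),
    Static("inside", "outside", net("10.25.41.3"), net("192.168.10.134")),
    Static("inside", "outside", net("10.25.41.4"), net("192.168.10.161")),
]

# As posted: the nat rule covers the *virtual* range, not any real inside source.
ORIGINAL = Config(True, [("inside", 1, net("192.168.50.0", "255.255.255.224"))],
                  {("outside", 1): "interface"}, STATICS)
# Jon's fix: the nat rule covers the real inside sources, same global id.
CORRECTED = Config(True, [("inside", 1, net("192.168.16.0", "255.255.255.0"))],
                   {("outside", 1): "interface"}, STATICS)
# tsrader's alternative: a second nat/global pair with id 2 (works too, just redundant).
PROPOSED = Config(True, [("inside", 1, net("192.168.50.0", "255.255.255.224")),
                         ("inside", 2, net("192.168.16.0", "255.255.255.0"))],
                  {("outside", 1): "interface", ("outside", 2): "interface"}, STATICS)


def shift(addr, from_net, to_net):
    """Carry the host offset of addr within from_net over to to_net (1:1 static)."""
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def lookup(cfg, src_if, dst_if, src, dst):
    """Return (action, translated_src, translated_dst, reason) for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # 1. Destination un-NAT: dst is a mapped address published on src_if by a
    #    static whose real side is dst_if (192.168.50.5 -> 10.25.41.5).
    new_dst = dst
    for s in cfg.statics:
        if s.mapped_if == src_if and s.real_if == dst_if and dst in s.mapped:
            new_dst = shift(dst, s.mapped, s.real)
            break

    # 2. Source NAT: a static (src_if,dst_if) wins over dynamic nat/global.
    for s in cfg.statics:
        if s.real_if == src_if and s.mapped_if == dst_if and src in s.real:
            return ("forward", shift(src, s.real, s.mapped), new_dst, "static NAT")
    for real_if, nat_id, network in cfg.nat:
        if real_if == src_if and src in network:
            g = cfg.globals.get((dst_if, nat_id))
            if g is None:
                return ("drop", None, None, f"nat id {nat_id} has no global on {dst_if}")
            new_src = IF_ADDR[dst_if] if g == "interface" else g
            return ("forward", ipaddress.ip_address(new_src), new_dst,
                    f"dynamic PAT via nat/global id {nat_id}")

    # 3. Nothing matched the source. With nat-control, a packet leaving a
    #    higher-security interface for a lower one must have matched a rule.
    if cfg.nat_control and SEC_LEVEL[src_if] > SEC_LEVEL[dst_if]:
        return ("drop", None, None, "nat-control: no NAT rule matches the source")
    return ("forward", src, new_dst, "untranslated (no nat-control requirement)")


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED), ("proposed", PROPOSED)):
        print(name, lookup(cfg, "inside", "outside", "192.168.16.1", "192.168.50.5"))
    # A server that already has a static (inside,outside) reaches the lab even as posted.
    print("server", lookup(ORIGINAL, "inside", "outside", "192.168.10.137", "192.168.50.5"))
```

Running it shows the asymmetry that makes the original symptom confusing: the three servers with `static (inside,outside)` entries keep reaching the lab under the posted config, while 192.168.16.1 is dropped at the nat-control step until a `nat (inside)` rule covers it. On the box itself the equivalent check is `packet-tracer input inside icmp 192.168.16.1 8 0 192.168.50.5`, which reports the phase (NAT or nat-control) that drops or translates the packet, and `show xlate` afterwards confirms the translation that was built.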
