Help Needed with ASA 8.3+ NAT

paulstone80 · ‎05-16-2012

Hi,

I'm having an issue configuring NAT on an ASA running 8.3. Hopefully someone can point me in the right direction.

I've managed to configure NAT from the Inside interface to the DMZ, using PAT, so that the traffic is hidden behind the IP of the DMZ interface. This seems to work ok.

object network obj_any-18

subnet 0.0.0.0 0.0.0.0

object network obj_any-18

nat (inside,dmz1.005) dynamic interface

The problem I have is when I try to configure a rule for traffic that originates in the DMZ back to the Inside. I can't seem to get any traffic to flow from the DMZ to the Inside, and sometimes I manage to stop traffic flowing in both directions!

What would be the best way to configure the return traffic from the DMZ to the Inside.

Thanks,

Paul

HTH Paul ****Please rate useful posts****

varrao · ‎05-16-2012

I hope you not using the same object network again for it, since you cannot do that with auto nat, try this:

object network obj_any-100

subnet 0.0.0.0 0.0.0.0

nat (dmz1.005,inside) dynamic interface

Moreover what device are you using?? is it 5505?? what license does it have??

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

paulstone80 · ‎05-16-2012

Hi Varun,

I tried that config already using a different unused 0.0.0.0 0.0.0.0 object. When applied traffic doesn't flow in either direction, when removed traffic flows from the inside to dmz as per config above.

I'm using a cisco asa 5510, with a security plus license.

Thanks,

Paul

HTH Paul ****Please rate useful posts****

varrao · ‎05-16-2012

Can you share your configuration??

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

paulstone80 · ‎05-16-2012

Do you just want the NAT parts, or the entire config?

HTH Paul ****Please rate useful posts****

varrao · ‎05-16-2012

nat, routes,acl should be fine

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

paulstone80 · ‎05-16-2012

Hi Varun,

ACLs and NAT config attached. All routing is learnt via OSPF.

The NAT statements in the config are all from the 8.3 upgrade process, with the exception of the Inside, dmz1.005 statements.

Thanks

Paul

HTH Paul ****Please rate useful posts****

varrao · ‎05-16-2012

Hi Paul,

can you please tell me the purpose for this nat statement in your configuration:

nat (dmz1.005_8.3_nat_test,inside) source static net_dmz1.005 net_dmz1.005 destination static grp_dmz1.005_nonat grp_dmz1.005_nonat unidirectional

I guess this might interfere, can you do this, add a nat:

nat (dmz1.005_8.3_nat_test,inside) 1 source dynamic any interface

and test again.

I might need your complete configuration to check other things, you can PM me if you want.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

paulstone80 · ‎05-16-2012

Hi Varun,

I think that may have been left in there whilst I was testing!

I'll remove it and add the nat you suggested, but I can't do that until I'm back in the office tomorrow am.

Thanks for you help so far

Paul

HTH Paul ****Please rate useful posts****

varrao · ‎05-16-2012

No Issues, do let me know how it goes

Thanks,
Varun Rao

paulstone80 · ‎05-17-2012

Hi Varun,

I have removed the nat statement below from the config;

nat (dmz1.005_8.3_nat_test,inside) source static net_dmz1.005 net_dmz1.005 destination static grp_dmz1.005_nonat grp_dmz1.005_nonat unidirectional

And then added;

nat (dmz1.005_8.3_nat_test,inside) 1 source dynamic any interface

Traffic doesn't flow in either direction now.

If I disable the new nat statement, I can ping from the inside to dmz1.005, and the IP is hidden behind the dmz1.005 interface. But I can't ping in the other direction.

Do you want me to PM you the config?

Paul

HTH Paul ****Please rate useful posts****

varrao · ‎05-17-2012

Hi Paul,

Yes please, you can PM me the config, I'll try at my end

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

paulstone80 · ‎05-17-2012

Hi Varun,

Did you get my PM ok?

Thanks,

Paul

HTH Paul ****Please rate useful posts****