07-24-2013 02:31 PM - edited 03-11-2019 07:16 PM
I am new to using ASA firewalls so what might be considered a basic question which is how can I configure the firewall to permit/allow pinging the differnet public IP addresses. I have it already set so I can ping the WAN interface on the ASA and it replies, but not the other public IP address.
The firewall is a 5505 running 9.1(2) with a base license. I've read that there have been changes to how NAT works after 8.3. Here is what I currently have.
* WAN IP addresses are not the real ones being used
WAN IP for firewall: 100.125.150.218
LAN IP for firewall: 192.168.1.1
WAN IP for server: 100.125.150.161
LAN IP for server: 192.168.1.21
----------
asa# sh config
: Saved
: Written by enable_15 at 15:35:55.329 CDT Wed Jul 24 2013
!
ASA Version 9.1(2)
!
hostname asa
domain-name test.com
enable password ******** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ******** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description LAN interface
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description WAN interface
nameif outside
security-level 0
ip address 100.125.150.218 255.255.255.252
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name test.com
object network server
host 192.168.1.21
object network server-SPAT
host 192.168.1.21
object-group network obj_any
access-list INTERNET_TO_INSIDE extended permit tcp any4 object server eq 3389
access-list INTERNET_TO_INSIDE extended permit icmp any4 object server echo
access-list INTERNET_TO_INSIDE extended permit icmp any4 any4 echo
access-list INSIDE_TO_INTERNET extended permit ip any4 any4
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network server
nat (inside,outside) dynamic 100.125.150.161
object network server-SPAT
nat (inside,outside) static 100.125.150.161 service tcp 3389 3389
!
nat (inside,outside) after-auto source dynamic any interface
access-group INTERNET_TO_INSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 100.125.150.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
Cryptochecksum:51694d9dd562042b39b272c2eba831d3
----------
Any help would be appreciated.
Solved! Go to Solution.
07-24-2013 02:41 PM
Hi,
You have the following NAT configurations in addition to the Dynamic PAT for all LAN users
object network server
host 192.168.1.21
nat (inside,outside) dynamic 100.125.150.161
object network server-SPAT
host 192.168.1.21
nat (inside,outside) static 100.125.150.161 service tcp 3389 3389
I would suggest that you remove both of these.
The first NAT configuration is a Dynamic PAT. So it only enables initiating connections from the LAN to the WAN.
The second NAT configuration is a Static PAT that only forward a single port using the same public IP address as the first one.
If you actually have spare public IP addresses to dedicate for your server then your NAT configuration should be a single Static NAT for this server.
object network SERVER
host 192.168.1.21
nat (inside,outside) static 100.125.150.161
And then allow the services from the WAN that you require. For example ICMP and TCP/3389 using the above "object network" name as the destination.
- Jouni
07-24-2013 02:41 PM
Hi,
You have the following NAT configurations in addition to the Dynamic PAT for all LAN users
object network server
host 192.168.1.21
nat (inside,outside) dynamic 100.125.150.161
object network server-SPAT
host 192.168.1.21
nat (inside,outside) static 100.125.150.161 service tcp 3389 3389
I would suggest that you remove both of these.
The first NAT configuration is a Dynamic PAT. So it only enables initiating connections from the LAN to the WAN.
The second NAT configuration is a Static PAT that only forward a single port using the same public IP address as the first one.
If you actually have spare public IP addresses to dedicate for your server then your NAT configuration should be a single Static NAT for this server.
object network SERVER
host 192.168.1.21
nat (inside,outside) static 100.125.150.161
And then allow the services from the WAN that you require. For example ICMP and TCP/3389 using the above "object network" name as the destination.
- Jouni
07-25-2013 10:06 AM
That worked! Thanks for your help regarding this. I also appreciate you explaining about the NAT statements I had with one being for dynamic PAT and the other for static PAT.
Thanks again.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: