Problem with NAT-ing on ASA 5505

goran ljubic
Level 1

I have an ASA 5505 with ASA 8.4.2 and ASDM 6.4.5. I use this ASA 5505 for connecting my network 192.168.0.0/24 with network 10.15.100.0/24. The WAN port of the ASA 5505 is on network 10.13.74.0/24, the LAN port is on 192.168.0.0/24. This configuration worked OK until my ISP changed the router at address 10.13.74.1. I NAT-ed on the ASA 5505, I put in an access policy and I had access to network 10.15.100.0/24. But now I can't. The users from the network can access devices at addresses 192.168.0.20 and 192.168.0.22, but I can't access the network 10.15.100.0/24. My configuration of the ASA 5505 is:

Result of the command: "show runn"

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.13.74.33 255.255.255.0
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network server
 host 192.168.0.20
object network sharepointdri
 host 192.168.0.22
object network paragraflex
 host 192.168.0.20
object network dri.local
 subnet 192.168.0.0 255.255.255.0
object service ParagrafLex1
 service tcp source eq 6190
 description Odlazni
object service paragraf
 service tcp destination eq 6190
 description dolazni
object network nonat
 host 192.168.0.20
object network lokalnamreza
 range 192.168.0.1 192.168.0.254
object network natnetwork
 subnet 192.168.0.0 255.255.255.0
object network natmreze
 subnet 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp echo-reply
 service-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp echo-reply
 service-object tcp
 service-object ip
 service-object tcp destination eq domain
 service-object tcp destination eq ldap
 service-object object ParagrafLex1
object-group service DM_INLINE_SERVICE_8
 service-object ip
 service-object tcp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
 service-object tcp
 service-object tcp destination eq domain
 service-object tcp destination eq ldap
object-group service DM_INLINE_SERVICE_4
 service-object tcp
 service-object icmp echo-reply
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object icmp echo-reply
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_6
 service-object ip
 service-object tcp
 service-object icmp echo-reply
 service-object icmp
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_7
 service-object ip
 service-object tcp
 service-object icmp echo-reply
 service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.13.74.0 255.255.255.0
 network-object 10.15.100.0 255.255.255.0
object-group service DM_INLINE_SERVICE_9
 service-object tcp-udp
 service-object tcp destination eq https
 service-object tcp destination eq domain
object-group service DM_INLINE_SERVICE_10
 service-object ip
 service-object tcp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_11
 service-object ip
 service-object tcp
 service-object icmp echo-reply
access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
access-list outside_access_in_1 extended permit object paragraf any object server
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_10 object natmreze any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_9 any any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_11 object natmreze 10.15.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp outside 10.13.74.1 000d.bd64.a8e2
arp timeout 14400
!
object network server
 nat (inside,outside) static 10.13.74.34 dns
object network sharepointdri
 nat (any,any) static 10.13.74.39
object network nonat
 nat (inside,outside) static 192.168.0.20
object network natmreze
 nat (any,any) static 10.13.74.42 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route outside 10.15.100.0 255.255.255.0 10.13.74.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ftp paragraf
 parameters
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
  inspect ip-options
  inspect netbios
  inspect tftp
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
prompt hostname context state priority domain
no call-home reporting anonymous
Cryptochecksum:61572938ed01b1c7447e43fcb2df4bc8
: end

What should I do? Please help me.

Thanks.


nkarthikeyan
Level 7

Hi Goran,

You don't need to do NAT when you have source and destination in the private range. If you have the proper access rules and route, it should work.

Are the access rules in my ACEs all right in my config file?

Please do this, and let me know how it goes.

no access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0

access-list inside_access_in line 1 extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in_1 line 1 extended permit ip any 192.168.0.0 255.255.255.0

no object network nonat

no access-group inside_access_out out interface inside
no access-group outside_access_out out interface outside

no route outside 10.15.100.0 255.255.255.0 10.13.74.1 1

Warm regards,
Ramraj Sivagnanam Sivajanam
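Editor's note, added to the thread and not part of either post: most of the steps in the reply above are configuration hygiene (dropping ACLs that are defined but never bound with `access-group`, and an object whose static NAT maps 192.168.0.20 to itself), and those checks can be automated before touching a box. The Python script below is an added example, not Cisco's or either poster's code. It parses a constructed excerpt of the running-config shown above, with the two ACL entries the reply adds, and reports: ACLs with no `access-group` binding (`nonat`, `uprava_access_out`); real addresses covered by more than one static object NAT rule (`server` and `nonat` both translate 192.168.0.20); translate-to-self rules (`nonat`); entries that permit `ip any` inbound on the outside interface (the reply's `permit ip any 192.168.0.0 255.255.255.0`, reasonable while troubleshooting but worth narrowing, for instance to the 10.15.100.0/24 peer network as the source, once traffic flows); and next hops pinned by a static `arp` entry (10.13.74.1, whose MAC should be re-checked with `show arp` now that the ISP has replaced that router). All function names are the example's own, it assumes `show running-config` indentation for sub-commands, and it does not emulate the ASA's NAT rule ordering or packet path.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the posted running-config (object/NAT, ACL, access-group, arp and route
# lines) plus the two ACL entries the reply adds. Sub-commands are indented as `show run` prints them.
SAMPLE_CONFIG = """\
object network server
 host 192.168.0.20
object network nonat
 host 192.168.0.20
object network natmreze
 subnet 192.168.0.0 255.255.255.0
access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
access-list outside_access_in_1 extended permit ip any 192.168.0.0 255.255.255.0
arp outside 10.13.74.1 000d.bd64.a8e2
object network server
 nat (inside,outside) static 10.13.74.34 dns
object network nonat
 nat (inside,outside) static 192.168.0.20
object network natmreze
 nat (any,any) static 10.13.74.42 dns
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
"""
NAT_RE = re.compile(r"nat \((?P<rif>[\w-]+),(?P<mif>[\w-]+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)")


def parse_config(text):
    """Parse only the command families the checks below need; everything else is skipped."""
    cfg = {"objects": defaultdict(lambda: {"real": None, "nat": None}),
           "acls": defaultdict(list), "bindings": [], "arp": {}, "routes": []}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        parts = raw.split()
        if not raw.startswith(" "):                      # top-level command
            current = None
            if parts[:2] == ["object", "network"]:
                current = parts[2]
                cfg["objects"][current]                  # create the entry even if no sub-commands follow
            elif parts[0] == "access-list":              # access-list NAME [extended] permit|deny ...
                cfg["acls"][parts[1]].append(parts[3:] if parts[2] == "extended" else parts[2:])
            elif parts[0] == "access-group":             # access-group NAME in|out interface IF
                cfg["bindings"].append((parts[1], parts[2], parts[4]))
            elif parts[0] == "arp" and len(parts) >= 4:  # arp IF IP MAC
                cfg["arp"][parts[2]] = parts[3]
            elif parts[0] == "route":                    # route IF NET MASK GATEWAY [metric]
                cfg["routes"].append((parts[2], parts[3], parts[4]))
        elif current is not None:                        # sub-command of an object network
            if parts[0] == "host":
                cfg["objects"][current]["real"] = ipaddress.ip_network(parts[1])
            elif parts[0] == "subnet":
                cfg["objects"][current]["real"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
            elif parts[0] == "nat" and (m := NAT_RE.match(raw.strip())):
                cfg["objects"][current]["nat"] = m.groupdict()
    return cfg


def unapplied_acls(cfg):
    """ACLs that are defined but never bound with access-group: dead rules that only confuse audits."""
    return sorted(set(cfg["acls"]) - {acl for acl, _, _ in cfg["bindings"]})


def static_nat_findings(cfg):
    """Real addresses covered by more than one static object NAT rule, and translate-to-self rules."""
    by_real, identity = defaultdict(list), []
    for name, obj in cfg["objects"].items():
        real, nat = obj["real"], obj["nat"]
        if real is None or not nat or nat["kind"] != "static":
            continue
        by_real[str(real)].append(name)
        try:
            if ipaddress.ip_network(nat["mapped"]) == real:
                identity.append(name)
        except ValueError:                               # mapped side is an object name, not an address
            pass
    return {"duplicate_static_reals": {r: sorted(n) for r, n in by_real.items() if len(n) > 1},
            "identity_nat": sorted(identity)}


def open_inbound_entries(cfg, iface="outside"):
    """Entries on ACLs bound inbound on `iface` that permit protocol ip from any source."""
    return [f"{acl}: {' '.join(t)}" for acl, direction, bound_if in cfg["bindings"]
            if direction == "in" and bound_if == iface
            for t in cfg["acls"].get(acl, []) if t[:3] == ["permit", "ip", "any"]]


def pinned_gateways(cfg):
    """Next hops that also have a static arp entry: the MAC must match the (possibly replaced) router."""
    return {gw: cfg["arp"][gw] for _, _, gw in cfg["routes"] if gw in cfg["arp"]}


def report(text=SAMPLE_CONFIG):
    cfg = parse_config(text)
    return {"unapplied_acls": unapplied_acls(cfg), **static_nat_findings(cfg),
            "open_inbound": open_inbound_entries(cfg), "pinned_gateways": pinned_gateways(cfg)}


if __name__ == "__main__":
    print(report())
```

Run it against a full `show running-config` capture by passing the text to `report()`; on the excerpt above it flags exactly the items the reply removes, plus the wide-open inbound entry the reply adds and the static ARP entry for the replaced gateway. Note that `object network natmreze` is not flagged by any check even though its `(any,any)` static rule is the one that translates the whole inside subnet, which is why an audit like this complements, rather than replaces, reading the NAT table with `show nat` and `packet-tracer`.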