05-27-2008 07:15 AM - edited 03-11-2019 05:50 AM
Hi
I am trying to configure static NAT for one address, and as soon as I add the NAT rule the internal host stops seeing the outside world. What have I forgotten to do?
All help greatly appreciated. First timer!!
05-27-2008 09:18 AM
Most likely, you will need to post your NAT configuration for review.
05-27-2008 11:28 PM
Hi, thanks for your interest. Here you are.
ASA Version 7.2(3)
!
hostname N***********
domain-name d***********
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
dhcp client update dns
ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 6**.***.***.2 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.2.20
name-server 192.168.10.202
domain-name *****************
same-security-traffic permit intra-interface
object-group network Trusted-LAN-Hosts
network-object host 192.168.10.10
network-object host 192.168.10.197
network-object host 192.168.10.198
network-object host 192.168.10.202
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq isakmp
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq ldap
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit esp any 6**.***.***.0 255.255.255.0
access-list outside_access_in extended permit gre any 6**.***.***.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Remote-pool 192.168.4.1-192.168.4.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 6**.***.***.10 192.168.10.202 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 6**.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
05-28-2008 05:48 AM
I'll let someone more familiar with the ASA help you.
05-28-2008 07:48 AM
Thanks
I also dug this out, if it helps:
Result of the command: "sh running-config nat"
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
All I need to do is set NAT for a couple of IPs for a couple of services.
Thanks all for your assistance in advance.
Greg
05-28-2008 07:55 AM
Greg,
Could you be more specific about your problem? Config looks fine.
05-28-2008 11:26 PM
OK, the issue is I need to NAT a couple of addresses. With it all configured as above the issue is as follows: the hosts that have the NAT address cannot access the outside network (internet), nor can the outside see the selected services that have been set for them.
I have run Packet Tracer for www packets out and it fails on an access list, which is the system default implicit deny any any rule.
I have rules that allow www from inside and they work fine when there are no NAT-configured addresses. I have compared this with another ASA that works and can't see any difference.
I am lost at this point and all help is greatly appreciated.
Regards
Greg
05-29-2008 01:31 AM
Greg
Would you please clarify why you have both the .10 network and the .2 network in your no-NAT statement? What network are the users (who can't access the outside) on? Also, have you run the Live Log in debugging mode to see why the packets are being dropped?
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
05-29-2008 02:17 AM
Hi,
the access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 refers to the VPN tunnel that is in place between the two networks.
Static IP addresses from the .10 network cannot access the outside world (internet).
05-29-2008 05:10 AM
Greg,
try changing the seq number of your NATs (not your statics), as seq 0 is a no-NAT and seq 1 is then asking the same network .10 to be translated.
Have you tried using the Live Log viewer? Try this and let me know how you get on.
Regards
Sol
05-30-2008 12:25 AM
Hi
Thanks for that. I have looked at the Live Viewer and it doesn't display any denies etc. It does display the teardown on the particular NAT address, so this would say to me it is getting out but the response is not getting back in. I am not sure really.
How do I change the seq numbers?
Thanks for your assistance.
Greg
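The thread turns on which of the posted NAT statements actually applies to a given flow. The following is an added example (not from the thread or from Cisco) that parses the shape of the posted pre-8.3 ASA NAT lines and picks the winning rule using the documented order of operations: NAT exemption (nat 0 access-list) first, then static, then dynamic nat/global. The public addresses are constructed placeholders from the 203.0.113.0/24 documentation range, and only the network/mask form of ACL entries is handled.

```python
import ipaddress

# Constructed sample modelled on the posted config; 203.0.113.10 stands in
# for the masked public address, not a real value from the thread.
CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.10.202 netmask 255.255.255.255
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect ACLs, exemption ACL names, dynamic nat entries and statics."""
    acls, exempt, dynamic, statics = {}, [], [], []
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[3] == "permit":
            acls.setdefault(f[1], []).append((net(f[5], f[6]), net(f[7], f[8])))
        elif f[0] == "nat" and f[2] == "0" and f[3] == "access-list":
            exempt.append(f[4])                      # nat 0 access-list <name>
        elif f[0] == "nat":
            dynamic.append((int(f[2]), net(f[3], f[4])))  # nat (ifc) <seq> net mask
        elif f[0] == "static":
            # static (in,out) <mapped> <real>: store as (real, mapped)
            statics.append((ipaddress.ip_address(f[3]), ipaddress.ip_address(f[2])))
    return acls, exempt, dynamic, statics

def translation(config, src, dst):
    """Return (rule kind, translated source) for an inside-to-outside flow,
    applying the pre-8.3 order: exemption, then static, then dynamic."""
    acls, exempt, dynamic, statics = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name in exempt:
        if any(src in s and dst in d for s, d in acls.get(name, [])):
            return ("nat 0 exemption", str(src))
    for real, mapped in statics:
        if src == real:
            return ("static", str(mapped))
    for seq, real_net in sorted(dynamic):
        if src in real_net:
            return (f"nat {seq} dynamic PAT", "outside interface")
    return ("no translation", None)
```

Under this model the .202 host is exempted only for the VPN subnet and hits the static for internet destinations, while the rest of .10/24 falls through to the nat 1 / global PAT, so the sequence numbers alone do not explain the symptom.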