
Static NAT on ASA5505

gregwilmot
Level 1

Hi

I am trying to configure static NAT for one address, and as soon as I add the NAT rule the internal host stops seeing the outside world. What have I forgotten to do?

All help greatly appreciated. First timer!

10 Replies

michael.leblanc
Level 4

Most likely, you will need to post your NAT configuration for review.

Hi, thanks for your interest. Here you are.

ASA Version 7.2(3)
!
hostname N***********
domain-name d***********
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
dhcp client update dns
ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 6**.***.***.2 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.2.20
name-server 192.168.10.202
domain-name *****************
same-security-traffic permit intra-interface
object-group network Trusted-LAN-Hosts
network-object host 192.168.10.10
network-object host 192.168.10.197
network-object host 192.168.10.198
network-object host 192.168.10.202
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq isakmp
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq ldap
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit esp any 6**.***.***.0 255.255.255.0
access-list outside_access_in extended permit gre any 6**.***.***.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Remote-pool 192.168.4.1-192.168.4.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 6**.***.***.10 192.168.10.202 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 6**.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact

I'll let someone more familiar with the ASA help you.

Thanks

I also have dug this out, if it helps.

Result of the command: "sh running-config nat"

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0

All I need to do is set NAT for a couple of IPs for a couple of services.

Thanks all for your assistance in advance.

Greg

Greg,

Could you be more specific about your problem? Config looks fine.

OK, the issue is I need to NAT a couple of addresses. With it all configured as above, the issue is as follows: the hosts that have the NAT address cannot access the outside network (internet), nor can the outside see the selected services that have been set for them.

I have run Packet Tracer for www packets out and it fails on an access list, which is the system default deny any any implicit rule.

I have rules that allow www from inside, and they work fine when there are no NAT-configured addresses. I have compared this with another ASA that works and can't see any difference.

I am lost at this point and all help is greatly appreciated.

Regards

Greg

Greg

Would you please clarify why you have both the .10 network and the .2 network in your no-NAT statement? What network are the users (who can't access the outside) on? Also, have you run the Live Log in debugging mode to see why the packets are being dropped?

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0

Hi,

The access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 refers to the VPN tunnel that is in place between the two networks.

Static IP addresses from the .10 network cannot access the outside world (internet).

Greg

Try changing the sequence number of your NATs (not your statics), as seq 0 is a no-NAT and seq 1 is then asking the same .10 network to be translated.

Have you tried using the Live Log viewer? Try this and let me know how you get on.

Regards

Sol

Hi

Thanks for that. I have looked at the live viewer and it doesn't display any denies, etc. It does display the teardown on the particular NAT address, so this would say to me it is getting out but the response is not getting back in. I am not sure, really.

How do I change the seq numbers?

thanks for your assistance.

Greg
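The thread turns on two things a pre-8.3 ASA does with the lines Greg posted: the order in which it picks a translation for an outbound flow (nat 0 exemption first, then static, then nat/global PAT), and the fact that an inbound ACL is matched against the mapped address, with no match falling through to the implicit deny that Packet Tracer reports. The script below is an added example written for this page, not Cisco code and not from the thread. It models those two rules over the posted NAT and ACL lines and runs the cases discussed: www out from the static host 192.168.10.202, www out from a PAT host, traffic to the 192.168.2.0/24 VPN peer, and a new www connection from the internet to the static's public address. Assumptions: the masked public prefix 6**.***.***.0/24 is replaced by the documentation range 203.0.113.0/24 (so the static maps to 203.0.113.10 and the outside interface is 203.0.113.2), the ACLs are trimmed to the entries the cases need, and the model ignores xlate timeouts, routing and proxy ARP.

```python
"""Model of pre-8.3 ASA NAT ordering and ACL evaluation over the posted config.
Added example for this page; not Cisco code.  203.0.113.0/24 stands in for the
masked public prefix (assumption), so the static maps 192.168.10.202 -> 203.0.113.10.
"""
import ipaddress

# Constructed from the posted config, with masked addresses replaced (see above).
CONFIG = """
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit esp any 203.0.113.0 255.255.255.0
access-list outside_access_in extended permit gre any 203.0.113.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.10.202 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""

PORTS = {"www": 80, "https": 443, "domain": 53, "ldap": 389, "isakmp": 500}
OUTSIDE_IF = ipaddress.ip_address("203.0.113.2")  # outside interface address (assumed)


def net(addr, mask=None):
    """'any' or 'addr mask' (ASA ACL syntax) -> ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def take_net(tokens):
    """Consume one address spec from an ACE; 'any' has no mask token."""
    if tokens[0] == "any":
        return net("any"), tokens[1:]
    return net(tokens[0], tokens[1]), tokens[2:]


def parse(text):
    cfg = {"acl": {}, "nat0": None, "nat": [], "static": [], "global": {}, "group": {}}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":  # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            src, rest = take_net(t[5:])
            dst, rest = take_net(rest)
            port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
            cfg["acl"].setdefault(t[1], []).append(
                {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port})
        elif t[0] == "global":  # global (outside) ID interface
            cfg["global"][int(t[2])] = t[3]
        elif t[0] == "nat" and t[2] == "0":  # nat (inside) 0 access-list NAME  (exemption)
            cfg["nat0"] = t[4]
        elif t[0] == "nat":  # nat (inside) ID NET MASK  (dynamic, paired with global ID)
            cfg["nat"].append((int(t[2]), net(t[3], t[4])))
        elif t[0] == "static":  # static (inside,outside) MAPPED REAL netmask MASK
            cfg["static"].append((net(t[3], t[5]), net(t[2], t[5])))
        elif t[0] == "access-group":  # access-group ACL in interface IF
            cfg["group"][t[4]] = t[1]
    return cfg


def acl_permits(cfg, name, proto, src, dst, dport):
    """First matching ACE wins; no match is the implicit 'deny any any' Packet Tracer shows."""
    for ace in cfg["acl"].get(name, []):
        if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"] == "permit"
    return False


def translate_outbound(cfg, src, dst):
    """Pre-8.3 selection order: nat 0 exemption ACL, then static, then nat/global PAT."""
    for ace in cfg["acl"].get(cfg["nat0"], []):
        if src in ace["src"] and dst in ace["dst"]:
            return src, "nat 0 exemption (no translation)"
    for real, mapped in cfg["static"]:
        if src in real:
            return mapped.network_address + (int(src) - int(real.network_address)), "static"
    for nat_id, real in cfg["nat"]:
        if src in real and cfg["global"].get(nat_id) == "interface":
            return OUTSIDE_IF, f"PAT to outside interface (nat {nat_id})"
    return None, "no translation available, dropped"


def outbound(cfg, proto, src, dst, dport=None):
    """Inside -> outside: inside ACL sees the real source, then a translation is chosen."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(cfg, cfg["group"]["inside"], proto, src, dst, dport):
        return {"allowed": False, "why": "inside_access_in implicit deny"}
    mapped, how = translate_outbound(cfg, src, dst)
    if mapped is None:
        return {"allowed": False, "why": how}
    return {"allowed": True, "mapped_src": str(mapped), "why": how}


def inbound(cfg, proto, src, mapped_dst, dport=None):
    """Outside -> inside new connection: needs a static for the mapped address AND an
    outside ACL permit evaluated against that mapped (public) address."""
    src, mapped_dst = ipaddress.ip_address(src), ipaddress.ip_address(mapped_dst)
    real = next((r.network_address + (int(mapped_dst) - int(m.network_address))
                 for r, m in cfg["static"] if mapped_dst in m), None)
    if real is None:
        return {"allowed": False, "why": "no static for mapped address"}
    if not acl_permits(cfg, cfg["group"]["outside"], proto, src, mapped_dst, dport):
        return {"allowed": False, "real_dst": str(real), "why": "outside_access_in implicit deny"}
    return {"allowed": True, "real_dst": str(real), "why": "static + outside ACL permit"}


CFG = parse(CONFIG)

if __name__ == "__main__":
    print("static host www out :", outbound(CFG, "tcp", "192.168.10.202", "198.51.100.5", 80))
    print("PAT host www out    :", outbound(CFG, "tcp", "192.168.10.10", "198.51.100.5", 80))
    print("VPN peer (nat 0)    :", outbound(CFG, "tcp", "192.168.10.202", "192.168.2.20", 80))
    print("smtp out (no ACE)   :", outbound(CFG, "tcp", "192.168.10.202", "198.51.100.5", 25))
    print("internet -> static  :", inbound(CFG, "tcp", "198.51.100.5", "203.0.113.10", 80))
    print("esp -> static       :", inbound(CFG, "esp", "198.51.100.5", "203.0.113.10"))
```

What the run shows against the posted lines: www out from the static host is permitted by inside_access_in and leaves as 203.0.113.10 via the static, while the other hosts leave as the interface address via nat 1/global 1, so the two nat statements are not in conflict (nat 0 only catches the 192.168.2.0/24 VPN peer). A new www connection from the internet to the static's public address is dropped by the implicit deny on outside_access_in, which only permits esp and gre, so the "outside cannot see the services" half of the problem is explained by the ACL rather than by the static.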
