ASA DMZ NAT help

The.Sorrow · ‎03-31-2012

I cant seem to get NAT working for my DMZ interface. NAT works fine for Inside to Outside. My liscense is the the base so I have a limited DMZ, but I should still be able to NAT from DMZ to Outside. Here is my running config for the ASA.

CobraUnit-ASA# sh run

: Saved

:

ASA Version 8.2(2)

!

hostname CobraUnit-ASA

domain-name CobraUnitASA.cobra-unit.net

enable password ***************************v encrypted

passwd ******************** encrypted

names

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan10

nameif inside

security-level 100

ip address 10.10.0.1 255.255.255.0

!

interface Vlan20

no forward interface Vlan10

nameif DMZ

security-level 50

ip address 10.20.0.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 10

!

interface Ethernet0/2

switchport access vlan 20

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

boot system disk0:/asa822-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name CobraUnitASA.cobra-unit.net

access-list inside_nat0_outbound extended permit ip any 10.100.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip local pool VPN 10.100.0.100-10.100.0.150 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 10 interface

nat (inside) 10 10.10.0.0 255.255.255.0

nat (inside) 10 10.30.0.0 255.255.255.0

nat (inside) 10 10.40.0.0 255.255.255.0

nat (DMZ) 10 10.20.0.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 10.10.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet 10.10.0.0 255.255.255.0 inside

telnet timeout 5

ssh 10.10.0.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy VPN internal

group-policy VPN attributes

dns-server value 4.2.2.2 8.8.8.8

vpn-tunnel-protocol IPSec

username admin password ******************.Ew encrypted privilege 15

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool VPN

default-group-policy VPN

tunnel-group VPN ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4e4e76469540ece92e94a72be749de57

: end

thomas.satafer.fan · ‎03-31-2012

update with bellow commands' result may provide some more valuable information:

pack in DMZ icmp 10.20.0.1 0 0 192.0.43.10

pack in DMZ tcp 10.20.0.2 10000 192.0.43.10 80

sh xlate count

sh conn count

siddhartham · ‎03-31-2012

Which ASA model and license are you using...are the devices in DMZ able to go outside? Below is for ASA5505

"In transparent firewall mode, you can configure two active VLANs in the Base license and three active

VLANs in the Security Plus license, one of which must be for failover.

In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active

VLANs with the Security Plus license.

An active VLAN is a VLAN with a nameif command configured."

Siddhartha

The.Sorrow · ‎03-31-2012

Its a 5505. forgot to specify the model. And i already specified the liscense, which is the Base.

Heres the results of the commands you suggested:

CobraUnit-ASA# pack in DMZ icmp 10.20.0.1 0 0 192.0.43.10

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

CobraUnit-ASA# pack in DMZ tcp 10.20.0.2 10000 192.0.43.10 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (DMZ) 10 10.20.0.0 255.255.255.0

nat-control

match ip DMZ 10.20.0.0 255.255.255.0 outside any

dynamic translation to pool 10 (70.173.111.* [Interface PAT])

translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 10.20.0.2/10000 to 70.173.111.*/2195 using netmask 255.255.2 55.255

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (DMZ) 10 10.20.0.0 255.255.255.0

nat-control

match ip DMZ 10.20.0.0 255.255.255.0 outside any

dynamic translation to pool 10 (70.173.111.* [Interface PAT])

translate_hits = 1, untranslate_hits = 0

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2779, packet dispatched to next module

Phase: 9

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 70.173.110.1 using egress ifc outside

adjacency Active

next-hop mac address 0030.b8ca.2540 hits 1

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

CobraUnit-ASA# sh xlate count

16 in use, 469 most used

CobraUnit-ASA# sh conn count

26 in use, 743 most used

thomas.satafer.fan · ‎03-31-2012

from the result you provide, i can tell you have exactly the same situation I have in one of my site's 5510 with a 8.1 version of ASA that is you can broswe Internet but not ping Internet. So I wonder if you can broswe Internet from DMZ network while can't ping Internet.

The.Sorrow · ‎03-31-2012

Cant do updates from my Ubuntu Server boxes. so i doubt i can browse the web.

thomas.satafer.fan · ‎03-31-2012

I think you should open browser and open google to check your natted Internet IP address. If you can get google showing your IP address is 70.173.111.* then you get everything work just fine except ICMP (ping, traceroute).