03-31-2012 05:09 PM - edited 03-07-2019 05:53 AM
I cant seem to get NAT working for my DMZ interface. NAT works fine for Inside to Outside. My liscense is the the base so I have a limited DMZ, but I should still be able to NAT from DMZ to Outside. Here is my running config for the ASA.
CobraUnit-ASA# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname CobraUnit-ASA
domain-name CobraUnitASA.cobra-unit.net
enable password ***************************v encrypted
passwd ******************** encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan10
nameif inside
security-level 100
ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
no forward interface Vlan10
nameif DMZ
security-level 50
ip address 10.20.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name CobraUnitASA.cobra-unit.net
access-list inside_nat0_outbound extended permit ip any 10.100.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPN 10.100.0.100-10.100.0.150 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 10 10.10.0.0 255.255.255.0
nat (inside) 10 10.30.0.0 255.255.255.0
nat (inside) 10 10.40.0.0 255.255.255.0
nat (DMZ) 10 10.20.0.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN internal
group-policy VPN attributes
dns-server value 4.2.2.2 8.8.8.8
vpn-tunnel-protocol IPSec
username admin password ******************.Ew encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e4e76469540ece92e94a72be749de57
: end
03-31-2012 05:46 PM
update with bellow commands' result may provide some more valuable information:
pack in DMZ icmp 10.20.0.1 0 0 192.0.43.10
pack in DMZ tcp 10.20.0.2 10000 192.0.43.10 80
sh xlate count
sh conn count
03-31-2012 05:55 PM
Which ASA model and license are you using...are the devices in DMZ able to go outside? Below is for ASA5505
"In transparent firewall mode, you can configure two active VLANs in the Base license and three active
VLANs in the Security Plus license, one of which must be for failover.
In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active
VLANs with the Security Plus license.
An active VLAN is a VLAN with a nameif command configured."
03-31-2012 06:51 PM
Its a 5505. forgot to specify the model. And i already specified the liscense, which is the Base.
Heres the results of the commands you suggested:
CobraUnit-ASA# pack in DMZ icmp 10.20.0.1 0 0 192.0.43.10
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
CobraUnit-ASA# pack in DMZ tcp 10.20.0.2 10000 192.0.43.10 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ) 10 10.20.0.0 255.255.255.0
nat-control
match ip DMZ 10.20.0.0 255.255.255.0 outside any
dynamic translation to pool 10 (70.173.111.* [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.20.0.2/10000 to 70.173.111.*/2195 using netmask 255.255.2 55.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 10 10.20.0.0 255.255.255.0
nat-control
match ip DMZ 10.20.0.0 255.255.255.0 outside any
dynamic translation to pool 10 (70.173.111.* [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2779, packet dispatched to next module
Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 70.173.110.1 using egress ifc outside
adjacency Active
next-hop mac address 0030.b8ca.2540 hits 1
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
CobraUnit-ASA# sh xlate count
16 in use, 469 most used
CobraUnit-ASA# sh conn count
26 in use, 743 most used
03-31-2012 07:21 PM
from the result you provide, i can tell you have exactly the same situation I have in one of my site's 5510 with a 8.1 version of ASA that is you can broswe Internet but not ping Internet. So I wonder if you can broswe Internet from DMZ network while can't ping Internet.
03-31-2012 10:12 PM
Cant do updates from my Ubuntu Server boxes. so i doubt i can browse the web.
03-31-2012 10:19 PM
I think you should open browser and open google to check your natted Internet IP address. If you can get google showing your IP address is 70.173.111.* then you get everything work just fine except ICMP (ping, traceroute).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide