cannot ping outside hosts after nat-control enabled

tsrader
Level 1

Want to enable nat-control to restrict access to outside hosts from inside.  Outside hosts are an internal lab (not across internet) to main network.

Nat-control enabled causes inside hosts to stop access / ping outside hosts.  See NAT / statics configuration below.

Thanks for any input.

inside pc:  192.168.16.1

outside pc: 10.25.41.5 (assigned ip)
            192.168.50.5 (virtual ip used when pinging from inside)


ASA Version 8.0(4) <context>
!
hostname fw
dns-guard
!
interface GigabitEthernet0/0.515
nameif outside
security-level 0
ip address 10.25.41.1 255.255.255.224
!
interface GigabitEthernet0/1.533
nameif inside
security-level 100
ip address 192.168.40.220 255.255.255.248
!
dns server-group DefaultDNS
domain-name local
same-security-traffic permit intra-interface
object-group network inside_hosts_permitted
network-object 192.168.16.1 255.255.255.255
network-object 192.168.17.0 255.255.255.0
object-group network outside_hosts_real
network-object 10.25.41.5 255.255.255.255
network-object 10.25.41.6 255.255.255.255
network-object 10.25.41.7 255.255.255.255
object-group service smt_udp_ports udp
port-object eq netbios-ns
object-group service smt_tcp_ports tcp
port-object eq 135
port-object eq netbios-ssn
port-object eq 445
object-group network server_nats
network-object 10.25.41.2 255.255.255.255
network-object 10.25.41.3 255.255.255.255
network-object 10.25.41.4 255.255.255.255
object-group network outside_hosts_nats
network-object 192.168.50.1 255.255.255.255
network-object 192.168.50.2 255.255.255.255
network-object 192.168.50.3 255.255.255.255
network-object 192.168.50.4 255.255.255.255
network-object 192.168.50.5 255.255.255.255
access-list external_access_in extended permit tcp host 10.25.41.9 host 10.25.41.2 object-group smt_tcp_ports
access-list external_access_in extended permit udp 10.25.41.0 255.255.255.224 host 10.25.41.2 object-group smt_udp_ports
access-list external_access_in extended permit icmp any any
access-list internal_access_in extended permit icmp any any
access-list internal_access_in extended permit tcp host 192.168.16.1 any eq 3389
access-list internal_access_in extended permit tcp 192.168.17.0 255.255.255.0 object-group outside_hosts_nats eq ftp
access-list internal_access_in extended permit tcp 192.168.17.0 255.255.255.0 object-group outside_hosts_nats eq ftp-data
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.224
static (outside,inside) 192.168.50.0 10.25.41.0 netmask 255.255.255.224
static (inside,outside) 10.25.41.2 192.168.10.137 netmask 255.255.255.255
static (inside,outside) 10.25.41.3 192.168.10.134 netmask 255.255.255.255
static (inside,outside) 10.25.41.4 192.168.10.161 netmask 255.255.255.255
access-group external_access_in in interface outside
access-group internal_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.25.41.1 1
route inside 192.168.0.0 255.255.0.0 192.168.40.217 1
http server enable
sysopt noproxyarp inside

Accepted Solution

tsrader wrote:

192.168.50.x is the IP range which is routable on the inside network --- assigned as a "virtual" IP range for outside hosts coming back into the network.

1.  Yes, inside hosts would ping the 192.168.50.x address.

192.168.50.5 > 10.25.41.5

Is a second global/nat pair required to permit inside hosts to initiate a connection to outside hosts?

global (outside) 2 interface

nat (inside) 2 192.168.16.0  (or whatever inside IP range is needed to come through)

Thanks

You can just NAT the inside addresses to the same global ie.

nat (inside) 1 192.168.16.0 255.255.255.0

global (outside) 1 interface

you don't need

nat (inside) 1 192.168.50.0 255.255.255.0

it's not doing anything.

Jon

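To see why the accepted answer works, here is an added example (not code from the thread or from Cisco) that models in Python how nat-control matches an inside-to-outside packet against the nat/global and static statements above: the match order, the offset arithmetic for the static, and the use of the outside interface address 10.25.41.1 as the PAT address are assumptions of this simplified model, not ASA internals.

```python
import ipaddress

# Added example, not code from the thread or from Cisco: a simplified model of
# how ASA 8.0 with nat-control decides whether an inside->outside packet has a
# translation.  Assumed: dynamic PAT "global (outside) N interface" uses the
# outside interface IP, and "static (outside,inside) mapped real" rewrites the
# destination.  Policy NAT, nat 0 and the real ASA order of operations are ignored.
OUTSIDE_IF_IP = "10.25.41.1"  # outside interface address from the posted config


def in_net(ip, net, mask):
    """True if ip falls inside net/mask (dotted-decimal mask)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def translate(config, src, dst):
    """Return (translated_src, translated_dst), or None when nat-control drops it."""
    # Step 1: destination.  A static (outside,inside) mapped->real entry turns the
    # "virtual" 192.168.50.x address used on the inside into the real outside host.
    new_dst = dst
    for mapped, real, mask in config["static_out_in"]:
        if in_net(dst, mapped, mask):
            offset = int(ipaddress.ip_address(dst)) - int(ipaddress.ip_address(mapped))
            new_dst = str(ipaddress.ip_address(int(ipaddress.ip_address(real)) + offset))
            break
    # Step 2: source.  With nat-control the real source must match a nat (inside)
    # statement whose id also has a global (outside); otherwise the packet is dropped.
    for nat_id, net, mask in config["nat_inside"]:
        if in_net(src, net, mask) and nat_id in config["global_outside"]:
            return config["global_outside"][nat_id], new_dst
    return None


# The poster's NAT statements as given in the thread.
BROKEN = {
    "global_outside": {1: OUTSIDE_IF_IP},
    "nat_inside": [(1, "192.168.50.0", "255.255.255.224")],
    "static_out_in": [("192.168.50.0", "10.25.41.0", "255.255.255.224")],
}
# Jon's fix: NAT the real inside subnet to the same global id.
FIXED = dict(BROKEN, nat_inside=[(1, "192.168.16.0", "255.255.255.0")])

if __name__ == "__main__":
    print(translate(BROKEN, "192.168.16.1", "192.168.50.5"))  # None: no NAT rule matches the source
    print(translate(FIXED, "192.168.16.1", "192.168.50.5"))   # ('10.25.41.1', '10.25.41.5')
```

The broken case shows the symptom from the thread: the destination is translated by the static, but the source 192.168.16.1 matches no nat (inside) statement, so nat-control has nothing to translate it with and the ping never leaves.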

3 Replies

Jon Marshall
Hall of Fame


Just to clarify -

From the inside you do not ping a 10.25.x.x address, you actually ping a 192.168.50.x address? This is what

static (outside,inside) 192.168.50.0 10.25.41.0 netmask 255.255.255.224  is meant to be doing?

If so, your problem is that you are not NATting the actual source address, i.e. 192.168.16.1, so instead of

global (outside) 1 interface

nat (inside) 1 192.168.50.0 255.255.255.224

it should read

global (outside) 1 interface

nat (inside) 1 192.168.16.0 255.255.255.0  <-- note this subnet mask may not be right, modify if needed.

I'm not sure what "nat (inside) 1 192.168.50.0 255.255.255.224" is meant to achieve.

Jon

192.168.50.x is the IP range which is routable on the inside network --- assigned as a "virtual" IP range for outside hosts coming back into the network.

1.  Yes, inside hosts would ping the 192.168.50.x address.

192.168.50.5 > 10.25.41.5

Is a second global/nat pair required to permit inside hosts to initiate a connection to outside hosts?

global (outside) 2 interface

nat (inside) 2 192.168.16.0  (or whatever inside IP range is needed to come through)

Thanks

