New Member

um...nat...broken?

I came into my job a while ago and somebody had been messing around in this ASA and they were using a different firewall for their PAT.  I want to use my ASA (shouldn't need to explain why on this forum).

As far as I can tell, traffic is clearing the access lists and being passed out the interface, but the NAT isn't happening.

Here's what I mean, this was captured from the public interface showing the original source address:

1: 21:41:38.009154 192.168.2.82 > 66.102.7.104: icmp: echo request

the same sort of thing happens when I try a source address that should trigger the PAT.

Can somebody please help me see what I'm missing in this config, I'm going insane.

ASA Version 7.0(6)
!
hostname cs-ais-asa
names
dns-guard
!
interface Ethernet0/0
nameif PUBLIC
security-level 0
ip address yyy.yyy.yyy.yyy 255.255.255.0
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.2.50 255.255.255.0
!
interface Ethernet0/2
description SIP INT
nameif DMZ_SIP
security-level 50
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd eKmqHO4KGDP8LA6F encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list LAN_nat0_inbound extended permit ip any any
access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list LAN_nat0_inbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list PUBLIC_access_in extended permit tcp any any
access-list split standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list split standard permit 172.16.1.0 255.255.255.0
access-list split standard permit 192.168.32.0 255.255.255.0
access-list split standard permit 192.168.33.0 255.255.255.0
access-list split standard permit 192.168.34.0 255.255.255.0
access-list split remark Vlan 10
access-list split standard permit 192.168.12.0 255.255.255.0
access-list Firewall extended permit ip any any
access-list PUBLIC_access_in_V1 extended permit icmp any host 192.168.2.82 log
access-list PUBLIC_cryptomap_20 remark Convergence Office
access-list PUBLIC_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list capture extended permit icmp any any
access-list icmp_capture extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu PUBLIC 1500
mtu LAN 1500
mtu DMZ_SIP 1500
mtu management 1500
ip local pool ASAPOOL2 192.168.2.55-192.168.2.65 mask 255.255.255.0
ip local pool ASAPOOL1 192.168.2.66-192.168.2.75 mask 255.255.255.0
icmp permit any PUBLIC
icmp permit any LAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (PUBLIC) 10 interface
nat (LAN) 0 access-list LAN_nat0_inbound
nat (LAN) 10 192.168.0.0 255.255.0.0
nat (LAN) 10 0.0.0.0 0.0.0.0
static (LAN,PUBLIC) 206.71.187.6 192.168.2.82 netmask 255.255.255.255
access-group PUBLIC_access_in_V1 in interface PUBLIC
route PUBLIC 0.0.0.0 0.0.0.0 206.71.187.1 1
route LAN 192.168.34.0 255.255.255.0 192.168.2.1 1
route LAN 192.168.33.0 255.255.255.0 192.168.2.1 1
route LAN 192.168.32.0 255.255.255.0 192.168.2.1 1
route LAN 172.16.1.0 255.255.255.0 192.168.2.50 1
route LAN 192.168.1.0 255.255.255.0 192.168.2.50 1
route LAN 192.168.3.0 255.255.255.0 192.168.2.50 1
route LAN 192.168.12.0 255.255.255.0 192.168.2.1 1
route LAN 192.168.253.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list Mitel "200icp ssl" https://192.168.2.2
url-list Mitel "3300icp ssl" https://192.168.2.3
url-list Mitel "3300Mxe" https://192.168.12.3
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy
  port-forward-name value Application Access
group-policy convergencesys internal
group-policy convergencesys attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
webvpn
http server enable
http 0.0.0.0 0.0.0.0 LAN
http 192.168.0.0 255.255.0.0 LAN
http 192.168.200.0 255.255.255.0 LAN
http 192.168.2.0 255.255.255.0 LAN
snmp-server host LAN 192.168.2.32 community public udp-port 161
snmp-server location AIS datacenter
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
ssh timeout 5
ssh version 2
console timeout 4
management-access LAN
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
enable PUBLIC
logo file disk0:/signature.jpg
authorization-server-group LOCAL
default-group-policy convergencesys
authentication aaa certificate
: end

2 REPLIES
New Member

Re: um...nat...broken?

I didn't spend too much time looking at this but one thing sticks out at first glance. You have a permit any any line in your nat0 ACL. This line says: "do not nat packets from any source address to any destination address". It could be overriding your nat10 statement. I would remove that line and try again.
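
Added illustration (not code from the thread): a small Python model of the pre-8.3 ASA NAT order of operations (nat 0 exemption is checked before static and dynamic nat) run over the relevant lines of the posted config, with the echo request from the capture as the packet. The ACL, static and nat 10 entries are transcribed from the config above; the result strings are my own labels.

```python
import ipaddress

# Relevant lines of the posted ASA 7.0(6) config, transcribed as constructed input.
# nat (LAN) 0 access-list LAN_nat0_inbound -> entries are (action, src, dst)
NAT0_ACL = [
    ("permit", "192.168.0.0 255.255.0.0", "192.168.2.0 255.255.255.0"),
    ("permit", "0.0.0.0 0.0.0.0", "0.0.0.0 0.0.0.0"),  # the "permit ip any any" line
    ("permit", "192.168.0.0 255.255.0.0", "192.168.200.0 255.255.255.0"),
    ("permit", "192.168.0.0 255.255.0.0", "192.168.0.0 255.255.0.0"),
]
ANY_ANY = NAT0_ACL[1]
STATICS = {"192.168.2.82": "206.71.187.6"}  # static (LAN,PUBLIC) 206.71.187.6 192.168.2.82
NAT10 = ["192.168.0.0 255.255.0.0", "0.0.0.0 0.0.0.0"]  # nat (LAN) 10 ..., global (PUBLIC) 10 interface


def net(spec):
    """'network mask' in ASA notation -> ipaddress network object."""
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def nat0_hit(acl, src, dst):
    """1-based index of the first nat 0 ACL entry matching src->dst (permit only), else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, src_net, dst_net) in enumerate(acl, 1):
        if s in net(src_net) and d in net(dst_net):
            return i if action == "permit" else None
    return None


def translate(src, dst, nat0_acl=NAT0_ACL):
    """Pre-8.3 ASA order: nat 0 exemption, then static, then dynamic nat/global.
    Returns (rule that fired, source address seen on the PUBLIC interface)."""
    hit = nat0_hit(nat0_acl, src, dst)
    if hit is not None:
        return (f"nat 0 exempt, ACL line {hit}", src)
    if src in STATICS:
        return ("static (LAN,PUBLIC)", STATICS[src])
    if any(ipaddress.ip_address(src) in net(p) for p in NAT10):
        return ("nat (LAN) 10 -> global (PUBLIC) 10 interface", "PUBLIC interface address")
    return ("no matching rule; dropped under nat-control", None)


def nat0_without_any_any():
    """The nat 0 ACL with the 'permit ip any any' entry removed, as the reply suggests."""
    return [e for e in NAT0_ACL if e != ANY_ANY]


if __name__ == "__main__":
    pkt = ("192.168.2.82", "66.102.7.104")  # the echo request seen in the capture
    print("as posted:", translate(*pkt))
    print("without any any:", translate(*pkt, nat0_without_any_any()))
```

With the any any line present every LAN packet hits exemption line 2 and leaves untranslated, which matches the capture; without it the static for 192.168.2.82 fires, other LAN hosts fall through to the nat 10 PAT, and the site-to-site traffic to 192.168.200.0/24 is still exempted.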

New Member

Re: um...nat...broken?

Thanks, I'll try playing with the NAT0 and see what happens!
