Cisco Support Community
Community Member

ASA 5505 Static NAT issues

Hello,

I have a problem: when I use this command to create a NAT

static (inside,outside) 10.50.50.12 10.65.71.37 netmask 255.255.255.255

The host 10.50.50.12 loses internet connectivity. However, the NAT address does work. I have a few clients that have a VPN tunnel to 10.50.50.12 directly, and it is not working either.

However, if I delete that entry, everything works as it should. Am I missing something after I create the static NAT?

Thanks

5 REPLIES
Hall of Fame Super Silver

ASA 5505 Static NAT issues

I assume you are using ASA software 8.2(x) or earlier - please confirm. (8.3(x) or greater uses different syntax for NAT.)

If so, your syntax is reversed; it is based on:

     static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask]}

If not, please provide more details.

Community Member

ASA 5505 Static NAT issues

Here is the full config

Actually it's

static (inside,outside) 10.65.71.37 172.10.10.2 netmask 255.255.255.255

Result of the command: "show running-config"

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password C2QJsYkgkb97IK0e encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 172.10.10.1 255.255.255.248

!

interface Vlan2

nameif outside

security-level 0

ip address 108.38.217.68 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

object-group network obj-172.10.10.0

object-group network obj-10.10.50.0

object-group network obj-10.2.61.22

object-group network obj-10.2.61.50

object-group network obj-10.2.61.38

object-group network obj-10.2.61.32

object-group network obj-10.15.254.238

object-group network obj-10.15.1.1

object-group network obj-172.10.10.8

object-group network obj_any

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 10.10.50.0 255.255.255.248

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.22

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.50

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.38

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.32

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.15.254.238

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.15.1.1

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 172.10.10.8 255.255.255.248

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.2.60.40

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.2.60.100

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.2.60.70

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.1.4.18

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 170.220.248.50

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 170.220.255.88

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 10.143.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.12

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.10

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.14

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.15

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.25

access-list inside_nat0_outbound extended permit ip host 172.10.10.2 host 206.210.161.13

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.10.8.176

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.30.20.20

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 10.32.15.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 192.168.1.11

access-list inside_nat0_outbound extended permit ip host 10.65.71.37 10.50.50.0 255.255.255.0

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit icmp host 10.2.61.50 172.10.10.0 255.255.255.248

access-list outside_access_in extended permit udp any any

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit icmp 172.10.10.0 255.255.255.248 host 10.2.61.50

access-list outside_2_cryptomap remark Holy Cross

access-list outside_2_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.22

access-list outside_cryptomap_3 remark Holy Cross

access-list outside_cryptomap_3 extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.32

access-list outside_cryptomap_4 remark Holy Cross

access-list outside_cryptomap_4 extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.38

access-list outside_cryptomap_5 remark Holy Cross

access-list outside_cryptomap_5 extended permit ip 172.10.10.0 255.255.255.248 host 10.2.60.40

access-list outside_cryptomap_5 remark Holy Cross

access-list outside_cryptomap_5 extended permit ip 172.10.10.0 255.255.255.248 host 10.2.60.100

access-list outside_cryptomap_5 remark Holy Cross

access-list outside_cryptomap_5 extended permit ip 172.10.10.0 255.255.255.248 host 10.2.60.70

access-list outside_cryptomap_5 remark Holy Cross

access-list outside_cryptomap_5 extended permit ip 172.10.10.0 255.255.255.248 host 10.2.60.50

access-list outside_cryptomap_5 remark Holy Cross

access-list outside_cryptomap_5 extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.50

access-list outside_cryptomap_6 remark Holy Cross

access-list outside_cryptomap_6 extended permit ip 172.10.10.0 255.255.255.248 host 10.15.254.238

access-list outside_cryptomap_17 remark Holy Cross

access-list outside_cryptomap_17 extended permit ip 172.10.10.0 255.255.255.248 host 10.1.4.18

access-list outside_cryptomap_17 remark Holy Cross

access-list outside_cryptomap_17 extended permit ip 172.10.10.0 255.255.255.248 host 170.220.248.50

access-list outside_cryptomap_17 remark Holy Cross

access-list outside_cryptomap_17 extended permit ip 172.10.10.0 255.255.255.248 host 170.220.255.88

access-list outside_cryptomap_17 remark Holy Cross

access-list outside_cryptomap_17 extended permit ip 172.10.10.0 255.255.255.248 host 10.15.1.1

access-list Jarrod_Access_splitTunnelAcl standard permit 172.10.10.0 255.255.255.248

access-list outside_7_cryptomap remark Encino

access-list outside_7_cryptomap extended permit ip 172.10.10.0 255.255.255.248 10.143.5.0 255.255.255.0

access-list outside_7_cryptomap remark Sherman Oak

access-list outside_7_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.15

access-list outside_7_cryptomap remark Sherman Oak

access-list outside_7_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.10

access-list outside_7_cryptomap remark Sherman Oak

access-list outside_7_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.25

access-list outside_7_cryptomap remark Sherman Oak

access-list outside_7_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.12

access-list outside_7_cryptomap remark Sherman Oak

access-list outside_7_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 192.168.253.14

access-list outside_8_cryptomap remark White Memorial

access-list outside_8_cryptomap extended permit ip host 172.10.10.2 host 206.210.161.13

access-list outside_9_cryptomap remark Washington

access-list outside_9_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 10.10.8.176

access-list outside_10_cryptomap remark Brotman

access-list outside_10_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 10.30.20.20

access-list outside_11_cryptomap remark MHG

access-list outside_11_cryptomap extended permit ip 172.10.10.0 255.255.255.248 10.32.15.0 255.255.255.0

access-list outside_12_cryptomap remark Western Image Center

access-list outside_12_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 192.168.1.11

access-list outside_1_cryptomap extended permit ip host 10.65.71.37 10.50.50.0 255.255.255.0

access-list VPN extended permit ip host 10.65.71.37 172.10.10.0 255.255.255.248

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool Administrator 172.10.10.10-172.10.10.12 mask 255.255.255.248

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 3 10.65.71.35-10.65.71.40

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.65.71.37 172.10.10.2 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 108.38.217.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.10.10.0 255.255.255.248 inside

http 172.10.10.10 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 108.38.217.66

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 69.238.162.252

crypto map outside_map 2 set transform-set ESP-AES-256-MD5

crypto map outside_map 3 match address outside_cryptomap_3

crypto map outside_map 3 set peer 69.238.162.252

crypto map outside_map 3 set transform-set ESP-AES-256-MD5

crypto map outside_map 4 match address outside_cryptomap_4

crypto map outside_map 4 set peer 69.238.162.252

crypto map outside_map 4 set transform-set ESP-AES-256-MD5

crypto map outside_map 4 set nat-t-disable

crypto map outside_map 5 match address outside_cryptomap_5

crypto map outside_map 5 set peer 69.238.162.252

crypto map outside_map 5 set transform-set ESP-AES-256-MD5

crypto map outside_map 6 match address outside_cryptomap_6

crypto map outside_map 6 set peer 69.238.162.252

crypto map outside_map 6 set transform-set ESP-AES-256-MD5

crypto map outside_map 7 match address outside_7_cryptomap

crypto map outside_map 7 set peer 208.176.168.130

crypto map outside_map 7 set transform-set ESP-3DES-SHA

crypto map outside_map 8 match address outside_8_cryptomap

crypto map outside_map 8 set pfs group5

crypto map outside_map 8 set peer 206.210.160.11

crypto map outside_map 8 set transform-set ESP-AES-256-SHA

crypto map outside_map 9 match address outside_9_cryptomap

crypto map outside_map 9 set peer 67.115.139.21

crypto map outside_map 9 set transform-set ESP-3DES-SHA

crypto map outside_map 10 match address outside_10_cryptomap

crypto map outside_map 10 set peer 208.29.153.130

crypto map outside_map 10 set transform-set ESP-3DES-SHA

crypto map outside_map 11 match address outside_11_cryptomap

crypto map outside_map 11 set peer 206.190.85.99

crypto map outside_map 11 set transform-set ESP-AES-256-MD5

crypto map outside_map 12 match address outside_12_cryptomap

crypto map outside_map 12 set peer 205.147.21.68

crypto map outside_map 12 set transform-set ESP-AES-256-MD5

crypto map outside_map 17 match address outside_cryptomap_17

crypto map outside_map 17 set peer 69.238.162.252

crypto map outside_map 17 set transform-set ESP-AES-256-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 28800

crypto isakmp policy 50

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication pre-share

encryption aes-256

hash md5

group 5

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd auto_config outside

!

dhcpd address 172.10.10.2-172.10.10.6 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

group-policy Jarrod_Access internal

group-policy Jarrod_Access attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Jarrod_Access_splitTunnelAcl

username jarrod password 7F8IwrDULRQdo.vN encrypted privilege 15

username jarrod attributes

vpn-group-policy Jarrod_Access

tunnel-group 69.238.162.252 type ipsec-l2l

tunnel-group 69.238.162.252 ipsec-attributes

pre-shared-key *****

tunnel-group 208.176.168.130 type ipsec-l2l

tunnel-group 208.176.168.130 ipsec-attributes

pre-shared-key *****

isakmp keepalive disable

tunnel-group 206.210.160.11 type ipsec-l2l

tunnel-group 206.210.160.11 ipsec-attributes

pre-shared-key *****

tunnel-group 67.115.139.21 type ipsec-l2l

tunnel-group 67.115.139.21 ipsec-attributes

pre-shared-key *****

tunnel-group 208.29.153.130 type ipsec-l2l

tunnel-group 208.29.153.130 ipsec-attributes

pre-shared-key *****

isakmp keepalive disable

tunnel-group 206.190.85.99 type ipsec-l2l

tunnel-group 206.190.85.99 ipsec-attributes

pre-shared-key *****

tunnel-group 205.147.21.68 type ipsec-l2l

tunnel-group 205.147.21.68 ipsec-attributes

pre-shared-key *****

tunnel-group 108.38.217.66 type ipsec-l2l

tunnel-group 108.38.217.66 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:04f5be04989de8d5167b1b6f6a4b84ed

: end

Hall of Fame Super Silver

Re: ASA 5505 Static NAT issues

So, if you introduce the command you cited:

     static (inside,outside) 10.65.71.37 172.10.10.2 netmask 255.255.255.255

You are telling the ASA to translate real IP 172.10.10.2 to mapped IP 10.65.71.37 from the inside to the outside.

However your outside network also has a NAT pool defined in :

     global (outside) 3 10.65.71.35-10.65.71.40

which also includes that mapped IP. Per the Configuration Guide, it instructs:

"Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface"

So you need to change either the global (outside) 3 pool or pick a different mapped IP that does not overlap.
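The overlap check in the reply above can be automated. The script below is an added example for this thread, not code from the poster or from Cisco: it parses the pre-8.3 `global` and `static` statements (plus interface addresses, so `global (outside) 1 interface` resolves to the outside IP) and reports any static mapped address that falls inside a global pool on the same mapped interface. The sample configuration is constructed from the NAT lines in the posted config; the "fixed" variant, which shrinks pool 3 to 10.65.71.38-10.65.71.40, is an assumption illustrating one of the two options in the reply, not something the thread confirms.

```python
"""Flag ASA 8.2-style static NAT mapped IPs that overlap a global pool.

Added example, not from the thread. Handles the pre-8.3 syntax only:
  global (mapped_ifc) nat_id {first[-last] | interface}
  static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
Port-based statics (static ... tcp/udp ...) are ignored.
"""
import ipaddress
import re

# Constructed sample: the NAT lines and outside interface from the thread's config.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 108.38.217.68 255.255.255.0
global (outside) 3 10.65.71.35-10.65.71.40
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.65.71.37 172.10.10.2 netmask 255.255.255.255
"""

# Assumed fix (one of the two options in the reply): shrink pool 3 so it no
# longer contains the static mapped address. Constructed, not from the thread.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "10.65.71.35-10.65.71.40", "10.65.71.38-10.65.71.40")

GLOBAL_RE = re.compile(r"^global \((\S+)\) \d+ ([^\s-]+)(?:-(\S+))?")
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    r"(?: netmask (\S+))?")


def parse_interface_ips(config):
    """Map nameif -> interface IPv4 address, needed for 'global (ifc) n interface'."""
    ips, name, addr = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = addr = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            addr = line.split()[2]
        if name and addr:
            ips[name] = ipaddress.ip_address(addr)
    return ips


def parse_global_pools(config):
    """Return [(mapped_ifc, first_int, last_int)] for every global statement."""
    iface_ips = parse_interface_ips(config)
    pools = []
    for raw in config.splitlines():
        m = GLOBAL_RE.match(raw.strip())
        if not m:
            continue
        ifc, first, last = m.groups()
        if first == "interface":  # PAT to the interface's own address
            lo = hi = iface_ips[ifc]
        else:
            lo = ipaddress.ip_address(first)
            hi = ipaddress.ip_address(last or first)
        pools.append((ifc, int(lo), int(hi)))
    return pools


def find_static_global_overlaps(config):
    """List (mapped_ip, mapped_ifc, pool_range) for statics that sit inside a global pool."""
    pools = parse_global_pools(config)
    findings = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        _real_ifc, mapped_ifc, mapped_ip, _real_ip, mask = m.groups()
        # A netmask shorter than /32 makes this a network static; check its whole range.
        net = ipaddress.ip_network(f"{mapped_ip}/{mask or '255.255.255.255'}", strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        for ifc, p_lo, p_hi in pools:
            if ifc == mapped_ifc and lo <= p_hi and hi >= p_lo:
                pool = f"{ipaddress.ip_address(p_lo)}-{ipaddress.ip_address(p_hi)}"
                findings.append((mapped_ip, ifc, pool))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("pool shrunk", FIXED_CONFIG)):
        hits = find_static_global_overlaps(cfg)
        print(f"{label}: {hits if hits else 'no static/global overlap'}")
```

Run against the posted lines it reports 10.65.71.37 inside pool 10.65.71.35-10.65.71.40 on outside; against the shrunk pool it reports nothing. The same routine would catch a network static (netmask shorter than /32) whose range merely touches a pool, which a visual scan of the config tends to miss.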

Community Member

Re: ASA 5505 Static NAT issues

Thanks for the reply Marvin,

Let's say I remove both of those entries.

Which route would be best for my scenario?

From the client end, they are sending to 10.65.71.37, which establishes the tunnel, but from there I am unsure how to NAT it to my host 172.10.10.2 without causing the host to lose internet and breaking all the other VPN connections.

Hall of Fame Super Silver

Re: ASA 5505 Static NAT issues

If your clients are all at your sites, the cryptomap and nat0 ("nonat") access lists you already have would allow the 172.10.10.2 address to be reached without any NAT, i.e., via its true address.

You only need to introduce NAT if you either cannot (often because of dealing with customers or partners who cannot or will not accommodate your private IP addressing scheme) or don't want (perhaps for security) the distant end to know your true IP.

When you look at it at the ASA device level, the establishment of a VPN tunnel to your ASA's outside interface is distinct from what internal services (IP addresses plus ports and protocols) are allowed to travel over it.
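The last reply's point, that the crypto map ACLs and the nat0 ("nonat") list together decide whether 172.10.10.2 is reachable untranslated through the tunnels, can be checked mechanically. The script below is an added example for this thread, not code from the poster or from Cisco. It parses the 8.2-style `access-list ... extended permit ip` entries, finds the exemption list from `nat (inside) 0 access-list`, and reports every crypto map ACE that no nat0 ACE fully covers. With an identity exemption the real and mapped addresses coincide, so each crypto ACE's source and destination must sit inside some nat0 ACE. The sample configuration is constructed from lines in the posted config, with the nat0 entry for host 10.10.8.176 deliberately left out so the check has a gap to report.

```python
"""Report crypto map ACEs that have no covering nat 0 (NAT exemption) ACE.

Added example for ASA 8.2-style configs, not code from the thread. Only
'extended permit ip' entries are considered; remarks and other protocols are skipped.
"""
import ipaddress
import re

# Constructed sample: lines taken from the thread's config, minus the nat0 entry
# for host 10.10.8.176 (left out on purpose so the check has something to report).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.22
access-list inside_nat0_outbound extended permit ip host 172.10.10.2 host 206.210.161.13
access-list outside_2_cryptomap remark Holy Cross
access-list outside_2_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 10.2.61.22
access-list outside_8_cryptomap remark White Memorial
access-list outside_8_cryptomap extended permit ip host 172.10.10.2 host 206.210.161.13
access-list outside_9_cryptomap remark Washington
access-list outside_9_cryptomap extended permit ip 172.10.10.0 255.255.255.248 host 10.10.8.176
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 9 match address outside_9_cryptomap
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def take_address(tokens):
    """Consume one ACE address spec (host X | any | addr mask); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] for its 'extended permit ip' entries."""
    acls = {}
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        src, rest = take_address(m.group(2).split())
        dst, _ = take_address(rest)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def find_unexempted_vpn_traffic(config):
    """Return [(crypto_acl, src, dst)] for crypto ACEs that no nat0 ACE fully covers."""
    acls = parse_acls(config)
    nat0 = []
    for raw in config.splitlines():
        m = NAT0_RE.match(raw.strip())
        if m:
            nat0.extend(acls.get(m.group(2), []))
    gaps = []
    for raw in config.splitlines():
        m = CRYPTO_RE.match(raw.strip())
        if not m:
            continue
        for src, dst in acls.get(m.group(1), []):
            # Covered only if a single nat0 ACE contains both the source and the destination.
            if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0):
                gaps.append((m.group(1), str(src), str(dst)))
    return gaps


if __name__ == "__main__":
    for acl, src, dst in find_unexempted_vpn_traffic(SAMPLE_CONFIG):
        print(f"{acl}: {src} -> {dst} is selected for the tunnel but not exempted from NAT")
```

On the constructed sample it reports only outside_9_cryptomap (172.10.10.0/29 to 10.10.8.176/32); traffic matching that ACE would hit the dynamic `nat (inside) 1` rule, be PATed to the outside interface, and then no longer match the crypto ACL, which is the failure mode the reply is steering away from.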
