Cisco ASA 5505 NAT Problem
  • Cisco ASA 5505 NAT Problem

    Hello Everyone,

    I'm having some issues with my ASA 5505 that I've been trying to resolve for a few days and I cannot seem to figure out what I need to do. We created a new webserver and I am trying to configure a NAT Rule to forward all traffic from a specific outside interface IP address to that Box.

    We have 3 Interfaces
    Outside
    Inside
    DMZ

    The DMZ only has one server in it, whose IP address is 10.1.1.10 (our Webserver)

    Now when I use the Cisco ASDM Packet Tracer, it always gets hosed at the same location: the NAT.

    Here are the results of the Packet Trace
    Code:
    Type- NAT
    Subtype - rpf-check
    Action - Drop
    
    Config:
    
    nat (dmz) 1 10.1.1.10 255.255.255.255
    match ip dmz host 10.1.1.10 outside any
    dynamic translation to pool 1 (71.41.121.234 [Interface PAT])
    translation_hits = 348, untranslated_hits = 27

    Now what I am unaware of is whether the outside interface is the problem or not.
    Our ISP has given us 3 static IP addresses which are available to us. These IP addresses end in 234, 235 & 236. I am attempting to route ALL 236 traffic to the web server, but as I noticed in the Packet Trace the outside interface is set to 234. Does this matter?

  • #2
    Re: Cisco ASA 5505 NAT Problem

    Here is my Config File Part 1

    Code:
    Result of the command: "show running-config"
    
    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname MIS-ASA5505
    domain-name midwest-ins.local
    names
    name 192.168.1.20 CitrixServer
    name 192.168.1.100 Exchange
    name 192.168.1.102 MECC_Remote description MECC Remote
    name 192.168.1.52 CR_Server description FTP
    name 71.41.121.136 FTP_NAT description FTP
    name 192.168.1.110 CRServer_Web description Database
    name 192.168.1.169 Development description Web Development Box
    name 192.168.1.0 Internal_Network description Internal
    name 192.168.1.111 Docuserver description App Server
    !
    interface Vlan1
     description Internal LAN interface
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     description Outside interface to Brighthouse
     nameif outside
     security-level 0
     ip address 71.41.121.234 255.255.255.248
    !
    interface Vlan3
     nameif dmz
     security-level 50
     ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
     ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name midwest-ins.local
    same-security-traffic permit intra-interface
    object-group network Mecc-Remote
     network-object 10.168.222.0 255.255.254.0
    object-group network IMHS
     description IMHS Servers
     network-object 216.104.4.0 255.255.255.0
     network-object 216.99.131.0 255.255.255.0
    access-list outside_access_in extended permit tcp any interface outside eq www
    access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
    access-list outside_access_in extended permit tcp any host 71.41.121.235 eq smtp
    access-list outside_access_in extended permit tcp any host 71.41.121.235 eq www
    access-list outside_access_in extended permit tcp any host 71.41.121.235 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in extended permit tcp any eq 1022 host MECC_Remote eq 1022
    access-list outside_access_in extended permit tcp host 69.77.132.160 host 71.41.121.236 eq ftp
    access-list outside_access_in extended permit tcp host 69.77.132.160 host 71.41.121.236 eq ftp-data
    access-list outside_access_in extended permit tcp host 67.151.114.114 host 71.41.121.236 eq ftp
    access-list outside_access_in extended permit tcp host 67.151.114.114 host 71.41.121.236 eq ftp-data
    access-list outside_access_in extended permit tcp host 70.119.15.56 host 71.41.121.236 eq ftp
    access-list outside_access_in extended permit tcp host 70.119.15.56 host 71.41.121.236 eq ftp-data
    access-list outside_access_in extended permit tcp any host 71.41.121.236
    access-list outside_access_in extended permit ip any 10.1.1.0 255.255.255.0
    access-list citrix extended permit tcp any any eq citrix-ica
    access-list MISVPN_splitTunnelAcl standard permit Internal_Network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.224
    access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Internal_Network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0
    access-list outside_20_cryptomap_1 extended permit ip host 10.168.1.102 10.168.222.0 255.255.254.0
    access-list outside_cryptomap_20 extended permit ip host 10.168.1.102 object-group Mecc-Remote
    access-list VpnNat extended permit ip host MECC_Remote 10.168.222.0 255.255.254.0
    access-list VpnNat extended permit ip host MECC_Remote 10.168.222.0 255.255.255.0
    access-list VpnNat extended permit ip host MECC_Remote 10.168.223.0 255.255.255.0
    access-list MECCVPNNat extended permit ip host MECC_Remote 10.168.222.0 255.255.255.0
    access-list MECCVPNNat extended permit ip host MECC_Remote 10.168.223.0 255.255.255.0
    access-list dmz_access_out extended permit ip interface dmz host Exchange
    access-list dmz_access_out extended permit ip interface dmz host 192.168.1.53
    access-list dmz_access_out extended permit ip interface dmz host Docuserver
    access-list dmz_access_out extended permit ip interface dmz host CR_Server
    access-list dmz_access_out extended permit ip any any
    access-list dmz_access_out extended permit ip any Internal_Network 255.255.255.0 inactive
    access-list dmz_access_out extended permit ip any host Internal_Network inactive
    access-list acl_DMZ2Inside extended permit tcp Internal_Network 255.255.255.0 host 10.1.1.10
    access-list acl_DMZ2Inside extended permit tcp any any
    access-list dmz_access_in extended permit ip any Internal_Network 255.255.255.0
    access-list dmz_access_in extended permit ip any any

    • #3
      Re: Cisco ASA 5505 NAT Problem

      Config File Part 2
      Code:
      pager lines 24
      logging enable
      logging list Sys_Notifications level notifications class auth
      logging asdm debugging
      logging debug-trace
      logging ftp-bufferwrap
      logging ftp-server 67.76.121.34 ftp:\\[email protected] mdickerson ****
      logging class vpn asdm debugging
      logging class vpnfo asdm debugging
      mtu inside 1500
      mtu outside 1500
      mtu dmz 1500
      ip local pool MISVPN 192.168.1.125-192.168.1.150 mask 255.255.255.0
      ip verify reverse-path interface inside
      no failover
      monitor-interface inside
      monitor-interface outside
      monitor-interface dmz
      icmp unreachable rate-limit 1 burst-size 1
      asdm image disk0:/asdm-522.bin
      no asdm history enable
      arp timeout 14400
      global (inside) 1 MECC_Remote netmask 255.255.255.0
      global (outside) 1 interface
      global (outside) 2 10.168.1.102 netmask 255.255.255.255
      global (dmz) 1 10.1.1.10 netmask 255.255.255.255
      nat (inside) 0 access-list inside_nat0_outbound
      nat (inside) 2 10.0.0.0 255.0.0.0
      nat (inside) 1 0.0.0.0 0.0.0.0
      nat (dmz) 1 10.1.1.10 255.255.255.255
      static (inside,outside) tcp interface www CitrixServer www netmask 255.255.255.255
      static (inside,outside) tcp interface citrix-ica CitrixServer citrix-ica netmask 255.255.255.255
      static (inside,outside) 71.41.121.235 Exchange netmask 255.255.255.255
      static (inside,outside) 10.168.1.102 MECC_Remote netmask 255.255.255.255
      static (inside,dmz) Development Development netmask 255.255.255.255
      static (inside,dmz) Exchange Exchange netmask 255.255.255.255
      access-group outside_access_in in interface outside
      access-group dmz_access_in in interface dmz
      access-group dmz_access_out out interface dmz
      route outside 0.0.0.0 0.0.0.0 71.41.121.233 1
      route outside 10.168.222.0 255.255.255.0 12.110.198.5 255
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout uauth 0:05:00 absolute
      aaa-server IASVPN protocol radius
      aaa-server IASVPN host Exchange
       key VPNAuth2007&&
       radius-common-pw VPNAuth2007&&
      group-policy MISVPN internal
      group-policy MISVPN attributes
       wins-server value 192.168.1.100
       dns-server value 192.168.1.100
       vpn-tunnel-protocol IPSec
       ipsec-udp enable
       ipsec-udp-port 10000
       split-tunnel-policy tunnelspecified
       split-tunnel-network-list value MISVPN_splitTunnelAcl
      group-policy MeccVNpnPolicy internal
      group-policy MeccVNpnPolicy attributes
       wins-server none
       dns-server none
       dhcp-network-scope none
       vpn-tunnel-protocol IPSec l2tp-ipsec
       pfs enable
       ipsec-udp enable
       ipsec-udp-port 10000
      username maxis password v3XYxWfWka/4TOdz encrypted privilege 15
      username mssql password hqylhkKi6z739M/f encrypted privilege 0
      aaa authentication enable console LOCAL
      aaa authentication http console LOCAL
      aaa authentication serial console LOCAL
      aaa authentication ssh console LOCAL
      aaa authentication telnet console LOCAL
      http server enable
      http 67.76.121.34 255.255.255.255 outside
      http 67.78.176.213 255.255.255.255 outside
      http 63.139.255.2 255.255.255.255 outside
      http Internal_Network 255.255.255.0 inside
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
      crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
      crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
      crypto dynamic-map outside_dyn_map 20 set pfs
      crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
      crypto map outside_map 20 match address outside_cryptomap_20
      crypto map outside_map 20 set pfs
      crypto map outside_map 20 set peer 12.110.198.5
      crypto map outside_map 20 set transform-set ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA
      crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
      crypto map outside_map interface outside
      crypto isakmp enable outside
      crypto isakmp policy 10
       authentication pre-share
       encryption 3des
       hash sha
       group 2
       lifetime 86400
      crypto isakmp policy 20
       authentication pre-share
       encryption 3des
       hash sha
       group 2
       lifetime 28800
      tunnel-group MISVPN type ipsec-ra
      tunnel-group MISVPN general-attributes
       address-pool MISVPN
       authentication-server-group IASVPN LOCAL
       default-group-policy MISVPN
      tunnel-group MISVPN ipsec-attributes
       pre-shared-key *
      tunnel-group 12.110.198.5 type ipsec-l2l
      tunnel-group 12.110.198.5 general-attributes
       default-group-policy MeccVNpnPolicy
      tunnel-group 12.110.198.5 ipsec-attributes
       pre-shared-key *
      no vpn-addr-assign aaa
      no vpn-addr-assign dhcp
      telnet Internal_Network 255.255.255.0 inside
      telnet timeout 5
      ssh 192.168.1.1 255.255.255.255 inside
      ssh 67.78.176.213 255.255.255.255 outside
      ssh 63.139.255.2 255.255.255.255 outside
      ssh 67.76.121.34 255.255.255.255 outside
      ssh timeout 5
      console timeout 0
      dhcpd auto_config outside
      !
      dhcpd address 192.168.1.2-192.168.1.254 inside
      !
      
      priority-queue inside
      priority-queue outside
      priority-queue dmz
      !
      class-map citrix
       match access-list citrix
      class-map inspection_default
       match default-inspection-traffic
      !
      !
      policy-map type inspect dns preset_dns_map
       parameters
        message-length maximum 512
      policy-map global_policy
       class inspection_default
        inspect dns preset_dns_map
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect rsh
        inspect rtsp
        inspect esmtp
        inspect sqlnet
        inspect skinny
        inspect sunrpc
        inspect xdmcp
        inspect sip
        inspect netbios
        inspect tftp
        inspect pptp
      policy-map citrixpolicy
       class citrix
        priority
      !
      service-policy global_policy global
      service-policy citrixpolicy interface outside
      tftp-server inside Exchange C:\TFTP_Root
      prompt hostname context
      : end

      • #4
        Re: Cisco ASA 5505 NAT Problem

        Ok, give this a try:

        Code:
        static (dmz,outside) 71.*.*.236 10.1.1.10 netmask 255.255.255.255
        
        access-list outside_access_in permit tcp any host 71.*.*.236 eq www

        CCNA, Network+
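As an added illustration (not code from this thread or from Cisco), here is a small Python model of the pre-8.3 NAT lookup that Packet Tracer runs on an inbound flow; it shows why the original `nat (dmz) 1` plus `global (outside) 1 interface` pair ends in an rpf-check drop while the suggested `static (dmz,outside)` passes. It assumes the simplified precedence rule statics-before-dynamic and treats rpf-check as "translating the reverse flow must reproduce the packet's original destination"; the interface addresses and the full .236 address are taken from the posted config.

```python
# Teaching model of the pre-8.3 ASA NAT lookup Packet Tracer applies to an
# inbound flow; written for this thread, not Cisco code. Config lines are
# taken from the posts above.
import ipaddress as ipa

# Interface addresses from the posted running-config.
INTERFACES = {"outside": ipa.ip_interface("71.41.121.234/29"),
              "dmz": ipa.ip_interface("10.1.1.1/24")}

def parse_nat(lines):
    """Collect static / nat / global statements into one lookup table."""
    table = {"static": [], "nat": {}, "global": {}}
    for f in (line.split() for line in lines):
        if f[0] == "static":   # static (real_if,mapped_if) mapped real netmask ...
            real_if, mapped_if = f[1].strip("()").split(",")
            table["static"].append((real_if, mapped_if, ipa.ip_address(f[2]),
                                    ipa.ip_address(f[3])))
        elif f[0] == "nat" and f[2] != "0":   # nat (real_if) id net mask
            table["nat"][(f[1].strip("()"), f[2])] = ipa.ip_network(f"{f[3]}/{f[4]}", strict=False)
        elif f[0] == "global":   # global (mapped_if) id interface|addr
            m_if = f[1].strip("()")
            table["global"][(m_if, f[2])] = (INTERFACES[m_if].ip if f[3] == "interface"
                                             else ipa.ip_address(f[3]))
    return table

def forward_mapping(table, real_if, mapped_if, real):
    """Address the real host would be translated to when it sends towards mapped_if."""
    for r_if, m_if, mapped, r in table["static"]:          # statics take precedence
        if (r_if, m_if, r) == (real_if, mapped_if, real):
            return mapped
    for (n_if, nat_id), net in table["nat"].items():       # then dynamic NAT / PAT
        if n_if == real_if and real in net and (mapped_if, nat_id) in table["global"]:
            return table["global"][(mapped_if, nat_id)]
    return None

def trace_inbound(table, in_if, dst):
    """Return ('translate', real) or ('drop', reason) for a packet arriving on in_if."""
    dst = ipa.ip_address(dst)
    # Un-NAT the destination through a matching static; otherwise it is already real.
    real = next((r for r_if, m_if, m, r in table["static"] if m_if == in_if and m == dst), dst)
    real_if = next((n for n, itf in INTERFACES.items() if real in itf.network), None)
    if real_if in (None, in_if):
        return ("drop", "no-route")
    # rpf-check: translating the reverse flow must give back the packet's original dst.
    if forward_mapping(table, real_if, in_if, real) != dst:
        return ("drop", "rpf-check")
    return ("translate", str(real))

ORIGINAL = ["nat (dmz) 1 10.1.1.10 255.255.255.255", "global (outside) 1 interface"]
FIXED = ORIGINAL + ["static (dmz,outside) 71.41.121.236 10.1.1.10 netmask 255.255.255.255"]
```

Note that tracing to the real address 10.1.1.10 still fails rpf-check even with the static in place: once a static exists, Packet Tracer has to be given the mapped address 71.41.121.236.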
