ASA5510 NAT problems

    Welcome,

    We replaced the old Cisco router with a Cisco ASA5510. We cannot solve the NAT problem in any way. Internet access only works from two LAN IP addresses (172.30.16.230, the domain controller, and the proxy, 172.30.16.253). From sh xlate it can be seen that the ASA is NATing only two LAN addresses to two real IP addresses. Maybe someone has ideas why this is?

    Network diagram:



    Configuration:

    ================================
    !
    hostname ciscoasa
    domain-name xxxx.xxx
    names
    !
    interface Ethernet0/0
    nameif WAN
    security-level 0
    ip address xx.xx.66.18 255.255.255.248
    !
    interface Ethernet0/1
    nameif LAN
    security-level 99
    ip address 192.168.200.254 255.255.255.0
    !
    interface Ethernet0/2
    nameif WWW
    security-level 50
    ip address 192.168.1.254 255.255.255.0
    !
    interface Ethernet0/3
    description DMZ-MAIL
    nameif MAIL
    security-level 49
    ip address 192.168.4.254 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone EET 2
    dns server-group DefaultDNS
    domain-name xxxx.xxx
    object-group service DM_INLINE_SERVICE_1
    service-object tcp eq domain
    service-object udp eq domain
    service-object tcp eq www
    service-object tcp eq https
    service-object tcp eq smtp
    service-object icmp
    service-object icmp echo
    service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_2
    service-object tcp eq domain
    service-object udp eq domain
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_1
    network-object host xx.xx.81.19
    network-object host xx.xx.81.20
    access-list LAN_nat0_out extended permit ip 172.30.16.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list LAN_nat0_out extended permit ip 172.30.16.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list MAIL_nat0_out extended permit ip 192.168.4.0 255.255.255.0 172.30.16.0 255.255.255.0
    access-list MAIL_nat0_out extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
    access-list WAN_access_in extended permit tcp any host xx.xx.66.19 eq www
    access-list WAN_access_in extended permit tcp any host xx.xx.66.20 object-group DM_INLINE_TCP_1
    access-list WAN_access_in extended permit tcp any host xx.xx.66.20 gt 10000
    access-list MAIL_access_in extended permit ip 192.168.4.0 255.255.255.0 172.30.16.0 255.255.255.0
    access-list MAIL_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.4.0 255.255.255.0 any inactive
    access-list MAIL_access_in extended permit ip any any
    access-list WWW_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.30.16.0 255.255.255.0
    access-list WWW_access_in extended permit ip host 192.168.1.1 host 172.30.16.207
    access-list WWW_access_in extended permit object-group DM_INLINE_SERVICE_2 host 192.168.1.1 host 172.30.16.230
    access-list WWW_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap debugging
    logging asdm informational
    mtu WAN 1500
    mtu LAN 1500
    mtu WWW 1500
    mtu MAIL 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any WAN
    icmp permit any LAN
    icmp permit any WWW
    icmp permit any MAIL
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (WAN) 101 xx.xx.66.21-xx.xx.66.22 netmask 255.255.255.248
    global (WWW) 101 xx.xx.66.19 netmask 255.255.255.248
    global (MAIL) 101 xx.xx.66.20 netmask 255.255.255.248
    nat (LAN) 0 access-list LAN_nat0_out
    nat (LAN) 101 0.0.0.0 0.0.0.0
    nat (WWW) 0 access-list WWW_nat0_outbound_1
    nat (WWW) 0 access-list WWW_nat0_outbound outside
    nat (MAIL) 0 access-list MAIL_nat0_out
    nat (MAIL) 101 192.168.4.3 255.255.255.255
    static (LAN,WAN) tcp interface www 172.30.16.231 www netmask 255.255.255.255
    static (LAN,WAN) tcp interface ftp 172.30.16.231 ftp netmask 255.255.255.255
    static (LAN,WAN) tcp interface 8080 172.30.16.217 8080 netmask 255.255.255.255
    static (MAIL,WAN) tcp xx.xx.66.20 smtp 192.168.4.3 smtp netmask 255.255.255.255
    static (WWW,WAN) xx.xx.66.19 192.168.1.1 netmask 255.255.255.255
    static (MAIL,WAN) xx.xx.66.20 192.168.4.1 netmask 255.255.255.255
    access-group WAN_access_in in interface WAN
    access-group WWW_access_in in interface WWW
    access-group MAIL_access_in in interface MAIL
    route WAN 0.0.0.0 0.0.0.0 xx.xx.66.17 1
    route LAN 172.30.16.0 255.255.255.0 192.168.200.254 1
    route LAN 192.168.101.0 255.255.255.0 192.168.200.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 15
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect icmp error
    !
    service-policy global_policy global
    prompt hostname context
    : end
    ================================

    ciscoasa# sh xlate
    8 in use, 9 most used
    PAT Global xx.xx.66.20(25) Local 192.168.4.3(25)
    Global xx.xx.66.19 Local 192.168.1.1
    Global xx.xx.66.20 Local 192.168.4.1
    PAT Global xx.xx.66.18(80) Local 172.30.16.231(80)
    PAT Global xx.xx.66.18(21) Local 172.30.16.231(21)
    PAT Global xx.xx.66.18(8080) Local 172.30.16.217(8080)
    Global xx.xx.66.21 Local 172.30.16.253
    Global xx.xx.66.22 Local 172.30.16.230

#2 Re: ASA5510 NAT problems

    problem solved:

    global (WAN) 101 xx.xx.66.21 netmask 255.255.255.248
    global (WAN) 102 xx.xx.66.22 netmask 255.255.255.248
    global (WAN) 103 xx.xx.66.19 netmask 255.255.255.248
    global (WAN) 104 xx.xx.66.20 netmask 255.255.255.248
    nat (LAN) 0 access-list LAN_nat0_out
    nat (LAN) 101 172.30.16.0 255.255.255.0
    nat (LAN) 102 192.168.101.0 255.255.255.0
    nat (WWW) 0 access-list WWW_nat0_outbound_1
    nat (WWW) 0 access-list WWW_nat0_outbound outside
    nat (WWW) 103 192.168.1.1 255.255.255.255
    nat (MAIL) 0 access-list MAIL_nat0_out
    nat (MAIL) 104 192.168.4.3 255.255.255.255
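
Why only two LAN hosts got an xlate under the first post's config, and why post #2's single-address globals fix it, modelled in Python. This is an added example, not the poster's or Cisco's code; it assumes pre-8.3 ASA semantics (a global with an address range is one-to-one dynamic NAT, a single address is PAT), ignores xlate timeouts and the static rules, and uses 203.0.113.x in place of the masked xx.xx.66.x addresses.

```python
# Constructed model of pre-8.3 ASA "global"/"nat" pool allocation (not ASA code):
# a global with an address range is one-to-one dynamic NAT, consuming one global
# address per inside host; a single-address global is PAT, shared by all hosts.
# Documentation prefix 203.0.113.0/24 stands in for the thread's xx.xx.66.x.
import ipaddress

class AsaNatModel:
    def __init__(self):
        self.pools = {}  # nat-id -> (global addresses, is_pat)
        self.rules = []  # (inside interface, nat-id, inside network)
        self.xlate = {}  # local ip -> global ip, what "sh xlate" would list

    def add_global(self, nat_id, first, last=None):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last or first))
        addrs = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.pools[nat_id] = (addrs, last is None)

    def add_nat(self, iface, nat_id, network):
        self.rules.append((iface, nat_id, ipaddress.ip_network(network)))

    def translate(self, iface, local):
        # Global address for local, or None: no matching rule or dynamic pool exhausted.
        if local in self.xlate:
            return self.xlate[local]
        for rule_iface, nat_id, net in self.rules:
            if rule_iface == iface and ipaddress.ip_address(local) in net:
                addrs, is_pat = self.pools[nat_id]
                free = addrs[:1] if is_pat else [a for a in addrs if a not in self.xlate.values()]
                if not free:
                    return None  # dynamic pool exhausted: the thread's third LAN host gets no xlate
                self.xlate[local] = free[0]  # PAT: every host shares addrs[0], port-multiplexed
                return free[0]
        return None

def original_config():
    m = AsaNatModel()
    m.add_global(101, "203.0.113.21", "203.0.113.22")  # two-address range = dynamic NAT
    m.add_nat("LAN", 101, "0.0.0.0/0")
    return m

def fixed_config():
    m = AsaNatModel()
    m.add_global(101, "203.0.113.21")  # single address = PAT
    m.add_global(102, "203.0.113.22")
    m.add_nat("LAN", 101, "172.30.16.0/24")
    m.add_nat("LAN", 102, "192.168.101.0/24")
    return m
```

With the original pool, the first two LAN hosts take both global addresses and every later host gets no translation, exactly the two-entry picture in the poster's sh xlate; with PAT, all of 172.30.16.0/24 shares one address.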
