Cisco ASA 5520 NAT Problem

  • Cisco ASA 5520 NAT Problem

    Hi All,

    This is my first post here and I hope you can help me with my NAT issue.

    Basically this is what I'm trying to achieve.

    Internet ISP (202.6.78.x) <---> ASA 5520 <---> Web Servers (192.168.30.x)

    Example IP Range: 202.6.78.109-120
    Gateway: 202.6.78.65

    NAT
    202.6.78.109 --> 192.168.30.9
    202.6.78.117 --> 192.168.30.17
    202.6.78.120 --> 192.168.30.20
    ...
    ...


    I have been setting up ASA NAT for a few sites and the following configuration should work, but somehow it's not working this time. Another weird thing is that the inside client 192.168.30.20 is working fine, but it's not working for my other clients, which are configured as 192.168.30.9 and 192.168.30.17.

    On 192.168.30.20, I can access the internet without problem, but not on the other two.

    Below is my configuration; please help check if there is something I missed out.

    ASA Version 8.0(2)
    !
    hostname myciscoasa
    enable password AggPsRgYt7YGhPbN encrypted
    names
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 202.6.78.113 255.255.255.192
    !
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 192.168.30.13 255.255.255.0
    !
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OutsideAccessIn extended permit icmp any any
    access-list OutsideAccessIn extended permit tcp any any eq domain
    access-list OutsideAccessIn extended permit udp any any eq domain
    access-list OutsideAccessIn extended permit tcp any any eq www
    access-list OutsideAccessIn extended permit tcp any any eq https
    access-list InsideAccessOut extended permit icmp any any
    access-list InsideAccessOut extended permit tcp any any eq domain
    access-list InsideAccessOut extended permit udp any any eq domain
    access-list InsideAccessOut extended permit tcp any any eq www
    access-list InsideAccessOut extended permit tcp any any eq https
    pager lines 24
    logging enable
    logging buffer-size 1048576
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    static (inside,outside) 202.6.78.120 192.168.30.20 netmask 255.255.255.255
    static (inside,outside) 202.6.78.109 192.168.30.9 netmask 255.255.255.255
    static (inside,outside) 202.6.78.117 192.168.30.17 netmask 255.255.255.255
    access-group OutsideAccessIn in interface outside
    access-group InsideAccessOut in interface inside
    route outside 0.0.0.0 0.0.0.0 202.6.78.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7c9459abf9536cbae7bf520391cec97d

    On my inside client I have set up as below:
    IP Address: 192.168.30.20
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.30.13

    This works properly for my x.20 web server but not for my x.17 and x.9...

    Could someone help to enlighten me? Thank You.

  • #2
    Re: Cisco ASA 5520 NAT Problem

    Post these outputs:

    sh xlate
    sh xlate detail

    On older PIX models, sometimes when you added a static NAT statement you had to clear the translation table before the new statement would work.

    clear xlate

    Also, are all of those boxes web servers? If so, you may want to add port numbers to your static translations for each static NAT statement.

    static (inside,outside) tcp 202.6.78.120 www 192.168.30.20 www netmask 255.255.255.255

    Last edited by auglan; 25th April 2010, 21:40.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: Cisco ASA 5520 NAT Problem

      Hi auglan, thanks for your reply. Below are the xlate details:

      NAT from inside:192.168.30.20 to outside:202.9.78.120 flags s
      NAT from inside:192.168.30.9 to outside:202.9.78.109 flags s
      NAT from inside:192.168.30.17 to outside:202.9.78.117 flags s

      All seems to be in the correct order, but x.20 still cannot access the internet...

      I have tried the clear xlate command, but it is still not working...

      • #4
        Re: Cisco ASA 5520 NAT Problem

        Hmm, the static NAT statements in the config show 202.6.78 but the ones you just posted show 202.9.78.X. Is this a typo?
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

        • #5
          Re: Cisco ASA 5520 NAT Problem

          Originally posted by auglan:
          Hmm the static nat statements in the config show 202.6.78 but the ones you just posted show 202.9.78.X. Is this a typo?
          Oops, typo error... sorry, I was using find and replace. It should be 202.9.78.x.
          Last edited by gunblade83; 27th April 2010, 03:24.

          • #6
            Re: Cisco ASA 5520 NAT Problem

            Can you ping these (192.168.30.9 and 192.168.30.17) from the ASA?
            CCNA, Network+

            • #7
              Re: Cisco ASA 5520 NAT Problem

              Well, the next thing I would do is add the log command to your ACLs. See what the output tells you. Also, I would remove that internal ACL just to do some testing. It looks like the translation is working, so that would be my next step.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)
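As an added example (not from the original post or from auglan's replies), here is what post #2's port-restricted statics look like for all three web servers, together with the ACL logging suggested in post #7 and the checks I would run afterwards on an 8.0(2) box; the 203.0.113.10 test address is constructed for packet-tracer only.

```cisco
! Added example for this thread, not from the original posts: post #2's
! port-restricted statics for all three web servers, post #7's ACL logging,
! and the checks to run afterwards. Addresses are the thread's own except
! 203.0.113.10, a constructed test host used only in packet-tracer.
!
! 1) Port-restricted statics (TCP/80 and TCP/443 only) instead of one-to-one
no static (inside,outside) 202.6.78.109 192.168.30.9 netmask 255.255.255.255
no static (inside,outside) 202.6.78.117 192.168.30.17 netmask 255.255.255.255
no static (inside,outside) 202.6.78.120 192.168.30.20 netmask 255.255.255.255
static (inside,outside) tcp 202.6.78.109 www 192.168.30.9 www netmask 255.255.255.255
static (inside,outside) tcp 202.6.78.109 https 192.168.30.9 https netmask 255.255.255.255
static (inside,outside) tcp 202.6.78.117 www 192.168.30.17 www netmask 255.255.255.255
static (inside,outside) tcp 202.6.78.117 https 192.168.30.17 https netmask 255.255.255.255
static (inside,outside) tcp 202.6.78.120 www 192.168.30.20 www netmask 255.255.255.255
static (inside,outside) tcp 202.6.78.120 https 192.168.30.20 https netmask 255.255.255.255
! A port static only translates that one port, so the servers still need a
! dynamic PAT of their own to reach the internet (DNS, updates, etc.)
nat (inside) 1 192.168.30.0 255.255.255.0
global (outside) 1 interface
!
! 2) Log ACL matches: re-enter each ACE with 'log' (or remove and re-add it);
!    every match then writes syslog 106100 into the buffer (logging buffered debugging)
access-list OutsideAccessIn extended permit tcp any any eq www log
access-list OutsideAccessIn extended permit tcp any any eq https log
access-list InsideAccessOut extended permit tcp any any eq www log
access-list InsideAccessOut extended permit tcp any any eq https log
!
! 3) Checks from enable mode after the change
clear xlate
show xlate detail
show access-list OutsideAccessIn
show logging | include 106100
! packet-tracer walks one simulated flow through ACL, NAT and route lookup and
! names the phase that drops it: one outbound flow from .9, one inbound to .109
packet-tracer input inside tcp 192.168.30.9 1025 203.0.113.10 80
packet-tracer input outside tcp 203.0.113.10 1025 202.6.78.109 80
```

If packet-tracer shows both flows allowed on the ASA while the hosts still cannot reach the internet, the problem is outside the firewall's ACL/NAT path rather than in this config.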

              • #8
                Re: Cisco ASA 5520 NAT Problem

                Hi Daze > Yes, I can ping each client from the firewall itself and the clients can ping the firewall inside interface, but they are not able to access the internet... weird...

                auglan > Ya, I will enable the logging and will paste it later on... hopefully we can dig something out... it's driving me crazy~
