Nat Issues
  • Nat Issues

    Hi,

    I am new to these boards. I am having a difficult time configuring a Cisco ASA 5505, and the device just doesn't seem to NAT properly.

    I am trying to NAT 216.55.177.10 to 192.168.0.2, which is one of the IPs the hosting provider gave us, for Remote Desktop to a server that is online; no luck so far. Running config below. What did I do wrong?

    ASA Version 7.2(4)
    !
    hostname pre-customer
    domain-name dedicated.codero.com
    enable password F/rxnjYRSZ9YMIxP encrypted
    passwd AbnzOIchvQ3Xj3ta encrypted
    names
    !
    interface Vlan1
    nameif outside
    security-level 15
    ip address 216.55.177.108 255.255.255.0
    !
    interface Vlan2
    nameif inside
    security-level 15
    ip address 192.168.0.1 255.255.255.0
    !
    interface Vlan100
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Ethernet0/2
    switchport access vlan 2
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    banner exec +++++++++++++++++++++++++++++++
    banner exec Unauthorized Access Prohibited!
    banner exec Violators will be prosecuted!
    banner exec +++++++++++++++++++++++++++++++
    banner exec +++++++++++++++++++++++++++++++
    banner exec Unauthorized Access Prohibited!
    banner exec Violators will be prosecuted!
    banner exec +++++++++++++++++++++++++++++++
    banner exec All access to this device is monitored and controlled by RealAbility
    banner login +++++++++++++++++++++++++++++++
    banner login Unauthorized Access Prohibited!
    banner login Violators will be prosecuted!
    banner login +++++++++++++++++++++++++++++++
    banner login +++++++++++++++++++++++++++++++
    banner login Unauthorized Access Prohibited!
    banner login Violators will be prosecuted!
    banner login +++++++++++++++++++++++++++++++
    banner login Welcome to RealAbility Secure Firewall
    banner motd You have reached a secure network, all unauthorized access prohibited!
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 207.154.64.10
    domain-name dedicated.codero.com
    same-security-traffic permit inter-interface
    access-list 100 remark Allow ICMP echo from monitoring server
    access-list 100 extended permit icmp host 216.55.128.20 any echo
    access-list 100 extended permit icmp host 216.55.128.25 any echo
    access-list 100 extended permit icmp host 69.64.66.2 any echo
    access-list 100 extended permit icmp any any echo
    access-list 100 extended permit icmp any any echo-reply
    access-list 100 extended permit icmp any any unreachable
    access-list 100 remark Allow ICMP echo from monitoring server
    access-list inside extended permit icmp any any
    access-list OUTBOUND extended permit icmp any any
    access-list any extended permit ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging buffered critical
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    nat (inside) 1 192.168.0.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 216.55.177.10 192.168.0.2 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 216.55.177.1 1
    route outside 216.55.177.8 216.55.177.9 216.55.177.108 1
    route outside 216.55.177.9 255.255.255.255 216.55.177.108 1
    route outside 216.55.177.9 255.255.255.255 216.55.177.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    aaa local authentication attempts max-fail 3
    http server enable 8443
    http 216.55.177.108 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server community notpublic
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec transform-set RAGlen esp-3des esp-md5-hmac
    crypto map RealCrypto2 1 set peer 192.168.16.55
    crypto map RealCrypto2 1 set transform-set RAGlen
    crypto map RealCrypto2 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    telnet timeout 5
    ssh 205.254.247.228 255.255.255.255 outside
    ssh 69.64.66.2 255.255.255.255 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 30
    management-access outside

    ntp server 216.55.128.254 source outside
    tftp-server inside 192.168.0.250 /
    username admin1 password BrlDzGOa49QP9ft/ encrypted privilege 15
    tunnel-group 205.254.247.228 type ipsec-l2l
    tunnel-group 205.254.247.228 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:01010056d6896687c6e775c71dc2df19
    : end

  • #2
    Re: Nat Issues

    access-list outside_in extended permit tcp any host 216.55.177.10 eq 3389 (or whatever port you're using)

    Apply the ACL

    access-group outside_in in interface outside

    Remember there is an implicit deny at the end of every ACL.

    Traffic is matched against the ACL first; then, if allowed, it will be NATed.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Nat Issues

      Originally posted by auglan:
      access-list outside_in extended permit tcp any host 216.55.177.10 eq 3389 (or whatever port you're using)

      Apply the ACL

      access-group outside_in in interface outside

      Remember there is an implicit deny at the end of every ACL.

      Traffic is matched against the ACL first; then, if allowed, it will be NATed.
      Thanks; however, it still doesn't work. Here is my ACL output.

      access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
      alert-interval 300
      access-list 100; 6 elements
      access-list 100 line 1 remark Allow ICMP echo from monitoring server
      access-list 100 line 2 extended permit icmp host 216.55.128.20 any echo (hitcnt=0) 0x3b3c6be6
      access-list 100 line 3 extended permit icmp host 216.55.128.25 any echo (hitcnt=0) 0xe7861f46
      access-list 100 line 4 extended permit icmp host 69.64.66.2 any echo (hitcnt=0) 0x13a4f613
      access-list 100 line 5 extended permit icmp any any echo (hitcnt=0) 0x2f74e28f
      access-list 100 line 6 extended permit icmp any any echo-reply (hitcnt=0) 0xbb6d8b8e
      access-list 100 line 7 extended permit icmp any any unreachable (hitcnt=0) 0x9322728c
      access-list 100 line 8 remark Allow ICMP echo from monitoring server
      access-list inside; 1 elements
      access-list inside line 1 extended permit icmp any any (hitcnt=0) 0x55873f33
      access-list OUTBOUND; 1 elements
      access-list OUTBOUND line 1 extended permit icmp any any (hitcnt=0) 0x47bcb148
      access-list any; 1 elements
      access-list any line 1 extended permit ip any any (hitcnt=0) 0x3665073d
      access-list outside_in; 1 elements
      access-list outside_in line 1 extended permit tcp any host 216.55.177.10 eq 3389 (hitcnt=0) 0xa7bfafb8

      NAT output; any suggestions?

      NAT policies on Interface inside:
      match ip inside host 192.168.0.2 outside any
      static translation to 216.55.177.10
      translate_hits = 79, untranslate_hits = 0
      match ip inside 192.168.0.0 255.255.255.0 outside any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 350, untranslate_hits = 0
      match ip inside 192.168.0.0 255.255.255.0 inside any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 0, untranslate_hits = 0
      match ip inside any outside any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 0, untranslate_hits = 0
      match ip inside any inside any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 0, untranslate_hits = 0



      • #4
        Re: Nat Issues

        Are you sure that IP is assigned to you? Also, I see access-list 100, but I don't see where it is being applied.
        Last edited by auglan; 26th June 2010, 21:23.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Nat Issues

          Thanks. As far as I know, these IPs are assigned to us. The access-list 100 might have been the default the hosting provider set up.



          • #6
            Re: Nat Issues

            I would make sure that it is. Also, is there a WAN router upstream from the ASA? If so, I would check to see if there is a route for that address pointing to your ASA. The static translation is working from 192.168.0.2 going outbound:

            match ip inside host 192.168.0.2 outside any
            static translation to 216.55.177.10
            translate_hits = 79, untranslate_hits = 0
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
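The two checks the replies above describe, defined ACLs that no access-group binds (post #4) and a static xlate whose untranslate_hits stays at 0 (post #6), can be pulled out of the pasted running config and "show nat" output mechanically. This is an added example, not code from the thread or from Cisco; the sample text is a constructed condensation of what the original poster pasted, and the access-group line is the one suggested in post #2.

```python
import re

# Constructed sample condensed from the config and "show nat" output pasted
# in this thread (not a full running config).
RUNNING_CONFIG = """\
access-list 100 remark Allow ICMP echo from monitoring server
access-list 100 extended permit icmp any any echo
access-list inside extended permit icmp any any
access-list OUTBOUND extended permit icmp any any
access-list any extended permit ip any any
access-list outside_in extended permit tcp any host 216.55.177.10 eq 3389
static (inside,outside) 216.55.177.10 192.168.0.2 netmask 255.255.255.255
"""

SHOW_NAT = """\
match ip inside host 192.168.0.2 outside any
static translation to 216.55.177.10
translate_hits = 79, untranslate_hits = 0
match ip inside 192.168.0.0 255.255.255.0 outside any
dynamic translation to pool 1 (No matching global)
translate_hits = 350, untranslate_hits = 0
"""


def unapplied_acls(config):
    """Names that appear in access-list lines but are never bound by access-group."""
    defined = set(re.findall(r"^access-list (\S+) (?:remark|extended) ", config, re.M))
    applied = set(re.findall(r"^access-group (\S+) ", config, re.M))
    return sorted(defined - applied)


def statics_without_inbound_hits(show_nat):
    """Public IPs of static xlates whose untranslate_hits is 0 (no inbound flow ever used them)."""
    found = []
    lines = show_nat.splitlines()
    for i, line in enumerate(lines[:-1]):
        static = re.match(r"\s*static translation to (\S+)$", line)
        hits = re.search(r"untranslate_hits = (\d+)", lines[i + 1])
        if static and hits and int(hits.group(1)) == 0:
            found.append(static.group(1))
    return found


def diagnose(config, show_nat):
    """Human-readable findings; an empty list means neither check fired."""
    findings = [f"ACL {n} is defined but never applied with access-group" for n in unapplied_acls(config)]
    for ip in statics_without_inbound_hits(show_nat):
        findings.append(f"static for {ip}: untranslate_hits = 0, no inbound packet has matched it "
                        "(check the upstream route for the address and the outside ACL)")
    return findings
```

Run `diagnose(RUNNING_CONFIG, SHOW_NAT)` against your own `show running-config` and `show nat` text; the outbound translate_hits being non-zero while untranslate_hits stays 0 is exactly the pattern post #6 points at.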
