Cisco asa nat issue
  • Cisco asa nat issue

    Hi folks, I was hoping someone on these forums might be able to help. I have a bit of an issue with a config for our ASA5510; it's running 8.2(1).

    I have setup a VPN tunnel to an offsite vyatta firewall. The tunnel is up.

    ABN-FW3-CISCO-ASA5510# show crypto ipsec sa
    interface: outside
    Crypto map tag: VPN_Zettagrid_Map, seq num: 10, local addr: 116.212.X.X
    access-list VPN_cryptomap permit ip 192.9.0.0 255.255.0.0 192.168.11.0 255.255.255.0
    local ident (addr/mask/prot/port): (192.9.0.0/255.255.0.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
    current_peer: 119.252.X.X
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0
    local crypto endpt.: 116.212.X.X, remote crypto endpt.: 119.252.X.X
    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 670F3BF5

    Now I can pass information from the vyatta 119.252.X.X to our internal networks (192.9.0.0/16) (yeah, I know these are a public range, but this is the environment I have inherited; I am underway with a project to put private network addresses in place, but it's not finished quite yet).

    The problem seems to be passing info from the ASA to the internal network behind the vyatta - 192.168.11.0/24.

    When I check my syslog I get the following error: (this example was an attempted mstsc connection)
    : Inbound TCP connection denied from 192.9.216.190/60660 to 192.168.11.101/3389 flags SYN on interface inside

    Now I'm guessing this SYN message means that the ASA is attempting to NAT my outgoing packets, which is strange because I have set up a nonat rule:

    But when I do a show nat this is the result:

    ABN-FW3-CISCO-ASA5510# show nat inside
    match ip inside 192.9.0.0 255.255.0.0 outside 192.168.11.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 37 (this value is not changing)

    Here is my config for the NAT
    access-list Inside_nat0_outbound extended permit ip 192.9.0.0 255.255.0.0 192.168.11.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.10.201.0 255.255.255.0 192.168.11.0 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list Inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 172.30.3.0 255.255.255.0
    nat (management) 1 192.10.201.0 255.255.255.0
    nat (dmz2) 1 172.30.2.0 255.255.255.0
    static (inside,dmz) 192.9.0.0 192.9.0.0 netmask 255.255.0.0

    I'm guessing that one of these rules is conflicting? Does the nat (inside) 0 access-list Inside_nat0_outbound take precedence over nat (inside) 1 0.0.0.0 0.0.0.0?

    I can post more config if required, any help at this stage would be much appreciated

  • #2
    Re: Cisco asa nat issue

    Yes nat exemption takes precedence over the static nat.


    Do you have an access-list on the inside interface on the ASA?


    :Inbound TCP connection denied from 192.9.216.190/60660 to 192.168.11.101/3389 flags SYN on interface inside
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Cisco asa nat issue

      No access list on the inside interface.

      interface Ethernet0/0
      speed 10
      duplex full
      nameif outside
      security-level 0
      ip address 116.212.X.X 255.255.255.252
      !
      interface Ethernet0/1
      nameif inside
      security-level 100
      ip address 192.9.201.20 255.255.255.0


      access-group OUT in interface outside
      access-group DMZ in interface dmz
      access-group DMZ2 in interface dmz2



      • #4
        Re: Cisco asa nat issue

        Can you post the output of:



        show route


        route outside 192.168.11.0 255.255.255.0 119.52.X.X
        Last edited by auglan; 17th February 2012, 13:45.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Cisco asa nat issue

          OK, it was a config error on the PIX. I had made an error on the static route:


          I had route inside 192.168.11.0 255.255.255.0 119.252.X.X 1


          where I needed


          route outside 192.168.11.0 255.255.255.0 119.252.X.X 1


          I discovered this when I enabled intra-interface traffic and checked the syslog; I could see it was attempting to route the traffic back OUT of the inside interface.


          Thanks for your help guys!
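
          The check below is an added example, not code from this thread or from Cisco. It reproduces the two things the thread turns on: that a flow matching the nat 0 ACL is exempt from NAT before any nat/global rule is considered (post #2's answer), and that a destination whose route points back out the ingress interface is dropped with the same "Inbound TCP connection denied ... on interface inside" message even though NAT is fine (post #5's root cause). The route table, ACL rows and the syslog line are constructed from the thread's own config, with the masked "X" octets replaced by 1 so they parse; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample data modelled on the thread's configuration. The masked
# octets ("X") are replaced with 1 so the addresses parse; none are real hosts.
# ROUTES rows are (interface, network, mask, next hop) as typed in
# 'route <ifc> <net> <mask> <gw>'; NAT0_ACL rows are (src, src_mask, dst, dst_mask)
# as in 'access-list Inside_nat0_outbound extended permit ip ...'.
ROUTES_FAULTY = [
    ("outside", "0.0.0.0", "0.0.0.0", "116.212.1.1"),
    ("inside", "192.168.11.0", "255.255.255.0", "119.252.1.1"),   # the mistake from post #5
]
ROUTES_FIXED = [
    ("outside", "0.0.0.0", "0.0.0.0", "116.212.1.1"),
    ("outside", "192.168.11.0", "255.255.255.0", "119.252.1.1"),  # corrected: out the VPN side
]
NAT0_ACL = [
    ("192.9.0.0", "255.255.0.0", "192.168.11.0", "255.255.255.0"),
    ("10.0.0.0", "255.255.255.0", "192.168.11.0", "255.255.255.0"),
    ("192.10.201.0", "255.255.255.0", "192.168.11.0", "255.255.255.0"),
]

# Matches the 106001-style message quoted in the thread.
DENY_RE = re.compile(
    r"Inbound (?P<proto>TCP|UDP) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>\S+) on interface (?P<ifc>\w+)"
)

SAMPLE_LOG = (  # constructed; copied from the syslog line in the first post
    "Inbound TCP connection denied from 192.9.216.190/60660 to "
    "192.168.11.101/3389 flags SYN on interface inside"
)


def to_network(addr, mask):
    """Build a network from dotted address + dotted mask (ASA syntax)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def egress_interface(routes, dst):
    """Longest-prefix match over the static routes; returns the egress interface."""
    best_ifc, best_len = None, -1
    dst_ip = ipaddress.ip_address(dst)
    for ifc, net, mask, _gw in routes:
        n = to_network(net, mask)
        if dst_ip in n and n.prefixlen > best_len:
            best_ifc, best_len = ifc, n.prefixlen
    return best_ifc


def nat_exempt(acl, src, dst):
    """True if the flow hits the nat 0 ACL, i.e. it is exempt from NAT on ASA 8.2.

    NAT exemption is evaluated before static and dynamic (nat/global) rules, so a
    match here means the later 'nat (inside) 1 0.0.0.0 0.0.0.0' never applies.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in to_network(sa, sm) and d in to_network(da, dm)
               for sa, sm, da, dm in acl)


def diagnose(log_line, routes, acl=NAT0_ACL):
    """Explain a deny: NAT problem, or a route pointing back out the ingress interface?"""
    m = DENY_RE.search(log_line)
    if not m:
        return None
    src, dst, ingress = m["src"], m["dst"], m["ifc"]
    egress = egress_interface(routes, dst)
    exempt = nat_exempt(acl, src, dst)
    if egress == ingress:
        # The packet would leave via the interface it arrived on. Without
        # 'same-security-traffic permit intra-interface' the ASA drops it and
        # logs the deny on the ingress interface, which reads like a NAT failure.
        verdict = "hairpin-route"
    elif not exempt:
        verdict = "not-nat-exempt"
    else:
        verdict = "nat-and-route-ok"
    return {"src": src, "dst": dst, "ingress": ingress, "egress": egress,
            "nat_exempt": exempt, "verdict": verdict}


if __name__ == "__main__":
    for name, routes in (("faulty", ROUTES_FAULTY), ("fixed", ROUTES_FIXED)):
        print(name, diagnose(SAMPLE_LOG, routes))
```

          Run against the faulty table the script reports the flow as NAT-exempt and the egress as "inside", i.e. the hairpin the poster saw once intra-interface traffic was enabled; with the corrected route the same log line resolves to egress "outside" and nothing is left to blame on NAT.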



          • #6
            Re: Cisco asa nat issue

            Okay, good. I had a feeling that's what it was.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
