sohocisco
Anon
2008-Jan-19 11:47 pm
[Config] NAT in ASA 5505 using ASDM
I am new to Cisco and installing an ASA 5505 after some strong recommendations from this board (thanks again). I am struggling a bit to get NAT configured, however, and have followed the manual to no avail, although the example in the manual does have some seeming errors.
Basically, I have a couple of servers in a DMZ, with public IPs 204.204.204.1 and 204.204.204.2 (and internal IPs 192.168.2.1 and 192.168.2.2). The ASA is assigned 204.204.204.3.
I created the appropriate security policy rules to allow HTTP traffic to the DMZ hosts, and created a static NAT rule for each host with the following:
Real Address: Interface: dmz IP Address: 192.168.2.1 Netmask: 255.255.255.255
Static Translation: Interface: outside IP Address: 204.204.204.1
Running the Packet Tracer shows the IP address translating and everything looking good, yet no packets directed to 204.204.204.1 or .2 show up in the ASA logs when trying to hit the web server from another network.
Traffic from this host seems to go out into the internet with IP 204.204.204.1, as evidenced by outbound DNS queries the server makes, but the ASA does not seem to be listening to 204.204.204.1 at all, as there is never anything in the logs for this address and DNS queries never get a response when performed from the server.
Traffic from the DMZ is fine for hosts without a NAT entry, and I have them nat'ing via the outside interface's address.
What am I missing to make NAT work? I feel like there must be some basic setting but I cannot find it anywhere, and each firewall vendor seems to have their own terminology and settings for NAT, so past experience is not helping.
If you can provide the ASDM steps that would be most appreciated as I have yet to delve into the CLI.
Many Thanks!

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16 Gilbert, AZ
Although a verbal description is good, a config is worth a thousand words. From the SDM, I believe you can view the running-config on the ASA. If you can post this, it would help in troubleshooting.
It's looking like something is just not finding its way. What kind of NAT entry do you have for each of your servers on the ASA? Also, do you have some remote way of testing and verifying the connection? Finally, do you only want to have certain services on each address available, and have you implemented any ACL rules for such an end?
q.
tubbynet is right. Even if you're not comfortable on the CLI yet, that's the best way for the folks here to troubleshoot it, and maybe you'll learn a thing or two. To get the running-config via ASDM: Tools > Command Line Interface... > Select "show running-config" from the dropdown. Copy the response and paste it here.

sohocisco
Anon
2008-Jan-20 10:24 am
All,
Thanks for your help. For the NAT rules I created a static (1:1) rule. I've simplified the config to only include one NAT rule, for the 204.204.204.1/192.168.2.2 webserver.
If you can point me in the right direction in ASDM as well as the CLI command to fix that would greatly help my learning process.
Thanks!
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(3)
!
hostname border
domain-name mydomain.com
enable password xxxencrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.204.204.3 255.255.255.248
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxencrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 204.116.57.2
 name-server 206.74.254.2
 domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in remark HTTP
access-list outside_access_in extended permit tcp any host 204.204.204.1 eq www
access-list outside_access_in remark HTTP
access-list outside_access_in extended permit tcp any host 204.204.204.2 eq www
access-list outside_access_in remark HTTPS
access-list outside_access_in extended permit tcp any host 204.204.204.2 eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 dns
static (dmz,outside) 204.204.204.2 192.168.2.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 152.2.21.1 source outside
smtp-server
prompt hostname context
Cryptochecksum:xxx
: end
elnino
Member
join:2006-08-27 Akron, OH
2008-Jan-20 10:49 am
said by sohocisco :
Thanks for your help. For the NAT rules I created a static (1:1) rule. I've simplified the config to only include one NAT rule, for the 204.204.204.1/192.168.2.2 webserver.
You picked 204.204.204.2 as your webserver, not 204.204.204.1, and it points to 192.168.2.2, which looks correct.
static (dmz,outside) 204.204.204.2 192.168.2.2 netmask 255.255.255.255
You mentioned the ASA not listening on 204.204.204.1, which is probably true because I don't see it listed in your config anywhere. 204.204.204.3 will be used for your web access for your users (and the webserver will use 204.204.204.2).
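An added check, not from this thread, that encodes elnino's observation above (and tubbynet's later point about the static command syntax): parse a 7.2-style running-config, list the outside addresses the ASA will answer for (the interface address, static mapped addresses, and any global address-pool range), and flag ACL destination hosts that have no mapping at all. The config excerpt is constructed from the one posted above; it only sees the ASA's own config, so an upstream problem like the stale ARP entry that turned out to be the real cause here would not show up.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running-config posted above (not the full config).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 204.204.204.3 255.255.255.248
access-list outside_access_in extended permit tcp any host 204.204.204.1 eq www
access-list outside_access_in extended permit tcp any host 204.204.204.2 eq www
access-list outside_access_in extended permit tcp any host 204.204.204.2 eq https
global (outside) 1 interface
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) 204.204.204.2 192.168.2.2 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list \S+ extended permit \S+ \S+ host (\S+)")
POOL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)-(\S+)")  # address-range pool form


def audit(config, outside="outside"):
    """Which outside addresses this config makes the ASA answer for, and which
    ACL destination hosts have no mapping (so their packets never appear in logs)."""
    ifaces, name = {}, None
    for line in config.splitlines():  # pass 1: nameif -> interface address/mask
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            ip, mask = line.split()[2:4]
            ifaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    outside_net = ifaces[outside].network
    answered, acl_hosts, out_of_subnet = {str(ifaces[outside].ip)}, set(), []
    for line in config.splitlines():  # pass 2: statics, pools, ACL destinations
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, _real_ip, _mask = m.groups()
            if mapped_if == outside:  # host statics; a network static adds only its base
                answered.add(mapped_ip)
                if ipaddress.IPv4Address(mapped_ip) not in outside_net:
                    out_of_subnet.append(mapped_ip)
        elif (m := POOL_RE.match(line)) and m.group(1) == outside:
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
            answered.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
        elif m := ACL_RE.match(line):
            acl_hosts.add(m.group(1))
    return {"answered": answered, "unmapped_acl_hosts": sorted(acl_hosts - answered),
            "out_of_subnet": out_of_subnet}


print(audit(SAMPLE_CONFIG))
```

On the sample, 204.204.204.1 is reported as permitted by the ACL but mapped by nothing, which is exactly the gap elnino points out; adding a second static for it (or the global pool the poster tries later in the thread) clears the finding.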
sohocisco
Anon
2008-Jan-21 5:00 pm
said by elnino:
said by sohocisco :
Thanks for your help. For the NAT rules I created a static (1:1) rule. I've simplified the config to only include one NAT rule, for the 204.204.204.1/192.168.2.2 webserver.
You picked 204.204.204.2 as your webserver, not 204.204.204.1, and it points to 192.168.2.2, which looks correct.
static (dmz,outside) 204.204.204.2 192.168.2.2 netmask 255.255.255.255
You mentioned the ASA not listening on 204.204.204.1, which is probably true because I don't see it listed in your config anywhere. 204.204.204.3 will be used for your web access for your users (and the webserver will use 204.204.204.2).
I would guess that is more of a function of me goofing up my initial description by trying to be cute and disguise my IP addresses as per the forum rules. Based on the config I would expect the webserver to respond to 204.204.204.2. Sorry for the confusion. Is the NAT rule insufficient to have the router listen to its outside address (204.204.204.3) AND the webserver at 204.204.204.2? Thanks again!
sohocisco
Anon
2008-Jan-23 9:27 am
Any ideas? I am still stuck and clarified my config in the previous post. As mentioned, I set up a NAT rule and firewall rule that I would expect should allow http traffic on 204.204.204.2 through (the router is 204.204.204.3).
It still does not appear that the router is even listening to .2 as nothing at all shows up in the logs when I attempt to connect from another network via aircard.
All works fine with my current router, so it does not appear to be an ISP issue.
Thanks!

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16 Gilbert, AZ
Rather than try and explain this to you (just as much for your benefit as it is mine, as I will unknowingly goof something up and more than likely send you pulling your hair out), I will post some stuff up from this Cisco site. While your config matches this pretty closely, I notice something that you have that doesn't quite mesh (address-wise):
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 dns
You haven't correctly defined your DMZ, as what you have stated in the rules above:
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
The best thing to do at this point is read this article: » www.cisco.com/en/US/prod ··· html#s11 and understand it before continuing. I can see that you are close, but you are missing a few steps. When I do stuff like this, I usually like to write the whole thing in notepad (or some variant thereof) and write it in sections...don't write it as the ASA would spit it out. Most of this stuff can be entered in any order as long as you are in the correct "configuration sub-menu". Write it, trace it out, then upload and see if you have something working.
q.
sohocisco
Anon
2008-Jan-23 1:15 pm
tubbynet, Thanks for the link. I read it several times but am still stuck. The line you quoted:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 dns
was added to make sure the ASA does not NAT IP addresses from the inside network to the DMZ. Without the rule I would get "translation not found" errors when going from inside to the dmz. My inside hosts know the internal addresses of the DMZ since I have an internal DNS, so I don't do any NAT from inside to dmz.
My main issue still exists. Based on the link you sent, I added a new line to my config:
global (outside) 2 204.204.204.1-204.204.204.3 netmask 255.255.255.0
global (outside) 1 interface
and moved the ASA's outside interface to 204.204.204.4, in the hopes the address pool would cause the ASA to "listen" to my other IP addresses. Unfortunately, I am getting the same symptoms as before. Attempts to hit the webserver at 204.204.204.2 result in nary a peep in the logs. When this server does a DNS query, I get a:
Built outbound UDP connection 2152 for outside:204.116.57.2/53 (204.116.57.2/53) to dmz:192.168.2.2/37416 (208.104.193.42/37416)
log entry showing the outbound DNS query, but never see anything in the logs for the return, again making it look to me like the ASA is not listening to the NAT'ed addresses. I thought adding the global pool would help but no joy. Can anyone point me in the right direction? I've reread the "getting started" guide about 50 times, but their example is for a DMZ webserver that uses the IP of the outside interface so it is of limited help. Thanks!

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16 Gilbert, AZ
said by sohocisco :
Thanks for the link. I read it several times but am still stuck. The line you quoted:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 dns
was added to make sure the ASA does not NAT IP addresses from the inside network to the DMZ. Without the rule I would get "translation not found" errors when going from inside to the dmz. My inside hosts know the internal addresses of the DMZ since I have an internal DNS, so I don't do any NAT from inside to dmz.
As I understand your config, you have defined two VLANs, one for your internal network, and one for your DMZ. Each of these VLANs is (correctly) on a different subnet. However, you have to make sure that your ASA is "aware" of the difference between the two and how to "translate" between each of them. According to the Cisco URL referenced in my last post, the command structure is as follows:
static (real_interface,mapped_interface) mapped_ip real_ip netmask mask
Then, they offer the following example to illustrate this point:
static (DMZ,inside) 10.0.0.10 192.168.100.10 netmask 255.255.255.255
As I understand your config, you have not done EXACTLY what is given above. Although you have defined internal and DMZ subnets as shown by
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
as part of your NAT translation, I am assuming that you have assigned your servers an address in the 192.168.2.x/24 and you want to essentially "by-pass" the DMZ by making the server locally accessible on a .1.x/24 address. Looking above, it appears that your outside interface translation to the DMZ looks good. However, I would look at one thing. When you check the logs, are you checking them locally on the ASA, or are you looking at packets passing through the router itself? I am not sure what equipment you have on the outside, but it couldn't hurt to check the security policy of something just beyond your ASA. If you are not getting a "block" you may want to see if those packets are getting passed. Place a hub between your ASA and router and run an Ethereal capture to see what types of communication are passing.
q.
sohocisco
Anon
2008-Jan-24 9:50 am
I'll do some more checking. My ASA is functioning as a router/firewall (this is a soho environment so no need/budget for a dedicated router).
I'll give things another go and report back, but if anyone sees anything obvious in my config that would prevent external requests coming into the DMZ webserver I would greatly appreciate hearing about it!
Thanks!

sohocisco
Anon
2008-Jan-30 9:14 am
I found my solution, although it was not what I was expecting as it appears to be on the ISP end?
My ASA did not appear to ever get packets back on the NAT'ed addresses; it would send them, but never indicate a response.
On a lark, I changed the outside interface to use one of my NAT addresses, and data started flowing as expected. When I changed it back to the old outside IP, the NAT'ed address started working!
The only thing I can think of, and I am not a routing expert, is that my ISP was caching my old router's MAC address or something like that, and switching the outside interface's IP overrode that setting, as I've never had this issue with another ISP.
Luckily, I only have 5 external IPs, so changing the outside interface to each "activated" that address for use with NAT and all appears to be well.
Hopefully this will help someone else who has an inexplicable NAT problem...