dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
31146

sohocisco
@comporium.net

sohocisco

Anon

[Config] NAT in ASA 5505 using ASDM

I am new to Cisco and installing an ASA 5505 after some strong recommendations from this board (thanks again). I am struggling a bit to get NAT configured however, and have followed the manual to no avail, although the example in the manual does have some seeming errors.

Basically, I have a couple of servers in a DMZ, with public IPs 204.204.204.1 and 204.204.204.2 (and internal IPs 192.168.2.1 and 192.168.2.2). The ASA is assigned 204.204.204.3.

I created the appropriate security policy rules to allow HTTP traffic to to the DMZ hosts, and created a static NAT rule for each host with the following:

Real Address:
Interface: dmz
IP Address: 192.168.2.1
Netmask: 255.255.255.255

Static Translation:
Interface: outside
IP Address: 204.204.204.1

Running the Packet Tracer shows the IP address translating and everything looking good, yet no packets directed to 204.204.204.1 or .2 show up in the ASA logs when trying to hit the web server from another network.

Traffic from this host seems to go out into the internet with IP 204.204.204.1, as evidenced by outbound DNS queries the server makes, but the ASA does not seem to be listening to 204.204.204.1 at all, as there is never anything in the logs for this address and DNS queries never get a response when performed from the server.

Traffic from the DMZ is fine for hosts without a NAT entry, and I have them nat'ing via the outside interface's address.

What am I missing to make NAT work? I feel like there must be some basic setting but I cannot find it anywhere, and each firewall vendor seems to have their own terminology and settings for NAT, so past experience is not helping.

If you can provide the ASDM steps that would be most appreciated as I have yet to delve into the CLI.

Many Thanks!

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

tubbynet

MVM

Although a verbal description is good, a config is worth a thousand words. From the SDM, I believe you can view the running-config on the ASA.
If you can post this, it would help in troubleshooting.

Its looking like something is just not finding its way. What kind of NAT entry do you have for each of your servers on the ASA?
Also, do you have some remote way of testing and verifying the connection?
Finally, do you only want to have certain services on each address available and have you implemented any ACL rules for such an end?

q.
garnetbobcat
join:2007-10-02

garnetbobcat

Member

tubbynet is right. Even if you're not comfortable on the CLI yet, that's the best way for the folks here to troubleshoot it, and maybe you'll learn a thing or two. To get the running-config via ASDM:

Tools > Command Line Interface... > Select "show running-config" from the dropdown

Copy the response and paste it here.

sohocisco
@comporium.net

sohocisco to sohocisco

Anon

to sohocisco
All,

Thanks for your help. For the NAT rules I created a static (1:1) rule. I've simplified the config to only include one NAT rule, for the 204.204.204.1/192.168.2.2 webserver.

If you can point me in the right direction in ASDM as well as the CLI command to fix that would greatly help my learning process.

Thanks!

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(3)
!
hostname border
domain-name mydomain.com
enable password xxxencrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 204.204.204.3 255.255.255.248
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxencrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 204.116.57.2
name-server 206.74.254.2
domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in remark HTTP
access-list outside_access_in extended permit tcp any host 204.204.204.1 eq www
access-list outside_access_in remark HTTP
access-list outside_access_in extended permit tcp any host 204.204.204.2 eq www
access-list outside_access_in remark HTTPS
access-list outside_access_in extended permit tcp any host 204.204.204.2 eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 dns
static (dmz,outside) 204.204.204.2 192.168.2.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 152.2.21.1 source outside
smtp-server
prompt hostname context
Cryptochecksum:xxx
: end
elnino
join:2006-08-27
Akron, OH

elnino

Member

said by sohocisco :

Thanks for your help. For the NAT rules I created a static (1:1) rule. I've simplified the config to only include one NAT rule, for the 204.204.204.1/192.168.2.2 webserver.
You picked 204.204.204.2 as your webserver, not 204.204.204.1 and it points to 192.168.2.2 which looks correct.
static (dmz,outside) 204.204.204.2 192.168.2.2 netmask 255.255.255.255
 
You mentioned about the ASA not listening on 204.204.204.1, which is probably true because I don't see it listed in your config anywhere. 204.204.204.3 will be used for your web access for your users (and the webserver will use 204.204.204.2)

sohocisco
@comporium.net

sohocisco

Anon

said by elnino:

said by sohocisco :

Thanks for your help. For the NAT rules I created a static (1:1) rule. I've simplified the config to only include one NAT rule, for the 204.204.204.1/192.168.2.2 webserver.
You picked 204.204.204.2 as your webserver, not 204.204.204.1 and it points to 192.168.2.2 which looks correct.
static (dmz,outside) 204.204.204.2 192.168.2.2 netmask 255.255.255.255
 
You mentioned about the ASA not listening on 204.204.204.1, which is probably true because I don't see it listed in your config anywhere. 204.204.204.3 will be used for your web access for your users (and the webserver will use 204.204.204.2)
I would guess that is more of a function of me goofing up my initial description by trying to be cute and disguise my IP addresses as per the forum rules. Based on the config I would expect the webserver to respond to 204.204.204.2.

Sorry for the confusion. Is the NAT rule insufficient to have the router listen to its outside address (204.204.204.3) AND the webserver at 204.204.204.2?

Thanks again!
sohocisco

sohocisco to sohocisco

Anon

to sohocisco
Any ideas? I am still stuck and clarified my config in the previous post. As mentioned I setup a NAT rule and firewall rule that I would expect should allow http traffic on 204.204.204.2 through (the router is 204.204.204.3).

It still does not appear that the router is even listening to .2 as nothing at all shows up in the logs when I attempt to connect from another network via aircard.

All works fine with my current router, so it does not appear to be an ISP issue.

Thanks!

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

tubbynet

MVM

Rather than try and explain this to you (just as much for your benefit as it is mine, as I will unknowingly goof something up and more than likely send you pulling your hair out), I will post some stuff up from this Cisco site.

While your config matches this pretty closely, I notice something that you have that doesn't quite mesh (address-wise)

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 dns
 

You haven't correctly defined your DMZ, as what you have stated in the rules above

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
 

The best thing to do at this point is read this article:
»www.cisco.com/en/US/prod ··· html#s11

and understand it before continuing. I can see that you are close, but you are missing a few steps.
When I do stuff like this, I usually like to write the whole thing in notepad (or some variant thereof) and write it in sections...don't write it as the ASA would spit it out. Most of this stuff can be entered in any order as long as you are in the correct "configuration sub-menu". Write it, trace it out, then upload and see if you have something working.

q.

sohocisco
@comporium.net

sohocisco

Anon

tubbynet,

Thanks for the link. I read it several times but am still stuck. The line you quoted:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 dns  
 

was added to make sure the ASA does not NAT IP addresses from the inside netword to the DMZ. Without the rule I would get "translation not found" errors when going from inside to the dmz. My inside hosts know the internal addresses of the DMZ since I have an internal DNS, so I don't do any NAT from inside to dmz.

My main issue still exists. Based on the link you sent, I added a new line to my config:

global (outside) 2 204.204.204.1-204.204.204.3 netmask 255.255.255.0
global (outside) 1 interface 
 

and moved the ASA's outside interface to 204.204.204.4, in the hopes the address pool would cause the ASA to "listen" to my other IP addresses.

Unfortunately, I am getting the same symptoms as before. Attempts to his the webserver at 204.204.204.2 result in nary a peep in the logs. When this server does a DNS query, I get a:

Built outbound UDP connection 2152 for outside:204.116.57.2/53 (204.116.57.2/53) to dmz:192.168.2.2/37416 (208.104.193.42/37416) 
 

log entry showing the outbound DNS query, but never see anything in the logs for the return, again making it look to me like the ASA is not listening to the NAT'ed addresses. I thought adding the global pool would help but no joy.

Can anyone point me in the right direction? I've reread teh "getting started" guide about 50 times, but their example is for a DMZ webserver that uses the IP of the outside interface so it is of limited help.

Thanks!

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

tubbynet

MVM

said by sohocisco :

Thanks for the link. I read it several times but am still stuck. The line you quoted:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 dns  
 

was added to make sure the ASA does not NAT IP addresses from the inside netword to the DMZ. Without the rule I would get "translation not found" errors when going from inside to the dmz. My inside hosts know the internal addresses of the DMZ since I have an internal DNS, so I don't do any NAT from inside to dmz.
As I understand your config, you have defined two VLANs, one for your internal network, and one for your DMZ. Each of these VLANs is (correctly) on a different subnet. However, you have to make sure that your ASA is "aware" of the difference between the two and how to "translate" between each of them.

According to the Cisco URL referenced in my last post, the command structure is as follows:

static (real_interface,mapped_interface) mapped_ip real_ip netmask mask
 

Then, they offer the following example to illustrate this point

static (DMZ,inside) 10.0.0.10 192.168.100.10 netmask 255.255.255.255
 

As I understand your config, you have not done EXACTLY what is given above. Although you have defined an internal and DMZ subnets as shown by

nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
 

as part of your NAT translation, I am assuming that you have assigned your servers an address in the 192.168.2.x/24 and you want to essentially "by-pass" the DMZ by making the server locally accessible on a .1.x/24 address.

Looking above, it appears that your outside interface translation to the DMZ looks good. However, I would look at one thing. When you check the logs, are you checking them locally on the ASA, or are you looking at packets passing through the router itself?
I am not sure what equipment you have on the outside, but it couldn't hurt to check the security policy of something just beyond your ASA. If you are not getting a "block" you may want to see if those packets are getting passed. Place a hub between your ASA and router and run an Ethereal capture to see what types of commnication are passing.

q.

sohocisco
@comporium.net

sohocisco

Anon

I'll do some more checking. My ASA is functioning as a router/firewall (this is a soho environment so no need/budget for a dedicated router).

I'll give things another go and report back, but if anyone sees anything obvious in my config that would prevent external requests coming into the DMZ webserver I would greatly appreciate hearing about it!

Thanks!
sohocisco

sohocisco to sohocisco

Anon

to sohocisco
I found my solution, although it was not what I was expecting as it appears to be on the ISP end?

My ASA did not appear to ever get packets back on the NAT'ed addresses; it would send them, but never indicate a response.

On a lark, I changed the outside interface to use one of my NAT addresses, and data started flowing as expected. When I changed it back to the old outside IP, the NAT'ed address started working!

The only thing I can think of, and I am not a routing expert, is that my ISP was caching my old router's MAC address or something like that, and switching the outside interface's IP overrode that setting, as I've never had this issue with another ISP.

Luckily, I only have 5 external IPs, so changing the outside interface to each "activated" that address for use with NAT and all appears to be well.

Hopefully this will help someone else who has an inexplicable NAT problem...