04.20.2008 at 01:41PM PDT, ID: 23338106
Cisco ASA Not passing traffic (possibly static translation problem)

Asked by UptimeSystems in Cisco PIX Firewall, Network Routers, Networking Hardware Firewalls

Tags: Cisco, ASA, 5505, Cisco ASA Not passing traffic (possibly static translation problem)

Background:

Hello.  I'm in the process of replacing our Cisco PIX 501 with a new Cisco ASA 5505.  Behind the firewall are a handful of servers providing services such as terminal services, exchange, etc.  The old PIX has a handful of static 1-to-1 NAT translations for each server, and an access list opening up ports as necessary to each server.  I've tried to reproduce this config on the ASA.

Problem:

The problem is when I swap our old PIX out with the new ASA (with a matching config as far as I can tell) none of the servers set up with 1-to-1 NAT translations can traverse the ASA to the Internet.  That is--they cannot ping Internet hosts, browse the web--anything.  I CAN, however, ping Internet hosts from inside the ASA.  This tells me the problem is with the translation, or possibly the access lists.

I've attached the config as a "code snippet" below.  I've replaced our real public IP addresses with 200.88.88.xxx addresses in the config.  Inside IP addresses have not changed.  As you can see, I've used ip names to make referring to public IP and internal/private IP addresses easier.  For example, INT-SERVER1 will be the name I assign to the internal (192.168.111.x) address of Server1, and EXT-SERVER1 will be the name I assign to its public IP address--the address to which I do a 1-to-1 translation.

I mostly did this config via the command line, and a few tweaks in the GUI (ASDM).  I'm pretty comfortable with PIX IOS, and have also deployed working ASAs in less complex environments.

Can anyone see an error in my config?  I've scoured it several times looking for an error, but I don't see one.  (Also--while troubleshooting I was sure to clear the ARP cache on the servers, and even restart the network switch that connects the ASA to the servers.  I also CAN ping/telnet into the ASA from the servers--just not pass traffic through it).

Help!  Thanx in advance.
:
ASA Version 7.2(3)
!
hostname UPTIME-ASA5505
domain-name uptime.int
enable password TQQLPKyPVHBSFOkK encrypted
names
name 200.88.88.246 EXT-UPTIME1 description Uptime Exchange and Web
name 200.88.88.243 EXT-UPTIME1420 description VWP Classic
name 200.88.88.247 EXT-UPTIMESTORE description UptimeStore - Backup and Storage
name 200.88.88.245 EXT-UVG001 description VWP - Uptime
name 200.88.88.248 EXT-UVG002 description VWP - Wallace
name 200.88.88.250 EXT-UVG003 description VWP - PBI
name 200.88.88.251 EXT-UVG004 description VWP - PinnacleExch
name 200.88.88.244 EXT-UVHOST01
name 192.168.111.5 INT-UPTIME1420
name 192.168.111.10 INT-UVHOST01
name 192.168.111.11 INT-UVG001
name 192.168.111.8 INT-UPTIME1
name 192.168.111.9 INT-UPTIMESTORE
name 192.168.111.12 INT-UVG002
name 192.168.111.13 INT-UVG003
name 192.168.111.14 INT-UVG004
name 192.168.111.15 INT-PINNACLETS
name 200.88.88.252 EXT-PINNACLETS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.17.28.242 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name uptime.int
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type icmpgrp_1
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
object-group service svcgrp_vwp tcp
 port-object eq 3389
 port-object eq ftp
object-group service svcgrp_exchange tcp
 port-object eq smtp
 port-object eq www
 port-object eq https
 port-object eq 3389
access-list into_outside extended permit icmp any any object-group icmpgrp_1
access-list into_outside extended permit tcp any host EXT-UPTIME1420 object-group svcgrp_vwp
access-list into_outside extended permit tcp any host EXT-UVHOST01 object-group svcgrp_vwp
access-list into_outside extended permit tcp any host EXT-UVG001 object-group svcgrp_vwp
access-list into_outside extended permit tcp any host EXT-UPTIME1 object-group svcgrp_exchange
access-list into_outside extended permit tcp any host EXT-UPTIMESTORE object-group svcgrp_vwp
access-list into_outside extended permit tcp any host EXT-UVG002 object-group svcgrp_vwp
access-list into_outside extended permit tcp any host EXT-UVG003 object-group svcgrp_vwp
access-list into_outside extended permit tcp any host EXT-UVG004 object-group svcgrp_exchange
access-list into_outside extended permit tcp any host EXT-PINNACLETS object-group svcgrp_vwp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) EXT-UPTIME1420 INT-UPTIME1420 netmask 255.255.255.255
static (inside,outside) EXT-UPTIME1 INT-UPTIME1 netmask 255.255.255.255
static (inside,outside) EXT-UPTIMESTORE INT-UPTIMESTORE netmask 255.255.255.255
static (inside,outside) EXT-UVHOST01 INT-UVHOST01 netmask 255.255.255.255
static (inside,outside) EXT-UVG001 INT-UVG001 netmask 255.255.255.255
static (inside,outside) EXT-UVG002 INT-UVG002 netmask 255.255.255.255
static (inside,outside) EXT-UVG003 INT-UVG003 netmask 255.255.255.255
static (inside,outside) EXT-UVG004 INT-UVG004 netmask 255.255.255.255
static (inside,outside) EXT-PINNACLETS INT-PINNACLETS netmask 255.255.255.255
access-group into_outside in interface outside
route outside 0.0.0.0 0.0.0.0 216.17.28.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.111.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.111.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.111.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dc69fd7f1d505ed89f249044509fc463
: end
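As an added example (not part of the question or of the accepted solution, which is not shown on this page), a small Python script that reviews a config in the syntax posted above: it cross-checks each `static` against the `into_outside` access list, flags statics with no inbound ACL entry, ACL entries with no matching static, statics that use undefined `name` labels, and ACL entries it cannot parse, and returns a per-server inventory of the ports exposed from the outside. The `review` function and the sample excerpt are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt in the syntax of the posted ASA 7.2 config; sample input only.
SAMPLE = """\
name 200.88.88.246 EXT-UPTIME1 description Uptime Exchange and Web
name 200.88.88.252 EXT-PINNACLETS
name 192.168.111.8 INT-UPTIME1
name 192.168.111.15 INT-PINNACLETS
object-group service svcgrp_exchange tcp
 port-object eq smtp
 port-object eq www
 port-object eq 3389
access-list into_outside extended permit tcp any host EXT-UPTIME1 object-group svcgrp_exchange
access-list into_outside extended permit tcp any host EXT-UPTIME1420 object-group svcgrp_exchange
static (inside,outside) EXT-UPTIME1 INT-UPTIME1 netmask 255.255.255.255
static (inside,outside) EXT-PINNACLETS INT-PINNACLETS netmask 255.255.255.255
"""

def review(cfg):
    """Cross-check statics against the inbound ACL; return (exposure, findings)."""
    names, groups, statics, acl = {}, {}, {}, defaultdict(list)
    cur = []
    for line in cfg.splitlines():
        t = line.split() or [""]
        if t[0] == "name":                    # name <ip> <label> [description ...]
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "service"]:
            cur = groups.setdefault(t[2], [])
        elif t[0] == "port-object":           # member of the current service group
            cur.append(t[2])
        elif t[0] == "static":                # static (inside,outside) <mapped> <real> ...
            statics[t[2]] = t[3]
        elif t[0] == "access-list":
            m = re.search(r"host (\S+) object-group (\S+)$", line)
            if m:
                acl[m.group(1)] += groups.get(m.group(2), [])
            else:                             # e.g. 'any any' entries: review by hand
                findings_unparsed = f"ACL entry not in 'host NAME object-group GRP' form: {line}"
                acl.setdefault("__unparsed__", []).append(findings_unparsed)
    exposure, findings = {}, list(acl.pop("__unparsed__", []))
    for ext, real in statics.items():
        for n in (ext, real):
            if n not in names:
                findings.append(f"static uses undefined name {n}")
        if ext in acl:                        # reachable from outside: record open ports
            exposure[names.get(real, real)] = sorted(set(acl[ext]))
        else:
            findings.append(f"static {ext} -> {real} has no inbound ACL entry")
    for ext in acl:
        if ext not in statics:
            findings.append(f"ACL permits to {ext} but no static maps it")
    return exposure, findings
```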
About this solution

Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: A