cisco ASA 5505-NAT

Posted on 2007-11-17
Last Modified: 2008-09-01
Hi guys,
I'm using a Cisco ASA 5505 and I'm trying to configure NATing between two hosts. I already configured the NAT and I used pinging to make sure that my NAT configuration between the two hosts works, but unfortunately it is still not working ("I mean sending traffic from host A to host B and the reverse"). I posted the configuration below; could you please help me to solve this problem and make the pinging work between the two hosts?

Here is my configuration:


ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password K2T/yDv1cYSJKgZq encrypted
names
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 10.4.4.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 10.4.4.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host 10.4.4.50
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any host 10.4.4.10
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list inside_access_out extended permit tcp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list ouside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip any 10.4.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.4.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.4.4.2-10.4.4.12 outside
dhcpd enable outside
!
dhcpd address 10.3.3.2-10.3.3.129 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7c2c209e71865b13c87cc4635e8fdb7
: end
Question by: nsamri

27 Comments

Expert Comment by: cstosgale (ID: 20307015)
Hi,

If you have a static NAT as configured above, this means that any traffic from 10.3.3.20 will look like it's coming from 10.4.4.10 when it sends traffic to hosts outside the ASA. This configuration will not allow 10.3.3.20 to ping 10.4.4.10. If you would like this to work, remove the static NAT. This will then allow 10.3.3.20 to be natted to 10.4.4.1 on the outside and communicate with 10.4.4.10.

Incidentally, there are various odd things about your configuration.
Firstly, access list lines permitting 0.0.0.0 255.255.255.0 are not valid.
Secondly, your inside and outside interfaces are set with the same security level. This is not good practice, and partially defies the point of having an ASA.
Thirdly, you don't need access lists for both directions of both interfaces; this just significantly complicates matters. I would recommend one for traffic coming into the inside interface and one for traffic coming into the outside interface. I have noticed that only one of these access lists is applied, which is why it is not causing you any problems at the moment.
Fourthly, your route statement is meaningless as its next hop is the ASA's own interface. If you want to route out to the internet or any other networks, the next hop needs to be another router on the 10.4.4.0 network that can then route to other networks.
Expert Comment by: lrmoore (ID: 20307244)
Good points in the previous post.

>and I'm trying to configure nating between two hosts
What two hosts?
You have natted 10.4.4.10 to 10.3.3.20 which means there is only one host. What is the other host?
You could disable nat-control, allow same security traffic inter-interface and basically turn the asa into a router.
Author Comment by: nsamri (ID: 20308026)
Thanks guys for your responses. Regarding NATing between two hosts, it is as follows:

ip address of host A --> 10.3.3.8
default gateway 10.3.3.1
ip address of host B --> 10.4.4.4
default gateway 10.4.4.1

From A, I pinged 10.3.3.1 and 10.3.3.8 and they are working, but from A to B, like ping 10.4.4.4, it didn't work.
From B, I also pinged 10.4.4.1 and 10.4.4.4; both are not working, and from B to A it didn't work.

Notice: I didn't change the above suggestions yet.
Expert Comment by: cstosgale (ID: 20308107)
Based on the configuration above and the IP addresses supplied, this should work from A to B but it will not work the other way round because access list outside_access_in is only allowing echo reply traffic, and the dynamic nat would not allow this anyway.

Is host 10.4.4.4 responding to pings from another host in the same subnet? Is there any firewall on this PC that could be blocking ICMP? Windows Firewall, if enabled, will block ICMP by default.

Why are you using an ASA for this, and why are you natting at all? It would make the config much simpler if you just routed between the subnets, and this would allow bidirectional traffic. As it is, without specific one to one nats, hosts on 10.4.4.0 won't be able to send traffic to 10.3.3.0 hosts.

This would also be achieved more simply with a plain old router or layer 3 switch. I would recommend keeping the ASA for an edge firewall role.
Author Comment by: nsamri (ID: 20308331)
Hi cstosgale,
Yes, I just pinged from host A to host B and it is working now, but the other way (from host B to A) it is not working. I still didn't change my configuration above. What would you suggest I do now?

Expert Comment by: cstosgale (ID: 20308716)
It depends entirely on what you are trying to achieve.

If you just want two-way communication between the networks on either side of the ASA, and both networks are internal, I would recommend removing the NAT configuration altogether. This is the easiest way to allow bidirectional communication.

Having said that, if that is all you need, there isn't really much point in using an ASA; a much simpler router or layer 3 switch would do as good a job. If both subnets are internal to your LAN, I would recommend using a Catalyst 3560 or similar. Out of the box this will route between VLANs, and you can control traffic between the two using access lists.

If you already have a switch, and you just need to route between VLANs present on a switch, you can pick up an old 2600 series router off eBay that would do this just fine.

Expert Comment by: lrmoore (ID: 20308741)
policy-map global_policy
 class inspection_default
  inspect icmp

Author Comment by: nsamri (ID: 20308822)
Hi guys,
I appreciate your cooperation with me. In fact, I have to use NATing with the ASA 5505 between two hosts, because this is part of my work and I must do it. I cannot remove my NATing configuration. So, I'll show you my current configuration below. What I want, if you don't mind, is for you to show me step-by-step how two hosts A and B can communicate with each other. "I mean Host A should ping Host B and Host B should ping Host A." One side is working now, which is from host A to host B, but the other side is not working, as I mentioned above.
IP host of A --> 10.3.3.8 and IP default-gateway --> 10.3.3.1
IP host of B --> 10.4.4.5 and IP default-gateway --> 10.4.4.1
Author Comment by: nsamri (ID: 20308828)
This is my current configuration:

:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password K2T/yDv1cYSJKgZq encrypted
names
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.4.4.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 10.4.4.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host 10.4.4.50
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any host 10.4.4.10
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list inside_access_out extended permit tcp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list ouside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip any 10.4.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.4.4.10 10.3.3.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.4.4.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.4.4.2-10.4.4.12 outside
dhcpd enable outside
!
dhcpd address 10.3.3.2-10.3.3.129 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3cfb7d6f22965c85755d4455dfff4ccc
: end
Accepted Solution by: lrmoore (earned 250 total points, ID: 20308899)
static (inside,outside) 10.3.3.8 10.3.3.8 netmask 255.255.255.255
access-list outside_access_in extended permit icmp host 10.4.4.5 host 10.3.3.8
Author Comment by: nsamri (ID: 20308940)
Thank you so much. Now the two hosts are working.
I have two questions. Do I have to keep the following commands in my configuration:
static (inside,outside) 10.4.4.10 10.3.3.10 netmask 255.255.255.255
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10

And what about if I want to configure host A for the internet?

Expert Comment by: lrmoore (ID: 20309074)
Depends on why you have that static and if host 10.4.4.20 needs to communicate with 10.3.3.10.
If you want host A to have internet access too, then we have a totally different scenario, but since the outside interface is a private 10.4.4.x ip address, then I assume all nat is taking place at the next hop gateway and that nat gateway should be configured to allow host 10.3.3.8 out and NAT it appropriately.

Expert Comment by: cstosgale (ID: 20309086)
No, you can remove them as they are not related to the communication between the two hosts.
The second line is meaningless, as the router will never see traffic from 10.4.4.20 to 10.4.4.10.

In order to get host A to the internet, 10.4.4.10 will need to have a route to the internet, as this is the default route on the ASA. There will also need to be a device NATing to the internet from the 10.4.4.0 range, as this is a private IP range.
Author Comment by: nsamri (ID: 20309703)
Thank you guys. I have another question regarding the static command. If host A is 10.3.3.8 and host B is 10.4.4.5, and these hosts are communicating with each other thanks to the modification of my configuration as follows:
static (inside,outside) 10.3.3.8 10.3.3.8 netmask 255.255.255.255
access-list outside_access_in extended permit icmp host 10.4.4.5 host 10.3.3.8

My question is: what if host A is changed and becomes 10.3.3.9 instead of 10.3.3.8, or host B is changed and becomes 10.4.4.6? Are these commands, with my current configuration above, going to work between host A and host B and between host B and host A, even if host A is changed to another IP 10.3.3.x or host B is changed to another IP 10.4.4.x?
Expert Comment by: cstosgale (ID: 20314410)
No, these commands will only fix the problem for these specific addresses. You would need to modify the commands if the addresses changed.

You could add commands for additional addresses, in addition to these commands, to get the communication working between more hosts, e.g.

static (inside,outside) 10.3.3.9 10.3.3.9 netmask 255.255.255.255
access-list outside_access_in extended permit icmp host 10.4.4.6 host 10.3.3.9
Author Comment by: nsamri (ID: 20314923)
What if I don't want to use static NAT to specify each IP address? I want to use some kind of NAT where I don't have to specify each IP address when the IP address changes automatically. Could you tell me what commands I should use to keep my configuration without changing it?
Expert Comment by: cstosgale (ID: 20315949)
You would need to disable NAT in order to provide this functionality! If you want traffic to flow between any addresses in the two subnets, the only real viable solution is to disable NAT. What is the reason you need to keep NAT enabled between the 10.4.4.0 and the 10.3.3.0 networks? If you are able to tell me the reason, I may be able to advise you on a better way of achieving the configuration you want.
Author Comment by: nsamri (ID: 20317279)
The reason is that I'm working on a Cisco ASA 5505. One of the parts I must do is NAT, because my professor needs NATing between two hosts and they have to ping each other. I have done one way, which is pinging from Host A to Host B. In fact, I did both ways, but unfortunately my configuration was wrong, because he needs NATing from A to B on the same subnet to see the NATing. So, I have to figure out the other way, from B to A, on the same subnet. In addition, I may configure a VPN client later. Therefore, this is the reason why I'm using NATing. Would you mind helping me to do the other way, "B to A", on the subnet of A? For example: if A --> 10.3.3.9 and B --> 10.4.4.6, and I ping B from A, it will be "ping 10.4.4.6", the original IP address, and the remote address will be random, like 10.4.4.2. This way the prof. will see the NATing is working.
Author Comment by: nsamri (ID: 20324133)
Hi guys,
I'm still having a problem in my NAT configuration, especially when I ping host B from host A. It was working as I said before, but now host B is not responding to pings from host A in the same subnet.
So, my configuration is currently not pinging between the two hosts. Could you please look at my configuration and guide me to solve my configuration problem? "I appreciate your working with me"

IP host of A --> 10.3.3.3 and IP default-gateway --> 10.3.3.1
IP host of B --> 10.4.4.3 and IP default-gateway --> 10.4.4.1

--------------
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password K2T/yDv1cYSJKgZq encrypted
names
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.4.4.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp host 10.4.4.3 host 10.3.3.3
access-list outside_access_in extended permit icmp host 10.3.3.3 host 10.4.4.3
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list inside_access_out extended permit tcp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list inside_access_out extended permit ip any any
access-list ouside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip any 10.4.4.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list inside extended permit ip any any
access-list outide extended permit ip any any
access-list outside_acess_in extended permit icmp host 10.4.4.4 host 10.3.3.4
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.4.4.3 10.3.3.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.4.4.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.3.3.2-10.3.3.129 inside
dhcpd enable inside
!
dhcpd address 10.4.4.2-10.4.4.12 outside
dhcpd enable outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b5236af9e8fef5093f1a421ff8efbe06
: end
Assisted Solution by: cstosgale (earned 250 total points, ID: 20331133)
Hi,

As we have already stated, you cannot ping host A from host B in this configuration, as you have a static NAT between the two devices:

static (inside,outside) 10.4.4.3 10.3.3.3 netmask 255.255.255.255

NAT replaces one IP with another as the packets go through the ASA. Therefore, as far as the ASA is concerned, 10.4.4.3 and 10.3.3.3 are the same host.

Is your professor trying to teach you about networking / Cisco configuration? If so, he is not making a very good job of it. Either that or you have completely misunderstood what he is asking you to do.

The purpose of NAT is to allow multiple private IPs to talk to the internet via a single public IP. In this configuration, the private IPs are not accessible, e.g. pingable, from the outside world. A static NAT like the one above is used to give a server a public address on the internet using a one-to-one mapping.

On your ASA above, the 10.4.4.0 subnet is effectively your public address range and the 10.3.3.0 subnet the internal range. 10.3.3.3 would be your server, which you are giving the public IP 10.4.4.3.
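To make visible why lrmoore's identity static plus ACE (accepted solution, ID 20308899) lets B reach A, and why the later static 10.4.4.3 10.3.3.3 cannot work as cstosgale explains just above (ID 20331133), here is a small Python model of the pre-8.3 ASA forwarding path for an ICMP echo. It is an added illustration written for this thread, not Cisco code or the asker's configuration; `forward`, `ping` and the three scenario dictionaries are my own simplification (statics, dynamic PAT to the interface address, `outside_access_in` matched on mapped addresses, `nat-control`, `inspect icmp`) and cover only what the thread discusses, assuming each host routes the other subnet via its ASA gateway.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.3.3.0/24")        # Vlan1 "inside", security-level 50
PAT_ADDRESS = ip_address("10.4.4.1")      # global (outside) 1 interface
ANY = "0.0.0.0/0"


def ace(src, dst, icmp_type=None):
    """One line of outside_access_in; src/dst are networks or /32 hosts."""
    return ip_network(src), ip_network(dst), icmp_type


def host(ip):
    return ip + "/32"


def forward(cfg, xlates, src, dst, icmp_type, reply=False):
    """One packet through the ASA -> (ok, src_seen, dst_seen, reason).
    xlates maps mapped (outside) address -> real (inside) address."""
    if src in INSIDE:                     # inside -> outside; no ACL on inside in the thread
        real_to_mapped = {r: m for m, r in xlates.items()}
        new_src = real_to_mapped.get(src, PAT_ADDRESS)   # static, else dynamic PAT
        if new_src == dst:                # the static hands A the address B already uses
            return False, new_src, dst, "mapped source equals the destination address"
        return True, new_src, dst, "translated outbound"
    if dst in xlates:                     # outside -> inside: dst should be a mapped address
        new_dst = xlates[dst]
    elif cfg["nat_control"]:
        return False, src, dst, "no translation group found (nat-control)"
    else:
        new_dst = dst                     # without nat-control an untranslated host passes
    # pre-8.3 ASA: outside_access_in is matched on the mapped dst, before untranslation;
    # with 'inspect icmp' the echo-reply matches the existing connection, no ACL lookup
    if not (reply and cfg["inspect_icmp"]) and not any(
            src in s and dst in d and t in (None, icmp_type)
            for s, d, t in cfg["outside_access_in"]):
        return False, src, new_dst, "denied by outside_access_in"
    return True, src, new_dst, "permitted inbound"


def ping(cfg, a, b):
    """Echo a -> b plus the echo-reply b -> a; returns (works, reason)."""
    a, b = ip_address(a), ip_address(b)
    ok, s, d, why = forward(cfg, cfg["statics"], a, b, "echo")
    if not ok:
        return False, "echo: " + why
    xlates = dict(cfg["statics"])
    if s == PAT_ADDRESS:                  # the outbound echo created a PAT xlate for a
        xlates[PAT_ADDRESS] = a
    ok, _, _, why = forward(cfg, xlates, d, s, "echo-reply", reply=True)
    return ok, "reply: " + why


# The three states of the thread's config, reduced to what matters for ICMP (constructed).
ORIGINAL = {  # first posted config: A=10.3.3.8, B=10.4.4.4
    "nat_control": True, "inspect_icmp": False,
    "statics": {ip_address("10.4.4.10"): ip_address("10.3.3.20")},
    "outside_access_in": [ace(ANY, ANY, "echo-reply"), ace(ANY, host("10.4.4.10"))]}
FIXED = {  # after the accepted solution (identity static + ACE): A=10.3.3.8, B=10.4.4.5
    "nat_control": False, "inspect_icmp": False,
    "statics": {ip_address("10.4.4.10"): ip_address("10.3.3.10"),
                ip_address("10.3.3.8"): ip_address("10.3.3.8")},
    "outside_access_in": [ace(ANY, ANY, "echo-reply"), ace(host("10.4.4.5"), host("10.3.3.8"))]}
COLLIDING = {  # last posted config: A=10.3.3.3 is mapped onto B's own address 10.4.4.3
    "nat_control": False, "inspect_icmp": True,
    "statics": {ip_address("10.4.4.3"): ip_address("10.3.3.3")},
    "outside_access_in": [ace(ANY, ANY, "echo-reply"), ace(host("10.4.4.3"), host("10.3.3.3"))]}

if __name__ == "__main__":
    for name, cfg, a, b in [("original", ORIGINAL, "10.3.3.8", "10.4.4.4"),
                            ("fixed", FIXED, "10.3.3.8", "10.4.4.5"),
                            ("colliding", COLLIDING, "10.3.3.3", "10.4.4.3")]:
        print(f"{name:9} A->B {ping(cfg, a, b)}  B->A {ping(cfg, b, a)}")
```

The original config fails B->A at the NAT lookup (nat-control, no static for 10.3.3.8), the fixed one passes both ways, and the colliding static fails because A's translated source is B's own address, so neither an echo nor a reply can leave the ASA with distinct endpoints.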
 
Expert Comment by: lrmoore (ID: 22360217)
Suggest the outcome be to award points to lrmoore, as this is from early in the thread:
The context of the original post was that two hosts could not talk.

>Thank you so much. Now the two hosts are working.

Then the question morphed into something totally different.
>and what about if I want cofigure host A to the internet

Original question asked and answered. Case closed.

>I must do is NAT because my professor needs nating
Given that this was schoolwork anyway . . .
Expert Comment by: Vee_Mod (ID: 22360317)
Starting the auto-close procedure on behalf of the question asker.

Vee_Mod
Experts Exchange Moderator
Expert Comment by: lrmoore (ID: 22360650)
Accept lrmoore http:#20308899
Expert Comment by: lrmoore (ID: 22360799)
Let's not leave cstosgale out. Split with http:#20331133