sefika asked:
Why is my NAT not working?
I have configured NAT on a Cisco ASA 5540 firewall and it does not work for one public address. In the code below, the '77' and the '78' public addresses are working fine, but '75' does not work. The intention is to direct all traffic for the '75' address to the '6' address in the DMZ.
static (DMZ,External01) AAA.XX.YYY.77 X.X.X.2 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.78 X.X.X.4 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.75 X.X.X.6 netmask 255.255.255.255
I have opened the ports on the firewall for the https / http / etc. traffic, but such or any other traffic does not seem to reach the firewall. The firewall is the problem because when I connect machine '75' directly behind a router, traffic to this public address does reach the machine. Again, the '77' address works perfectly but '75' doesn't, although the configuration is exactly the same. I cannot even see any logs to '75' or '6' in the SYSLOG logs (informational mode).
How do I tell the firewall about the '75' address beyond the NATing that I have done? Why does it not see any traffic to this address?
Please assist.
MY FIREWALL CONFIGURATION STANDS THUS (addresses scribbled):
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password fXBaKv0kM.YTrfs encrypted
names
name BB.CCC.0.0 ServerFarm
dns-guard
!
interface GigabitEthernet0/0
nameif External01
security-level 0
ip address AAA.XX.YYY.74 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif DMZ
security-level 10
ip address X.X.X.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif FW-FW
security-level 100
ip address 5.5.5.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup External01
dns domain-lookup DMZ
dns domain-lookup FW-FW
dns name-server AAA.XX.YYY.69
dns name-server AAA.PPP.QQQ.10
dns name-server AAA.PPP.QQQ.20
dns name-server BB.CCC.0.31
dns name-server X.X.X.6
object-group service DMZCommon tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq domain
object-group service Common tcp
description Common
group-object DMZCommon
port-object eq ldap
port-object eq netbios-ssn
port-object eq pop3
port-object eq aol
port-object eq gopher
port-object eq https
port-object eq nntp
port-object eq telnet
port-object eq uucp
port-object eq hostname
port-object eq ident
port-object eq ftp
port-object eq smtp
port-object eq login
port-object eq ssh
port-object eq imap4
port-object eq sqlnet
port-object eq rsh
port-object eq www
port-object eq kerberos
port-object eq echo
port-object eq ldaps
port-object eq daytime
port-object eq domain
object-group service CommonTCPUDP tcp-udp
port-object eq echo
port-object eq kerberos
port-object eq www
port-object eq discard
port-object eq domain
port-object eq cifs
object-group service Exchsrvr tcp-udp
port-object range 443 443
port-object eq www
object-group service wwws tcp
port-object eq www
port-object eq https
access-list Test_access_in extended permit tcp any any
access-list FW-FW_nat0_outbound extended permit ip any any
access-list FW-FW_access_in extended permit ip any any
access-list FW-FW_access_in extended permit tcp host BB.CCC.0.34 host X.X.X.2
access-list FW-FW_access_in extended permit udp host BB.CCC.0.34 any
access-list FW-FW_access_in extended permit tcp host BB.CCC.0.34 host X.X.X.6
access-list FW-FW_access_in extended permit tcp host BB.CCC.0.31 host X.X.X.6
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 eq smtp
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 eq smtp
access-list External01_access_out extended permit udp host AAA.XX.YYY.77 any
access-list External01_access_out extended permit udp host BB.CCC.0.34 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.77 any
access-list External01_access_out extended permit udp host AAA.XX.YYY.75 any
access-list External01_access_out extended permit ip host AAA.XX.YYY.75 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.75 any
access-list External01_access_out extended permit tcp host AAA.XX.YYY.78 any
access-list External01_access_out extended permit udp host AAA.XX.YYY.78 any
access-list DMZ_access_in extended permit udp host X.X.X.2 any
access-list DMZ_access_in extended permit ip host X.X.X.2 host BB.CCC.0.34
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit tcp host X.X.X.2 host BB.CCC.0.34
access-list DMZ_access_in extended permit udp any any
access-list DMZ_access_in extended permit tcp host X.X.X.4 any
access-list DMZ_access_in extended permit udp host X.X.X.4 any
access-list DMZ_access_in extended permit tcp host X.X.X.2 any
access-list DMZ_access_in extended permit tcp host X.X.X.6 host BB.CCC.0.34
access-list DMZ_access_in extended permit tcp host X.X.X.6 host BB.CCC.0.31
access-list DMZ_access_in extended permit tcp host X.X.X.6 any
access-list DMZ_access_in extended permit udp host X.X.X.6 any
access-list FW-FW_access_out extended permit tcp host X.X.X.2 host BB.CCC.0.34
access-list FW-FW_access_out extended permit tcp host X.X.X.6 host BB.CCC.0.34
access-list FW-FW_access_out extended permit tcp host X.X.X.6 host BB.CCC.0.31
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.2
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.6
access-list DMZ_access_out extended permit tcp host BB.CCC.0.31 host X.X.X.6
pager lines 24
logging enable
logging asdm informational
logging facility 23
mtu External01 1500
mtu DMZ 1500
mtu FW-FW 1500
mtu management 1500
no failover
monitor-interface External01
monitor-interface DMZ
monitor-interface FW-FW
monitor-interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (External01) 246 interface
nat (FW-FW) 0 access-list FW-FW_nat0_outbound
nat (FW-FW) 246 BB.CCC.0.31 255.255.255.255
nat (FW-FW) 246 BB.CCC.0.34 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.77 X.X.X.2 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.78 X.X.X.4 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.75 X.X.X.6 netmask 255.255.255.255
access-group External01_access_in in interface External01
access-group External01_access_out out interface External01
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group FW-FW_access_in in interface FW-FW
access-group FW-FW_access_out out interface FW-FW
route External01 0.0.0.0 0.0.0.0 AAA.XX.YYY.73 1
route FW-FW 10.1.0.0 255.255.248.0 5.5.5.2 1
route FW-FW ServerFarm 255.255.255.0 5.5.5.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
ssl encryption des-sha1 rc4-md5
Cryptochecksum:a735be911e9 01ef4ba563 3f3e9fa7f2 9
: end
ASKER
Dear Batry boy,
Can you please indicate what you mean by "access lists applied in both in and out directions"? I thought for each interface I have to specify what's allowed to go in and what allowed to go out, for all interfaces. Please illustrate which traffic flow rule is unnecessary from my rule set. We are certainly not an ISP and require the simplest config that is secure and will work.
In the meantime, I will run the "show xlate" command and let you know the result.
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Yes, there is a correct translation rule for '75'.
ASKER
Dear Batry_boy,
Please allow me time to analyze your solution proposal, test it, and give you feedback. This is really useful information.
Thanks for going out all the way to try and assist me.
ASKER
Dear Batry_boy,
I am happy to inform you that I followed your troubleshooting tips (outbound traffic rules, real time log viewer & packet tracer) and my problem is completely solved. I was able to narrow down issues until I came on top.
Thanks ever so much!
Glad to assist...
Forced accept.
Computer101
EE Admin
I'm betting that the translation is there, but your access rules are blocking the traffic that you are really wanting to allow. If I may ask, why do you have access lists applied in both in and out directions on all interfaces? This overcomplicates your traffic flow rules and is unnecessary in most environments. On a firewall, the only time I can think of when it's been necessary to have both in and out rules on an interface is in an ISP environment, and those are typically complicated.
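The following is an added example of my own, not code from sefika's question or from Batry_boy's reply. It applies the reply's line of reasoning to the configuration posted in the question: it parses the static translations, the extended access-lists and the access-group bindings from a constructed excerpt of the running-config above (the scribbled addresses are kept as opaque tokens), reports which interfaces carry an ACL in both directions, and for each mapped public address lists the ACEs on the outside interface's inbound ACL that would permit a new connection to it, plus the ACEs on the DMZ interface's outbound ACL that would permit delivery to the real address. A static whose mapped address appears in no inbound permit is flagged; in the excerpt that is the '78' address. The example assumes the pre-8.3 ASA convention that the inbound ACL on the outside interface is matched against the mapped (global) address and that an outbound ACL sees the real address on the DMZ side; object-group membership is not expanded, and the function and variable names are mine.

```python
"""Audit Cisco ASA 'static' translations against the access-groups bound
to the interfaces they span (added example, not the page's own code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the running-config from the question.
SAMPLE_CONFIG = """\
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 eq smtp
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.77 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 object-group wwws
access-list External01_access_in extended permit tcp any host AAA.XX.YYY.75 eq smtp
access-list External01_access_out extended permit tcp host AAA.XX.YYY.77 any
access-list External01_access_out extended permit ip host AAA.XX.YYY.75 any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit tcp host BB.CCC.0.34 host X.X.X.6
static (DMZ,External01) AAA.XX.YYY.77 X.X.X.2 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.78 X.X.X.4 netmask 255.255.255.255
static (DMZ,External01) AAA.XX.YYY.75 X.X.X.6 netmask 255.255.255.255
access-group External01_access_in in interface External01
access-group External01_access_out out interface External01
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<mapped>\S+) (?P<real>\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


def _take_addr(tokens, i):
    """Consume one ACE address spec (any | host X | object-group G | net mask)."""
    tok = tokens[i]
    if tok == "any":
        return ("any",), i + 1
    if tok in ("host", "object-group"):
        return (tok, tokens[i + 1]), i + 2
    return ("net", tok, tokens[i + 1]), i + 2


def parse_config(text):
    """Collect statics, extended ACEs per ACL name, and (iface, dir) -> ACL."""
    cfg = {"statics": [], "acls": defaultdict(list), "groups": {}}
    for line in text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            cfg["statics"].append(m.groupdict())
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            acl, direction, iface = m.groups()
            cfg["groups"][(iface, direction)] = acl
            continue
        if line.startswith("access-list ") and " extended " in line:
            tokens = line.split()
            name, action, proto = tokens[1], tokens[3], tokens[4]
            src, i = _take_addr(tokens, 5)
            dst, i = _take_addr(tokens, i)
            cfg["acls"][name].append({"action": action, "proto": proto, "src": src,
                                      "dst": dst, "service": " ".join(tokens[i:]),
                                      "line": line})
    return cfg


def addr_matches(spec, ip):
    """True when an ACE address spec covers the address string ip."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == ip
    if spec[0] == "net":
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(
                f"{spec[1]}/{spec[2]}", strict=False)
        except ValueError:
            return False  # scribbled / non-IP tokens cannot be evaluated
    return False  # object-group membership is not expanded (assumption)


def interfaces_with_both_directions(cfg):
    """Interfaces that carry an access-group in both 'in' and 'out'."""
    dirs = defaultdict(set)
    for iface, direction in cfg["groups"]:
        dirs[iface].add(direction)
    return sorted(i for i, d in dirs.items() if d == {"in", "out"})


def _permits(cfg, iface, direction, dst_ip):
    acl = cfg["groups"].get((iface, direction))
    return [e["line"] for e in cfg["acls"].get(acl, [])
            if e["action"] == "permit" and addr_matches(e["dst"], dst_ip)]


def audit_static(cfg, mapped_ip):
    """Inbound permits on the mapped-side interface (matched against the mapped
    address, pre-8.3 behaviour) and outbound permits on the real-side interface
    (matched against the real address) for one static translation."""
    st = next(s for s in cfg["statics"] if s["mapped"] == mapped_ip)
    return {"real": st["real"],
            "inbound_permits": _permits(cfg, st["mapped_if"], "in", mapped_ip),
            "outbound_permits": _permits(cfg, st["real_if"], "out", st["real"])}


def statics_without_inbound_permit(cfg):
    """Mapped addresses that no inbound ACE on their mapped interface permits."""
    return [s["mapped"] for s in cfg["statics"]
            if not audit_static(cfg, s["mapped"])["inbound_permits"]]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("ACLs in both directions on:", interfaces_with_both_directions(cfg))
    for s in cfg["statics"]:
        r = audit_static(cfg, s["mapped"])
        print(f"{s['mapped']} -> {r['real']}: {len(r['inbound_permits'])} inbound, "
              f"{len(r['outbound_permits'])} outbound permits")
    print("no inbound permit for:", statics_without_inbound_permit(cfg))
```

Run it against a full `show running-config` by replacing `SAMPLE_CONFIG`; on a real unit the same question is answered authoritatively by `packet-tracer input External01 tcp <src> 1025 <mapped> 443`, which the reply also points to, while this script is only a static reading of the rule base.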