Solved

ASA5505 Routing - NAT issue

Posted on 2008-06-17
Last Modified: 2010-04-21
I have an ASA5505 running 7.2.3 sitting in front of a web/mail/name server, and I am having trouble understanding the NAT & routing in ASA parlance. New here at EE, so apologies if I goof something!

The topology is:


COLO SWITCH ----------------------------------
                        226.16.255.97 / 255.255.255.252
                        -------|--------------------------
                                 |
                                 |
                      --------|-------------------------
ASA OUTSIDE  226.16.255.98 / 255.255.255.252  + 226.16.255.105/29 [Webserver service IP's]
                                 |
ASA INSIDE   172.16.7.1 / 255.255.255.0
                     ---------|-------------------------
                                 |
                                 |
                     ---------|--------------------------
WEB SERVER  172.16.7.2-172.16.7.10 / 24
                     ------------------------------------

What is happening is everything works, EXCEPT that I cannot ping my /29 block of IP's, when I could in the lab/staging before installing at the ISP. The main change is that the ASA outside IP was incorrectly thought to be the gateway, with the first IP in the /29 block being set as the outside IP. (Learned of the discrepancy on site, which is always fun!)

I changed the addressing so that the ASA can get out, and I can get into it. I can RDP to the server, and from the server I can get out to the Internet, except pings, but that is an ACL issue I believe.

[4  Jun 18 2008      00:00:52 106023      72.14.207.99 EXT-FW-COLO Deny icmp src outside:72.14.207.99 dst inside:EXT-FW-COLO (type 0, code 0) by access-group "incoming-colo-prod" [0x0, 0x0]

The bigger and more disturbing issue is that when I ping one of the outside /29 block [226.16.255.105-110] IP's I see in ASDM these errors in orange:

[3 Jun 18 2008      00:03:39 305005      EXT-IP1-COLO  No translation group found for icmp src outside:66.69.x.x dst inside:EXT-IP1-COLO (type 8, code 0)]

The 66.69.x.x being the remote office connection. If I ping the outside IP that is bound to the interface [226.16.255.98], I get builds and teardowns and all is well. I can hit web pages served on the server using the appropriate outside IP, etc. But something does not seem right though.

Having to add the 226.16.255.98 IP with a different mask than the 226.16.255.105-110 block was not expected and this is where I am having issues with the ASA.

Here is the config. If anyone sees what the deal is I would sure appreciate it!

Points will be promptly awarded!

ASA Version 7.2(3)
!
hostname ASA5505-COLO1
enable password Q/LhPHlq124pF3nkrq8 encrypted
names
name 172.16.7.1 INT-FW description OT-ASA5505  <-- this still needs to be changed as it was what I thought was supposed to be the ASA inside IP
name 172.16.7.2 INT-IP2-SVR1 description OT-WEB1-DL160G5-DNS 1
name 172.16.7.3 INT-IP3-SVR1 description OT-WEB1-DL160G5-Web Server 1
name 172.16.7.4 INT-IP4-SVR1 description OT-WEB1-DL160G5-Mail Server 1
name 172.16.7.5 INT-IP5-SVR1 description OT-WEB1-DL160G5-Web Server 2
name 172.16.7.6 INT-IP6-SVR1 description OT-WEB1-DL160G5-DNS 2
name 172.16.7.254 INT-iLO description DL160G5 iLO Port
name 226.16.255.105 EXT-IP1-COLO description Firewall-SSH
name 226.16.255.106 EXT-IP2-COLO description NAMESVR1-DOMAIN-STATS-SSL
name 226.16.255.107 EXT-IP3-COLO description WEBSVR1_PRIVATE-HTTP-SSL
name 226.16.255.108 EXT-IP4-COLO description MAILSVR1-SMTP-POP3-SSL-HTTP
name 226.16.255.109 EXT-IP5-COLO description WEBSVR1_PUBLIC-HTTP-SSL
name 226.16.255.110 EXT-IP6-COLO description NAMESVR2-DOMAIN-HTTP-SSL-RDP
name 226.16.255.98 EXT-FW-COLO description ASA Firewall-SSH
!
interface Vlan1
 nameif inside
 security-level 100
 ip address INT-FW 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address EXT-FW-COLO 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif inside-protected
 security-level 50
 ip address 172.16.107.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!            
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnb3456IdI.22KYOU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list incoming-colo-prod extended permit tcp any host EXT-IP1-COLO eq ssh
access-list incoming-colo-prod extended permit tcp any host EXT-IP1-COLO eq https
access-list incoming-colo-prod extended permit tcp any host EXT-IP1-COLO eq 3389
access-list incoming-colo-prod extended permit icmp any host EXT-IP1-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-IP1-COLO echo-reply
access-list incoming-colo-prod extended permit tcp any host EXT-IP2-COLO eq www
access-list incoming-colo-prod extended permit udp any host EXT-IP2-COLO eq domain
access-list incoming-colo-prod extended permit tcp any host EXT-IP2-COLO eq ftp
access-list incoming-colo-prod extended permit tcp any host EXT-IP2-COLO eq 3389
access-list incoming-colo-prod extended permit icmp any host EXT-IP2-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-IP2-COLO echo-reply
access-list incoming-colo-prod extended permit tcp any host EXT-IP3-COLO eq www
access-list incoming-colo-prod extended permit tcp any host EXT-IP3-COLO eq https
access-list incoming-colo-prod extended permit icmp any host EXT-IP3-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-IP3-COLO echo-reply
access-list incoming-colo-prod extended permit tcp any host EXT-IP4-COLO eq smtp
access-list incoming-colo-prod extended permit tcp any host EXT-IP4-COLO eq pop3
access-list incoming-colo-prod extended permit tcp any host EXT-IP4-COLO eq www
access-list incoming-colo-prod extended permit tcp any host EXT-IP4-COLO eq https
access-list incoming-colo-prod extended permit icmp any host EXT-IP4-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-IP4-COLO echo-reply
access-list incoming-colo-prod extended permit tcp any host EXT-IP5-COLO eq www
access-list incoming-colo-prod extended permit tcp any host EXT-IP5-COLO eq https
access-list incoming-colo-prod extended permit icmp any host EXT-IP5-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-IP5-COLO echo-reply
access-list incoming-colo-prod extended permit udp any host EXT-IP6-COLO eq domain
access-list incoming-colo-prod extended permit tcp any host EXT-IP6-COLO eq www
access-list incoming-colo-prod extended permit tcp any host EXT-IP6-COLO eq https
access-list incoming-colo-prod extended permit icmp any host EXT-IP6-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-IP6-COLO echo-reply
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside-protected 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp EXT-IP1-COLO ssh INT-FW ssh netmask 255.255.255.255
static (inside,outside) tcp EXT-IP1-COLO https INT-FW https netmask 255.255.255.255
static (inside,outside) tcp EXT-IP2-COLO www INT-IP2-SVR1 www netmask 255.255.255.255
static (inside,outside) tcp EXT-IP2-COLO ftp INT-IP2-SVR1 ftp netmask 255.255.255.255
static (inside,outside) tcp EXT-IP2-COLO 3389 INT-IP2-SVR1 3389 netmask 255.255.255.255
static (inside,outside) tcp EXT-IP3-COLO www INT-IP3-SVR1 www netmask 255.255.255.255
static (inside,outside) tcp EXT-IP3-COLO https INT-IP3-SVR1 https netmask 255.255.255.255
static (inside,outside) tcp EXT-IP4-COLO smtp INT-IP4-SVR1 smtp netmask 255.255.255.255
static (inside,outside) tcp EXT-IP4-COLO pop3 INT-IP4-SVR1 pop3 netmask 255.255.255.255
static (inside,outside) tcp EXT-IP4-COLO www INT-IP4-SVR1 www netmask 255.255.255.255
static (inside,outside) tcp EXT-IP4-COLO https INT-IP4-SVR1 https netmask 255.255.255.255
static (inside,outside) tcp EXT-IP5-COLO www INT-IP5-SVR1 www netmask 255.255.255.255
static (inside,outside) tcp EXT-IP5-COLO https INT-IP5-SVR1 https netmask 255.255.255.255
static (inside,outside) udp EXT-IP6-COLO domain INT-IP6-SVR1 domain netmask 255.255.255.255
static (inside,outside) tcp EXT-IP6-COLO www INT-IP6-SVR1 www netmask 255.255.255.255
static (inside,outside) tcp EXT-IP6-COLO https INT-iLO https netmask 255.255.255.255
static (inside,outside) udp EXT-IP2-COLO domain INT-IP2-SVR1 domain netmask 255.255.255.255  dns
access-group incoming-colo-prod in interface outside
route inside 226.16.255.104 255.255.255.248 EXT-FW-COLO 1
route outside 0.0.0.0 0.0.0.0 226.16.255.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 226.16.255.0 255.255.255.0 outside
http 172.16.107.0 255.255.255.0 inside-protected
http 172.16.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.16.7.0 255.255.255.0 inside
ssh 226.16.255.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.107.0 255.255.255.0 inside-protected
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.107.2-172.16.107.4 inside-protected
dhcpd enable inside-protected
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 198.247.173.220
ntp server 216.27.185.42
ntp server 68.227.90.101
username rward password 4gs7ydei3s8FGTiuuCWbFIJ encrypted privilege 15
smtp-server 172.16.7.4
prompt hostname context
Cryptochecksum:0c73945b3b12431c8062a59b9789f79a09d229
: end

------

ASA5505-COLO1# sh route

Gateway of last resort is 226.16.255.97 to network 0.0.0.0

C    226.16.255.96 255.255.255.252 is directly connected, outside
S    226.16.255.104 255.255.255.248 [1/0] via EXT-FW-COLO, inside
C    172.16.7.0 255.255.255.0 is directly connected, inside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
S*   0.0.0.0 0.0.0.0 [1/0] via 226.16.255.97, outside

--------

TIA!
Ron

Question by:RonOrb

8 Comments

Expert Comment

by:debuggerau
ID: 21810448
You have the inside access lists, i.e.:
access-list incoming-colo-prod extended permit icmp any host EXT-IP1-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-IP1-COLO echo-reply
access-group incoming-colo-prod in interface outside

But no access lists nor access groups for the inside...
as in
access-group outgoing-colo-prod in interface inside

Were they not pasted in? As I can't see how it's working as you described without it.
Please post the rest.

Author Comment

by:RonOrb
ID: 21810538
Nope that is the whole config minus the domain name info and banner.

The EXT-IP1-COLO is from the colo allocated /29 block that sits on the outside interface in addition to the EXT-FW-COLO /30 IP address. I am used to routers, so I might have some of the concepts wrong with the ASA, but I have my externally routable IP's on the outside interface, which is where I block/allow with the ACL. Once traffic is allowed, the static nat statements send it to the appropriate internal IP.

You do bring up a good point, which is I have no ACL for the EXT-FW-COLO IP, so I am assuming that everything is hitting this IP, which is why the pings are successful when sent. I wasn't planning for the EXT-FW-COLO IP actually being on the ASA (as mentioned in the above post) and thus it was not written. Does that make sense?


Expert Comment

by:JFrederick29
ID: 21811871
This is actually normal behavior as you are only "Natting" the TCP ports you want forwarded to the server (not ICMP), which is why you are unable to ping the server. If you were to set up a 1 to 1 static for a server like below, you would be able to ping them from the Internet (if allowed by the ACL).

static (inside,outside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255

If you want to allow your servers to ping hosts on the outside, add this to your ACL:

access-list incoming-colo-prod extended permit icmp any any echo-reply

Author Comment

by:RonOrb
ID: 21817344
I thought since the ACL already had for each IP:
access-list incoming-colo-prod extended permit icmp any host EXT-IP2-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-IP2-COLO echo-reply

that it would allow the ICMP. What I did not have and you clued me in here is this:
access-list incoming-colo-prod extended permit icmp any host EXT-FW-COLO echo
access-list incoming-colo-prod extended permit icmp any host EXT-FW-COLO echo-reply

which is the outside IP of the ASA. (You can't do 'secondary' in the ASA so I can't really say primary or first IP, just the outside IP. )

So this is starting to make sense: the /29 block of addresses then really aren't on the outside interface, but behind the .98 / EXT-FW-COLO address. Or should I change my route for the /29 block to go straight to the colo gateway - 226.16.255.97/30? And could this be the reason when I ping from beyond the colo it fails to any external IP other than EXT-FW-COLO and its gateway? ASDM displays:

3      Jun 18 2008      16:15:29      305005      EXT-IP1-COLO             No translation group found for icmp src outside:66.69.xx.xx dst inside:EXT-IP1-COLO (type 8, code 0)

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 21818331
No, like I mentioned before, it's because you are only translating per port.

For example:
static (inside,outside) tcp EXT-IP1-COLO https INT-FW https netmask 255.255.255.255  <--only 443 is translated (not ICMP)

When an external host connects to EXT-IP1-COLO on 443 (HTTPS), traffic is forwarded to INT-FW, likewise, when INT-FW sends return traffic on 443, it is translated to EXT-IP1-COLO when traversing the ASA.  When INT-FW pings something external, there is no static translation since you are only doing translation on specific ports and therefore it falls under the global PAT rule and is translated to the outside interface IP address.

If you were to map one of your public IP's to INT-FW in a 1 to 1 fashion (see below), all traffic is translated and therefore when you ping'd something external it would be translated to the public IP mapped to it.

static (inside,outside) 1.1.1.1 192.168.10.10 netmask 255.255.255.255  <--all traffic is translated

You are receiving the "no translation group" message since you are allowing ICMP echo (pings from the outside) but do not have a static translation for ICMP (just https, ssh, etc..)

Let me know if it still doesn't make sense and I'll try to clarify further.
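As an added example (not code from the thread, from Cisco, or from the ASA itself), this Python model encodes the rule the accepted answer describes: a port-level static only matches its own protocol and port, a 1:1 static matches every protocol, an inbound packet with no matching static is dropped with the 305005 message, and an inside host with no matching static falls through to the interface PAT rule. Address names mirror the poster's config; the remote source address 203.0.113.5 and the log text are constructed, and the outside ACL check is deliberately left out of the model.

```python
# Added example (not from the thread): a model of the ASA 7.2 translation
# lookup for the poster's setup. Port-level statics match only their
# protocol/port; a 1:1 static matches every protocol. Addresses mirror the
# config above; the 305005 text is a constructed approximation of the ASDM
# lines in the thread, and ACL evaluation is outside this model.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    mapped: str                   # public address on the outside side
    real: str                     # inside address
    proto: Optional[str] = None   # None: 1:1 static (all protocols, all ports)
    port: Optional[int] = None    # set only for port-level (PAT) statics

    def matches(self, proto: str, port: Optional[int]) -> bool:
        return self.proto is None or (self.proto == proto and self.port == port)


# Port-level statics as in the poster's config (EXT-IP1-COLO -> INT-FW).
PORT_STATICS: List[Static] = [
    Static("226.16.255.105", "172.16.7.1", "tcp", 22),
    Static("226.16.255.105", "172.16.7.1", "tcp", 443),
]
# The 1:1 alternative the accepted answer proposes for the same pair.
ONE_TO_ONE: List[Static] = [Static("226.16.255.105", "172.16.7.1")]
OUTSIDE_IF = "226.16.255.98"      # EXT-FW-COLO, used by 'global (outside) 1 interface'


def inbound(statics: List[Static], proto: str, src: str, dst: str,
            dport: Optional[int] = None) -> Tuple[str, str]:
    """Untranslate an inbound packet: (action, inside address or log text)."""
    for s in statics:
        if s.mapped == dst and s.matches(proto, dport):
            return ("forward", s.real)
    return ("drop", f"305005 No translation group found for {proto} "
                    f"src outside:{src} dst inside:{dst}")


def outbound(statics: List[Static], proto: str, src: str,
             sport: Optional[int] = None) -> str:
    """Pick the source address an inside host appears as on the outside."""
    for s in statics:
        if s.real == src and s.matches(proto, sport):
            return s.mapped           # a matching static wins over the dynamic rule
    return OUTSIDE_IF                 # falls to nat/global 1: PAT to the interface IP


if __name__ == "__main__":
    remote = "203.0.113.5"            # constructed stand-in for the remote office
    print(inbound(PORT_STATICS, "tcp", remote, "226.16.255.105", 443))
    print(inbound(PORT_STATICS, "icmp", remote, "226.16.255.105"))
    print(inbound(ONE_TO_ONE, "icmp", remote, "226.16.255.105"))
    print(outbound(PORT_STATICS, "icmp", "172.16.7.1"))
    print(outbound(ONE_TO_ONE, "icmp", "172.16.7.1"))
```

The second inbound call reproduces the orange 305005 line the poster saw; swapping in the 1:1 static makes the same ping translate, which is the change the accepted answer suggests.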

Author Comment

by:RonOrb
ID: 21818423
No that makes sense. I am apparently fuzzy on NPAT and how it actually works. I will try it out using just NAT and not NPAT and report back. Your explanation is great, I was under the impression that I was adding extra inspection on the static statements by specifying ports, but still getting the NAT functionality. This doesn't seem to be the case after all.

Maybe that is why my dns rewrites aren't working either.

Author Comment

by:RonOrb
ID: 21819004
Yeah, that worked. My dns rewrite is still not working, but that is another possible thread as I was just focused on the NAT trans issue. Thanks, this was very helpful in understanding my new ASA better!

Author Closing Comment

by:RonOrb
ID: 31468233
Thanks again, first time using EE so I hope I did everything right regarding this point system and assigning of same.