Solved

CISCO ASA 5505 (NAT)

Posted on 2009-03-31
Last Modified: 2013-11-16
I am trying to use an ASA 5505 on the inside of our network. I have an inside interface IP of 192.168.224.3 and an outside of someone I am trying to translate to of 192.16.1.3. From the ASA I can ping both networks; all I am trying to do is a NAT of one of his IP addresses to mine. For instance, I would like to NAT 192.168.224.34 to 192.16.3.34. The error I get is "No translation group for ICMP src inside." Now on my PIX it was much easier: just use the translation rules and away we went. Any help would be greatly appreciated.
Question by:dwaynem2345
Expert Comment
by:Multipath
What version of the ASA software do you have?

Author Comment
by:dwaynem2345
ASA Version is 7.2(3)
Expert Comment
by:Multipath
Static NAT rule

    pix(config)#static (inside,outside) 192.16.1.X 192.168.224.X netmask 255.255.255.255

The 192.16.1.x is an address on the outside of your ASA that is not in use, as your traffic will become that IP outside the ASA. The 192.168.224.x will be your IP on the inside of the ASA.

Ping inside

    pix(config)#access-list 101 permit icmp any host 192.168.1.5 echo
    pix(config)#access-group 101 in interface outside

The "in interface outside" needs the outside interface name in place of outside. (See bottom)

Pings Outbound

    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any source-quench
    access-list 101 permit icmp any any unreachable  
    access-list 101 permit icmp any any time-exceeded
    access-group 101 in interface outside

The "in interface outside" needs the interface name in place of outside.

For example, if your outside interface is named outside (this is the default) then the commands are as is; if the outside interface is named "internet" then the command would be as follows.

     access-group 101 in interface internet



Author Comment
by:dwaynem2345
Two questions: would I have to build a static NAT rule for each and every device on his side? There are about 10 of them. Also, what is the 192.16.1.5 echo for?
Expert Comment
by:Multipath
The echo is to let the ping out; this is a requirement new to the ASA, to allow the echo for the request to pass through. If you would like, you can set it up via routing instead of NAT; this is an easier setup for internal use. Some older, militant people will say that is not as secure, but in all honesty NAT is not really a security technology anymore. To do a routing setup, all you would have to do is place a route in your core that points his network to the outside interface of the firewall, then simply apply access rules to the firewall for traffic both in and out.

Author Comment
by:dwaynem2345
Well, they would like me to use NAT. When I go to ping from a 192.168.224.X address to 192.168.224.34, for which I set up a static NAT rule to 192.16.3.34, I get "denied inbound ICMP src" as my error.
Expert Comment
by:Multipath
Have you placed the following in?

Pings Outbound

    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any source-quench
    access-list 101 permit icmp any any unreachable  
    access-list 101 permit icmp any any time-exceeded
    access-group 101 in interface outside

Author Comment
by:dwaynem2345
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.224.3 255.255.255.0
!
interface Vlan12
 nameif outside
 security-level 0
 ip address 192.16.1.3 255.255.252.0
!
interface Ethernet0/0
 switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd F7k5Gq1Qw1qGAE9V encrypted
banner login Welcome to Centrex Clinical Labs
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name centrexlabs.com
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any eq echo any eq echo
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
static (inside,outside) 192.16.3.34 192.168.224.34 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group 101 in interface outside
route inside 192.168.249.0 255.255.255.0 192.168.224.1 1
route inside 192.168.253.0 255.255.255.0 192.168.224.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.224.0 255.255.255.0 inside
http 192.168.249.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.224.0 255.255.255.0 inside
telnet 192.168.249.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.224.4-192.168.224.131 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username dwaynem password zSvnKNR38Nm9Ccz6 encrypted privilege 15
username stevew password ruMPhreKceARbvCZ encrypted privilege 15
prompt hostname context
Cryptochecksum:8ca207033a3375d72d6539fb296f99b5
: end


Here is my CLI.
Expert Comment
by:Multipath
Can you do a show access-list and see which ACLs for ICMP have been hit?

Author Comment
by:dwaynem2345
Result of the command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_access_out; 4 elements
access-list inside_access_out line 1 extended permit tcp any any (hitcnt=0) 0x5e231c28
access-list inside_access_out line 2 extended permit udp any any (hitcnt=6) 0x9c2207a6
access-list inside_access_out line 3 extended permit icmp any any (hitcnt=0) 0x4416cbd7
access-list inside_access_out line 4 extended permit icmp any any echo-reply (hitcnt=0) 0xcfc3bf0f
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x71af81e1
access-list outside_access_in line 2 extended permit udp any any (hitcnt=1196) 0x7833b6a0
access-list outside_access_in line 3 extended permit ip any any (hitcnt=0) 0x7e78c5c4
access-list outside_access_in line 4 extended permit icmp any any echo-reply (hitcnt=0) 0x54b872f3
access-list inside_access_in; 6 elements
access-list inside_access_in line 1 extended permit icmp any any (hitcnt=24) 0xd6183fb5
access-list inside_access_in line 2 extended permit udp any any (hitcnt=0) 0xbe4631fd
access-list inside_access_in line 3 extended permit tcp any any (hitcnt=3) 0x60587b1a
access-list inside_access_in line 4 extended permit tcp any eq echo any eq echo (hitcnt=0) 0x58ebfc68
access-list inside_access_in line 5 extended permit ip any any (hitcnt=0) 0xa925365e
access-list inside_access_in line 6 extended permit icmp any any echo-reply (hitcnt=0) 0xb2f4960f
access-list 101; 4 elements
access-list 101 line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x030901cd
access-list 101 line 2 extended permit icmp any any source-quench (hitcnt=0) 0x8bddfde8
access-list 101 line 3 extended permit icmp any any unreachable (hitcnt=0) 0x89d18f69
access-list 101 line 4 extended permit icmp any any time-exceeded (hitcnt=0) 0x12127ce7
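The expert's question is how ACL problems get localized on an ASA: the (hitcnt=N) counters in the show access-list output tell you which entries traffic is actually matching, and in the output posted above ACL 101, the list bound to the outside interface, shows zero hits on every line. The following Python parser is an added example and not part of the thread; its SAMPLE_OUTPUT is a constructed, abridged copy of the posted output in the ASA 7.2 format. It lists the entries that have been hit, optionally for one protocol, and the ACLs that have never matched anything.

```python
"""Parse ASA `show access-list` output and report which entries traffic has matched.

Added example, not from the thread. SAMPLE_OUTPUT is a constructed, abridged copy
of the output the asker posted above (ASA 7.2 format, one ACE per line).
"""
import re
from collections import defaultdict

# e.g. "access-list 101 line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x030901cd"
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)"
)

SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x71af81e1
access-list outside_access_in line 2 extended permit udp any any (hitcnt=1196) 0x7833b6a0
access-list inside_access_in; 2 elements
access-list inside_access_in line 1 extended permit icmp any any (hitcnt=24) 0xd6183fb5
access-list inside_access_in line 2 extended permit tcp any any (hitcnt=3) 0x60587b1a
access-list 101; 2 elements
access-list 101 line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x030901cd
access-list 101 line 2 extended permit icmp any any unreachable (hitcnt=0) 0x89d18f69
"""


def parse_show_access_list(text):
    """Return {acl_name: [{'line', 'action', 'proto', 'rest', 'hits'}, ...]}."""
    acls = defaultdict(list)
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # header and summary lines carry no per-entry counters
        acls[m["acl"]].append({
            "line": int(m["line"]),
            "action": m["action"],
            "proto": m["proto"],
            "rest": m["rest"].strip(),
            "hits": int(m["hits"]),
        })
    return dict(acls)


def hit_entries(acls, proto=None):
    """(acl, line, ace text, hits) for every entry with hitcnt > 0, optionally
    restricted to one protocol such as 'icmp'."""
    out = []
    for name, aces in acls.items():
        for a in aces:
            if a["hits"] > 0 and (proto is None or a["proto"] == proto):
                out.append((name, a["line"], f"{a['action']} {a['proto']} {a['rest']}", a["hits"]))
    return out


def unhit_acls(acls):
    """ACLs in which no entry has ever matched. A list that is bound to an
    interface yet shows zero hits everywhere is not seeing the traffic at all
    (wrong interface or direction, or the binding was replaced)."""
    return sorted(n for n, aces in acls.items() if all(a["hits"] == 0 for a in aces))


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_OUTPUT)
    for acl, line, text, hits in hit_entries(parsed, "icmp"):
        print(f"{acl} line {line}: {text} -> {hits} hits")
    print("ACLs with no hits at all:", unhit_acls(parsed))
```

Pipe the real output in place of SAMPLE_OUTPUT (for example from an SSH session log) and compare the unhit list against the access-group lines of the running-config: a bound ACL with no hits points at the binding, not at the individual entries.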
Accepted Solution
by: Multipath earned 500 total points
For conformity, let's change all

access-list 101
to
access-list outside_access_in


and change

access-group 101 in interface outside
to
access-group outside_access_in in interface outside

then repost the config output.
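The accepted fix folds ACL 101 into outside_access_in because the ASA binds exactly one access list per interface and direction: while access-group 101 held the outside/in slot, outside_access_in was defined in the posted config but not in effect. The script below is an added example, not part of the thread and not a Cisco tool. POSTED_CONFIG is a constructed, abridged copy of the asker's first running-config, and merge_acl() performs the accepted answer's rename so the findings before and after can be compared. It also runs the checks a reviewer would want on this config: that each static's mapped and real addresses sit in the subnet of the interface they belong to, that no ACL bound inbound on the security-level 0 interface contains permit ip any any, and that telnet management is not enabled.

```python
"""Lint an ASA 7.2 running-config for the issues discussed in this thread.

Added example, not from the thread or from Cisco. POSTED_CONFIG is a constructed,
abridged copy of the asker's first config (ACL 101 still bound on outside);
merge_acl() applies the accepted answer's rename so the findings can be compared.
"""
import ipaddress
import re
from collections import defaultdict

POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.224.3 255.255.255.0
interface Vlan12
 nameif outside
 security-level 0
 ip address 192.16.1.3 255.255.252.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list 101 extended permit icmp any any echo-reply
nat-control
static (inside,outside) 192.16.3.34 192.168.224.34 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 101 in interface outside
telnet 192.168.224.0 255.255.255.0 inside
"""
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_asa_config(text):
    """Pull out interfaces, ACL entries, access-group bindings, statics and telnet lines."""
    cfg = {"ifaces": {}, "acls": defaultdict(list), "groups": [], "statics": [], "telnet": []}
    cur = None  # interface block currently being read
    for line in text.splitlines():
        f = line.split()
        if line.startswith("interface "):
            cur = {"security": None, "net": None}
        elif line.startswith(" ") and cur is not None and f:
            if f[0] == "nameif":
                cfg["ifaces"][f[1]] = cur
            elif f[0] == "security-level":
                cur["security"] = int(f[1])
            elif f[:2] == ["ip", "address"]:  # dotted netmask form
                cur["net"] = ipaddress.ip_interface(f"{f[2]}/{f[3]}")
        else:
            cur = None
            if f[:1] == ["access-list"] and "extended" in f:
                cfg["acls"][f[1]].append(" ".join(f[3:]))  # text after 'extended'
            elif f[:1] == ["access-group"]:
                cfg["groups"].append((f[1], f[2], f[4]))  # (acl, in|out, interface)
            elif f[:1] == ["telnet"] and len(f) == 4:
                cfg["telnet"].append(tuple(f[1:]))  # (network, mask, interface)
            elif (m := STATIC_RE.match(line)):
                cfg["statics"].append(m.groups())  # (real_if, mapped_if, mapped, real, mask)
    return cfg


def lint(cfg):
    """Return human-readable findings for the parsed config."""
    out = []
    slots = defaultdict(list)  # (interface, direction) -> ACLs bound there, in order
    for acl, direction, iface in cfg["groups"]:
        slots[(iface, direction)].append(acl)
        if acl not in cfg["acls"]:
            out.append(f"access-group references undefined ACL {acl}")
    for (iface, direction), acls in slots.items():
        if len(acls) > 1:  # one ACL per interface and direction; the last one entered wins
            out.append(f"{iface}/{direction} bound {len(acls)} times; only {acls[-1]} is in effect")
    bound = {acl for acl, _, _ in cfg["groups"]}
    out += [f"ACL {acl} is defined but not bound to any interface" for acl in cfg["acls"] if acl not in bound]
    for acl, direction, iface in cfg["groups"]:
        sec = cfg["ifaces"].get(iface, {}).get("security")
        if direction == "in" and sec == 0 and "permit ip any any" in cfg["acls"].get(acl, []):
            out.append(f"ACL {acl} inbound on {iface} (security-level 0) permits ip any any: "
                       "every statically translated inside host is reachable on every port")
    for real_if, mapped_if, mapped, real, _mask in cfg["statics"]:
        for name, addr in ((mapped_if, mapped), (real_if, real)):
            net = cfg["ifaces"].get(name, {}).get("net")
            if net is None:
                out.append(f"static references unknown interface {name}")
            elif ipaddress.ip_address(addr) == net.ip:
                out.append(f"static uses the {name} interface address {addr} itself")
            elif ipaddress.ip_address(addr) not in net.network:
                out.append(f"static address {addr} is not in the {name} subnet {net.network}")
    for network, mask, iface in cfg["telnet"]:
        out.append(f"telnet (cleartext) management allowed from {network} {mask} on {iface}; use ssh")
    return out


def merge_acl(text, old, new):
    """The accepted answer as a text transform: rename 'access-list OLD' entries
    and the 'access-group OLD' binding to NEW so the two ACLs become one."""
    return re.sub(rf"^(access-(?:list|group)) {re.escape(old)} ", rf"\1 {new} ", text, flags=re.M)


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_CONFIG),
                        ("after the accepted fix", merge_acl(POSTED_CONFIG, "101", "outside_access_in"))):
        print(f"-- {label} --", *lint(parse_asa_config(text)), sep="\n  ")
```

On the posted config the "not bound" finding disappears after the merge, but a new one appears: outside_access_in carries the permit ip any any entry from the posted config, so once it is bound inbound on outside, every host that has a static is reachable from the outside on every port. The ICMP entries that ping needs are the echo, echo-reply, unreachable and time-exceeded lines; permit ip any any is not required for any of them and should be removed before the merged list goes live.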

Author Comment
by:dwaynem2345
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.224.3 255.255.255.0
!
interface Vlan12
 nameif outside
 security-level 0
 ip address 192.16.1.3 255.255.252.0
!
interface Ethernet0/0
 switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd F7k5Gq1Qw1qGAE9V encrypted
banner login Welcome to Centrex Clinical Labs
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name centrexlabs.com
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any eq echo any eq echo
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
static (inside,outside) 192.16.3.34 192.168.224.34 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route inside 192.168.249.0 255.255.255.0 192.168.224.1 1
route inside 192.168.253.0 255.255.255.0 192.168.224.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.224.0 255.255.255.0 inside
http 192.168.249.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.224.0 255.255.255.0 inside
telnet 192.168.249.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.224.4-192.168.224.131 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username dwaynem password zSvnKNR38Nm9Ccz6 encrypted privilege 15
username stevew password ruMPhreKceARbvCZ encrypted privilege 15
prompt hostname context
Cryptochecksum:c46b000d4849d45c05fcfaa57ef5df51
: end