Solved

Internet Access Through ASA5510 using PAT having Issues

Posted on 2009-07-03
5
154 Views
Last Modified: 2012-05-07
Hi Team,
Could any one please assist urgently with the Internet Access Issue using ASA5510. It is pretty simple setup but i sem to have been struck with it forever.
Below is the running config, Can you please pick up any mistake and corrective command to get Inetrnet Access working.
Urgent reponse wll be highly appriciated. At the moment i do not have access to the device, so any corrective command would do.
i have picked up Security level is wrong on outside and inside ( should be otehr way around) but getting PAT wrong
===============================

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(3)
!
hostname ASA
domain-name default.domain.invalid

names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 203.x.x.x 255.255.255.252
!
interface Ethernet0/1
 description Inside Network
 nameif inside
 security-level 0
 ip address 10.30.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.50 255.255.255.0
 management-only
!
passwd .2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list out extended permit object-group DM_INLINE_PROTOCOL_1 any 10.30.0.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.30.0.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control

global (outside) 1 interface
nat (inside) 1 10.30.0.0 255.255.255.0 dns outside


access-group out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.27.207.101 1
route inside 10.80.0.0 255.255.0.0 10.30.0.1 1
route inside 10.90.0.0 255.255.0.0 10.30.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ba0d6dba6f69b2ad38c2f5eb63f32d03
: end

=================================
0
Comment
Question by:tariqmansoor
  • 3
  • 2
5 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24772403
Right here:

Change
nat (inside) 1 10.30.0.0 255.255.255.0 dns outside

to
nat (inside) 1 10.30.0.0 255.255.255.0
0
 

Author Comment

by:tariqmansoor
ID: 24772435
Thanks for that, I saw few examples on the net, those suggests
nat (inside) 0.0.0.0 0.0.0.0
Is this correct ? also the command "nat-control" confuses me should it still stay there ?
Thanks,
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24772551
Nat (inside) 0.0.0.0 0.0.0.0 will allow any IP using the inside interface to get NAt'ed outbound.    

This one   "nat (inside) 1 10.30.0.0 255.255.255.0"  will only nat that 1 subnet.  


Nat-Control  requires that packets traversing from an inside interface to an outside interface match a NAT rule.  
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753422


Hope that helps.


0
 

Author Comment

by:tariqmansoor
ID: 24772585
Excellent, thanks for, I will try this and will let you know after i test, as i dont have access to the ASA at the moment, Will have in the morning.
0
 

Author Closing Comment

by:tariqmansoor
ID: 31599557
Great Help...All Worked Good....
Thank You.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now