Solved

NAT Config with Multiple Public IPs through ASA

Posted on 2010-09-22
Last Modified: 2012-05-10
Hi Team,

I have configured a Cisco ASA with the below configuration. Can someone please have a look into this in case I have misconfigured NAT by any chance? This will go into production and I just wanted to make sure everything is configured properly.

I want to make sure that:

- INSIDE LAN goes out to the internet on x.x.x.196
- DMZ LAN goes out to the internet with x.x.x.197
- CLIENT-A-Pilot can be accessed from outside on IP address x.x.x.198 on ports 80, 443 and 3389

With the below config, is this possible?

=========================================


:
ASA Version 8.2(1)
!


names
name 192.168.0.151 ABC-App description ABC-App Server
name 192.168.0.77 ABC-Webserver description ABC Web Server Ip Address
name 192.168.0.76 ABC-esx description ABC-ESX Server Ip Address
name 10.10.10.10 CLIENT-A-Pilot description CLIENT-A-Pilot Server
name 10.10.10.11 CLIENT-A-NAS description CLIENT-ACisco NAS Device
name 192.168.0.0 dmz description DMZ LAN
name 10.10.10.0 inside description Inside LAN
name x.x.x.192 internet description Outside Network
name 10.100.100.0 managment description Managenet LAN
!
interface GigabitEthernet0/0
 description Connection to the Internet
 nameif outside
 security-level 100
 ip address x.x.x.196 255.255.255.240
!
interface GigabitEthernet0/1
 description Inside Interface
 nameif inside
 security-level 0
 ip address 10.10.10.254 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ Interface
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 description Not In Use Interface
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Managemen Interface
 nameif management
 security-level 100
 ip address 10.100.100.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq telnet
access-list inside_access_in remark Access to Internet
access-list inside_access_in extended permit ip any any
access-list dmz_access_in remark Access to Internet
access-list dmz_access_in extended permit ip any any
access-list outside_access_in remark Access from Outside to CLIENT-A Pilot Server
access-list outside_access_in extended permit tcp any host CLIENT-A-Pilot object-group DM_INLINE_TCP_1
access-list outside_access_in remark Management Access from Outside
access-list outside_access_in extended permit tcp any managment 255.255.255.0 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip any dmz 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.197 netmask 255.255.255.240
nat (inside) 0 inside 255.255.255.0
nat (dmz) 1 dmz 255.255.255.0 outside
static (inside,outside) tcp x.x.x.198 3389 CLIENT-A-Pilot 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 https CLIENT-A-Pilot https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 www CLIENT-A-Pilot www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
end

================================================================


Question by:aspiremsp
16 Comments

Expert Comment

by:piwowarc
ID: 33741442
Looks OK to me apart from

nat (inside) 0 inside 255.255.255.0

This command should not work (it is not recognized by my ASA 5505). You should put an access list or IP range which should not be NATted. Besides, I don't see a statement which NATs your LAN to the WAN (xx.197):

nat (inside) ................

HTH

Chris


Expert Comment

by:piwowarc
ID: 33741449
I meant

nat (inside) 1 [ACCESS-list or IP range]

HTH

Chris

Author Comment

by:aspiremsp
ID: 33741513
I think what you mention is possible as well, but I want to control the ACLs, and I think it is possible to do the NAT without having to mention the ACL.
NAT now looks like below:
===============================

global (outside) 1 x.x.x.197 netmask 255.255.255.240
global (outside) 2 interface
nat (inside) 2 inside 255.255.255.0 outside
static (inside,outside) tcp x.x.x.198 3389 ABC-Pilot 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 https ABC-Pilot https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 www ABC-Pilot www netmask 255.255.255.255
====================================

and ACLS

access-list inside_access_in remark Access to Internet
access-list inside_access_in extended permit ip inside 255.255.255.0 any

Expert Comment

by:piwowarc
ID: 33741609
So now I see your full config. And now you are NATting (nat 2); in your previous config you didn't (nat 0). Still, your access list is named "inside_access_in" and in the nat statement you have only "inside".

IMHO for the ASA, "inside" is the name of the interface, not the name of an access list with IP statements.

Here is an example from Cisco:

access-list WEB permit tcp 10.0.0.0 255.0.0.0 172.30.1.11 255.255.255.255 eq 80
access-list TELNET permit tcp 10.0.0.0 255.0.0.0 172.30.1.11 255.255.255.255 eq 23

nat (inside) 1 access-list WEB
nat (inside) 2 access-list TELNET
global (outside) 1 209.165.201.3 255.255.255.224
global (outside) 2 209.165.201.4 255.255.255.224

From the web page:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml

HTH

Chris

Expert Comment

by:nodisco
ID: 33742214
You don't need to do identity or policy NAT to go out on the internet; you can just use nat and global statements as you have done.

e.g.
global (outside) 1 x.x.x.197 netmask 255.255.255.240
global (outside) 2 interface
nat (inside) 2 inside 255.255.255.0 outside
nat (dmz) 1 dmz 255.255.255.0 outside

As regards the public translation:

You currently have the static correct, but you have the outside access-list referencing the DMZ address of the CLIENT-A-Pilot machine. You need to specify the external address.
e.g.
You have:
access-list outside_access_in extended permit tcp any host CLIENT-A-Pilot object-group DM_INLINE_TCP_1
What you should have:
access-list outside_access_in extended permit tcp any host x.x.x.198 object-group DM_INLINE_TCP_1

Also, this line is doing nothing either, as it relates to a DMZ range but is specified on the outside:
access-list outside_access_in extended permit ip any dmz 255.255.255.0

You can remove this.

hth

Expert Comment

by:nodisco
ID: 33742232
Also, to clarify:

nat (inside) 0 inside 255.255.255.0

The reason this wouldn't work on another ASA is that the word "inside" is named in this config to relate to the inside network,

i.e.
name 10.10.10.0 inside description Inside LAN

Expert Comment

by:anand_mj
ID: 33742786
The command nat-inside on the internal and DMZ interfaces and nat-outside on the external (Internet-facing) interface is required.
Author Comment

by:aspiremsp
ID: 33766882
Hi All,

I have connected this ASA in production and all hosts from inside can go out fine with the above config.
I just cannot access the hosts from outside on the specified ports.
I have updated the static NAT but it does not seem to work.
Can you please assist?

Expert Comment

by:nodisco
ID: 33766888
Can you type

clear xlate

and then try again. If it doesn't work, please post the config.

Cheers
Author Comment

by:aspiremsp
ID: 33766893
Thanks. Please find the config and NATs below:

name 10.10.10.10 ABA-Pilot description ABA-Pilot Server
name 10.10.10.11 ABA-NAS description ABACisco NAS Device
name 192.168.0.0 dmz description DMZ LAN
name 10.10.10.0 inside description Inside LAN
name x.x.x.192 internet description Outside Network
name 10.100.100.0 managment description Managenet LAN
!
interface GigabitEthernet0/0
 description Connection to the Internet
 nameif outside
 security-level 100
 ip address x.x.x.196 255.255.255.240
!
interface GigabitEthernet0/1
 description Inside Interface
 nameif inside
 security-level 0
 ip address 10.10.10.254 255.255.255.0
!
access-list inside_access_in remark Access to Internet
access-list inside_access_in extended permit ip inside 255.255.255.0 any
access-list dmz_access_in remark Access to Internet
access-list dmz_access_in extended permit ip dmz 255.255.255.0 any
access-list outside_access_in extended permit icmp any host ABA-Pilot
access-list outside_access_in extended permit tcp any host ABA-NAS object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host ABA-Pilot object-group ABA-pilot
access-list outside_access_in remark Management Access from Outside
access-list outside_access_in extended permit tcp any interface outside object-group Management-Access
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400


global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 outside
nat (dmz) 2 dmz 255.255.255.0 outside
static (outside,inside) tcp ABA-Pilot 3389 x.x.x.198 3389 netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot https x.x.x.198 https netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot www x.x.x.198 www netmask 255.255.255.255
static (outside,inside) ABA-NAS x.x.x.197 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1

Expert Comment

by:nodisco
ID: 33766911
Your translations are the wrong way around. They should be

static (inside,outside)

not

static (outside,inside)

When you remove them and re-enter them, you need to clear the xlate again:

clear xlate

hth

Accepted Solution

by:nodisco (earned 300 total points)
ID: 33766912
Like your first config:

static (inside,outside) tcp x.x.x.198 3389 CLIENT-A-Pilot 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 https CLIENT-A-Pilot https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 www CLIENT-A-Pilot www netmask 255.255.255.255
Author Comment

by:aspiremsp
ID: 33766930
Hi, I have made the NAT look like below now and have done the clear xlate, but still no luck.

The access list is the same as above.
One thing I was wondering: do I need to give x.x.x.198 as a sub-interface IP on the interface, or give it as a second IP on the interface?
In the past I seem to have used NAT the way I used it above and it has worked, but it seems to be the issue this time. Thanks for your help.

static (inside,outside) tcp x.x.x.198 3389 TLTC-Pilot 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 https TLTC-Pilot https netmask 255.255.255.255

Regards,
Author Comment

by:aspiremsp
ID: 33766985
When I run Packet Tracer I get the following error message. I have tried both NATs:

static (inside,outside) tcp x.x.x.198 3389 CLIENT-A-Pilot 3389 netmask 255.255.255.255
and

static (outside, inside) tcp x.x.x.198 3389 CLIENT-A-Pilot 3389 netmask 255.255.255.255
and get the below error in Packet Tracer:

================================================================================
Type: NAT
Subtype: rpf-check
Action: DROP
Config:
nat (inside) 2 0.0.0.0 0.0.0.0 outside match ip inside any outside any dynamic translation to pool 2 (x.x.x..196 [Interface PAT]) translate_hits = 7, untranslate_hits = 0

Expert Comment

by:nodisco
ID: 33767241
The packet tracer is showing the internal NAT to outside translation pool xlate, which is fine. But regarding your outside-to-inside traffic, can you post your full config (remove passwords etc.)? I want to see where this is going wrong.

I take it your outside access-list is still applied to the outside interface:

access-group outside_access_in in interface outside

One more question: are you trying to access the x.x.x.198 etc. hosts from the inside of your ASA or from outside?
Assisted Solution

by:aspiremsp (earned 0 total points)
ID: 33774665
Hi,
I was accessing from outside to inside and the access-list is definitely applied to the outside interface.

The problem was resolved by correcting the access list. Instead of using ABA-Pilot's internal IP address as per below, I had to use its public IP and the issue was resolved. Your NAT suggestion was correct and combining it with the correct ACL resolved the issue.
I really thank you for your consistent help in resolving the issue.
========================================================

name 10.10.10.10 ABA-Pilot description ABA-Pilot Server
access-list outside_access_in extended permit tcp any host ABA-Pilot object-group ABA-pilot

ABA-Pilot was changed to x.x.x.198.
========================================================
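As an added example (not posted by anyone in this thread), a small Python checker that applies the three ASA 8.2 checks this thread turned on to a constructed config modelled on the one posted: a static whose interface pair is reversed, an outside ACL that references the real (inside) host instead of the mapped public address, and interface security levels that are inverted (the posted config has outside at 100 and inside at 0, which the thread did not raise). x.x.x.198 is kept as the thread's masked public address; the parser is an assumption that covers only the command forms seen in this thread.

```python
from ipaddress import ip_address
# Constructed sample modelled on the thread's config; x.x.x.198 is the thread's masked public address
SAMPLE = """\
name 10.10.10.10 CLIENT-A-Pilot description CLIENT-A-Pilot Server
interface GigabitEthernet0/0
 nameif outside
 security-level 100
interface GigabitEthernet0/1
 nameif inside
 security-level 0
access-list outside_access_in extended permit tcp any host CLIENT-A-Pilot eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.198 eq https
static (inside,outside) tcp x.x.x.198 3389 CLIENT-A-Pilot 3389 netmask 255.255.255.255
static (outside,inside) tcp CLIENT-A-Pilot https x.x.x.198 https netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def is_private(addr):
    try: return ip_address(addr).is_private
    except ValueError: return False  # unparseable (masked) addresses are treated as public
def audit(config):
    names, levels, bound, real_to_mapped, acl_hosts, findings = {}, {}, {}, {}, [], []
    nameif = None
    for line in config.splitlines():
        t = line.split()
        if not t: continue
        if t[0] == "name":                            # alias -> address
            names[t[2]] = t[1]
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[0] == "security-level" and nameif:
            levels[nameif] = int(t[1])
        elif t[0] == "static":                        # static (real_ifc,mapped_ifc) [tcp|udp] mapped [port] real [port]
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            mapped, real = (t[3], t[5]) if t[2] in ("tcp", "udp") else (t[2], t[3])
            if is_private(names.get(mapped, mapped)):  # a private address on the mapped side means the pair is reversed
                findings.append(f"static ({real_ifc},{mapped_ifc}) is reversed: {mapped} is the real host; use (inside,outside)")
            else:
                real_to_mapped[names.get(real, real)] = mapped
        elif t[0] == "access-list" and "host" in t:
            acl_hosts.append((t[1], t[t.index("host") + 1]))
        elif t[0] == "access-group":                  # access-group NAME in interface IFC
            bound[t[-1]] = t[1]
    if levels.get("outside", 0) >= levels.get("inside", 100):
        findings.append("outside security-level is not lower than inside; expected outside 0, inside 100")
    for acl, host in acl_hosts:                       # an ACL on the outside must match the mapped (public) address
        addr = names.get(host, host)
        if acl == bound.get("outside") and is_private(addr):
            findings.append(f"{acl} references real host {host}; use {real_to_mapped.get(addr, 'its public address')}")
    return findings
```

Running audit(SAMPLE) reports the reversed static, the inverted security levels, and the ACL entry that should reference x.x.x.198 instead of CLIENT-A-Pilot; the correctly written https entry produces no finding.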