cwtang
asked on
Cisco ASA 8.3 NAT
Hi,
I have an ASA firewall and I am trying to understand the concept of when the ASA performs NAT from inside to outside. For example, if a host on the inside of the firewall were to access networks outside of the firewall multiple hops away, the IP address would be NATed based on the configuration. However, if the host would like to access the network directly outside of the ASA (the same subnet as the outside interface of the ASA), based on a packet capture I don't seem to see any NAT being performed. Instead it makes use of the internal IP address of the host. I was wondering if there may be additional configuration which may be used to ensure that the ASA performs the NAT even though hosts inside the ASA are accessing clients outside of the ASA but on the same subnet as the ASA outside interface. I have illustrated the diagram below:
10.0.0.0/24 (outside)---Layer 3 switch(155.69.239.254/22)--(155.69.239.249/22, Outside interface of ASA)--ASA--172.16.1.1/16(Inside interface of ASA)----PCs/hosts
The following configurations have been applied:
object network obj-155.69.239.245
host 155.69.239.245
object network obj-172.16.30.245
host 172.16.30.245
object network obj-172.16.30.245
nat (Inside,Outside) static obj-155.69.239.245
When the clients try to access 10.0.0.0/24, I could see it being NATed to 155.69.239.245. However, when the clients try to access other devices on 155.69.236.0/22, I don't see any NATing being performed. I am seeing the actual host IP address (172.16.30.245) accessing the 155.69.236.0/22 subnet. I was wondering if there may be any configuration required to perform the NATing even though the client is accessing 155.69.236.0/22?
Thanks.
ASKER
Hi,
Thanks for the information. I have set up a simple test using ICMP ping. I performed a ping from a host inside the ASA (172.16.30.245) to 155.69.239.254 (layer 3 switch SVI IP address) and 155.69.238.100 (PC connected outside).
From Wireshark, I am seeing 172.16.30.245 as the source IP address when it leaves the ASA for 155.69.239.254 and 155.69.238.100. However, if I perform a ping to 10.0.0.0/24 or any other layer 3 network that is not on the same subnet as 155.69.236.0/22, I am seeing 155.69.239.245 as the NATed source IP address.
I am confused whether this is by design of the ASA, an incomplete configuration, or a bug in the ASA code.
Thanks.
Can you post a sanitized config so we can take a look?
Yeah, let's see the whole sanitized config. That would not be normal.
ASKER
Hi,
I have attached the configuration of the ASA as follows:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 155.69.239.249 255.255.252.0 standby 155.69.239.250
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 155.69.251.141 255.255.255.0 standby 155.69.251.142
management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns server-group DefaultDNS
object network obj-172.16.0.0
subnet 172.16.0.0 255.255.0.0
object network obj-155.69.236.0
subnet 155.69.236.0 255.255.252.0
object network is0
host 172.16.20.60
description is0
object network is1
host 172.16.20.61
description is1
object network Isadmin
host 172.16.20.69
description Isadmin
object network erpprd
host 172.16.1.11
description erpprd
object network erpdev
host 172.16.1.12
description erpdev
object network erpwpq
host 172.16.20.52
description erpwpq
object network Advpn
host 172.16.20.88
description Advpn
object network admin
host 172.16.20.70
description admin
object network topcall
host 172.16.20.55
description topcall
object network gebiz
host 172.16.20.56
description gebiz
object network prdgebiz
host 172.16.20.57
description prdgebiz
object network erpwps
host 172.16.20.58
description erpwps
object network Aventail-1
host 172.16.30.246
description Aventail-l
object network Aventail-2
host 172.16.30.247
description Aventail-2
object network Aventail-VIP
host 172.16.30.245
description Aventail-VIP
object network erpdev1
host 172.16.20.18
description erpdev1
object network erpwps1
host 172.16.20.20
description erpwps1
object network erpwps2
host 172.16.20.21
description erpwps2
object network erpprd1
host 172.16.20.22
description erpprd1
object network erpprd2
host 172.16.20.23
description erpprd2
object network sapprd
host 172.16.20.16
description sapprd
object network sqlprd
host 172.16.20.17
description sqlprd
object network taurusdb01
host 172.16.20.31
description taurusdb01
object network taurusdb02
host 172.16.20.32
description taurusdb02
object network admds20
host 155.69.236.10
description admds20
object network N4AP0059C
host 172.16.20.25
description N4AP0059C
object network PAT
host 155.69.239.248
description PAT
object network Alpha
host 155.69.5.67
description Alpha
object network hsmonsrv
host 155.69.24.79
description hsmonsrv
object network CED-MarkEntry
host 155.69.240.171
description CED-MarkEntry
object network GBIZUAT
host 10.244.1.180
description GBIZUAT
object network gebiz1
host 10.244.126.253
description gebiz1
object network gebiz2
host 10.244.126.254
description gebiz2
object network GBIZPRD
host 10.244.1.156
description GBIZPRD
object network GebizProxy
host 10.247.1.10
description GebizProxy
object network CIT_Subnet
subnet 155.69.251.0 255.255.255.0
description CIT_Subnet
object network NET
subnet 155.69.0.0 255.255.0.0
description NET
object network ISS_Scanner
host 155.69.251.125
description ISS_Scanner
object network MasterBK
host 155.69.5.96
description MasterBK
object network SNMP_Monitor
host 155.69.251.155
description SNMP_Monitor
object network SAPSvr
subnet 172.16.1.0 255.255.255.0
description SAPSvr
object network Staff4
host 172.16.20.161
description Staff4
object network gebiz3
host 10.244.126.249
description gebiz3
object network TanSiewEim_PC
host 155.69.251.151
description TanSiewEim_PC
object network staff11
host 155.69.5.152
description staff11
object network staff10
host 155.69.5.150
description staff10
object network staff6
host 155.69.160.252
description staff6
object network NTU_Hall_Network
subnet 172.20.0.0 255.255.0.0
description NTU_Hall_Network
object network NTU_Wireless_Network
subnet 172.22.0.0 255.255.0.0
description NTU_Wireless_Network
object-group network AdminBldgNW_GRP
description AdminBldgNW_GRP
network-object 155.69.236.128 255.255.255.128
network-object 155.69.237.0 255.255.255.0
network-object 155.69.238.0 255.255.255.0
network-object 155.69.239.0 255.255.255.0
object-group network SQL_Svrs_Grp
description SQL Servers
network-object 172.16.20.60 255.255.255.255
network-object 172.16.20.61 255.255.255.255
network-object 172.16.20.69 255.255.255.255
object-group network TCP_Svc_3200-3399
description TCP Service 3200-3399
network-object 172.16.1.11 255.255.255.255
network-object 172.16.20.52 255.255.255.255
network-object 172.16.1.12 255.255.255.255
network-object 172.16.20.58 255.255.255.255
object-group network CITS_GeBIZ
network-object 172.16.20.56 255.255.255.255
network-object 172.16.20.57 255.255.255.255
object-group network External_GeBIZ
network-object 10.244.126.249 255.255.255.255
network-object 10.244.126.253 255.255.255.255
network-object 10.244.126.254 255.255.255.255
object-group network CITS_GeBIZ_ref
network-object host 155.69.236.21
network-object host 155.69.236.22
object-group network AdminSvr_Administrator
network-object 155.69.251.151 255.255.255.255
object-group network ISS_Scan_SVR
network-object 172.16.20.60 255.255.255.255
network-object 172.16.20.61 255.255.255.255
network-object 172.16.20.70 255.255.255.255
object-group network ISS_Scan_SVR_ref
network-object host 155.69.236.15
network-object host 155.69.236.16
network-object host 155.69.236.17
object-group network NetBackup_Client
network-object 172.16.20.18 255.255.255.255
network-object 172.16.20.20 255.255.255.255
network-object 172.16.20.21 255.255.255.255
network-object 172.16.20.22 255.255.255.255
network-object 172.16.20.23 255.255.255.255
network-object 172.16.20.31 255.255.255.255
network-object 172.16.20.32 255.255.255.255
object-group network NetBackup_Client_ref
network-object host 155.69.236.10
network-object host 155.69.236.26
network-object host 155.69.236.27
network-object host 155.69.236.28
network-object host 155.69.236.29
network-object host 155.69.236.9
network-object host 155.69.236.30
object-group network NetBackup_RemoteExeClient
network-object 172.16.20.16 255.255.255.255
network-object 172.16.20.17 255.255.255.255
network-object 172.16.20.31 255.255.255.255
network-object 172.16.20.32 255.255.255.255
object-group service NetBackup_RemoteExe tcp
port-object eq 135
port-object eq 1056
object-group network NetBackup_RemoteExeClient_ref
network-object host 155.69.236.10
network-object host 155.69.236.13
network-object host 155.69.236.14
network-object host 155.69.236.9
object-group network CITS_Svr
network-object 155.69.5.150 255.255.255.255
network-object 155.69.5.152 255.255.255.255
network-object 155.69.160.252 255.255.255.255
object-group network Direct_Access_Private_IP
description Private IP access directly from Outside
network-object 172.16.20.70 255.255.255.255
network-object 172.16.1.12 255.255.255.255
network-object 172.16.20.58 255.255.255.255
network-object 172.16.1.11 255.255.255.255
network-object 172.16.20.52 255.255.255.255
network-object 172.16.20.60 255.255.255.255
network-object 172.16.20.61 255.255.255.255
network-object 172.16.20.69 255.255.255.255
object-group network SQL_Svrs_Grp_ref
network-object 155.69.236.16 255.255.255.255
network-object 155.69.236.17 255.255.255.255
network-object 155.69.236.18 255.255.255.255
object-group network Svr_4_Backup
description Server access by backup
network-object 172.16.20.20 255.255.255.255
network-object 172.16.20.21 255.255.255.255
object-group network Svr_4_Backup_ref
network-object host 155.69.236.27
network-object host 155.69.236.28
object-group network Block_non_User
network-object object NTU_Hall_Network
network-object object NTU_Wireless_Network
object-group network ISx_servers
network-object 172.16.20.60 255.255.255.255
network-object 172.16.20.61 255.255.255.255
object-group network ISx_servers_ref
network-object host 155.69.236.17
network-object host 155.69.236.16
access-list IN extended permit udp any any
access-list IN extended permit tcp any any
access-list IN extended permit ip 172.16.0.0 255.255.0.0 any
access-list Inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 object-group CITS_Svr
access-list Inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 155.69.236.0 255.255.252.0
access-list Inside_pnat_outbound extended permit ip 172.16.0.0 255.255.0.0 any
access-list OUT extended deny ip object-group Block_non_User any log disable
access-list OUT extended permit tcp object-group AdminBldgNW_GRP object-group SQL_Svrs_Grp eq sqlnet
access-list OUT extended permit tcp object-group AdminBldgNW_GRP object-group TCP_Svc_3200-3399 range 3200 3399
access-list OUT extended permit tcp object-group AdminBldgNW_GRP object admin eq ftp
access-list OUT extended permit tcp object-group AdminBldgNW_GRP object admin eq telnet
access-list OUT extended permit tcp object Alpha object is0
access-list OUT extended permit tcp object admds20 object admin
access-list OUT extended permit tcp object hsmonsrv object-group SQL_Svrs_Grp_ref eq sqlnet
access-list OUT extended permit tcp object CED-MarkEntry object-group ISx_servers_ref eq sqlnet
access-list OUT extended permit tcp object GBIZUAT object gebiz eq 1523
access-list OUT extended permit tcp object gebiz1 object gebiz eq 1523
access-list OUT extended permit tcp object gebiz2 object gebiz eq 1523
access-list OUT extended permit tcp object GBIZPRD object prdgebiz eq 1523
access-list OUT extended permit tcp object-group External_GeBIZ object prdgebiz eq 1523
access-list OUT extended permit tcp object GebizProxy object-group CITS_GeBIZ_ref eq 1523
access-list OUT extended permit tcp object CIT_Subnet object-group CITS_GeBIZ_ref eq 1523
access-list OUT extended permit tcp object NET object Aventail-VIP eq https
access-list OUT extended permit tcp object NET object Aventail-VIP eq www
access-list OUT extended permit tcp object-group AdminSvr_Administrator object Aventail-1
access-list OUT extended permit tcp object ISS_Scanner object-group ISS_Scan_SVR_ref eq www
access-list OUT remark Net Backup
access-list OUT extended permit tcp object MasterBK object-group NetBackup_Client_ref eq 13724
access-list OUT remark Net Backup Remote Execution Client
access-list OUT extended permit tcp object MasterBK object-group NetBackup_RemoteExeClient_ref object-group NetBackup_RemoteExe
access-list OUT extended permit tcp object MasterBK object-group Svr_4_Backup_ref eq 13724
access-list OUT extended permit ip object CIT_Subnet object NET
access-list OUT extended permit tcp object SNMP_Monitor object erpprd2 eq 161
access-list OUT extended permit icmp any object NET information-reply
access-list OUT extended permit icmp any 172.21.125.0 255.255.255.0 information-reply
access-list OUT extended permit tcp 10.244.0.0 255.255.0.0 object N4AP0059C eq ssh
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered informational
logging trap informational
logging asdm informational
logging facility 16
logging host Outside 155.69.5.97
mtu Outside 1500
mtu Inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover replication http
failover link Failover GigabitEthernet0/3
failover interface ip Failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit 155.69.251.0 255.255.255.0 Outside
icmp permit 172.16.0.0 255.255.0.0 Inside
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static CITS_Svr CITS_Svr unidirectional
nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-155.69.236.0 obj-155.69.236.0 unidirectional
!
object network obj-172.16.0.0
nat (Inside,Outside) dynamic PAT
object network is0
nat (Inside,Outside) static 155.69.236.16
object network is1
nat (Inside,Outside) static 155.69.236.17
object network Isadmin
nat (Inside,Outside) static 155.69.236.18
object network erpprd
nat (Inside,Outside) static 155.69.236.11
object network erpdev
nat (Inside,Outside) static 155.69.236.12
object network erpwpq
nat (Inside,Outside) static 155.69.236.19
object network Advpn
nat (Inside,Outside) static 155.69.236.25
object network admin
nat (Inside,Outside) static 155.69.236.15
object network topcall
nat (Inside,Outside) static 155.69.236.20
object network gebiz
nat (Inside,Outside) static 155.69.236.21
object network prdgebiz
nat (Inside,Outside) static 155.69.236.22
object network erpwps
nat (Inside,Outside) static 155.69.236.23
object network Aventail-1
nat (Inside,Outside) static 155.69.239.246
object network Aventail-2
nat (Inside,Outside) static 155.69.239.247
object network Aventail-VIP
nat (Inside,Outside) static 155.69.239.245
object network erpdev1
nat (Inside,Outside) static 155.69.236.26
object network erpwps1
nat (Inside,Outside) static 155.69.236.27
object network erpwps2
nat (Inside,Outside) static 155.69.236.28
object network erpprd1
nat (Inside,Outside) static 155.69.236.29
object network erpprd2
nat (Inside,Outside) static 155.69.236.30
object network sapprd
nat (Inside,Outside) static 155.69.236.13
object network sqlprd
nat (Inside,Outside) static 155.69.236.14
object network taurusdb01
nat (Inside,Outside) static 155.69.236.9
object network taurusdb02
nat (Inside,Outside) static admds20
object network N4AP0059C
nat (Inside,Outside) static 155.69.236.24
access-group OUT in interface Outside
access-group IN in interface Inside
route Outside 0.0.0.0 0.0.0.0 155.69.239.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 155.69.251.0 255.255.255.0 Outside
http 155.69.251.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1500
no sysopt connection permit-vpn
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 155.69.251.0 255.255.255.0 Outside
telnet timeout 30
ssh 155.69.251.0 255.255.255.0 Outside
ssh 172.16.0.0 255.255.0.0 Inside
ssh timeout 30
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 155.69.5.7 source Outside
webvpn
username ncs password 9zqpneaSYTaL64Pv encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect ftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Not too sure if there is any configuration statement causing the NAT not to work correctly.
Thanks.
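The behaviour seen in the ping test (no translation toward 155.69.236.0/22, translation toward 10.0.0.0/24) matches ASA 8.3 NAT ordering: section 1 manual (twice) NAT rules, here the "nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-155.69.236.0 obj-155.69.236.0 unidirectional" identity rule, are matched before section 2 object NAT rules such as the Aventail-VIP static. The Python below is an added model of that evaluation over the posted rules and the asker's test flows; it is not part of the thread and not ASA code, and it reduces section 2 ordering to "static before dynamic".

```python
"""Simplified model of Cisco ASA 8.3 NAT rule ordering, constructed for this thread.

Section 1 (manual / twice NAT) is matched before Section 2 (object / auto NAT).
The identity rule for 172.16.0.0/16 -> 155.69.236.0/22 therefore wins for any
Inside host talking to the outside interface's own /22, and the object NAT for
Aventail-VIP (172.16.30.245 -> 155.69.239.245) is never reached for that traffic.
Addresses and rules are copied from the posted running-config; the matching
logic is a deliberately reduced model, not ASA code.
"""
from ipaddress import ip_address, ip_network

# Network objects from the posted configuration (only those the NAT rules use).
OBJECTS = {
    "obj-172.16.0.0": [ip_network("172.16.0.0/16")],
    "obj-155.69.236.0": [ip_network("155.69.236.0/22")],
    "CITS_Svr": [ip_network("155.69.5.150/32"), ip_network("155.69.5.152/32"),
                 ip_network("155.69.160.252/32")],
    "Aventail-VIP": [ip_network("172.16.30.245/32")],
    "Aventail-1": [ip_network("172.16.30.246/32")],
    "PAT": [ip_network("155.69.239.248/32")],
}

# Section 1: manual NAT rules in configured order. Real and mapped source objects
# are identical in both rules, so each one is an identity (no-translation) rule.
SECTION1 = [
    {"name": "source static obj-172.16.0.0 obj-172.16.0.0 "
             "destination static CITS_Svr CITS_Svr",
     "src": "obj-172.16.0.0", "src_mapped": "obj-172.16.0.0", "dst": "CITS_Svr"},
    {"name": "source static obj-172.16.0.0 obj-172.16.0.0 "
             "destination static obj-155.69.236.0 obj-155.69.236.0",
     "src": "obj-172.16.0.0", "src_mapped": "obj-172.16.0.0", "dst": "obj-155.69.236.0"},
]

# Section 2: object NAT. Static rules are evaluated before dynamic rules
# (the model ignores the finer ASA tie-breaks, which do not matter here).
SECTION2_STATIC = {"Aventail-VIP": "155.69.239.245", "Aventail-1": "155.69.239.246"}
SECTION2_DYNAMIC = [("obj-172.16.0.0", "PAT")]


def in_object(addr: str, obj_name: str) -> bool:
    """True if addr falls inside any network of the named object."""
    ip = ip_address(addr)
    return any(ip in net for net in OBJECTS[obj_name])


def translate(src: str, dst: str, skip_section1: bool = False) -> tuple:
    """Return (mapped source address, matching rule) for an Inside->Outside flow.

    skip_section1=True shows what the object NAT alone would do, i.e. the
    result if the section 1 identity rules were not in the config.
    """
    if not skip_section1:
        for rule in SECTION1:
            if in_object(src, rule["src"]) and in_object(dst, rule["dst"]):
                if rule["src"] == rule["src_mapped"]:
                    return src, "section 1 identity NAT: " + rule["name"]
    for obj_name, mapped in SECTION2_STATIC.items():
        if in_object(src, obj_name):
            return mapped, f"section 2 static: object network {obj_name}"
    for obj_name, pat_obj in SECTION2_DYNAMIC:
        if in_object(src, obj_name):
            pat_ip = str(OBJECTS[pat_obj][0].network_address)
            return pat_ip, f"section 2 dynamic PAT: object network {obj_name}"
    return src, "no NAT rule matched"


if __name__ == "__main__":
    # The asker's ping test: one Inside source, three destinations.
    for dst in ("155.69.239.254", "155.69.238.100", "10.0.0.10"):
        mapped, rule = translate("172.16.30.245", dst)
        print(f"172.16.30.245 -> {dst}: source seen on Outside = {mapped}  [{rule}]")
```

Running the block prints the untranslated 172.16.30.245 for the two 155.69.236.0/22 destinations and 155.69.239.245 for the 10.0.0.0/24 destination, reproducing the capture described in the thread.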
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit 155.69.251.0 255.255.255.0 Outside
icmp permit 172.16.0.0 255.255.0.0 Inside
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static CITS_Svr CITS_Svr unidirectional
nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-155.69.236.0 obj-155.69.236.0 unidirectional
!
object network obj-172.16.0.0
nat (Inside,Outside) dynamic PAT
object network is0
nat (Inside,Outside) static 155.69.236.16
object network is1
nat (Inside,Outside) static 155.69.236.17
object network Isadmin
nat (Inside,Outside) static 155.69.236.18
object network erpprd
nat (Inside,Outside) static 155.69.236.11
object network erpdev
nat (Inside,Outside) static 155.69.236.12
object network erpwpq
nat (Inside,Outside) static 155.69.236.19
object network Advpn
nat (Inside,Outside) static 155.69.236.25
object network admin
nat (Inside,Outside) static 155.69.236.15
object network topcall
nat (Inside,Outside) static 155.69.236.20
object network gebiz
nat (Inside,Outside) static 155.69.236.21
object network prdgebiz
nat (Inside,Outside) static 155.69.236.22
object network erpwps
nat (Inside,Outside) static 155.69.236.23
object network Aventail-1
nat (Inside,Outside) static 155.69.239.246
object network Aventail-2
nat (Inside,Outside) static 155.69.239.247
object network Aventail-VIP
nat (Inside,Outside) static 155.69.239.245
object network erpdev1
nat (Inside,Outside) static 155.69.236.26
object network erpwps1
nat (Inside,Outside) static 155.69.236.27
object network erpwps2
nat (Inside,Outside) static 155.69.236.28
object network erpprd1
nat (Inside,Outside) static 155.69.236.29
object network erpprd2
nat (Inside,Outside) static 155.69.236.30
object network sapprd
nat (Inside,Outside) static 155.69.236.13
object network sqlprd
nat (Inside,Outside) static 155.69.236.14
object network taurusdb01
nat (Inside,Outside) static 155.69.236.9
object network taurusdb02
nat (Inside,Outside) static admds20
object network N4AP0059C
nat (Inside,Outside) static 155.69.236.24
access-group OUT in interface Outside
access-group IN in interface Inside
route Outside 0.0.0.0 0.0.0.0 155.69.239.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 155.69.251.0 255.255.255.0 Outside
http 155.69.251.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1500
no sysopt connection permit-vpn
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 155.69.251.0 255.255.255.0 Outside
telnet timeout 30
ssh 155.69.251.0 255.255.255.0 Outside
ssh 172.16.0.0 255.255.0.0 Inside
ssh timeout 30
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 155.69.5.7 source Outside
webvpn
username ncs password 9zqpneaSYTaL64Pv encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect ftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Not too sure if there is any configuration statement causing the nat not to work correctly.
Thanks.
ASKER CERTIFIED SOLUTION
ASKER
Hi kenboonejr,
Really appreciate your pointing out the cause of it. Didn't realize the above configuration was for no NAT, as it was migrated using the Cisco migration tool from 7.x to 8.3.
Thanks a lot for the assistance.
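As an added illustration (not from this thread and not Cisco code), the following Python model walks the ASA 8.3 NAT lookup order with the rules transcribed from the posted running-config, to show why a packet from the 172.16.30.245 host leaves untranslated when its destination is inside 155.69.236.0/22 but gets the 155.69.239.245 address when it is bound for 10.0.0.0/24. The ordering modelled is the documented one: Section 1 manual `nat source ...` rules (configuration order) are consulted before Section 2 object NAT (static before dynamic, fewer real addresses first), and the first match wins. Assumptions: the real host behind `Aventail-VIP` is 172.16.30.245 as stated in the question; the `PAT` object's address and the members of `CITS_Svr` are not on the page, so the former is a labelled placeholder and the latter rule is left out of the table.

```python
# Simplified model of Cisco ASA 8.3 NAT rule lookup (added example, not
# Cisco code and not from the thread). Rule table transcribed from the
# posted config; lookup order follows the documented ASA behaviour.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    section: int               # 1 = manual (twice) NAT, 2 = object NAT, 3 = after-auto
    name: str                  # label returned with the lookup result
    real_src: str              # real source network the packet must fall in
    dst: str                   # destination network the packet must fall in
    mapped_src: Optional[str]  # None = identity NAT, source is left untouched
    static: bool = True        # static vs dynamic; only ranks rules inside section 2
    order: int = 0             # configuration order; only ranks rules inside section 1


# Assumption: real host behind Aventail-VIP is 172.16.30.245 (from the question).
# The "PAT" object's address is not shown on the page, hence the placeholder.
# The CITS_Svr identity rule (config order 1) is omitted: group members not shown.
RULES: List[NatRule] = [
    # nat (Inside,any) source static obj-172.16.0.0 obj-172.16.0.0
    #     destination static obj-155.69.236.0 obj-155.69.236.0 unidirectional
    # (identity NAT: the 7.x "nat 0 access-list" as migrated by the conversion tool)
    NatRule(1, "section-1 identity NAT to 155.69.236.0/22",
            "172.16.0.0/16", "155.69.236.0/22", None, order=2),
    # object network Aventail-VIP ; nat (Inside,Outside) static 155.69.239.245
    NatRule(2, "object NAT Aventail-VIP static",
            "172.16.30.245/32", "0.0.0.0/0", "155.69.239.245"),
    # object network obj-172.16.0.0 ; nat (Inside,Outside) dynamic PAT
    NatRule(2, "object NAT obj-172.16.0.0 dynamic PAT",
            "172.16.0.0/16", "0.0.0.0/0", "<PAT object address, not on page>",
            static=False),
]


def _matches(rule: NatRule, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(rule.real_src, strict=False)
            and ip_address(dst) in ip_network(rule.dst, strict=False))


def _section2_key(rule: NatRule):
    # ASA ranks object NAT rules: static before dynamic, then fewer real addresses first.
    return (not rule.static, ip_network(rule.real_src, strict=False).num_addresses)


def lookup(src: str, dst: str) -> Tuple[str, str]:
    """Return (matching rule name, source address as it appears on the Outside side)."""
    for section in (1, 2, 3):
        candidates = [r for r in RULES if r.section == section and _matches(r, src, dst)]
        if not candidates:
            continue
        if section == 2:
            candidates.sort(key=_section2_key)
        else:
            candidates.sort(key=lambda r: r.order)
        rule = candidates[0]  # first match wins; later sections are never consulted
        return rule.name, (rule.mapped_src if rule.mapped_src is not None else src)
    return "no NAT rule matched", src


if __name__ == "__main__":
    # Destinations from the question: a 10.0.0.0/24 host, the layer 3 switch on
    # the Outside subnet, and another host inside 155.69.236.0/22 (constructed).
    for dst in ("10.0.0.5", "155.69.239.254", "155.69.236.50"):
        rule, seen_as = lookup("172.16.30.245", dst)
        print(f"172.16.30.245 -> {dst}: {rule}; Outside sees source {seen_as}")
```

Because 155.69.239.254 falls inside 155.69.236.0/22, traffic to the layer 3 switch hits the Section 1 identity rule before the object NAT for Aventail-VIP is ever evaluated, which is exactly the untranslated 172.16.30.245 source seen in the packet capture.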
ASKER
Really appreciate the help.
Here are 3 ways you can test your theory:
1) Set up a SPAN port on the external switch and use Wireshark to capture the data when you attempt to make a connection from the 172 address to the layer 3 switch. See what shows as your src IP address.
2) Telnet or SSH to the external layer 3 switch from the 172 device and then, from the layer 3 switch, use whatever commands are necessary to view who has the open connections to it. This should again show you the src IP address as it would be known to the switch.
3) Set up a PC on the outside with a 155.x address and attempt to make a connection to that PC. Have Wireshark running on that PC to capture the traffic.