polaris101

asked on

Help!!! NAT Issue on ASA

Cisco newbie here....  I cannot figure out why the 172.15.15.0 network cannot access the internet (outside) interface.  Any ideas? What am I missing?  Any help is appreciated.
Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
enable password UMrZyv1DTPLXGFch encrypted
passwd UMrZyv1DTPLXGFch encrypted
names
name XX.YY.163.39 EDI_XX.YY.163.39
name XX.YY.163.38 EDI2_XX.YY.163.38
name 10.66.91.135 Comp_10.66.91.135 description Comp VPN
name 172.16.16.236 EDI2_172.16.16.236 description Comp EDI2
name 172.16.16.235 EDI_172.16.16.235 description Comp EDI
name 192.168.25.17 ImagingInst_192.168.25.17 description ImagingInstitute
name 192.168.25.21 ImagingInst_192.168.25.21 description ImagingInstitute
name 192.168.25.22 ImagingInst_192.168.25.22 description ImagingInstitute
name 192.168.25.8 ImagingInst_192.168.25.8 description ImagingInstitute
name 10.88.0.4 Comp_10.88.0.4 description Comp VPN
name 10.88.8.80 Comp_10.88.8.80 description Comp VPN
name 172.16.16.231 Utility_172.16.16.231
name XX.YY.163.40 Utility_XX.YY.163.40 description Used for practices to download Medvantx extracts
name 172.16.16.232 EpiChartGateway_172.16.16.232
name XX.YY.163.41 EpiChartGateway_XX.YY.163.41
name 172.15.15.0 MCTraffic
name XX.YY.229.60 CHA_XX.YY.229.60
name XX.YY.32.243 PUER_XX.YY.32.243
name XX.YY.18.80 UMGP_XX.YY.18.80
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.YY.163.36 255.255.255.240 
!
interface Vlan5
 shutdown
 nameif dmz
 security-level 50
 no ip address
!
interface Vlan25
 nameif MCTraffic
 security-level 100
 ip address 172.15.15.254 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 25
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network ImagingInstGroup
 network-object host ImagingInst_192.168.25.17
 network-object host ImagingInst_192.168.25.21
 network-object host ImagingInst_192.168.25.22
 network-object host ImagingInst_192.168.25.8
object-group service EDI2_Ports tcp
 port-object eq https
 port-object eq ssh
object-group service EDI_Ports tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host Comp_10.66.91.135
 network-object host Comp_10.88.0.4
 network-object host Comp_10.88.8.80
object-group service ColoSpaceMonitor_Ports
 service-object tcp-udp range 48000 48020 
 service-object tcp eq ssh 
 service-object udp eq snmp 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network MedvantxPractices
 network-object host CHA_XX.YY.229.60
 network-object host PUER_XX.YY.32.243
 network-object host UMGP_XX.YY.18.80
object-group service Medvantx_Ports tcp
 port-object eq 990
 port-object range 60000 60050
object-group service Medvantx tcp
 group-object Medvantx_Ports
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host EDI2_172.16.16.236 host Comp_10.66.91.135 
access-list inside_nat0_outbound extended permit ip host EDI2_172.16.16.236 object-group ImagingInstGroup 
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip any 172.16.16.96 255.255.255.240 
access-list outside_access_in extended permit tcp any host EDI2_XX.YY.163.38 object-group EDI2_Ports 
access-list outside_access_in extended permit tcp any host EDI_XX.YY.163.39 object-group EDI_Ports 
access-list outside_access_in extended permit tcp any host EpiChartGateway_XX.YY.163.41 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp object-group MedvantxPractices host Utility_XX.YY.163.40 object-group Medvantx_Ports 
access-list outside_2_cryptomap extended permit ip 172.16.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list outside_3_cryptomap extended permit ip 172.16.16.0 255.255.255.0 object-group ImagingInstGroup 
access-list throttle_edi_servers extended permit ip host EDI2_XX.YY.163.38 any 
access-list throttle_edi_servers extended permit ip any host EDI2_XX.YY.163.38 
access-list throttle_edi_servers extended permit ip host EDI_XX.YY.163.39 any 
access-list throttle_edi_servers extended permit ip any host EDI_XX.YY.163.39 
access-list RemoteAccessVPN_splitTunnelAcl standard permit 172.16.16.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging mail errors
logging from-address noreply@utility.epichart.com
logging recipient-address level errors
logging host inside Utility_172.16.16.231
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu MCTraffic 1500
ip local pool VPNPool 172.16.16.101-172.16.16.111 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (MCTraffic) 1 0.0.0.0 0.0.0.0
static (MCTraffic,inside) MCTraffic MCTraffic netmask 255.255.255.0 
static (inside,outside) Utility_XX.YY.163.40 Utility_172.16.16.231 netmask 255.255.255.255 
static (inside,outside) EDI_XX.YY.163.39 EDI_172.16.16.235 netmask 255.255.255.255 
static (inside,outside) EDI2_XX.YY.163.38 EDI2_172.16.16.236 netmask 255.255.255.255 
static (inside,outside) EpiChartGateway_XX.YY.163.41 EpiChartGateway_172.16.16.232 netmask 255.255.255.255 
static (inside,MCTraffic) 172.16.16.0 172.16.16.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.YY.163.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.16.0 255.255.255.0 inside
http 10.242.55.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer XX.YY.125.146 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer XX.YY.139.26 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer XX.YY.56.227 
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.16.0 255.255.255.0 inside
telnet 10.242.55.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns XX.YY.136.155 XX.YY.136.100
dhcpd auto_config outside
!
dhcpd address 172.16.16.5-172.16.16.100 inside
dhcpd dns XX.YY.136.155 XX.YY.136.100 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc 
group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
 dns-server value 172.16.16.230
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccessVPN_splitTunnelAcl
 default-domain value epichart.com
username remote password HP6P1nlQDIJY7Y8G encrypted privilege 0
username remote attributes
 vpn-group-policy RemoteAccessVPN
tunnel-group XX.YY.125.146 type ipsec-l2l
tunnel-group XX.YY.125.146 ipsec-attributes
 pre-shared-key *
tunnel-group XX.YY.139.26 type ipsec-l2l
tunnel-group XX.YY.139.26 ipsec-attributes
 pre-shared-key *
tunnel-group XX.YY.56.227 type ipsec-l2l
tunnel-group XX.YY.56.227 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteAccessVPN type remote-access
tunnel-group RemoteAccessVPN general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccessVPN
tunnel-group RemoteAccessVPN ipsec-attributes
 pre-shared-key *
!
class-map throttle-me
 match access-list throttle_edi_servers
!
!
policy-map throttle-policy
 class throttle-me
  police output 524000 4000
  police input 524000 4000
!
service-policy throttle-policy interface outside
smtp-server 172.16.16.231
prompt hostname context 
Cryptochecksum:c7205feeb2093835df72245f9b0671f9
: end


John Meggers

Just responded on the other thread.  I don't see anything wrong in the config.  Are there any logs that can help identify what's happening?  Did you change anything that may require clearing some information, such as clearing NAT translations?
polaris101 (asker)

No changes recently.... see attached screen shot of packet tracer.
Robert Sutton Jr
Line 150 states: static (inside,MCTraffic) 172.16.16.0 172.16.16.0 netmask 255.255.255.0
Thx Warlock...what should that be?
I advise removing this:

static (MCTraffic,inside) MCTraffic MCTraffic netmask 255.255.255.0

and configure nonat on MCTraffic and inside interface
ikalmar - I'd be really hesitant about modifying the inside interface at all.  Anything else I can do to make this work?
You need 4 lines for nonat:

access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.15.15.254 255.255.255.0
access-list inside_nat0_MCTraffic extended permit ip 172.15.15.254 255.255.255.0 172.16.16.0 255.255.255.0
nat (MCTraffic) 0 access-list MCTraffic _nat0_outbound
same-security-traffic intra-interface

clear xlate
I'll try this tonight.  I'll still have to remove this line though, right?: no static (MCTraffic,inside) MCTraffic MCTraffic netmask 255.255.255.0


Correct me if I'm wrong here.  

This is allowing the inside int access to the MCTraffic
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.15.15.254 255.255.255.0


This is allowing the MCTraffic network to the inside
access-list inside_nat0_MCTraffic extended permit ip 172.15.15.254 255.255.255.0 172.16.16.0 255.255.255.0

You're absolutely right...
I'm getting this message:

ERROR: IP address,mask <172.15.15.254,255.255.255.0> doesn't pair
ERROR: Access-list "MCTraffic_nat0_outbound" does not exist
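A small checker for the four nonat lines proposed above, added here as an illustration; it is not part of the thread or of the accepted solution. It reproduces the two errors the ASA reported (a host address that doesn't pair with a /24 mask, and a nat 0 statement naming an access-list that was never defined), flags the missing "permit" keyword in the same-security-traffic line, and passes a corrected set of the same four lines, which is my own constructed sample.

```python
import ipaddress
import re

# Constructed samples (not from the accepted solution): the nonat lines proposed in the
# thread, verbatim, and the same four lines with mask pairing, ACL name and syntax fixed.
PROPOSED = """\
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.15.15.254 255.255.255.0
access-list inside_nat0_MCTraffic extended permit ip 172.15.15.254 255.255.255.0 172.16.16.0 255.255.255.0
nat (MCTraffic) 0 access-list MCTraffic _nat0_outbound
same-security-traffic intra-interface
"""
CORRECTED = """\
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.15.15.0 255.255.255.0
access-list MCTraffic_nat0_outbound extended permit ip 172.15.15.0 255.255.255.0 172.16.16.0 255.255.255.0
nat (MCTraffic) 0 access-list MCTraffic_nat0_outbound
same-security-traffic permit intra-interface
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (.+)$")
SST_RE = re.compile(r"^same-security-traffic permit (inter|intra)-interface$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def pairs(addr, mask):
    """True when addr has no host bits set under mask (the pair the ASA accepts)."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return a & (~m & 0xFFFFFFFF) == 0

def lint_nonat(config):
    """Return the ASA-style errors the given nat-exemption lines would trigger, in order."""
    acls, errors = set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.add(name)
            for addr, mask in ((src, smask), (dst, dmask)):
                if IPV4_RE.match(addr) and not pairs(addr, mask):  # object names are skipped
                    errors.append(f"ERROR: IP address,mask <{addr},{mask}> doesn't pair")
        elif m := NAT0_RE.match(line):
            # Assumption: a stray space inside the name is a typo, as the quoted error shows.
            name = m.group(2).replace(" ", "")
            if name not in acls:
                errors.append(f'ERROR: Access-list "{name}" does not exist')
        elif line.startswith("same-security-traffic") and not SST_RE.match(line):
            errors.append(f"ERROR: expected 'same-security-traffic permit ...', got: {line}")
    return errors
```

Running lint_nonat(PROPOSED) lists the two errors quoted above plus the syntax error; lint_nonat(CORRECTED) returns an empty list.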
ASKER CERTIFIED SOLUTION
Istvan Kalmar