Mystical_Ice
asked on
What am i doing wrong in this ASA config? Static NAT not working?
Hi
Got a new firewall and trying to configure it, but running into some issues since i'm not too familiar with the changes in syntax with the release of 8.3...
The IPs are as follows (some have been changed) :
1.2.3.4 - DVR public IP
1.2.3.5 - PBX public IP
1.2.3.3 - Cisco ASA public IP (both the DVR and PBX are behind the ASA)
1.1.1.1 - Cisco ASA public gateway
The DVR internal IP is 192.168.15.252
The PBX internal IP is 192.168.16.20.
There are three internal subnets: 192.168.15.0, 16.0, and 17.0.
15 is for clients and computers. 16 for phones, and 17 for VPN users (VPN pool on ASA)
The router is a layer 3 switch with IP address on the .15 network of 192.168.15.1
The ASA is 192.168.15.254. It has a route in it for the switch to get to the .16 network, and the ASA can ping any device on any subnet.
The problem we're having, is when we put in the NAT rule for the PBX (mapping it to 1.2.3.5) we experience one-way audio on the phones. When we remove the rule (so the PBX is just using the 1.2.3.3 IP of the ASA's NAT pool), then everything works fine, BUT we need it to have a static 1 to 1 NAT so we can configure phones outside the company to connect too. Right now, if we remove that NAT rule for the PBX, the phones inside the company work fine - they're establishing the connection to the SIP provider, and everything works.
What am I doing wrong?
:
ASA Version 8.4(2)
!
hostname DCC-ASA
enable password asdfasdf encrypted
passwd asdfasdf encrypted
names
name 1.2.3.4 DVROUTSIDE
name 1.2.3.5 PBXOUTSIDE
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.3 255.255.255.242
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.15.252
host 192.168.15.252
object network obj-192.168.16.20
host 192.168.16.20
object network EntireInternal
subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.17.0_2
subnet 192.168.17.0 255.255.255.240
object-group service DVRGROUP tcp
port-object eq 9000
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service PBXGROUP tcp
port-object eq sip
port-object eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip host (an outsidehost) host 1.2.3.5
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any object obj-192.168.15.252 object-group DVRGROUP
access-list outside_access_in extended permit tcp any object obj-192.168.16.20 object-group PBXGROUP
access-list inside_access_in extended permit ip any any
access-list DCCVPN_SplitTunnel standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL2 192.168.17.1-192.168.17.10
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static EntireInternal EntireInternal destination static NETWORK_OBJ_192.168.17.0_2
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-192.168.15.252
nat (inside,outside) static 1.2.3.4
object network obj-192.168.16.20
nat (inside,outside) static 1.2.3.5
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router rip
network 192.168.0.0
passive-interface inside
version 2
no auto-summary
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.16.0 255.255.255.0 192.168.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DCCVPN internal
group-policy DCCVPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DCCVPN_SplitTunnel
default-domain value doorcc.com
tunnel-group DCCVPN type remote-access
tunnel-group DCCVPN general-attributes
address-pool VPNPOOL2
default-group-policy DCCVPN
tunnel-group DCCVPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect dns preqwqer
parameters
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:519389989ea
: end
DCC-ASA#
Got a new firewall and trying to configure it, but running into some issues since i'm not too familiar with the changes in syntax with the release of 8.3...
The IPs are as follows (some have been changed) :
1.2.3.4 - DVR public IP
1.2.3.5 - PBX public IP
1.2.3.3 - Cisco ASA public IP (both the DVR and PBX are behind the ASA)
1.1.1.1 - Cisco ASA public gateway
The DVR internal IP is 192.168.15.252
The PBX internal IP is 192.168.16.20.
There are three internal subnets: 192.168.15.0, 16.0, and 17.0.
15 is for clients and computers. 16 for phones, and 17 for VPN users (VPN pool on ASA)
The router is a layer 3 switch with IP address on the .15 network of 192.168.15.1
The ASA is 192.168.15.254. It has a route in it for the switch to get to the .16 network, and the ASA can ping any device on any subnet.
The problem we're having, is when we put in the NAT rule for the PBX (mapping it to 1.2.3.5) we experience one-way audio on the phones. When we remove the rule (so the PBX is just using the 1.2.3.3 IP of the ASA's NAT pool), then everything works fine, BUT we need it to have a static 1 to 1 NAT so we can configure phones outside the company to connect too. Right now, if we remove that NAT rule for the PBX, the phones inside the company work fine - they're establishing the connection to the SIP provider, and everything works.
What am I doing wrong?
:
ASA Version 8.4(2)
!
hostname DCC-ASA
enable password asdfasdf encrypted
passwd asdfasdf encrypted
names
name 1.2.3.4 DVROUTSIDE
name 1.2.3.5 PBXOUTSIDE
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.3 255.255.255.242
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.15.252
host 192.168.15.252
object network obj-192.168.16.20
host 192.168.16.20
object network EntireInternal
subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.17.0_2
subnet 192.168.17.0 255.255.255.240
object-group service DVRGROUP tcp
port-object eq 9000
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service PBXGROUP tcp
port-object eq sip
port-object eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip host (an outsidehost) host 1.2.3.5
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any object obj-192.168.15.252 object-group DVRGROUP
access-list outside_access_in extended permit tcp any object obj-192.168.16.20 object-group PBXGROUP
access-list inside_access_in extended permit ip any any
access-list DCCVPN_SplitTunnel standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL2 192.168.17.1-192.168.17.10
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static EntireInternal EntireInternal destination static NETWORK_OBJ_192.168.17.0_2
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-192.168.15.252
nat (inside,outside) static 1.2.3.4
object network obj-192.168.16.20
nat (inside,outside) static 1.2.3.5
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router rip
network 192.168.0.0
passive-interface inside
version 2
no auto-summary
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.16.0 255.255.255.0 192.168.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DCCVPN internal
group-policy DCCVPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DCCVPN_SplitTunnel
default-domain value doorcc.com
tunnel-group DCCVPN type remote-access
tunnel-group DCCVPN general-attributes
address-pool VPNPOOL2
default-group-policy DCCVPN
tunnel-group DCCVPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect dns preqwqer
parameters
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:519389989ea
: end
DCC-ASA#
ASKER
No go. Didn't work - gave an error about the object group existing.
Question - how do i test if traffic is even making it to the ASA on that IP? I've gone through the 'packet tracer' utility on the ASA to make sure the packets are going THROUGH it right, but is there a log i can turn on to see when I try to connect if it's even seeing the traffic?
Question - how do i test if traffic is even making it to the ASA on that IP? I've gone through the 'packet tracer' utility on the ASA to make sure the packets are going THROUGH it right, but is there a log i can turn on to see when I try to connect if it's even seeing the traffic?
The easiest would be the ASDM logging:
Monitoring->logging->real time log viewer
And see what it's telling.
Monitoring->logging->real time log viewer
And see what it's telling.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
nat (inside,outside) source static 192.168.16.20 1.2.3.5