Solved

How to configure static NAT on ASA 5510 ver 8.2

Posted on 2013-10-27
Last Modified: 2013-10-29
Hi,
How can I static NAT RDP traffic from an external IP to internal host 10.10.10.50?

interface e0/0
 nameif outside
 security-level 0
 ip address 196.1.1.1 255.255.255.248

interface e0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
Question by:ciscosupp

Expert Comment

by:fgasimzade
ID: 39604949
Option #1

static (inside,outside) tcp 196.1.1.1 3389 10.10.10.1 3389 netmask 255.255.255.255

access-list outside_access_in extended permit ip any host 196.1.1.1

access-group outside_access_in in interface outside

Option #2

static (inside,outside) 196.1.1.1 10.10.10.1 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 196.1.1.1 eq 3389

access-group outside_access_in in interface outside

Author Comment

by:ciscosupp
ID: 39606003
I tried option 2 but get an error:

Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

And mustn't it be 10.10.10.50 instead of 10.10.10.1, as my internal host has an IP of 10.10.10.50?

Please advise.

Expert Comment

by:fgasimzade
ID: 39606583
Oops, sorry, it should be:
static (inside,outside) interface 10.10.10.50 netmask 255.255.255.255

The access list remains the same.

Author Comment

by:ciscosupp
ID: 39606657
Thanks.
Now I get this error:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.251 dst inside:10.10.10.2 (type 8, code 0) denied due to NAT reverse path failure

Expert Comment

by:fgasimzade
ID: 39606674
Can you post your config, please?

Author Comment

by:ciscosupp
ID: 39606699
See the attached file:
ASA-Config.txt

Expert Comment

by:fgasimzade
ID: 39607916
First, I cannot see your static NAT for 10.10.10.50.

Secondly, what is 10.10.10.2? You will not be able to use both IP addresses to NAT to the same outside interface.

And the main thing is that your default gateway is pointing to 192.168.1.1.

If you want your NAT to be working, you need to have a default route pointing out from the outside interface.

Author Comment

by:ciscosupp
ID: 39608228
I changed my server's IP to 10.10.10.2, and the default gateway is an ADSL modem.
It's only a test lab.
Please see the attached diagram:
Diagram.jpg

Expert Comment

by:fgasimzade
ID: 39608236
This is where the problem is: asymmetric routing.

Since you have 192.168.1.100 configured on the outside interface, your 10.10.10.2 is NATed to 192.168.1.100.

You can configure NAT for 10.10.10.2 on the ADSL modem, or you would need to change your outside IP address to 196.1.1.1.

Expert Comment

by:Ernie Beek
ID: 39608877
A few things:

-Like fgasimzade said, you can't NAT the outside interface to multiple inside addresses. You'll need to do PAT (fgasimzade's option 1). Or, the way it's set up right now, you could use a second address to NAT from the outside to 10.10.10.2 (for example: static (inside,outside) 192.168.1.101 10.10.10.2 netmask 255.255.255.255).
Even better would be to not do a 1:1 NAT on the interface address but also use a different IP for that, like: static (inside,outside) 192.168.1.102 10.10.10.50 netmask 255.255.255.255

-Is that IP 196.1.1.1 a typo, or are you using that somewhere else?

-Your server 10.10.10.2 will need a default gateway (like fgasimzade already said), otherwise it won't 'know' how to get to other networks than its own.
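The two configuration mistakes discussed above (a literal interface address where ASA 8.2 demands the 'interface' keyword, and several inside hosts claiming the same mapped address with 1:1 statics) can be caught before the config is applied. The checker below is an added example, not code from any poster; the sample config is constructed, and the parser assumes each interface stanza lists nameif before ip address, as in the asker's output.

```python
from collections import defaultdict

# Constructed sample (not the asker's config): ASA 8.2 statics that all land on the outside address.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 196.12.10.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
static (inside,outside) 196.12.10.1 10.10.10.50 netmask 255.255.255.255
static (inside,outside) interface 10.10.10.2 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.10.10.50 3389 netmask 255.255.255.255
"""

def interface_ips(config):
    """Map each nameif to its address by walking the interface stanzas line by line."""
    ips, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            ips[nameif] = line.split()[2]
    return ips

def parse_static(line):
    """Return (mapped_if, proto, mapped, mapped_port, real) for an 8.2 'static' line."""
    _, ifpair, *rest = line.split()
    mapped_if = ifpair.strip("()").split(",")[1]
    if rest[0] in ("tcp", "udp"):  # port-level static PAT: proto mapped mport real rport ...
        return mapped_if, rest[0], rest[1], rest[2], rest[3]
    return mapped_if, None, rest[0], None, rest[1]  # 1:1 static NAT: mapped real ...

def lint_statics(config):
    """Findings for the two mistakes discussed in the thread."""
    ips, findings, owners = interface_ips(config), [], defaultdict(list)
    for line in (ln for ln in config.splitlines() if ln.startswith("static ")):
        mapped_if, proto, mapped, _port, real = parse_static(line)
        if mapped == ips.get(mapped_if):  # literal interface IP: ASA demands 'interface'
            findings.append(f"{real}: use the 'interface' keyword instead of {mapped}")
        elif mapped == "interface":
            mapped = ips.get(mapped_if, mapped)  # resolve so clashes become visible
        if proto is None:  # only 1:1 statics claim the whole mapped address
            owners[mapped].append(real)
    for mapped, hosts in owners.items():
        if len(hosts) > 1:  # one address cannot be the 1:1 static for several hosts
            findings.append(f"{mapped}: 1:1 static for {hosts}; use port PAT instead")
    return findings
```

Running lint_statics(SAMPLE_CONFIG) reports both problems; a config that only uses port-level statics on the interface address reports nothing.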

Author Comment

by:ciscosupp
ID: 39609337
Thanks for the info.
I made a small change: I plugged my laptop directly into ASA interface e0/0 and the server directly into ASA interface 0/1. My laptop's IP is 196.12.10.2/24 and the server IP is 10.10.10.2/24,
but it is still not working. See my config:
LAB# show run
: Saved
:
ASA Version 8.2(2)
!
hostname LAB
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 196.12.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any eq 3389
access-list outside extended permit tcp any host 196.12.10.1 eq 3389
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list inside extended permit icmp any any
access-list inside extended permit tcp any any eq domain
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit tcp any any eq https
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) interface 10.10.10.2 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

LAB# show nat

NAT policies on Interface inside:
  match ip inside host 10.10.10.2 outside any
    static translation to 196.12.10.1
    translate_hits = 0, untranslate_hits = 185

Assisted Solution

by:Ernie Beek
Ernie Beek earned 400 total points
ID: 39609386
First, get rid of the inside access list:
no access-group inside in interface inside

And see what happens.
Also keep an eye on the logging (real time through ASDM); it might give you some extra clues about what is not quite right yet.

Author Comment

by:ciscosupp
ID: 39609459
I removed the ACL (no access-group inside in interface inside).
Still not working; see the ASA log file attached. I don't understand why it's not working.

LAB#   show nat

NAT policies on Interface inside:
  match ip inside host 10.10.10.2 outside any
    static translation to 196.12.10.1
    translate_hits = 0, untranslate_hits = 632
asa-log.txt

Expert Comment

by:fgasimzade
ID: 39609580
What exactly is not working?

Make sure you turned off the firewall on your laptop.

Author Comment

by:ciscosupp
ID: 39609640
NAT is not working, as I cannot RDP with IP address 196.12.10.1.
The firewall is off on both the PC and the server, and if I add a default gateway I can RDP to 10.10.10.2; that is working.

Expert Comment

by:fgasimzade
ID: 39609660
Where do you add the DG?

Author Comment

by:ciscosupp
ID: 39609708
On the laptop and server, so it is routed.

Accepted Solution

by:fgasimzade
fgasimzade earned 1600 total points
ID: 39609716
You definitely need a DG on both the laptop and the server, otherwise it won't work.

Author Closing Comment

by:ciscosupp
ID: 39609741
I am so fucking retarded
:-)

Expert Comment

by:Ernie Beek
ID: 39609942
No you're not :D

You just need some extra pairs of eyes every now and then :)

Author Comment

by:ciscosupp
ID: 39610763
Hahahah, that is true, especially in IT.