Solved

How to configure static NAT on ASA 5510 ver 8.2

Posted on 2013-10-27
Last Modified: 2013-10-29
Hi
How can I static NAT RDP traffic from an external IP to internal host 10.10.10.50?

interface e0/0
 nameif outside
 security-level 0
 ip address 196.1.1.1 255.255.255.248

interface e0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
Question by:ciscosupp

Expert Comment

by:fgasimzade
ID: 39604949
Option #1

static (inside,outside) tcp 196.1.1.1 3389 10.10.10.1 3389 netmask 255.255.255.255

access-list outside_access_in extended permit ip any host 196.1.1.1

access-group outside_access_in in interface outside

Option #2

static (inside,outside) 196.1.1.1 10.10.10.1 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 196.1.1.1 eq 3389

access-group outside_access_in in interface outside

Author Comment

by:ciscosupp
ID: 39606003
I tried option 2 but got this error:

Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

And mustn't it be 10.10.10.50 instead of 10.10.10.1, as my internal host has an IP of 10.10.10.50?

Please advise.

Expert Comment

by:fgasimzade
ID: 39606583
Oops, sorry, it should be:
static (inside,outside) interface 10.10.10.50 netmask 255.255.255.255

The access list remains the same.
Author Comment

by:ciscosupp
ID: 39606657
Thanks.
Now I get this error:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.251 dst inside:10.10.10.2 (type 8, code 0) denied due to NAT reverse path failure

Expert Comment

by:fgasimzade
ID: 39606674
Can you post your config, please?
Author Comment

by:ciscosupp
ID: 39606699
See attached file: ASA-Config.txt

Expert Comment

by:fgasimzade
ID: 39607916
First, I cannot see your static NAT for 10.10.10.50.

Secondly, what is 10.10.10.2? You will not be able to use both IP addresses to NAT to the same outside interface.

And the main thing is that your default gateway is pointing to 192.168.1.1.

If you want your NAT to be working, you need to have a default route pointing out from the outside interface.
Author Comment

by:ciscosupp
ID: 39608228
I changed my server's IP to 10.10.10.2, and the default gateway is an ADSL modem.
It's only a test lab.
Please see attached diagram: Diagram.jpg

Expert Comment

by:fgasimzade
ID: 39608236
This is where the problem is: asymmetric routing.

Since you have 192.168.1.100 configured on the outside interface, your 10.10.10.2 is NATed to 192.168.1.100.

You can configure NAT for 10.10.10.2 on the ADSL modem, or you would need to change your outside IP address to 196.1.1.1.

Expert Comment

by:Ernie Beek
ID: 39608877
A few things:

-Like fgasimzade said, you can't NAT the outside interface to multiple inside addresses. You'll need to do PAT (fgasimzade's option 1). Or, the way it's set up right now, you could use a second address to NAT from the outside to 10.10.10.2 (for example: static (inside,outside) 192.168.1.101 10.10.10.2 netmask 255.255.255.255).
Even better would be to not do a 1:1 NAT on the interface address but also use a different IP for that, like: static (inside,outside) 192.168.1.102 10.10.10.50 netmask 255.255.255.255

-Is that IP 196.1.1.1 a typo, or are you using that somewhere else?

-Your server 10.10.10.2 will need a default gateway (like fgasimzade already said), otherwise it won't 'know' how to get to networks other than its own.
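The pitfalls raised across this thread can be checked mechanically against a saved config: a literal interface address where ASA 8.2 wants the `interface` keyword (the error the asker hit with option 2), two inside hosts mapped 1:1 to the same outside address (fgasimzade's and Ernie Beek's point), no default route out of the mapped interface, and a `permit tcp any any` bound inbound on outside, which is what the asker's later `show run` contains. The linter below is an added example and is not code from this thread or from Cisco. It parses the 8.2-era `static (real,mapped) [tcp|udp] mapped [mport] real [rport]` syntax; the two sample configs embedded in it are constructed for the demonstration and reuse the thread's lab addresses, while the gateway 196.12.10.254 and the mapped port 3390 for the second host are assumptions.

```python
"""Lint an ASA 8.2-style running config for the static NAT pitfalls from the thread."""
import re

# Constructed interface section (thread's lab addresses, not a real device).
IFACES = """\
interface Ethernet0/0
 nameif outside
 ip address 196.12.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
!
"""
# Constructed "before": literal interface IP, two 1:1 statics to the same
# outside address, no default route, wide-open inbound ACL.
BROKEN_CONFIG = IFACES + """\
access-list outside extended permit tcp any host 196.12.10.1 eq 3389
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
static (inside,outside) 196.12.10.1 10.10.10.2 netmask 255.255.255.255
static (inside,outside) interface 10.10.10.50 netmask 255.255.255.255
access-group outside in interface outside
"""
# Constructed "after": per-port PAT on the interface (thread's option 1 form),
# ACL narrowed to the mapped host/ports, default route out of outside.
# Gateway 196.12.10.254 and port 3390 are assumptions.
FIXED_CONFIG = IFACES + """\
access-list outside extended permit tcp any host 196.12.10.1 eq 3389
access-list outside extended permit tcp any host 196.12.10.1 eq 3390
static (inside,outside) tcp interface 3389 10.10.10.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.10.10.50 3389 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 196.12.10.254 1
"""

OPEN_ACE = re.compile(r"^access-list (\S+) extended permit (ip|tcp|udp) any any\s*$")
DEFAULT_ROUTE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_interfaces(config):
    """Map nameif -> IP address from the 'interface' blocks."""
    ips, nameif, ip = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = ip = None           # new block: forget the previous one
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address "):
            ip = line.split()[2]
        if nameif and ip:
            ips[nameif] = ip
    return ips


def parse_statics(config):
    """Parse 8.2 'static (real,mapped) [proto] mapped [mport] real [rport]' lines."""
    statics = []
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] != "static":
            continue
        real_if, mapped_if = tok[1].strip("()").split(",")
        i, proto, mapped_port = 2, None, None
        if tok[i] in ("tcp", "udp"):     # port-level (PAT) form carries ports
            proto, i = tok[i], i + 1
        mapped, i = tok[i], i + 1
        if proto:
            mapped_port, i = tok[i], i + 1
        statics.append({"real_if": real_if, "mapped_if": mapped_if, "proto": proto,
                        "mapped": mapped, "mapped_port": mapped_port,
                        "real": tok[i], "line": line})
    return statics


def lint(config):
    """Return (code, message) findings for the thread's four pitfalls."""
    findings, ifaces, statics = [], parse_interfaces(config), parse_statics(config)
    one_to_one = {}                      # effective mapped IP -> real host (1:1 only)
    for s in statics:
        mapped_ip = ifaces.get(s["mapped_if"]) if s["mapped"] == "interface" else s["mapped"]
        if s["mapped"] != "interface" and s["mapped"] in ifaces.values():
            findings.append(("STATIC_IFACE_IP", f"{s['line']!r}: interface address written "
                             "literally; the ASA requires the 'interface' keyword"))
        if s["proto"] is None:           # only 1:1 statics compete for a whole address
            if mapped_ip in one_to_one and one_to_one[mapped_ip] != s["real"]:
                findings.append(("STATIC_CONFLICT", f"{mapped_ip} is 1:1 mapped to both "
                                 f"{one_to_one[mapped_ip]} and {s['real']}; use per-port PAT "
                                 "(static ... tcp interface <port> ...) or a second mapped address"))
            one_to_one.setdefault(mapped_ip, s["real"])
    routed = {m.group(1) for m in map(DEFAULT_ROUTE.match, config.splitlines()) if m}
    for ifc in sorted({s["mapped_if"] for s in statics} - routed):
        findings.append(("NO_DEFAULT_ROUTE", f"no 'route {ifc} 0.0.0.0 0.0.0.0 <gw>'; "
                         f"return traffic for the {ifc} translation has no path"))
    bound = {m.group(1): m.group(2) for m in map(ACCESS_GROUP.match, config.splitlines()) if m}
    for line in config.splitlines():
        m = OPEN_ACE.match(line)
        if m and m.group(1) in bound:
            findings.append(("ACL_WIDE_OPEN", f"{line!r} is bound inbound on {bound[m.group(1)]}; "
                             "restrict it to the mapped host and port (permit tcp any host <mapped> eq 3389)"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(BROKEN_CONFIG):
        print(f"{code}: {msg}")
    print("fixed config findings:", lint(FIXED_CONFIG))
```

Run it as a script to see the five findings on the broken sample and an empty list for the fixed one; `lint()` can be pointed at the text of `show run` saved from any 8.2 box. The conflict check deliberately ignores the `tcp`/`udp` form because two hosts may share one mapped address as long as their mapped ports differ, which is exactly the PAT route the experts recommend.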

Author Comment

by:ciscosupp
ID: 39609337
Thanks for the info.
I made a small change: I plugged my laptop directly into ASA interface e0/0 and the server directly into ASA interface e0/1. My laptop's IP is 196.12.10.2/24 and the server's IP is 10.10.10.2/24,
but it is still not working. See my config:
LAB# show run
: Saved
:
ASA Version 8.2(2)
!
hostname LAB
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 196.12.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any eq 3389
access-list outside extended permit tcp any host 196.12.10.1 eq 3389
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list inside extended permit icmp any any
access-list inside extended permit tcp any any eq domain
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit tcp any any eq https
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) interface 10.10.10.2 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

LAB# show nat

NAT policies on Interface inside:
  match ip inside host 10.10.10.2 outside any
    static translation to 196.12.10.1
    translate_hits = 0, untranslate_hits = 185

Assisted Solution

by:Ernie Beek
Ernie Beek earned 100 total points
ID: 39609386
First, get rid of the inside access list:
no access-group inside in interface inside

And see what happens.
Also keep an eye on the logging (real-time through ASDM); it might give you some extra clues about what is not quite right yet.
Author Comment

by:ciscosupp
ID: 39609459
I removed the ACL (no access-group inside in interface inside).
Still not working; see the ASA log file attached. I don't understand why it's not working.

LAB# show nat

NAT policies on Interface inside:
  match ip inside host 10.10.10.2 outside any
    static translation to 196.12.10.1
    translate_hits = 0, untranslate_hits = 632
asa-log.txt

Expert Comment

by:fgasimzade
ID: 39609580
What exactly is not working?

Make sure you turned off the firewall on your laptop.
Author Comment

by:ciscosupp
ID: 39609640
NAT is not working, as I cannot RDP with IP address 196.12.10.1.
The firewall is off on both the PC and the server, and if I add a default gateway I can RDP to 10.10.10.2; that is working.

Expert Comment

by:fgasimzade
ID: 39609660
Where do you add the DG?
Author Comment

by:ciscosupp
ID: 39609708
On the laptop and the server, so it is routed.

Accepted Solution

by:fgasimzade
fgasimzade earned 400 total points
ID: 39609716
You definitely need a DG on both the laptop and the server; otherwise it won't work.
Author Closing Comment

by:ciscosupp
ID: 39609741
i am so fucking retarded
:-)

Expert Comment

by:Ernie Beek
ID: 39609942
No you're not :D

You just need some extra pairs of eyes every now and then :)
Author Comment

by:ciscosupp
ID: 39610763
Hahaha, that is true, especially in IT.