Solved

Nat not working asa 7.2

Posted on 2013-11-04
678 Views
Last Modified: 2013-11-08
I am not able to get to these two over http from outside, what am I doing wrong?


access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any

ip local pool bleh 172.26.13.20-172.26.13.25 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.23.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.23.13.19 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48806 172.23.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
Question by:j_crow1
12 Comments
 
LVL 21

Expert Comment

by:mcsween
ID: 39622618
Should be (assuming your WAN interface uses DHCP and the internal system is 192.168.0.10). If you have a static IP on the WAN side, use that instead of the word interface.

static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255
0
 

Author Comment

by:j_crow1
ID: 39622622
WAN interface is static.
0
 
LVL 21

Expert Comment

by:mcsween
ID: 39622632
Sorry, I read your answer too quickly. You don't need the ACL inside_access_in, and you shouldn't apply an ACL to the inside interface unless you want to restrict traffic going out.

Static PAT commands look like this (assuming 24.24.24.24 as public IP, 192.168.0.10 as private):
static (inside,outside) tcp 24.24.24.24 www 192.168.0.10 www netmask 255.255.255.255



This line is permitting everything in from the outside; this is too open:
access-list outside_access_in extended permit ip any any


It should look more like this:
access-list outside_access_in extended permit tcp any host 24.24.24.24 eq www



The ACL should permit traffic to the WAN address, then use the static command to map the port translation to the internal address.
0
 

Author Comment

by:j_crow1
ID: 39622672
Yeah, but assuming that it was TOO open, it should have worked given the config, correct? Adding that line did not fix it.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39623668
Looking at the config I see you're using two different IP ranges:

access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any

ip local pool bleh 172.26.13.20-172.26.13.25 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.23.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.23.13.19 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48806 172.23.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside


Assuming 172.26.13.x is your inside range, you'll need to recreate your statics with the correct IP addresses.
0
 

Author Comment

by:j_crow1
ID: 39627329
The local IPs are right, the range is wrong. I redid the range to the following:

ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240

Still not working. Is it safe to assume at that point it is the device I am trying to connect to?
0

 
LVL 35

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 39627344
Just to make sure:
your pool is:
172.26.13.18-172.26.13.22

The statics use:
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255

That's not going to work.
0
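One way to catch both problems raised in this thread before pushing a config, namely statics whose real (inside) address is not on the inside interface's subnet, and a `permit ip any any` bound inbound on the outside, as an added example in Python; this is not code from the thread or from Cisco. It assumes the statics use literal IPv4 addresses rather than `names` aliases, and the sample config is constructed to mirror the original post, with one corrected static added.

```python
import ipaddress
import re

# Constructed excerpt mirroring the thread's first config: statics pointing at
# 172.23.13.x while the inside interface is 172.26.13.16/28, plus one fixed static.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 172.26.13.17 255.255.255.240
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host INTERFACEIP eq www
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:tcp|udp) \S+ \S+ (\S+) \S+ netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def interface_subnets(config):
    """Map each nameif to the subnet configured under that interface block."""
    subnets, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            try:  # skip sanitized placeholders and pppoe-negotiated addresses
                subnets[nameif] = ipaddress.ip_network("/".join(line.split()[2:4]), strict=False)
            except ValueError:
                pass
    return subnets

def misplaced_statics(config):
    """Statics whose real (inside) address is not on the real interface's subnet."""
    subnets, bad = interface_subnets(config), []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and m.group(1) in subnets and ipaddress.ip_address(m.group(3)) not in subnets[m.group(1)]:
            bad.append(line)
    return bad

def wide_open_inbound_acls(config):
    """'permit ip any any' entries in ACLs bound inbound on the outside interface."""
    lines = config.splitlines()
    bound = {m.group(1): m.group(2) for m in map(ACCESS_GROUP_RE.match, lines) if m}
    return [l for l in lines if (m := ACL_RE.match(l)) and bound.get(m.group(1)) == "outside"
            and m.groups()[1:] == ("ip", "any", "any")]
```

Run against the poster's later config (after the statics were moved to 172.26.13.x), `misplaced_statics` returns nothing, which matches the accepted answer's diagnosis.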
 

Author Comment

by:j_crow1
ID: 39627611
DOH!

Alright I fixed the statics, and it's still not working. I am stumped.

static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.26.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.26.13.18 48806 netmask 255.255.255.255
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39627673
Could you post a new sanitized config to see how it looks now?
0
 

Author Comment

by:j_crow1
ID: 39627707
ASA Version 7.2(4)
!
hostname HOSTNAME
domain-name DOMAINNAME
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.26.13.17 255.255.255.240
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address EXTERNALIIP 255.255.255.255 pppoe
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAIN.COM
access-list inside_nat0_outbound extended permit ip 172.26.13.16 255.255.255.240 192.168.47.0 255.255.255.0
access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host INTERFACEIP eq www
access-list outside_access_in extended permit udp any host INTERFACEIP eq 48808
access-list outside_access_in extended permit udp any host INTERFACEIP eq 48806
access-list outside_access_in extended permit tcp any host SECONDPUBLICIP eq www
access-list outside_access_in extended permit udp any host SECONDPUBLICIP eq 48808
access-list outside_access_in extended permit udp any host SECONDPUBLICIP eq 48806
access-list 147 extended permit ip 172.26.13.16 255.255.255.240 192.168.47.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.26.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.26.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp OUTSIDEIP2 www 172.26.13.19 www netmask 255.255.255.255
static (inside,outside) udp OUTSIDEIP2 48808 172.26.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp OUTSIDEIP2 48806 172.26.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 172.26.13.16 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL_MAP 47 match address 147
crypto map TUNNEL_MAP 47 set peer TUNNEL1IP
crypto map TUNNEL_MAP 47 set transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname EMAIL
vpdn group ATT ppp authentication pap
vpdn username EMAIL password PASSWORD
dhcpd dns INTERNALDNSIP 8.8.8.8
dhcpd domain DOMAIN.COM
!
dhcpd address 172.26.13.19-172.26.13.22 inside
dhcpd enable inside
!

username BLAHBLAH
tunnel-group TUNNELIP type ipsec-l2l
tunnel-group TUNNELIP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a3586de2007a3fdc1c1338c5f2ed1b9a
: end
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39628055
Mmm, weird indeed.

After a quick look (from my phone, that is ;), can't find it.
Did you have a look at the (ASDM) logs when trying to connect to see if anything shows up there?
Sometimes that helps a lot.
0
 

Author Comment

by:j_crow1
ID: 39634542
I can ping it, so I am closing this. I think it is an issue with the actual device.
0
