Solved

NAT not working, ASA 7.2

Posted on 2013-11-04
Last Modified: 2013-11-08
I am not able to get to these two over HTTP from outside. What am I doing wrong?


access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any

ip local pool bleh 172.26.13.20-172.26.13.25 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.23.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.23.13.19 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48806 172.23.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
Question by: j_crow1


Expert Comment

by:mcsween
ID: 39622618
Should be (assuming your WAN interface uses DHCP and the internal system is 192.168.0.10). If you have a static IP on the WAN side, use that instead of the word interface.

static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255

Author Comment

by:j_crow1
ID: 39622622
WAN interface is static.

Expert Comment

by:mcsween
ID: 39622632
Sorry, I read your answer too quickly. You don't need the ACL inside_access_in, and you shouldn't apply an ACL to the inside interface unless you want to restrict traffic going out.

Static PAT commands look like this (assuming 24.24.24.24 as public IP, 192.168.0.10 as private):
static (inside,outside) tcp 24.24.24.24 www 192.168.0.10 www netmask 255.255.255.255



This line is permitting everything in from the outside; this is too open:
access-list outside_access_in extended permit ip any any


It should look more like this:
access-list outside_access_in extended permit tcp any host 24.24.24.24 eq www



The ACL should permit traffic to the WAN address; then use the static command to map the port translation to the internal address.

Author Comment

by:j_crow1
ID: 39622672
Yeah, but assuming that it was TOO open, it should have worked given the config, correct? Adding that line did not fix it.

Expert Comment

by:Ernie Beek
ID: 39623668
Looking at the config I see you're using two different IP ranges:

access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any

ip local pool bleh 172.26.13.20-172.26.13.25 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.23.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.23.13.19 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48806 172.23.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside


Assuming 172.26.13.x is your inside range, you'll need to recreate your statics with the correct IP addresses.

Author Comment

by:j_crow1
ID: 39627329
The local IPs are right; the range is wrong. I redid the range to the following:

ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240

Still not working. Is it safe to assume at that point it is the device I am trying to connect to?

Accepted Solution

by: Ernie Beek
ID: 39627344
Just to make sure:
your pool is:
172.26.13.18-172.26.13.22

The statics use:
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255

That's not going to work.
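The two mistakes the thread has turned up so far, an outside ACL that does not match the statics (mcsween's comment above) and statics whose real address is not in the inside subnet (the accepted answer above), can both be caught mechanically. The following Python script is an added example and not part of the original thread: it parses the relevant lines of a 7.2-style config (interface addresses, static port forwards, and the ACL applied inbound on the mapped interface) and reports statics that point outside the real interface's subnet, statics with no matching inbound permit, and any permit ip any any entry. The two embedded configs are constructed for the example and not taken from the thread; 198.51.100.10 is a documentation-range stand-in for the sanitized public address.

```python
"""Added example, not from the thread: static PAT sanity checks for a pre-8.3 ASA config (statics
pointing outside the inside subnet, statics with no inbound ACL permit, and "permit ip any any")."""
import ipaddress
import re

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}
STATIC_RE = re.compile(r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<proto>tcp|udp) "
                       r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) netmask")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\w+)$")

# Constructed samples modelled on the question; 198.51.100.10 stands in for the sanitized public IP.
_IFACES = ("interface Vlan1\n nameif inside\n ip address 172.26.13.17 255.255.255.240\n!\n"
           "interface Vlan2\n nameif outside\n ip address 198.51.100.10 255.255.255.255\n!\n")
_GROUP = "access-group outside_access_in in interface outside\n"
BROKEN_CONFIG = _IFACES + """\
access-list outside_access_in extended permit ip any any
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
""" + _GROUP
FIXED_CONFIG = _IFACES + """\
access-list outside_access_in extended permit tcp any host 198.51.100.10 eq www
static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
""" + _GROUP

def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]  # KeyError: extend PORT_NAMES

def _net(addr, mask="255.255.255.255"):
    try:  # None for sanitized placeholders such as PUBLICIP2 or EXTERNALIIP
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None

def _addr(tok):
    n = _net(tok)
    return n.network_address if n is not None else None

def _take_addr(tokens):  # one ASA address spec: any | host A | A MASK
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return _net(tokens[1]), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    interfaces, statics, acls, groups, cur = {}, [], {}, {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = {}
            continue
        if cur is not None and line.startswith(" "):  # inside an interface block
            parts = line.split()
            if parts[0] == "nameif":
                cur["name"] = parts[1]
            elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
                cur["net"], cur["ip"] = _net(parts[2], parts[3]), _addr(parts[2])
            if cur.get("name") and "net" in cur:
                interfaces[cur["name"]] = cur
            continue
        cur = None
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            src, rest = _take_addr(m["rest"].split())
            dst, rest = _take_addr(rest)
            dport = port_num(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(m["name"], []).append(
                {"action": m["action"], "proto": m["proto"], "src": src, "dst": dst, "dport": dport})
        elif m := GROUP_RE.match(line):
            groups[m["ifc"]] = m["name"]
    return {"interfaces": interfaces, "statics": statics, "acls": acls, "groups": groups}

def _permits(entry, proto, ip, port):
    # Unresolvable (sanitized) addresses count as a match: report only what can be evaluated.
    if entry["action"] != "permit" or entry["proto"] not in ("ip", proto):
        return False
    if ip is not None and entry["dst"] is not None and ip not in entry["dst"]:
        return False
    return entry["dport"] is None or entry["dport"] == port

def check(text):
    cfg, findings = parse_config(text), []
    for s in cfg["statics"]:
        port, label = port_num(s["mapped_port"]), f"static {s['proto']}/{s['mapped_port']} -> {s['real_ip']}"
        inside, real = cfg["interfaces"].get(s["real_ifc"]), _addr(s["real_ip"])
        if inside and inside["net"] is not None and real is not None and real not in inside["net"]:
            findings.append(f"{label}: real address not in {s['real_ifc']} subnet {inside['net']}")
        outside, acl = cfg["interfaces"].get(s["mapped_ifc"]), cfg["groups"].get(s["mapped_ifc"])
        mapped = outside["ip"] if s["mapped_ip"] == "interface" and outside else _addr(s["mapped_ip"])
        if not any(_permits(e, s["proto"], mapped, port) for e in cfg["acls"].get(acl, [])):
            findings.append(f"{label}: no permit for {s['proto']}/{port} to {mapped} on {s['mapped_ifc']} ACL {acl}")
    for ifc, name in cfg["groups"].items():
        for e in cfg["acls"].get(name, []):
            if e["action"] == "permit" and e["proto"] == "ip" and all(
                    n is not None and n.prefixlen == 0 for n in (e["src"], e["dst"])):
                findings.append(f"ACL {name} on {ifc} permits ip any any: too open")
    return findings
```

Calling check(BROKEN_CONFIG) returns two findings (the 172.23.13.18 static is outside 172.26.13.16/28, and the outside ACL is too open); check(FIXED_CONFIG) returns none. Run over the full config posted later in the thread, it accepts the 172.26.13.18 and .19 statics, cannot evaluate the sanitized placeholders (INTERFACEIP, OUTSIDEIP2) and so does not flag them, and reports the permit ip any any on inside_access_in. It looks only at the NAT and ACL path; on the box itself, packet-tracer input outside tcp <src-ip> <src-port> <outside-ip> 80 (available since ASA 7.2) walks a synthetic packet through ACL, NAT and routing and shows which phase drops it, which is the quickest way to tell a firewall problem from a dead host behind it. Unrelated to the NAT question but visible in that config, ssh 0.0.0.0 0.0.0.0 outside allows SSH to the firewall from any Internet address and deserves restricting.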

Author Comment

by:j_crow1
ID: 39627611
DOH!

Alright, I fixed the statics, and it's still not working. I am stumped.

static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.26.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.26.13.18 48806 netmask 255.255.255.255

Expert Comment

by:Ernie Beek
ID: 39627673
Could you post a new sanitized config to see how it looks now?

Author Comment

by:j_crow1
ID: 39627707
ASA Version 7.2(4)
!
hostname HOSTNAME
domain-name DOMAINNAME
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.26.13.17 255.255.255.240
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address EXTERNALIIP 255.255.255.255 pppoe
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAIN.COM
access-list inside_nat0_outbound extended permit ip 172.26.13.16 255.255.255.240 192.168.47.0 255.255.255.0
access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host INTERFACEIP eq www
access-list outside_access_in extended permit udp any host INTERFACEIP eq 48808
access-list outside_access_in extended permit udp any host INTERFACEIP eq 48806
access-list outside_access_in extended permit tcp any host SECONDPUBLICIP eq www
access-list outside_access_in extended permit udp any host SECONDPUBLICIP eq 48808
access-list outside_access_in extended permit udp any host SECONDPUBLICIP eq 48806
access-list 147 extended permit ip 172.26.13.16 255.255.255.240 192.168.47.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.26.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.26.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp OUTSIDEIP2 www 172.26.13.19 www netmask 255.255.255.255
static (inside,outside) udp OUTSIDEIP2 48808 172.26.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp OUTSIDEIP2 48806 172.26.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 172.26.13.16 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL_MAP 47 match address 147
crypto map TUNNEL_MAP 47 set peer TUNNEL1IP
crypto map TUNNEL_MAP 47 set transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname EMAIL
vpdn group ATT ppp authentication pap
vpdn username EMAIL password PASSWORD
dhcpd dns INTERNALDNSIP 8.8.8.8
dhcpd domain DOMAIN.COM
!
dhcpd address 172.26.13.19-172.26.13.22 inside
dhcpd enable inside
!

username BLAHBLAH
tunnel-group TUNNELIP type ipsec-l2l
tunnel-group TUNNELIP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a3586de2007a3fdc1c1338c5f2ed1b9a
: end

Expert Comment

by:Ernie Beek
ID: 39628055
Mmm, weird indeed.

After a quick look (from my phone, that is ;), can't find it.
Did you have a look at the (ASDM) logs when trying to connect to see if anything shows up there?
Sometimes that helps a lot.

Author Comment

by:j_crow1
ID: 39634542
I can ping it, so I am closing this. I think it is an issue with the actual device.