Solved

Nat not working asa 7.2

Posted on 2013-11-04
12
699 Views
Last Modified: 2013-11-08
I am not able to get to these two over HTTP from outside. What am I doing wrong?


access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any

ip local pool bleh 172.26.13.20-172.26.13.25 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.23.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.23.13.19 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48806 172.23.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
0
Question by:j_crow1
12 Comments
 
LVL 22

Expert Comment

by:mcsween
ID: 39622618
Should be (assuming your WAN interface uses DHCP and the internal system is 192.168.0.10). If you have a static IP on the WAN side, use that instead of the word interface.

static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255
0
 

Author Comment

by:j_crow1
ID: 39622622
WAN interface is static.
0
 
LVL 22

Expert Comment

by:mcsween
ID: 39622632
Sorry, I read your answer too quickly. You don't need the ACL inside_access_in, and you shouldn't apply an ACL to the inside interface unless you want to restrict traffic going out.

Static PAT commands look like this (assuming 24.24.24.24 as public IP, 192.168.0.10 as private):
static (inside,outside) tcp 24.24.24.24 www 192.168.0.10 www netmask 255.255.255.255



This line is permitting everything in from the outside; this is too open:
access-list outside_access_in extended permit ip any any


It should look more like this
access-list outside_access_in extended permit tcp any host 24.24.24.24 eq www



ACL should permit traffic to the WAN address, then use STATIC command to map the port translation to the internal address.
0
 

Author Comment

by:j_crow1
ID: 39622672
Yeah, but assuming that it was TOO open, it should have worked given the config, correct? Adding that line did not fix it.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39623668
Looking at the config I see you're using two different IP ranges:

access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any

ip local pool bleh 172.26.13.20-172.26.13.25 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.23.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.23.13.19 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48806 172.23.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside


Assuming 172.26.13.x is your inside range, you'll need to recreate your statics with the correct IP addresses.
0
 

Author Comment

by:j_crow1
ID: 39627329
The local IPs are right, the range is wrong. I redid the range to the following:

ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240

Still not working. Is it safe to assume at that point it is the device I am trying to connect to?
0
 
LVL 35

Accepted Solution

by: Ernie Beek (earned 500 total points)
ID: 39627344
Just to make sure:
your pool is:
172.26.13.18-172.26.13.22

The statics use:
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255

That's not going to work.
0
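Both problems raised in this thread are visible in the config text alone: the statics pointing at 172.23.13.x while the inside interface is 172.26.13.16/28 (Ernie Beek's catch), and the `permit ip any any` applied inbound on the outside (mcsween's point, together with the rule that the outside ACL must permit traffic to the mapped/public address that the static then translates). The script below is an added example for this thread, not code from the original post or from Cisco. It parses the pre-8.3 `interface`, `static`, `access-list` and `access-group` lines, assumes interface addresses are literal (sanitised placeholders such as EXTERNALIP are skipped), and runs against two constructed sample configs that mirror the thread's broken and fixed states, with public addresses taken from the RFC 5737 documentation range.

```python
"""Audit an ASA 7.x/8.2-style config for the mistakes raised in this thread:
1. each `static (real,mapped)` real address lies in the real interface's subnet;
2. the ACL applied inbound on a security-level 0 interface has no `permit ip any any`;
3. each static PAT has a permit in that ACL for its protocol, mapped address and port
   (inbound ACLs on these versions are evaluated against the mapped/public address).
Added example for this thread; not code from the original post or from Cisco."""
import ipaddress
import re
from collections import namedtuple

# mapped_ip is a literal address or the keyword "interface"
Static = namedtuple("Static", "real_ifc mapped_ifc proto mapped_ip mapped_port real_ip")
# src/dst are "any", a host address, or "net/mask"; port is the value after "eq" or None
AclEntry = namedtuple("AclEntry", "name action proto src dst port")

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) \S+ netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def _addr(toks, i):
    """Consume one ACL address spec (any | host X | net mask); return (spec, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return f"{toks[i]}/{toks[i + 1]}", i + 2


def parse(config):
    ifaces, levels, statics, acls, groups = {}, {}, [], {}, {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif line.startswith(" ip address ") and nameif:
            ip, mask = line.split()[2:4]
            try:
                ifaces[nameif] = ipaddress.ip_interface(f"{ip}/{mask}")
            except ValueError:
                pass                                  # sanitised placeholder, e.g. EXTERNALIP
        elif m := STATIC_RE.match(line):
            statics.append(Static(*m.groups()))
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            toks = rest.split()
            src, i = _addr(toks, 0)
            dst, i = _addr(toks, i)
            port = toks[i + 1] if i + 1 < len(toks) and toks[i] == "eq" else None
            acls.setdefault(name, []).append(AclEntry(name, action, proto, src, dst, port))
        elif m := AG_RE.match(line):
            groups[m.group(2)] = m.group(1)           # interface -> inbound ACL name
    return ifaces, levels, statics, acls, groups


def audit(config):
    """Return human-readable findings; an empty list means every check passed."""
    ifaces, levels, statics, acls, groups = parse(config)
    findings = []
    for s in statics:                                     # check 1: real address vs subnet
        net = ifaces.get(s.real_ifc)
        if net and ipaddress.ip_address(s.real_ip) not in net.network:
            findings.append(f"static real address {s.real_ip} is outside {s.real_ifc} subnet {net.network}")
    for ifc, level in levels.items():                     # check 2: wide-open inbound ACL
        for e in acls.get(groups.get(ifc, ""), []):
            if level == 0 and e.action == "permit" and (e.proto, e.src, e.dst) == ("ip", "any", "any"):
                findings.append(f"ACL {e.name} on {ifc} permits ip any any inbound")
    for s in statics:                                     # check 3: ACL permits the mapped socket
        mapped = s.mapped_ip
        if mapped == "interface" and s.mapped_ifc in ifaces:
            mapped = str(ifaces[s.mapped_ifc].ip)
        if not any(e.action == "permit" and e.proto in ("ip", s.proto) and e.dst in ("any", mapped)
                   and e.port in (None, s.mapped_port)
                   for e in acls.get(groups.get(s.mapped_ifc, ""), [])):
            findings.append(f"no permit for {s.proto}/{s.mapped_port} to {mapped} in ACL on {s.mapped_ifc}")
    return findings


# Constructed samples mirroring the thread; public addresses are from the RFC 5737 documentation range.
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.26.13.17 255.255.255.240
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.255
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 www 172.23.13.19 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("172.23.13.", "172.26.13.").replace(
    "access-list outside_access_in extended permit ip any any\n",
    "access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www\n"
    "access-list outside_access_in extended permit udp any host 203.0.113.10 eq 48808\n"
    "access-list outside_access_in extended permit tcp any host 203.0.113.11 eq www\n")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Run it and the broken sample reports three statics whose real address is outside 172.26.13.16/28 plus the wide-open ACL, while the fixed sample reports nothing. Check 3 is the one mcsween was describing: it resolves the `interface` keyword to the outside address and requires a permit for that address and port, so deleting one of the per-port ACL lines from the fixed config produces a finding again. Object-groups and the post-8.3 `nat` syntax are not handled; this is only the 7.x/8.2 form used in the thread.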
 

Author Comment

by:j_crow1
ID: 39627611
DOH!

Alright I fixed the statics, and it's still not working. I am stumped.

static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.26.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.26.13.18 48806 netmask 255.255.255.255
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39627673
Could you post a new sanitized config to see how it looks now?
0
 

Author Comment

by:j_crow1
ID: 39627707
ASA Version 7.2(4)
!
hostname HOSTNAME
domain-name DOMAINNAME
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.26.13.17 255.255.255.240
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address EXTERNALIIP 255.255.255.255 pppoe
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAIN.COM
access-list inside_nat0_outbound extended permit ip 172.26.13.16 255.255.255.240 192.168.47.0 255.255.255.0
access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host INTERFACEIP eq www
access-list outside_access_in extended permit udp any host INTERFACEIP eq 48808
access-list outside_access_in extended permit udp any host INTERFACEIP eq 48806
access-list outside_access_in extended permit tcp any host SECONDPUBLICIP eq www
access-list outside_access_in extended permit udp any host SECONDPUBLICIP eq 48808
access-list outside_access_in extended permit udp any host SECONDPUBLICIP eq 48806
access-list 147 extended permit ip 172.26.13.16 255.255.255.240 192.168.47.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.26.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.26.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp OUTSIDEIP2 www 172.26.13.19 www netmask 255.255.255.255
static (inside,outside) udp OUTSIDEIP2 48808 172.26.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp OUTSIDEIP2 48806 172.26.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 172.26.13.16 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL_MAP 47 match address 147
crypto map TUNNEL_MAP 47 set peer TUNNEL1IP
crypto map TUNNEL_MAP 47 set transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname EMAIL
vpdn group ATT ppp authentication pap
vpdn username EMAIL password PASSWORD
dhcpd dns INTERNALDNSIP 8.8.8.8
dhcpd domain DOMAIN.COM
!
dhcpd address 172.26.13.19-172.26.13.22 inside
dhcpd enable inside
!

username BLAHBLAH
tunnel-group TUNNELIP type ipsec-l2l
tunnel-group TUNNELIP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a3586de2007a3fdc1c1338c5f2ed1b9a
: end
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39628055
Mmm, weird indeed.

After a quick look (from my phone, that is ;) I can't find it.
Did you have a look at the (ASDM) logs when trying to connect to see if anything shows up there?
Sometimes that helps a lot.
0
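Looking at the syslog output is the quickest way to settle the question this thread ends on, because the ASA logs a different message at each stage an inbound connection can fail. The script below is an added example, not code from the thread or from Cisco: it sorts each line by message ID into the stage reached (ACL deny, no translation found, connection built, built but the inside host never answered) and picks the furthest stage as the verdict. The four sample lines are constructed with RFC 5737 addresses, not a capture from the poster's firewall; the message IDs and field layouts are the standard ASA ones.

```python
"""Triage ASA syslog lines for an inbound static-PAT connection attempt.
Added example for this thread, not code from the original post or from Cisco.
Message IDs used: 106023 (ACL deny), 305005/305006 (no translation),
302013 (connection built), 302014 (teardown with byte count and reason)."""
import re

MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)")
TEARDOWN_RE = re.compile(r"duration (\S+) bytes (\d+)(?: (.+))?$")

# Ordered from "stopped earliest" to "got furthest"; used to pick the overall verdict.
STAGES = ["acl-deny", "no-xlate", "built", "no-answer", "exchanged-data"]


def classify(line):
    """Return (stage, explanation) for one syslog line, or None if it is not an ASA message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_id, body = m.groups()
    if msg_id == "106023":
        return "acl-deny", "dropped by the inbound ACL; check the access-group on the outside interface"
    if msg_id in ("305005", "305006"):
        return "no-xlate", "no static/nat matched; check the static's mapped address and port"
    if msg_id == "302013":
        return "built", "ACL and translation both passed; the firewall forwarded the SYN"
    if msg_id == "302014":
        t = TEARDOWN_RE.search(body)
        # zero bytes and a SYN timeout means the inside host never completed the handshake
        if t and t.group(2) == "0" and (t.group(3) or "").startswith("SYN"):
            return "no-answer", "built but the inside host never answered; look past the firewall"
        return "exchanged-data", f"normal teardown after {t.group(2) if t else '?'} bytes"
    return "other", body


def verdict(lines):
    """Return the furthest stage reached across all lines (None if nothing matched)."""
    results = [classify(line) for line in lines]
    stages = [r[0] for r in results if r and r[0] in STAGES]
    return max(stages, key=STAGES.index, default=None)


# Constructed sample lines (RFC 5737 addresses); not a capture from the thread's firewall.
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:203.0.113.10/80 '
    'by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-3-305005: No translation group found for tcp src outside:198.51.100.7/51235 '
    'dst inside:172.26.13.18/80',
    '%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51236 '
    '(198.51.100.7/51236) to inside:172.26.13.18/80 (203.0.113.10/80)',
    '%ASA-6-302014: Teardown TCP connection 1234 for outside:198.51.100.7/51236 '
    'to inside:172.26.13.18/80 duration 0:00:30 bytes 0 SYN Timeout',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("verdict:", verdict(SAMPLE_LOG))
```

On the sample the verdict is `no-answer`: a 302013 followed by a 302014 with `bytes 0 SYN Timeout` means the ASA accepted, translated and forwarded the SYN and the inside host simply never replied, which is the same conclusion the thread reached (the problem is the device, not the NAT). A 106023 or 305005 instead would point back at the ACL or the static.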
 

Author Comment

by:j_crow1
ID: 39634542
I can ping it, so I am closing this. I think it is an issue with the actual device.
0
