AllDaySentry
Problem with NAT When Adding New Network to Firewall

I just set up a new interface on our ASA 5505 firewall (with security plus) to join another new network.  I gave the firewall interface an IP address on the new network and am using a NAT to translate a workstation from the existing network to the new network.

I have set up the NAT, routing, etc. and I can ping devices on the new network fine.  On the new network, I can ping up to the firewall interface.  However, I cannot ping the workstation.

10.45.0.248 = Workstation (existing network)
10.8.47.20 = Firewall Interface (new network)
10.8.47.21 = Workstation NAT (new network)    10.8.47.21 -> 10.45.0.248


If I run a traceroute to 10.8.47.20, I can follow all the routers up to the firewall interface.  When I traceroute 10.8.47.21, the route stops at the router (new network) just prior to the firewall interface.


From my inside server (on existing network), I can ping the new workstation (on new network) fine.  

From the workstation, I cannot ping the inside server.  I can ping up to the firewall interface. When I try to ping the outside NAT address of the workstation, I don't see any traffic hitting the firewall at all.  I see it right away when I ping the firewall interface.

Is it possible that somehow the new network cannot find the NAT address 10.8.47.21?
ASKER CERTIFIED SOLUTION
Rafael
AllDaySentry

ASKER

I use ASDM.  

From the existing network, I can ping the workstation fine.

If I'm at the workstation on the new network, I can ping up to the firewall and see the traffic in the log.  If I try to ping the NAT address, I don't see anything in the firewall.

I ran the packet tracer from the ASDM and it does come back with an error on the NAT when I try icmp from the workstation on the new network to the workstation on the existing network.

I wasn't sure what interface to use for the packet tracer, so I tried the inside interface and the new interface.

Source: 10.14.251.220 (IP of new workstation)
Destination: 10.45.0.248 (IP of existing workstation after NAT)

New Interface:

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config
nat (inside) 2 access-list inside_nat_outbound match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.8 255.255.255.192 dynamic translation to pool 2 (10.6.47.66 [Interface PAT]) translate_hits = 72495, untranslate_hits = 25


Inside Interface:

Type - NAT
Action - DROP
Show rule in NAT Rules table.
Config
nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any newnetwork any dynamic translation to pool 1 (No matching global) translate_hits = 43209, untranslate_hits = 0
When I do a show nat, this is what I get:

Result of the command: "sh nat"

NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 inside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 47, untranslate_hits = 17
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (65.200.50.230 [Interface PAT])
    translate_hits = 54521, untranslate_hits = 826
  match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Redundant any
    dynamic translation to pool 1 (192.168.1.18 [Interface PAT])
    translate_hits = 1470, untranslate_hits = 19
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314
I also attached what it looks like on the CLI (NAT.png).
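A small parser for the `show nat` output format quoted in the post above, added here as an example and not part of the thread: it reads each NAT policy with its hit counters and flags the ones that matched traffic yet resolve to "No matching global", which is the condition packet tracer reported as a NAT DROP on the inside interface. The sample input is an excerpt of the output posted above.

```python
import re

# Excerpt of the `show nat` output posted in the thread (sample input).
SHOW_NAT = """\
NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0
NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314
"""

def _operand(tokens, i):
    """Consume one address operand at tokens[i]: 'any', 'host X' or 'addr mask'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2

def parse_show_nat(text):
    """Return one dict per 'match ip' policy, in the order the ASA lists them."""
    policies, iface, cur = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("NAT policies on Interface"):
            iface = s.split()[-1].rstrip(":")
        elif s.startswith("match ip "):
            t = s.split()
            src, i = _operand(t, 3)      # t[2] is the ingress interface name
            dst, _ = _operand(t, i + 1)  # t[i] is the egress interface name
            cur = {"interface": iface, "src_if": t[2], "src": src, "dst_if": t[i],
                   "dst": dst, "action": "", "translate_hits": 0, "untranslate_hits": 0}
            policies.append(cur)
        elif s.startswith("translate_hits") and cur is not None:
            cur["translate_hits"], cur["untranslate_hits"] = map(int, re.findall(r"\d+", s))
        elif s and cur is not None:      # 'NAT exempt' / 'dynamic ...' / 'static ...'
            cur["action"] = s
    return policies

def policies_without_global(policies):
    """Policies that matched traffic but have no global on the egress interface,
    so the ASA has nothing to translate into (packet tracer reports NAT DROP)."""
    return [p for p in policies
            if "No matching global" in p["action"] and p["translate_hits"] > 0]
```

Running `policies_without_global(parse_show_nat(SHOW_NAT))` on the full output posted above singles out the `inside any -> newnetwork any` pool 1 policy, the same rule packet tracer showed in its DROP result.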