Solved

Problem with NAT When Adding New Network to Firewall

Posted on 2014-04-15
579 Views
Last Modified: 2014-11-17
I just set up a new interface on our ASA 5505 firewall (with security plus) to join another new network.  I gave the firewall interface an IP address on the new network and am using a NAT to translate a workstation from the existing network to the new network.

I have set up the NAT, routing, etc. and I can ping devices on the new network fine.  On the new network, I can ping up to the firewall interface.  However, I cannot ping the workstation.

10.45.0.248 = Workstation (existing network)
10.8.47.20 = Firewall Interface (new network)
10.8.47.21 = Workstation NAT (new network)    10.8.47.21 -> 10.45.0.248


If I run a traceroute to 10.8.47.20, I can follow all the routers up to the firewall interface.  When I traceroute 10.8.47.21, the route stops at the router (new network) just prior to the firewall interface.


From my inside server (on existing network), I can ping the new workstation (on new network) fine.  

From the workstation, I cannot ping the inside server.  I can ping up to the firewall interface. When I try to ping the outside NAT address of the workstation, I don't see any traffic hitting the firewall at all.  I see it right away when I ping the firewall interface.

Is it possible that somehow the new network cannot find the NAT address 10.8.47.21?
Question by: AllDaySentry
2 Comments
Accepted Solution by: Rafael (LVL 10, earned 250 total points)
ID: 40003057
Yes, it is possible. Are you using the CLI or the ASDM? Have you used Packet Tracer from within ASDM or debug from the CLI?

Turn up logging and then try to telnet from one device to the other and look for the port in the logs. This will help isolate where the issue is and you may find that you might have to add a policy for the NAT or add in routes.

Author Comment by: AllDaySentry
ID: 40003171
I use ASDM.

From the existing network, I can ping the workstation fine.

If I'm at the workstation on the new network, I can ping up to the firewall and see the traffic in the log.  If I try to ping the NAT address, I don't see anything in the firewall.

I ran the Packet Tracer from the ASDM and it does come back with an error on the NAT when I try ICMP from the workstation on the new network to the workstation on the existing network.

I wasn't sure what interface to use for the Packet Tracer, so I tried the inside interface and the new interface.

Source: 10.14.251.220 (IP of new workstation)
Destination: 10.45.0.248 (IP of existing workstation after NAT)

New Interface:

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config
nat (inside) 2 access-list inside_nat_outbound match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.8 255.255.255.192 dynamic translation to pool 2 (10.6.47.66 [Interface PAT]) translate_hits = 72495, untranslate_hits = 25


Inside Interface:

Type - NAT
Action - DROP
Show rule in NAT Rules table.
Config
nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any newnetwork any dynamic translation to pool 1 (No matching global) translate_hits = 43209, untranslate_hits = 0



When I do a show nat, this is what I get:

Result of the command: "sh nat"

NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 inside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 47, untranslate_hits = 17
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (65.200.50.230 [Interface PAT])
    translate_hits = 54521, untranslate_hits = 826
  match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Redundant any
    dynamic translation to pool 1 (192.168.1.18 [Interface PAT])
    translate_hits = 1470, untranslate_hits = 19
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314




I also attached what it looks like on the CLI
NAT.png
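A small parser for the legacy (pre-8.3) `show nat` format pasted above, added here as an example and not part of the thread, that turns each policy into a record and flags two patterns worth a second look: a policy that is matched (translate_hits > 0) but has "No matching global" on its destination interface, and a policy that is only ever hit in the untranslate (reverse) direction. The sample input is an excerpt of the output posted above; `flag_policies` and its two heuristics are assumptions of this example, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List

# Excerpt of the "show nat" output posted in the thread (legacy ASA syntax).
SAMPLE = """\
NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0

NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314
"""

@dataclass
class NatPolicy:
    interface: str      # interface the policy is listed under
    src_if: str
    src: str            # "NET MASK", "host NAME" or "any"
    dst_if: str
    dst: str
    action: str = ""    # the translation line, e.g. "static translation to X"
    translate_hits: int = 0
    untranslate_hits: int = 0

HEADER = re.compile(r"^NAT policies on Interface (\S+):")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    return tokens[i] + " " + tokens[i + 1], i + 2   # "host NAME" or "NET MASK"

def parse_show_nat(text: str) -> List[NatPolicy]:
    policies, current_if, pol = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if (m := HEADER.match(s)):
            current_if = m.group(1)
        elif s.startswith("match ip "):
            t = s.split()[2:]
            src, i = _take_addr(t, 1)
            dst, _ = _take_addr(t, i + 1)
            pol = NatPolicy(current_if, t[0], src, t[i], dst)
            policies.append(pol)
        elif pol is not None and (m := HITS.search(s)):
            pol.translate_hits, pol.untranslate_hits = int(m.group(1)), int(m.group(2))
        elif pol is not None and s:
            pol.action = s          # the "dynamic/static translation ..." line
    return policies

def flag_policies(policies: List[NatPolicy]) -> List[str]:
    """Heuristic review (assumed here, not an ASA feature) of parsed policies."""
    findings = []
    for p in policies:
        pair = f"{p.src_if}->{p.dst_if} {p.src} => {p.dst}"
        if "No matching global" in p.action and p.translate_hits > 0:
            findings.append(f"{pair}: {p.translate_hits} hits but no global on {p.dst_if}")
        if p.untranslate_hits > 0 and p.translate_hits == 0:
            findings.append(f"{pair}: reverse-direction hits only; forward traffic never matches")
    return findings
```

Run against the full output from the thread, it lists every policy that is matched without a global on the destination interface, which is where the Packet Tracer NAT drop shown above tells you to look first.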
