Solved

Problem with NAT When Adding New Network to Firewall

Posted on 2014-04-15
Last Modified: 2014-11-17
I just set up a new interface on our ASA 5505 firewall (with Security Plus) to join another new network. I gave the firewall interface an IP address on the new network and am using a NAT to translate a workstation from the existing network to the new network.

I have set up the NAT, routing, etc. and I can ping devices on the new network fine. On the new network, I can ping up to the firewall interface. However, I cannot ping the workstation.

10.45.0.248 = Workstation (existing network)
10.8.47.20 = Firewall interface (new network)
10.8.47.21 = Workstation NAT (new network), i.e. 10.8.47.21 -> 10.45.0.248

If I run a traceroute to 10.8.47.20, I can follow all the routers up to the firewall interface. When I traceroute 10.8.47.21, the route stops at the router (new network) just prior to the firewall interface.

From my inside server (on the existing network), I can ping the new workstation (on the new network) fine.

From the workstation, I cannot ping the inside server. I can ping up to the firewall interface. When I try to ping the outside NAT address of the workstation, I don't see any traffic hitting the firewall at all. I see it right away when I ping the firewall interface.

Is it possible that somehow the new network cannot find the NAT address 10.8.47.21?
Question by: AllDaySentry
Accepted Solution by: Rafael (earned 250 total points)
ID: 40003057
Yes, it is possible. Are you using the CLI or the ASDM? Have you used Packet Tracer from within ASDM or debug from the CLI?

Turn up logging and then try to telnet from one device to the other and look for the port in the logs. This will help isolate where the issue is, and you may find that you might have to add a policy for the NAT or add in routes.
Author Comment by: AllDaySentry
ID: 40003171
I use ASDM.

From the existing network, I can ping the workstation fine.

If I'm at the workstation on the new network, I can ping up to the firewall and see the traffic in the log. If I try to ping the NAT address, I don't see anything in the firewall.

I ran Packet Tracer from the ASDM and it does come back with an error on the NAT when I try ICMP from the workstation on the new network to the workstation on the existing network.

I wasn't sure which interface to use for Packet Tracer, so I tried the inside interface and the new interface.

Source: 10.14.251.220 (IP of new workstation)
Destination: 10.45.0.248 (IP of existing workstation after NAT)

New interface:

Type - NAT
Subtype - rpf-check
Action - DROP
Config:
nat (inside) 2 access-list inside_nat_outbound match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.8 255.255.255.192 dynamic translation to pool 2 (10.6.47.66 [Interface PAT]) translate_hits = 72495, untranslate_hits = 25

Inside interface:

Type - NAT
Action - DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any newnetwork any dynamic translation to pool 1 (No matching global) translate_hits = 43209, untranslate_hits = 0

When I do a show nat, this is what I get:

Result of the command: "sh nat"

NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 inside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 47, untranslate_hits = 17
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (65.200.50.230 [Interface PAT])
    translate_hits = 54521, untranslate_hits = 826
  match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Redundant any
    dynamic translation to pool 1 (192.168.1.18 [Interface PAT])
    translate_hits = 1470, untranslate_hits = 19
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314


I also attached what it looks like on the CLI (NAT.png).
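As an added example (not from the thread, and not Cisco's code), a small Python parser for the "show nat" output quoted above, run here on a constructed, abridged copy of that output. It flags policies that are matching traffic but report "No matching global" on the egress interface; on this firewall that is the "nat (inside) 1 ... newnetwork" entry, the same rule Packet Tracer reported as DROP from the inside interface.

```python
import re

# Constructed, abridged copy of the "show nat" output posted in the thread above.
SHOW_NAT = """\
NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0

NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314
"""

def _take_addr(toks):
    """Consume one address spec: 'any', 'host NAME', or 'ADDR MASK'."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return "host " + toks[1], toks[2:]
    return toks[0] + " " + toks[1], toks[2:]

def parse_show_nat(text):
    """Return one dict per 'match ip' policy: interfaces, addresses, action, counters."""
    policies, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("match ip "):
            toks = s.split()[2:]             # src_if src[ mask] dst_if dst[ mask]
            src, rest = _take_addr(toks[1:])
            dst, _ = _take_addr(rest[1:])
            cur = {"src_if": toks[0], "src": src, "dst_if": rest[0], "dst": dst,
                   "action": "", "translate_hits": 0, "untranslate_hits": 0}
            policies.append(cur)
        elif cur and s.startswith("translate_hits"):
            cur["translate_hits"], cur["untranslate_hits"] = map(int, re.findall(r"\d+", s))
        elif cur and s and not s.startswith("NAT policies"):
            cur["action"] = s                # e.g. 'dynamic translation to pool 1 (...)'
    return policies

def find_blackholes(policies):
    """Policies that matched traffic but have no global/PAT on the egress interface,
    so the ASA drops the matched flows instead of translating them."""
    return [p for p in policies
            if "No matching global" in p["action"] and p["translate_hits"] > 0]
```

A static entry whose untranslate_hits climb while translate_hits stay at zero is worth reading next to an rpf-check drop, since that subtype means the reverse-direction NAT lookup for a flow did not match the rule the forward packet used.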
