  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 758

Problem with NAT When Adding New Network to Firewall

I just set up a new interface on our ASA 5505 firewall (with security plus) to join another new network.  I gave the firewall interface an IP address on the new network and am using a NAT to translate a workstation from the existing network to the new network.

I have set up the NAT, routing, etc. and I can ping devices on the new network fine.  On the new network, I can ping up to the firewall interface.  However, I cannot ping the workstation.

10.45.0.248 = Workstation (existing network)
10.8.47.20 = Firewall Interface (new network)
10.8.47.21 = Workstation NAT (new network), i.e. 10.8.47.21 -> 10.45.0.248


If I run a traceroute to 10.8.47.20, I can follow all the routers up to the firewall interface.  When I traceroute 10.8.47.21, the route stops at the router (new network) just prior to the firewall interface.


From my inside server (on existing network), I can ping the new workstation (on new network) fine.  

From the workstation, I cannot ping the inside server.  I can ping up to the firewall interface. When I try to ping the workstation's outside NAT address, I don't see any traffic hitting the firewall at all.  I see it right away when I ping the firewall interface.

Is it possible that somehow the new network cannot find the NAT address 10.8.47.21?
Asked by: AllDaySentry

1 Solution
Rafael commented:
Yes, it is possible. Are you using the CLI or ASDM? Have you used the Packet Tracer from within ASDM or debug from the CLI?

Turn up logging and then try to telnet from one device to the other and look for the port in the logs. This will help isolate where the issue is and you may find that you might have to add a policy for the NAT or add in routes.
AllDaySentry (Author) commented:
I use ASDM.  

From the existing network, I can ping the workstation fine.

If I'm at the workstation on the new network, I can ping up to the firewall and see the traffic in the log.  If I try to ping the NAT address, I don't see anything in the firewall.

I ran the packet tracer from the ASDM and it does come back with an error on the NAT when I try icmp from the workstation on the new network to the workstation on the existing network.

I wasn't sure what interface to use for the packet tracer, so I tried the inside interface and the new interface.

Source: 10.14.251.220 (IP of new workstation)
Destination: 10.45.0.248 (IP of existing workstation after NAT)

New Interface:

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config
nat (inside) 2 access-list inside_nat_outbound match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.8 255.255.255.192 dynamic translation to pool 2 (10.6.47.66 [Interface PAT]) translate_hits = 72495, untranslate_hits = 25


Inside Interface:

Type - NAT
Action - DROP
Show rule in NAT Rules table.
Config
nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any newnetwork any dynamic translation to pool 1 (No matching global) translate_hits = 43209, untranslate_hits = 0



When I do a show nat, this is what I get:

Result of the command: "sh nat"

NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 inside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 47, untranslate_hits = 17
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (65.200.50.230 [Interface PAT])
    translate_hits = 54521, untranslate_hits = 826
  match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Redundant any
    dynamic translation to pool 1 (192.168.1.18 [Interface PAT])
    translate_hits = 1470, untranslate_hits = 19
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314


I also attached what it looks like on the CLI
NAT.png
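A way to read a "sh nat" listing like the one above systematically, as an added example that is not part of this thread (Python, assuming the ASA 8.2-style output layout shown in the post). It parses each policy and pulls out the two things worth checking when Packet Tracer reports a NAT rpf-check drop, which means the reverse-direction NAT lookup for the flow does not line up with the forward one: dynamic rules that matched traffic but have no global on the exit interface, and which interface each static's real (untranslated) side is listed under. The function names and the excerpt embedded below are this example's own.

```python
import re
# Constructed excerpt in the layout of the "sh nat" output quoted above (ASA 8.2-style);
# the three policies and their hit counters are copied from the post, not a full listing.
SHOW_NAT = """\
NAT policies on Interface inside:
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314
"""

def _addr_spec(tokens, i):
    """Consume one ASA address spec ('any', 'host X' or 'addr mask'); return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2

def parse_show_nat(text):
    """One dict per 'match ip' policy: interfaces, address specs, translation line, hit counters."""
    policies, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("match ip "):
            t = s.split()[2:]                  # tokens after "match ip"
            src, i = _addr_spec(t, 1)          # t[0] is the real-side interface
            dst, _ = _addr_spec(t, i + 1)      # t[i] is the mapped-side interface
            cur = {"src_if": t[0], "src": src, "dst_if": t[i], "dst": dst, "translation": ""}
            policies.append(cur)
        elif cur is not None and "translation" in s:
            cur["translation"] = s
        elif cur is not None and s.startswith("translate_hits"):
            cur["translate_hits"], cur["untranslate_hits"] = map(int, re.findall(r"\d+", s))
    return policies

def dead_dynamic_rules(policies):
    """Dynamic rules that matched packets but have no global on the exit interface; with nat-control on, the ASA drops those packets (no translation group) instead of forwarding them."""
    return [p for p in policies if "No matching global" in p["translation"] and p.get("translate_hits", 0) > 0]

def statics_with_real_side(policies, real_if):
    """Statics listed under real_if, i.e. whose untranslated host lives there; a static meant to expose an inside host on newnetwork must show up under inside."""
    return [p for p in policies if p["src_if"] == real_if and p["translation"].startswith("static")]
```

Run against the full listing from the post, the first check flags the "inside any newnetwork any" rule (43212 hits, no global) and the second shows the only static is listed under newnetwork rather than inside, which is the asymmetry Packet Tracer's rpf-check is complaining about.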
