Problem with NAT When Adding New Network to Firewall

Posted on 2014-04-15
Last Modified: 2014-11-17
I just set up a new interface on our ASA 5505 firewall (with security plus) to join another new network.  I gave the firewall interface an IP address on the new network and am using a NAT to translate a workstation from the existing network to the new network.

I have set up the NAT, routing, etc. and I can ping devices on the new network fine.  On the new network, I can ping up to the firewall interface.  However, I cannot ping the workstation.

10.45.0.248 = Workstation (existing network)
10.8.47.20 = Firewall Interface (new network)
10.8.47.21 = Workstation NAT (new network), 10.8.47.21 -> 10.45.0.248


If I run a traceroute to 10.8.47.20, I can follow all the routers up to the firewall interface.  When I traceroute 10.8.47.21, the route stops at the router (new network) just prior to the firewall interface.


From my inside server (on existing network), I can ping the new workstation (on new network) fine.  

From the workstation, I cannot ping the inside server.  I can ping up to the firewall interface. When I try to ping the outside NAT address of the workstation, I don't see any traffic hitting the firewall at all.  I see it right away when I ping the firewall interface.

Is it possible that somehow the new network cannot find the NAT address 10.8.47.21?
Question by: AllDaySentry
2 Comments
 
LVL 10

Accepted Solution

by: Rafael (earned 250 total points)
ID: 40003057
Yes, it is possible. Are you using the CLI or the ASDM? Have you used the Packet Tracer from within ASDM or debug from the CLI?

Turn up logging and then try to telnet from one device to the other and look for the port in the logs. This will help isolate where the issue is and you may find that you might have to add a policy for the NAT or add in routes.

Author Comment

by: AllDaySentry
ID: 40003171
I use ASDM.  

From the existing network, I can ping the workstation fine.

If I'm at the workstation on the new network, I can ping up to the firewall and see the traffic in the log.  If I try to ping the NAT address, I don't see anything in the firewall.

I ran the packet tracer from the ASDM and it does come back with an error on the NAT when I try icmp from the workstation on the new network to the workstation on the existing network.

I wasn't sure what interface to use for the packet tracer, so I tried the inside interface and the new interface.

Source: 10.14.251.220 (IP of new workstation)
Destination: 10.45.0.248 (IP of existing workstation after NAT)

New Interface:

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config
nat (inside) 2 access-list inside_nat_outbound match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.8 255.255.255.192 dynamic translation to pool 2 (10.6.47.66 [Interface PAT]) translate_hits = 72495, untranslate_hits = 25


Inside Interface:

Type - NAT
Action - DROP
Show rule in NAT Rules table.
Config
nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any newnetwork any dynamic translation to pool 1 (No matching global) translate_hits = 43209, untranslate_hits = 0



When I do a show nat, this is what I get:

Result of the command: "sh nat"

NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 inside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.45.5.0 255.255.255.192
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 inside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 outside 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 dmz 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 Redundant 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
  match ip inside 10.45.0.0 255.255.0.0 newnetwork 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 47, untranslate_hits = 17
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.45.0.0 255.255.0.0 _internal_loopback 10.8.47.61 255.255.255.248
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (65.200.50.230 [Interface PAT])
    translate_hits = 54521, untranslate_hits = 826
  match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Redundant any
    dynamic translation to pool 1 (192.168.1.18 [Interface PAT])
    translate_hits = 1470, untranslate_hits = 19
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314

I also attached what it looks like on the CLI (NAT.png).
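The `show nat` output above is what decides the rpf-check / "No matching global" drops the Packet Tracer reported. As an added example (not code from the thread), the script below parses `show nat` lines from this thread into policies, lists which ones cover a given flow, and flags any whose pool has no global on the egress interface; the addresses in OBJECTS for the named objects `newnetwork-10.14` and `newnetworkServerNet` are assumptions inferred from the thread, and the script reports covering policies in displayed order rather than modelling the ASA's full NAT precedence.

```python
import ipaddress

# Constructed sample: policies quoted from the thread's `show nat`, trimmed to the
# inside <-> newnetwork pair. OBJECTS resolves object names; its addresses are assumed.
SHOW_NAT = """\
NAT policies on Interface inside:
  match ip inside 10.45.0.0 255.255.0.0 newnetwork newnetwork-10.14 255.255.255.192
    dynamic translation to pool 2 (10.8.47.66 [Interface PAT])
    translate_hits = 72649, untranslate_hits = 25
  match ip inside any newnetwork any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 43212, untranslate_hits = 0
NAT policies on Interface newnetwork:
  match ip newnetwork host newnetworkServerNet inside any
    static translation to ExistingWorkstation
    translate_hits = 0, untranslate_hits = 20314
"""
OBJECTS = {"newnetwork-10.14": "10.14.251.192", "newnetworkServerNet": "10.8.47.21"}

def _spec(tokens):
    """Consume one address spec ('any', 'host X' or 'X MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(OBJECTS.get(tokens[1], tokens[1])), tokens[2:]
    addr = OBJECTS.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]

def parse_show_nat(text):
    """Turn `show nat` output into policy dicts, in displayed order."""
    policies, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("  match ip "):
            continue
        tokens = line.split()[2:]                 # drop the 'match ip' keywords
        src_if, (src, tokens) = tokens[0], _spec(tokens[1:])
        dst_if, (dst, _) = tokens[0], _spec(tokens[1:])
        policies.append({"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
                         "action": lines[i + 1].strip()})  # next line is the action
    return policies

def matching_policies(policies, src_if, src_ip, dst_if, dst_ip):
    """Policies whose interface pair and address ranges cover the flow (display order)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies if p["src_if"] == src_if and p["dst_if"] == dst_if
            and s in p["src"] and d in p["dst"]]

def usable(policy):
    """False when the selected pool has no global on the egress interface (traffic is dropped)."""
    return "No matching global" not in policy["action"]
```

Run it against your own `show nat` output by replacing SHOW_NAT and filling OBJECTS from `show running-config object-group` / `name` entries; a flow that only lands on a "No matching global" policy is the one to fix with a `global` for that interface or a NAT exemption.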
