Cisco ASA NAT Issue

Posted on 2015-02-02
Last Modified: 2015-03-17
I am having a NAT issue with a Cisco ASA on 8.0(4).

I have a server that already has a static NAT as follows.

static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000

I now need to allow access to this server over an IPSec VPN but the remote peer requires me to source NAT to a specific private IP address (172.28.0.201). My configuration now looks like this.

static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit icmp host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit icmp host 192.168.31.40 10.178.32.144 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip 10.178.16.224 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit ip 10.178.32.144 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit icmp 10.178.16.224 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit icmp 10.178.32.144 255.255.255.240 host 192.168.31.40
global (outside) 1 interface
global (outside) 12 172.28.0.201
nat (dev-dmz) 0 access-list no-nat-dev-dmz
nat (dev-dmz) 12 access-list NAT-DEV-IIS-01
nat (dev-dmz) 1 0.0.0.0 0.0.0.0


I would expect from this the following.

1. Any traffic between 192.168.31.40 and 10.178.16.224 255.255.255.240 or 10.178.32.144 255.255.255.240 will go out with a source IP of 172.28.0.201.
2. All other traffic from 192.168.31.40 out to the internet will out go out with a source IP of 99.99.99.99.

This isn't happening. When I try to ping a host on the remote side from 192.168.31.40 the NAT to 172.28.0.201 is not happening. My xlates relevant to this are as follows.

# show xlate | inc 172.28
Global 172.28.0.202 Local 192.168.31.41
Global 172.28.0.202 Local 192.168.31.41
PAT Global 172.28.0.202(0) Local 192.168.31.41 ICMP id 0
PAT Global 172.28.0.202(0) Local 192.168.31.41 ICMP id 0
Global 172.28.0.203 Local 192.168.30.5
Global 172.28.0.203 Local 192.168.30.5
PAT Global 172.28.0.203(0) Local 192.168.30.5 ICMP id 0
PAT Global 172.28.0.203(0) Local 192.168.30.5 ICMP id 0


The xlate from 192.168.31.40 to 172.28.0.201 is not listed.

Can anyone tell me what I'm doing wrong?

TIA
Question by:ccfcfc
Accepted Solution

by:
Fidelius earned 500 total points
ID: 40585742
Hello,
Try to switch NAT IDs:
global (outside) 1 172.28.0.201
global (outside) 12 interface
nat (dev-dmz) 1 access-list NAT-DEV-IIS-01
nat (dev-dmz) 12 0.0.0.0 0.0.0.0

Regards!

Author Comment

by:ccfcfc
ID: 40586242
Does it process those global statements in order then?
Expert Comment

by:max_the_king
ID: 40586333
Hi,
chances are that you forgot to configure the internal access-list, e.g. the one applied to the dev-dmz interface.

For example, if you want to do policy nat for the following:
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240

you need to allow that rule on the very same interface:
access-list <the one applied on dev-dmz interface> extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240

otherwise packets are dropped BEFORE natting them.

hope this helps
max

Author Comment

by:ccfcfc
ID: 40616611
I can't get this working however I try it.

This is my current setup - I will focus on just one of the hosts on my side of the tunnel.

Host address : 192.168.31.40
SNAT host address : 172.28.0.201
Destination host address : 10.178.32.150

- Interface ACL entries relevant to this traffic

access-list dev-dmz-src-acl extended permit icmp host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.41
access-list dev-dmz-src-acl extended permit ip host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.41

- Crypto ACL

Author Comment

by:ccfcfc
ID: 40616647
Sorry - that last comment was posted prematurely. I will repost it in the complete form in this comment.

I can't get this working however I try it.

This is my current setup - I will focus on just one of the hosts on my side of the tunnel.

Host address : 192.168.31.40
SNAT host address : 172.28.0.201
Destination host address : 10.178.32.150

- Interface ACL entries relevant to this traffic

access-list dev-dmz-src-acl extended permit icmp host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.41
access-list dev-dmz-src-acl extended permit ip host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.41

- Crypto ACL

access-list 136 extended permit ip host 172.28.0.201 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.201 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.202 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.202 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.203 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.203 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.204 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.204 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.205 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.205 10.178.32.144 255.255.255.240

- SNAT ACL

access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240

- SNAT Static

static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01

With these settings the following is the relevant output from show xlate.

Global 172.28.0.201 Local 192.168.31.40
Global 172.28.0.201 Local 192.168.31.40

This would appear to show that the SNAT is working, but if I try to ping 10.178.32.150 from 192.168.31.40 I get no response.

Phase 1 seems to be up and running - this connection shows as MM_ACTIVE if I look at my isakmp SAs - but I have no IPSec SA for this tunnel.

If I use the packet trace tool on ASDM it passes everything up to the VPN. The last entries are as follows.

Type - NAT Action - ALLOW
Config
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01 nat-control match ip dev-dmz host 192.168.31.40 outside 10.178.32.144 255.255.255.240 static translation to 172.28.0.201 translate_hits = 1192, untranslate_hits = 0
Info
Static translate 192.168.31.40/0 to 172.28.0.201/0 using netmask 255.255.255.255

Type - NAT Subtype - host-limits Action - ALLOW
Config
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01 nat-control match ip dev-dmz host 192.168.31.40 outside 10.178.16.224 255.255.255.240 static translation to 172.28.0.201 translate_hits = 0, untranslate_hits = 0

Type - VPN Subtype - encrypt Action - DROP

Do I understand this correctly - does that VPN drop mean that the traffic is failing to pass the Crypto ACL?
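The NAT selection behind the symptoms in this thread, as an added example (not code from the thread or from Cisco): it models the pre-8.3 ASA order of operations as assumed here (NAT exemption, then static NAT including policy static, then policy dynamic NAT, then regular dynamic NAT) over the two configurations posted above, and then checks the post-NAT addresses against the crypto ACL 136 entries from the last post. The no-nat ACL is not shown in the thread and is assumed empty; addresses, ACLs and NAT lines are the thread's own.

```python
# Added example: minimal model of the pre-8.3 ASA NAT order of operations.
# Assumed phase order: exempt (nat 0 acl) -> static (regular or policy)
# -> policy dynamic (nat <id> acl) -> regular dynamic (nat <id> <net>).
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def acl_permits(acl, src, dst):
    """acl: list of (src_cidr, dst_cidr) permit entries; any hit permits."""
    return any(in_net(src, s) and in_net(dst, d) for s, d in acl)

def select_nat(rules, src, dst):
    """Return the config line of the first rule that claims src->dst, walking
    the phases in order. A rule with an 'acl' is policy NAT and matches on
    source and destination; otherwise it matches on the local network alone."""
    for phase in ("exempt", "static", "policy_dynamic", "dynamic"):
        for r in rules:
            if r["phase"] != phase:
                continue
            hit = (acl_permits(r["acl"], src, dst) if "acl" in r
                   else in_net(src, r["local"]))
            if hit:
                return r["line"]
    return None

HOST = "192.168.31.40"
POLICY_ACL = [(HOST, "10.178.16.224/28"), (HOST, "10.178.32.144/28")]

# First config from the question: regular static plus policy dynamic nat 12.
FIRST_CONFIG = [
    {"phase": "exempt", "acl": [], "line": "nat (dev-dmz) 0 access-list no-nat-dev-dmz"},  # no-nat ACL assumed empty
    {"phase": "static", "local": HOST + "/32", "line": "static (dev-dmz,outside) 99.99.99.99 192.168.31.40"},
    {"phase": "policy_dynamic", "acl": POLICY_ACL, "line": "nat (dev-dmz) 12 access-list NAT-DEV-IIS-01"},
    {"phase": "dynamic", "local": "0.0.0.0/0", "line": "nat (dev-dmz) 1 0.0.0.0 0.0.0.0"},
]
# Later config from the last post: a policy static that carries the ACL itself.
SECOND_CONFIG = [
    {"phase": "static", "acl": POLICY_ACL, "line": "static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01"},
]
# Crypto ACL 136 entries for 172.28.0.201; crypto ACLs see post-NAT addresses.
CRYPTO_ACL_136 = [("172.28.0.201/32", "10.178.16.224/28"), ("172.28.0.201/32", "10.178.32.144/28")]

if __name__ == "__main__":
    print(select_nat(FIRST_CONFIG, HOST, "10.178.32.150"))   # the 99.99.99.99 static is reached first
    print(select_nat(SECOND_CONFIG, HOST, "10.178.32.150"))  # the policy static
    print(acl_permits(CRYPTO_ACL_136, "172.28.0.201", "10.178.32.150"))  # True: crypto ACL matches post-NAT
```

Under the assumed order the regular static on 192.168.31.40 is consulted before any policy dynamic entry, which is consistent with the xlate to 172.28.0.201 not appearing in the first post, while the later policy static is itself in the static phase and does produce that xlate.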
Expert Comment

by:max_the_king
ID: 40627736
Hi,
since you have natted 192.168.31.40 to 172.28.0.201, you need to have an access-list on the way back for the packets: assuming you have an access-list on the outside interface named "acc_list_out", you need to add:

access-list acc_list_out permit ip host 10.178.32.150 host 192.168.31.40

the above will allow communication between 192.168.31.40 and 10.178.32.150.

Should you want to extend this to other IPs, you need to add to / modify the access-list.

hope this helps
max