ndalmolin_13
Help with NATing issue on a Cisco ASA

Hello Experts,

I have inherited administration duties of our Cisco ASAs (we have two of them).  The ASAs are both running version 8.2.1.  Just a heads up, I’m not much of a firewall guy.  I’m terribly bad at the ASA command line and do everything through the Cisco ASDM.

The ASAs are configured as follows:

ASA1
interface GigabitEthernet0/0.2
nameif MyCompanyLAN
security-level 100
ip address 10.1.4.1 255.255.255.248
!
interface GigabitEthernet0/0.4
nameif MyCompanyDMZ
security-level 1
ip address 10.1.4.30 255.255.255.248
!
interface GigabitEthernet0/1
nameif MyCompanyQMOE
security-level 0
ip address 169.32.134.1 255.255.255.0

ASA2
interface GigabitEthernet0/0.3
nameif ISPLAN
security-level 100
ip address 10.1.4.9 255.255.255.248
!
interface GigabitEthernet0/2.1
nameif ISPT1
security-level 0
ip address 109.233.190.196 255.255.255.248
!
interface GigabitEthernet0/2.2
nameif ISPDMZ
security-level 90
ip address 10.1.6.254 255.255.255.0


I’m trying to get traffic that hits ASA1 coming in from MyCompanyQMOE to a server in the ISPDMZ.  The server’s name is DMZ-Mail and its IP address is 10.1.6.2.

I was told you need three things to get traffic to pass through an ASA:
1. A route
2. A NAT
3. An access rule allowing the traffic to pass

Based on these three things, here is what I have configured on ASA1:
The route (this is the route I think traffic will use):
route MyCompanyLAN 10.0.0.0 255.0.0.0 10.1.4.6 1

Note:  In the route statement above, 10.1.6.1 is an address on our core switch

The NAT
static (MyCompanyLAN,MyCompanyQMOE) 169.32.134.120 DMZ-MAIL netmask 255.255.255.255

The access rule
access-list from-out extended permit tcp host MAIL-SOURCE host DMZ-MAIL object-group DM_INLINE_TCP_13

I have this setup and when I run Packet Tracer to test everything, the packet is dropped.  The info from Packet Tracer is as follows:

Type - NAT     Subtype – rpf-check     Action – Drop

Config
Static(MyCompanyLAN,MyCompanyQMOE) 169.325.134.120 DMZ-MAIL netmask 255.255.255.255
Match ip MyCompanyLAN host DMZ-MAIL MyCompanyQMOE any
Static translation to 169.32.134.120
Translate_hits = 0, untranslated_hits = 181

Some of the names and IPs in the configurations above have been modified so that our security guys would let me post this question.  

My questions are these:
1. What am I missing with regards to the NAT?
2. Can I create a NAT to the 10.1.6.2 address in ASA1 even though that device is in the DMZ of ASA2?
3. If the answer to question 2 is yes, will the summary route I posted above on ASA 1 route traffic to the internal switch?  I believe it will.

Thanks in advance for all of your help.  I’m sorry I’m not more knowledgeable with regards to the ASA stuff.

Nick
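An added consistency check (example code, not from the question or the accepted answer): it parses 8.2-style name, interface, route and static lines like the ones quoted above, resolves each static's real host by longest-prefix match over the routing table, and reports whether that egress interface is the static's real-side interface; a mismatch there is one of the conditions that produces the NAT rpf-check drop shown in the packet-tracer output. The `name` line and the second `static` (a mapped address on MyCompanyDMZ) are constructed to show the check catching a mismatch.

```python
import ipaddress

# Constructed excerpt of ASA 8.2 configuration built from the statements in the
# question; the "name" line and the second "static" are added to show a mismatch.
ASA1_CONFIG = """
name 10.1.6.2 DMZ-MAIL
nameif MyCompanyLAN
ip address 10.1.4.1 255.255.255.248
nameif MyCompanyDMZ
ip address 10.1.4.30 255.255.255.248
nameif MyCompanyQMOE
ip address 169.32.134.1 255.255.255.0
route MyCompanyLAN 10.0.0.0 255.0.0.0 10.1.4.6 1
static (MyCompanyLAN,MyCompanyQMOE) 169.32.134.120 DMZ-MAIL netmask 255.255.255.255
static (MyCompanyDMZ,MyCompanyQMOE) 169.32.134.121 DMZ-MAIL netmask 255.255.255.255
"""

def parse(config):
    """Return (routes, statics). routes are (network, ifname) pairs and include
    the connected subnet of every interface; statics resolve 'name' labels."""
    names, routes, statics, ifname = {}, [], [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                          # name <ip> <label>
            names[tok[2]] = tok[1]
        elif tok[0] == "nameif":
            ifname = tok[1]
        elif tok[:2] == ["ip", "address"] and ifname:  # connected route
            routes.append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), ifname))
        elif tok[0] == "route":                       # route <if> <net> <mask> <gw> [metric]
            routes.append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[1]))
        elif tok[0] == "static":                      # static (real,mapped) <mapped> <real>
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append((real_if, mapped_if, tok[2], names.get(tok[3], tok[3])))
    return routes, statics

def egress_interface(routes, host):
    """Longest-prefix match, the same rule the ASA route lookup applies."""
    addr = ipaddress.ip_address(host)
    matches = [(net.prefixlen, ifn) for net, ifn in routes if addr in net]
    return max(matches)[1] if matches else None

def check_statics(config):
    """Map each mapped address to (static real-side interface, routed egress
    interface of the real host); the two should be equal."""
    routes, statics = parse(config)
    return {mapped: (real_if, egress_interface(routes, real))
            for real_if, _, mapped, real in statics}
```

On the firewall itself, `show route` gives the live egress interface to compare against the interfaces named in `show running-config static`.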
ASKER CERTIFIED SOLUTION
Michael Ortega