Cisco ASA NAT not working???

huffmana used Ask the Experts™
I can't get my ASA NAT to work. I'm testing the firewall configuration for our shop by simulating it on our local network. The ISP router is at 192.168.168.1. The ASA can ping out to the internet but the PC can't.

The PC picks up DHCP OK and can ping 192.168.171.1 (ASA GigabitEthernet0/1), but it can't ping the default gateway ASA 192.168.168.233 (ASA GigabitEthernet0/0) or beyond.

<------------------ASA-------------->
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.168.233 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.171.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif mngt
 security-level 0
 ip address 10.10.10.13 255.255.255.224
!
 icmp permit any mngt
 icmp permit any inside
 icmp permit any outside
!
object network INSIDE-SUBNET
 subnet 192.168.171.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-SUBNET interface
route outside 0.0.0.0 0.0.0.0 192.168.168.1 5

  dhcpd address 192.168.171.3 - 192.167.171.63 inside
  dhcpd address 192.168.171.3-192.167.171.63 inside
  dhcpd address 192.168.171.3-192.168.171.63 inside
  dhcp dns 192.168.168.1
  dhcpd dns 192.168.168.1
  dhcpd lease 3000
  dhcpd domain cortana.com
  dhcpd ping_timeout 20
  dhcpd option 3 192.168.171.1
  dhcpd option 3 ip 192.168.171.1
  dhcpd enable inside
  dhcpd option 2 ascii dhcpd_option_2_ascii_examplestring_HERE

<-----------------SWITCH------------------>
---- ASA GigabitEthernet0/1 -> switch on inside of the ASA ----
!
interface FastEthernet0/1
des to_ASA_GigabitEthernet0/1_inside
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport trunk allowed vlan 1,200
 switchport mode trunk
!
----PC -> switch on inside of the ASA ----
interface FastEthernet0/2
 des PC_to_Switch_on_the_inside_of_ASA
 switchport access vlan 200
 switchport mode access
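A small sanity check, added here as an example and not part of the original post, that parses the handful of ASA config lines that matter for this setup with Python's ipaddress module and flags the kind of slip visible in the first dhcpd address line above (pool end 192.167.171.63, which is outside the inside subnet and below the pool start), an option-3 router that is not the interface address, and a NAT object whose subnet matches no interface network. SAMPLE_CONFIG is constructed from the posted snippet; the parser only understands the few line types it needs and is not a general ASA config parser.

```python
import ipaddress
import re

# Constructed sample, condensed from the ASA snippet in the question. The dhcpd
# pool keeps the 192.167.171.63 end address exactly as first posted, so the
# checks below have a real slip to catch.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.171.1 255.255.255.0
!
object network INSIDE-SUBNET
 subnet 192.168.171.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-SUBNET interface
dhcpd address 192.168.171.3-192.167.171.63 inside
dhcpd dns 192.168.168.1
dhcpd option 3 ip 192.168.171.1
dhcpd enable inside
"""

POOL_RE = re.compile(r"^dhcpd address (\S+)\s*-\s*(\S+) (\S+)$")
ROUTER_RE = re.compile(r"^dhcpd option 3 ip (\S+)$")


def parse_config(text):
    """Collect interface networks (keyed by nameif), NAT object subnets,
    DHCP pools (keyed by nameif) and the option-3 default router."""
    ifaces, objects, pools, router = {}, {}, {}, None
    cur_if = cur_obj = pending_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_if, cur_obj, pending_name = line.split()[1], None, None
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif cur_if and line.startswith("nameif "):
            pending_name = line.split()[1]
        elif cur_if and pending_name and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            ifaces[pending_name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif cur_obj and line.startswith("subnet "):
            _, net, mask = line.split()
            objects[cur_obj] = ipaddress.ip_network(f"{net}/{mask}")
        elif (m := POOL_RE.match(line)):
            pools[m[3]] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif (m := ROUTER_RE.match(line)):
            router = ipaddress.ip_address(m[1])
    return ifaces, objects, pools, router


def lint(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    ifaces, objects, pools, router = parse_config(text)
    findings = []
    for nameif, (first, last) in pools.items():
        iface = ifaces.get(nameif)
        if iface is None:
            findings.append(f"dhcpd pool bound to unknown interface '{nameif}'")
            continue
        for edge in (first, last):
            if edge not in iface.network:
                findings.append(f"dhcpd pool address {edge} lies outside {iface.network} on {nameif}")
        if first > last:
            findings.append(f"dhcpd pool on {nameif} runs backwards ({first} > {last})")
        if router is not None and router != iface.ip:
            findings.append(f"dhcpd option 3 router {router} is not the {nameif} address {iface.ip}")
    interface_nets = {i.network for i in ifaces.values()}
    for name, subnet in objects.items():
        if subnet not in interface_nets:
            findings.append(f"NAT object {name} covers {subnet}, which is not a connected interface network")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports two findings, both caused by the 192.167 octet; replacing it with 192.168 makes the list empty. Checks like these are cheap to run before pasting a config into a lab box, and they catch the class of typo that otherwise shows up as "DHCP works but nothing routes".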
Soulja, Sr. Net. Eng (Top Expert 2011)

Commented:
post your output of
sh nat translated interface inside

Also, do you have firewall rules created to allow access out to the internet, or are you using the default security-level flow?
Soulja, Sr. Net. Eng (Top Expert 2011)

Commented:
Also on the inside ASA interface I see you have it connected to a switch trunk port.  You will need to create subinterfaces on that inside interface tagging the appropriate vlan and ip address for the associated vlan. Otherwise if you just want vlan 200, just change the switchport it's connected to to an access port in vlan 200.
huffmana, System Admin and Network Engineer (Author)

Commented:
OH  I didn't think of FW rules.  I should make an "any any" rule for now?

ciscoasa# sh nat translated interface inside
   No matching NAT policy found.

I tried this, it works on the ASA but not from the PC...

!
object-group network OUTSIDE-INT-IP
  network-object host 192.168.168.233
!
nat (inside,outside) source dynamic INSIDE-SUBNET interface destination static interface OUTSIDE-INT-IP interface
!
ciscoasa(config)# traceroute 8.8.8.8

Type escape sequence to abort.
Tracing the route to 8.8.8.8

 1  192.168.168.1 0 msec 0 msec 0 msec
 2  10.5.88.1 10 msec 10 msec 10 msec
 3  100.123.212.40 0 msec 10 msec 10 msec
 4  100.121.20.2 10 msec 0 msec 20 msec
 5  68.1.4.139 10 msec 10 msec 10 msec
 6  209.85.148.120 0 msec
    98.182.1.86 20 msec 0 msec
 7  108.170.246.65 10 msec
    108.170.246.33 10 msec
    108.170.240.97 10 msec
 8  209.85.251.82 10 msec 10 msec
    216.239.49.168 10 msec
 9  8.8.8.8 0 msec 110.5.88.1 100 msec 10 msec
ciscoasa(config)# ping 10.5.88.1
Type escape sequence to abort.
Sending 5, 100-byte10.5.88.1 10 ICMP Echos to 10.5.88.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
ciscoasa(config)#

NOTE: 10.5.88.1 is not on my network and appears to be behind our outside address of 98.175.98.XX; the 10. must be inside the Cox ISP?
huffmana, System Admin and Network Engineer (Author)

Commented:
ciscoasa# sh nat translated interface outside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 78, untranslate_hits = 0
ciscoasa#

NAT works from the ASA but not from the PC
Soulja, Sr. Net. Eng (Top Expert 2011)

Commented:
Looks like it's hitting the NAT rule. So what about your firewall rule?
huffmana, System Admin and Network Engineer (Author)

Commented:
Changed the switchport connected to the inside ASA interface to an access port in VLAN 200, but I still can't ping from the PC....
huffmana, System Admin and Network Engineer (Author)

Commented:
I'm googling the FW rule now :-| LOOK at this????

ciscoasa(config)# sh nat translated interface inside
No matching NAT policy found
ciscoasa(config)# sh nat translated interface outside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 78, untranslate_hits = 0

No changes made on the ASA - changed the switchport to  mode access....

ciscoasa(config)# sh nat int outside
No matching NAT policy found
ciscoasa(config)# sh nat int inside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 240, untranslate_hits = 0
ciscoasa(config)#
Technical Consultant
Commented:
>>The PC picks up DHCP OK and can ping 192.168.171.1 (ASA GigabitEthernet0/1), but it can't ping the default gateway ASA 192.168.168.233 (ASA GigabitEthernet0/0) or beyond.

This is completely normal?

Do this...

object network INSIDE-SUBNET
no nat (inside,outside) source dynamic INSIDE-SUBNET interface
nat (inside,outside) dynamic interface
clear xlate

try again?

You don't need any of these:

 icmp permit any mngt
 icmp permit any inside
 icmp permit any outside

To enable ping/ICMP, just add ICMP inspection; see the following article:
Cisco Firewalls and PING

Pete
huffmana, System Admin and Network Engineer (Author)

Commented:
The closest I can get on the 5520 is the following.

object network INSIDE-SUBNET
  nat (inside,outside) source dynamic any interface

Thanks for the reference to Cisco Firewalls and PING - I added the following from it.
policy-map global_policy
  class inspection_default
    inspect icmp

I still can't ping across interfaces so I'm finding out how to apply ACLs... I'll start with "any any"
huffmana, System Admin and Network Engineer (Author)

Commented:
The NAT is working because my PC can browse the internet. I added in and out ACLs to the outside and inside interfaces but I don't get any hit count? I'd like to be able to ping for testing, like ping out to the internet....

ACL ADDED TO outside and inside:

access-list OUTSIDE-IN extended permit ip any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any
access-list OUTSIDE-OUT extended permit ip any any
access-list OUTSIDE-OUT extended permit icmp any any
access-list OUTSIDE-OUT extended permit tcp any any
access-list INSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit icmp any any
access-list INSIDE-IN extended permit tcp any any
access-list INSIDE-OUT extended permit ip any any
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit tcp any any

nat (inside,outside) source dynamic any interface

access-group OUTSIDE-OUT out interface outside
access-group OUTSIDE-IN in interface outside
access-group INSIDE-IN in interface inside
access-group INSIDE-OUT out interface inside

route outside 0.0.0.0 0.0.0.0 192.168.168.1 5

------------NAT IS WORKING---------
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 133, untranslate_hits = 0

------------------>Chrome Browse to google.com <------------ Browsing Works :-)

ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 233, untranslate_hits = 0

--------------------> but ACL shows no hits ?????????????
#sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=0) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=301) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=301) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=0) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
ciscoasa#
ciscoasa#
Soulja, Sr. Net. Eng (Top Expert 2011)

Commented:
I see hits:

access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=0) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=301) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=301) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=0) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
huffmana, System Admin and Network Engineer (Author)

Commented:
Well, whatever I did, traceroute now works from my PC but ping still does not work.

debug icmp trace
logging monitor debug
logging enable
------------------------PC ping to outside (default router)
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=239 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=239 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=240 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=240 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=241 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=241 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=242 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=242 len=32

------------------------ASA ping to PC
ciscoasa(config)# ping 192.168.171.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.171.5, timeout is 2 seconds:
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
!ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72

---------------> PC tracert 8.8.8.8
C:\Users\root>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  my.meraki.net [192.168.168.1]
  2     7 ms    14 ms     9 ms  100.123.212.40
  3     7 ms     8 ms     8 ms  100.121.20.2
  4    10 ms     8 ms     8 ms  ashbbprj01-ae2.rd.as.cox.net [68.1.0.242]
  5     8 ms     9 ms     9 ms  98.182.1.86
  6    12 ms     7 ms     8 ms  108.170.246.65
  7     8 ms     8 ms     8 ms  216.239.41.201
  8    17 ms    10 ms     8 ms  google-public-dns-a.google.com [8.8.8.8]
Trace complete.
C:\Users\root>

ciscoasa(config)#
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=247 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=247 len=64
ICMP echo reply untranslating outside:192.168.168.233 to inside:192.168.171.5
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=248 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=248 len=64
ICMP echo reply untranslating outside:192.168.168.233 to inside:192.168.171.5
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=249 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=249 len=64
AND SO ON . . . . . . . . . . .

----------------------> PC ping to outside ip address
NOTHING ON ASA
huffmana, System Admin and Network Engineer (Author)

Commented:
Yes there are IP hits but no ICMP hits ??????
huffmana, System Admin and Network Engineer (Author)

Commented:
OH :-) I just read this: Since the Cisco ASA acts as a Security appliance, it usually does not let you see when the packet goes across to it, it is a security measure, so this is the way we can make this to function as you are looking for. If you have another question please let me know!

So I tested pinging 8.8.8.8 from my PC and it works :-)  I don't know what I did but I can now ping everything but the outside interface ip address.

C:\Users\root>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=8ms TTL=252
Reply from 8.8.8.8: bytes=32 time=12ms TTL=252
Reply from 8.8.8.8: bytes=32 time=12ms TTL=252
Reply from 8.8.8.8: bytes=32 time=8ms TTL=252

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 12ms, Average = 10ms

C:\Users\root>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! OH THAT'S WHY !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
There are no ICMP hits in the ACL because IP is the first rule, and ICMP is IP !!!!!!!!!!!  Boy I'm a dummy.

ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=42) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=1420) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=1432) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=21) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
ciscoasa(config)#
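The realisation above (a `permit ip any any` on line 1 absorbs every packet, so the `icmp` and `tcp` lines behind it can never be hit) is a general property of first-match ACLs, and it matters more when the unreachable line is a `deny`. The script below is an added example, not part of the original thread: it parses the `show access-list` output as posted above (embedded as a constructed sample, trimmed to two ACLs), evaluates a packet top-down the way the ASA does, and reports every entry that is shadowed by an earlier, broader one. The parser only understands the `proto any any` form shown on this page; `host`, subnet and port operands are not handled.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `show access-list` output posted above, trimmed to two ACLs.
SAMPLE_SHOW_ACL = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=42) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=1432) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) \(hitcnt=(?P<hits>\d+)\)"
)
IP_CARRIED = {"icmp", "tcp", "udp"}   # protocols that an `ip` entry also matches


@dataclass(frozen=True)
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: str
    dst: str
    hits: int

    def covers(self, proto, src, dst):
        """True if a packet (proto, src, dst) would match this entry."""
        proto_ok = self.proto == proto or (self.proto == "ip" and proto in IP_CARRIED)
        return proto_ok and self.src in ("any", src) and self.dst in ("any", dst)


def parse_show_access_list(text):
    """Extract the per-line entries; summary and hash lines are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            aces.append(Ace(d["acl"], int(d["line"]), d["action"], d["proto"],
                            d["src"], d["dst"], int(d["hits"])))
    return aces


def first_match(aces, acl, proto, src, dst):
    """Top-down evaluation like the ASA: the first matching Ace, or None for the implicit deny."""
    for ace in sorted((a for a in aces if a.acl == acl), key=lambda a: a.line):
        if ace.covers(proto, src, dst):
            return ace
    return None


def shadowed(aces):
    """Map (acl, line) -> line number of the earlier entry that makes it unreachable."""
    out, by_acl = {}, {}
    for a in aces:
        by_acl.setdefault(a.acl, []).append(a)
    for acl, entries in by_acl.items():
        entries.sort(key=lambda a: a.line)
        for i, ace in enumerate(entries):
            for earlier in entries[:i]:
                if earlier.covers(ace.proto, ace.src, ace.dst):
                    out[(acl, ace.line)] = earlier.line
                    break
    return out


if __name__ == "__main__":
    aces = parse_show_access_list(SAMPLE_SHOW_ACL)
    for (acl, line), by in shadowed(aces).items():
        print(f"{acl} line {line} can never match: shadowed by line {by}")
    hit = first_match(aces, "INSIDE-IN", "icmp", "192.168.171.5", "8.8.8.8")
    print("PC ping to 8.8.8.8 is matched by INSIDE-IN line", hit.line)
```

On the sample every line 2 and line 3 is reported as shadowed by line 1, which is exactly why their hit counters stay at zero while the `ip any any` counter climbs. A shadowed `permit` is only cosmetic; a shadowed `deny` under a broad `permit` is a real hole, so a check like this belongs in any ACL review.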
Soulja, Sr. Net. Eng (Top Expert 2011)

Commented:
Haha, well you see I didn't respond after my post highlighting the hits. I figured you would figure it out..lol!
huffmana, System Admin and Network Engineer (Author)

Commented:
I guess that it is normal that the ASA will not ping the outside ip address.  Once it is connected to the ISP static external ip address, I guess that all you want to be able to do is ping the external address, not the outside port....  So all is good.

Now I have to put in the PAT rules for our external clients to access our services. I've built a Linux box with several VMs running various things like SQL and Apache. So I'll have several address/port applications to PAT to and test.

I'm sure that I'll be back.

Soulja and Pete-Long have been a terrific help setting up my ASA firewall.  Many thanks for their help.
huffmana, System Admin and Network Engineer (Author)

Commented:
Soulja and Pete-Long have been a terrific help setting up my ASA firewall.  Many thanks for their help.
