Cisco ASA Dynamic NAT Configuration

Hi Rene,

So, I set up the configuration exactly as you did, all the inside, outside and DMZ interfaces, network objects, pools and NAT translations. But when I got to the verification part, I could telnet neither the DMZ nor the outside interface. I also could not telnet the outside interface from the DMZ, which has a higher security level. From my ASA 5520, I could only ping the inside and the outside interfaces, but not the DMZ. Hint: I am on GNS3 1.5.3. Thanks for the explanation.

Hello Ebako.

Please be sure that all of your configs are exactly the same as Rene’s. Also can you share a little more of your configuration with us so we can take a closer look and help you out?

Looking forward to hearing from you!

Laz

Here are my configs on all 3 devices:

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 5QFRjbooNyC4gmxi encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet2
 nameif DMZ
 security-level 50
 ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network PUCLIC_POOL
 range 192.168.2.100 192.168.2.200
object network INTERNAL
 subnet 192.168.1.0 255.255.255.0
object network DMZ_POOL
 range 192.168.3.100 192.168.3.200
object network INSIDE_TO_DMZ
 subnet 192.168.1.0 255.255.255.0
object network INSIDE_TO_OUTSIDE
 subnet 192.168.1.0 255.255.255.0
object network DMZ_TO_OUTSIDE
 subnet 192.168.3.0 255.255.255.0
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE_TO_OUTSIDE
 nat (INSIDE,OUTSIDE) dynamic interface
object network INSIDE
 nat (INSIDE,OUTSIDE) dynamic 192.168.2.253
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sam password p26VXMQgXge5voSE encrypted privilege 15
!
class-map global_policy
class-map icmp-class
 match default-inspection-traffic
class-map icmp
 match any
class-map inspection_default
!
!
policy-map icmp_policy
 class icmp
  inspect icmp
!
service-policy icmp_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d7cfb8f8d5a787d20d1ea7ef88b246d6
: end

hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username sam password 0 sam
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 password sam
 logging synchronous
 login 
!
!
end

hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username sam password 0 sam
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.2.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password sam
 logging synchronous
 login 
!
!
end

hostname DMZ
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username sam password 0 sam
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.3.3 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password sam
 logging synchronous
 login 
!
!
end

Hi @ebakomukwele,

Glancing over your configs, the first thing I notice is that your routers are unable to get outside of their own subnet. You have two options here:

* Disable routing with no ip routing and then add a default gateway.

Or

* Add a default route pointing to the ASA

Right now, they only know about their own local subnet and they have no idea how to reach anything else.

Hello Rene, please could you take a look at my running configs of all 4 devices? I did this like 2 months ago and I was able to telnet just fine. I did the same configs, but the only thing I can do now is ping the ASA from the INSIDE router.

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 5QFRjbooNyC4gmxi encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet2
 nameif DMZ
 security-level 50
 ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
object network OUTSIDE_POOL
 range 192.168.2.100 192.168.2.200
object network DMZ
 subnet 192.168.3.0 255.255.255.0
object network DMZ_POOL
 range 192.168.3.100 192.168.3.200
object network INSIDE_TO_DMZ
 subnet 192.168.1.0 255.255.255.0
object network INSIDE_TO_OUTSIDE
 subnet 192.168.1.0 255.255.255.0
object network DMZ_TO_OUTSIDE
 subnet 192.168.3.0 255.255.255.0
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
object network INSIDE_TO_OUTSIDE
 nat (INSIDE,OUTSIDE) dynamic interface
object network DMZ_TO_OUTSIDE
 nat (DMZ,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ebako password iaxvPs/M.ooE71L2 encrypted privilege 15
!
class-map global_policy
class-map icmp-class
 match default-inspection-traffic
class-map icmp
 match any
class-map inspection_default
!
!
policy-map icmp_policy
 class icmp
  inspect icmp
!
service-policy icmp_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:b3675509af1377effdd308cf7fd8c91d
: end

INSIDE#sh run
Building configuration...

IOMEM size set to 53477376 bytes.

Current configuration : 4088 bytes
!
! Last configuration change at 23:42:50 UTC Fri Dec 15 2017
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname INSIDE
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
memory-size iomem 5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip routing
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
username sam password 0 sam
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/4
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/5
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/6
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/7
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/8
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/9
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 password sam
 logging synchronous
 login
 transport input none
!
no scheduler allocate
!
end

OUTSIDE#sh run
Building configuration...

IOMEM size set to 53477376 bytes.

Current configuration : 4081 bytes
!
! Last configuration change at 23:44:24 UTC Fri Dec 15 2017
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OUTSIDE
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
memory-size iomem 5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip routing
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/4
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/5
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/6
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/7
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/8
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/9
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 192.168.2.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password sam
 logging synchronous
 login
 transport input none
!
no scheduler allocate
!
end

Router#sh run
Building configuration...

Current configuration : 3451 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/4
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/5
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/6
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/7
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/8
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/9
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Hi Ebako,

Instead of scanning your config and pointing out the error, have you tried packet tracer yet? That can be very helpful to figure out why certain packets are permitted/denied. For example, try this:

ASA1# packet-tracer input INSIDE tcp 192.168.1.1 50001 1.2.3.4 80 detailed

This shows you what happens when a packet from the INSIDE with source IP address 192.168.1.1, source TCP port 50001 tries to go to IP address 1.2.3.4 destination port 80.

This is a very useful tool, especially if you have a lot of stuff going on with your ASA like NAT/PAT, access-lists, VPNs, etc.

Rene

ASA(config)# object network PUBLIC_IP
ASA(config-network-object)# host 1.1.1.1

ASA(config)# object network LAN
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# nat (INSIDE,OUTSIDE) static PUBLIC_IP

Hi Rene, what type of NAT is this? As to my understanding:
ONE to ONE is static NAT
ONE to MANY is dynamic NAT/PAT
and the NAT above in the configuration is MANY to ONE.
How is that possible, as the first translation will occupy that single public IP?

please reply

Hello asi

The above configuration is a static NAT configuration. What it is doing is statically mapping real IP addresses 192.168.1.1 to 192.168.1.254 to a single outside (routable) address of 1.1.1.1. This is an unusual configuration since you are statically assigning multiple internal IP addresses to a single outside address. I’m not sure if this will work practically, because as you have stated as well, the first translation will occupy the single external IP address. What will happen when the second attempts to communicate with the outside? I suspect it will take over the IP address and the first will lose connectivity. You can test it out in a lab environment and let us know.

Concerning the definition of static and dynamic NAT: these are not defined by the number of addresses that are being mapped to. Static NAT is any NAT configuration that uses the static keyword. It doesn’t matter if it is one-to-one, many-to-one or many-to-many. It can include transport layer ports or it may not. There are legitimate situations where you can configure one-to-many static NAT, such as those found in Cisco’s documentation.

Dynamic NAT is any NAT configuration that uses the dynamic keyword. This is most common with a many-to-one or many-to-few configuration but can also be configured in a one-to-one situation (which will essentially “dynamically” choose the only available option and will function the same as a static configuration). It doesn’t make sense to do so; however, it can be done. I’m mentioning this to emphasise that static and dynamic NAT are not confined to many-to-one or one-to-one configurations.

I hope this has been helpful!

Laz

Hi Rene Molenaar ,

Could you please explain the NAT commands below in detail.

global (outside) 1 interface
global (guestwifi) 1 interface
nat (outside) 1 10.10.10.0 255.255.255.0
nat (guestwifi) 1 172.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 192.0.2.24 255.255.255.248

Hi Sunil,

These are the pre-8.3 commands to configure NAT.

Let’s break down these commands:

global (outside) 1 interface
  • global means we configure a global address pool.
  • (outside) means we define the pool on this interface (outside).
  • 1 is the ID of our pool.
  • interface means that we use PAT with the IP address on the interface.
global (guestwifi) 1 interface

Same as above but for the guestwifi interface.

nat (outside) 1 10.10.10.0 255.255.255.0
  • (outside) this is the interface where the NAT network exists. The outside interface in this case.
  • 1 this is how we combine the global pool and this NAT statement together.
  • 10.10.10.0 255.255.255.0 this is the subnet we want to translate.
nat (guestwifi) 1 172.168.20.0 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 192.0.2.24 255.255.255.248

These three are pretty much the same as the one I explained above.

nat (inside) 0 access-list inside_nat0_outbound

This is for NAT exemption. Whatever matches your access-list won’t be translated with NAT.

Hope this helps!

Rene
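As an added illustration of the ID pairing Rene describes (this is my own Python, not part of the lesson or of Sunil's ASA), the script below parses the seven pre-8.3 statements from the question and, for each nat statement, lists the global pool it would use on every possible egress interface; the function names are mine and it only handles the syntax shown here (interface PAT pools and access-list exemption).

```python
import re

# Pre-8.3 statements copied from the question above; they are the input for this example.
CONFIG = """\
global (outside) 1 interface
global (guestwifi) 1 interface
nat (outside) 1 10.10.10.0 255.255.255.0
nat (guestwifi) 1 172.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 192.0.2.24 255.255.255.248
"""

GLOBAL_RE = re.compile(r"^global \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<pool>.+)$")
NAT_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<match>.+)$")


def parse_pre83(text):
    """Return (pools, rules): pools as (egress_ifc, id, pool), rules as (ingress_ifc, id, match)."""
    pools, rules = [], []
    for line in text.splitlines():
        line = line.strip()
        g = GLOBAL_RE.match(line)
        n = NAT_RE.match(line)
        if g:
            pools.append((g["ifc"], int(g["id"]), g["pool"]))
        elif n:
            rules.append((n["ifc"], int(n["id"]), n["match"]))
    return pools, rules


def describe_pool(pool):
    """'interface' means PAT behind the egress interface address; anything else is an address pool."""
    return "PAT on interface address" if pool == "interface" else f"pool {pool}"


def explain(text):
    """Pair every nat statement with the global pools that share its ID.

    ID 0 is special: with an access-list it is NAT exemption (matching traffic is not
    translated), with a plain subnet it is identity NAT.  For ID > 0 the nat statement picks
    the source traffic on its ingress interface, and each global with the same ID supplies the
    translated address on its own (egress) interface, so one nat statement can translate
    differently depending on which interface the traffic leaves through.
    """
    pools, rules = parse_pre83(text)
    result = []
    for ingress, nat_id, match in rules:
        entry = {"ingress": ingress, "id": nat_id, "match": match, "egress": {}}
        if nat_id == 0:
            entry["kind"] = "exempt" if match.startswith("access-list ") else "identity"
        else:
            entry["kind"] = "dynamic"
            for egress, pool_id, pool in pools:
                if pool_id == nat_id and egress != ingress:
                    entry["egress"][egress] = describe_pool(pool)
            if not entry["egress"]:
                entry["kind"] = "unpaired"  # no global shares this ID: nothing translates it
        result.append(entry)
    return result


def render(text):
    """One line per nat statement, handy when reviewing a legacy config before migrating it."""
    lines = []
    for e in explain(text):
        if e["kind"] == "exempt":
            lines.append(f"{e['ingress']}: traffic matching {e['match'].split()[1]} is exempt from NAT")
        elif e["kind"] == "dynamic":
            targets = ", ".join(f"{ifc} ({how})" for ifc, how in sorted(e["egress"].items()))
            lines.append(f"{e['ingress']}: {e['match']} -> {targets}")
        else:
            lines.append(f"{e['ingress']}: {e['match']} -> {e['kind']}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(CONFIG)))
```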

Rene, I am working on the Cisco ASA Dynamic NAT Configuration lab in Unit 2 NAT/PAT. I typed in the commands for the assignment, but I was unable to telnet from Router 1 to Router 2. I am using live equipment, an ASA 5510 with IOS 8.4, ASDM 7.5. Is there anything I need to watch for?
Thank you

Hi Robert,

Sorry for the late reply. Have you tried packet tracer on the CLI? That should help to tell you why the traffic is blocked. Here’s a quick example:

ciscoasa# packet-tracer input OUTSIDE tcp 192.168.2.2 23 192.168.3.3 23

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface OUTSIDE
access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static 192.168.2.200
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
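Rene's advice in both of his replies above is to read packet-tracer output phase by phase; as an added example (my own Python, not from the lesson or from the ASA) the script below parses the output just shown, embedded as its sample input, and reports the first phase whose Result is DROP together with the rule printed under its Config, so a drop can be attributed to a specific NAT or access-list statement rather than to the generic Drop-reason line; all function names are mine.

```python
import re

# packet-tracer output copied from Rene's example above (blank separator lines dropped).
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   DMZ
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface OUTSIDE
access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static 192.168.2.200
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts and the final 'Result:' verdict block."""
    phases, verdict = [], {}
    phase = section = None
    for line in text.splitlines():
        line = line.rstrip()
        m = PHASE_RE.match(line)
        if m:
            phase = {"phase": int(m.group(1)), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            phases.append(phase)
            section = None
        elif line == "Result:":  # a bare 'Result:' opens the final verdict block
            phase, section = None, "verdict"
        elif section == "verdict":
            key, _, value = line.partition(":")
            if value:
                verdict[key.strip().lower()] = value.strip()
        elif phase is not None:
            m = FIELD_RE.match(line)
            if m:
                phase[m.group(1).lower()] = m.group(2).strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section and line.strip():
                phase[section].append(line.strip())
    return phases, verdict

def triage(text):
    """Return the final action, the Drop-reason and the first phase whose Result is DROP."""
    phases, verdict = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"].upper() == "DROP"), None)
    return {"action": verdict.get("action"), "drop_reason": verdict.get("drop-reason"),
            "drop_phase": dropped, "phases": phases, "verdict": verdict}

def summary(text):
    """One line for a ticket or a log: which phase dropped the packet and by which rule."""
    t = triage(text)
    if t["drop_phase"] is None:
        return f"{t['action']}: all {len(t['phases'])} phases allowed"
    p = t["drop_phase"]
    return (f"{t['action']} at phase {p['phase']} {p['type']}/{p['subtype']} "
            f"[{' | '.join(p['config'])}] {t['drop_reason']}")
```

In the sample the drop is attributed to phase 5, the rpf-check against the static NAT for WEB_SERVER, not to the access-list that allowed the packet in phase 3, which is the distinction the Drop-reason line alone does not make.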

Hello Rene,

This is my first post and I hope I am posting it in the right way.
I want to know, as per the topology for dynamic NAT, when we convert the router to HOST2 by using the command no ip routing, I am able to ping the 192.168.23.3 IP address without any issues.
But if I do not convert the router to a host and keep routing enabled with the command ip routing, I am not able to ping 192.168.23.3. This might be because there is no route in HOST2 to reach the router Web1, so why, when we configure no ip routing on HOST2, are we able to ping the router WEB1 IP address even though no default gateway is configured on HOST2?

Hello Tejpal,

I moved your post to the Dynamic NAT topic so it’s in the right place :)

If you disable ip routing then your router acts as a regular host device. The only way it can get out of its own subnet is if it has a default gateway. If not, it can only reach devices within its own subnet. Are you sure there is no default gateway on your host2?

With ip routing enabled, a router will always check its local routing table. If you have a default gateway, it will ignore it…you will need a default route (0.0.0.0/0).

Rene

Thanks Rene for the reply. Your reply helps me understand the basic concepts which otherwise were difficult
to understand and got me confused every time.
Your short and simple explanations help me understand a topic very easily.
Thanks to you and your team for being supportive.

Regarding my question, please check the details I mention below
for the topology of dynamic NAT:

Host1 —> Switch1 --> NAT(Router) —> Web1
Host2 —> Switch1 --> NAT(Router) —> Web1

no ip routing is enabled on Host1, Host2 and Web1.
No ip default-gateway is set on Host1, Host2 or Web1.
Also, NAT is not enabled at this point in time on the NAT router.
Still I can ping from Host1 to Web1 and from Host2 to Web1, and vice versa.

Configuration of Host1

no ip routing
interface ethernet 0/1
 ip address 192.168.123.1 255.255.255.0

Configuration of Host2

no ip routing
interface ethernet 0/0
 ip address 192.168.123.2 255.255.255.0

Configuration of NAT router
NAT is not enabled, just a basic configuration on the NAT Router

interface ethernet 0/2
 ip address 192.168.123.3 255.255.255.0
interface ethernet 0/0
 ip address 192.168.23.2 255.255.255.0

Configuration of Web1

no ip routing 
interface ethernet 0/0
 ip address 192.168.23.3 255.255.255.0

So, in this scenario ip default-gateway is not enabled on Host1, Host2 and Web1, but still Host1 and Host2
can leave their subnet and reach Web1 in the other subnet, i.e. we can ping 192.168.23.3 from Host1 and Host2,
and also we can ping the IP addresses of Host1 and Host2 from the Web1 host.

So, it will be helpful if you can help me understand this.

The log for the debug IP packet for Host1 is -

*Oct 21 10:58:13.488: IP: s=192.168.23.3 (Ethernet0/1), d=192.168.123.1, len 100, input feature, MCI Check(99), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 21 10:58:13.488: IP: s=192.168.23.3 (Ethernet0/1), d=192.168.123.1, len 100, rcvd 1
*Oct 21 10:58:13.488: IP: s=192.168.123.1 (local), d=192.168.23.3, len 100, local feature, Logical MN local(14), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 21 10:58:13.488: IP: tableid=0, s=192.168.123.1 (local), d=192.168.23.3 (Ethernet0/1), routed via RIB
*Oct 21 10:58:13.488: IP: s=192.168.123.1 (local), d=192.168.23.3 (Ethernet0/1), len 100, sending
Host1#
*Oct 21 10:58:13.489: IP: s=192.168.123.1 (local), d=192.168.23.3 (Ethernet0/1), len 100, sending full packet

Second scenario, in which I enable ip routing on Web1 and set the default gateway on Web1 to the NAT router:
as routing is now enabled, Web1 will check for routes in its routing table as explained by you,
and still we are able to ping Host1 and Host2 from Web1 (still no ip default-gateway set on Host1 and Host2).

Third scenario: even after enabling NAT on the inside and outside interfaces, we still do not need the ip default-gateway
on Host1 and Host2 to send packets to Web1.

Hello Tejpal

First of all, let’s clarify what the no ip route command does. It will cause a router to reach outside of its own subnet only if a default gateway is set. If a default gateway is NOT set, then there is no way for the router to reach any subnet other than those directly connected to its interfaces. If you are able to ping beyond your own subnet, then either the default-gateway command exists or there is a default gateway configured in the routing table. There is no other way to reach outside networks. Verify these settings to determine why you are able to ping outside of the directly connected networks.

If ip route is enabled, then the router essentially is able to examine its routing table for something beyond just the default gateway, in order to determine where to send packets. So in both cases, a router can function as a host when pinging. The state of these commands just determines if only a default gateway is examined as a potential next hop or if details within the routing table are used for more specific routing options.

I hope this has been helpful!

Laz

Hello There,

Can you please explain to me what "pool overlap with existing pool" means?

Does it affect any configuration?
Do I need to take it seriously?

Thanks
Ankit

Hello ankit

When configuring features such as NAT and DHCP, an IP address pool is a range of IP addresses that are used for these operations. For NAT in particular, if you are defining multiple IP pools for use as internal IP addresses to be translated and you get an error that states that a pool is overlapping with an existing pool, this means that some of the address ranges in the pools overlap, that is, they contain some of the same addresses. For example, an address pool of 10.10.10.10 to 10.10.10.250 overlaps with another range that may be defined as 10.10.10.25 to 10.10.10.45. When using subnet masks to define ranges, 10.10.10.0/26 overlaps with 10.10.10.32/27.

This is not permissible when defining address pools.

I hope this has been helpful!

Laz
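To make Laz's overlap examples checkable before a pool is pushed to a firewall, here is an added Python helper (my own code, not the ASA's own check) that normalizes the three notations used in this thread (first-last ranges, prefix length, and network plus mask as written under object network) and reports exactly which addresses two pools share; the function names are mine and the POOLS dictionary is constructed from the examples above.

```python
import ipaddress

def parse_pool(spec):
    """Turn 'first-last', 'network/prefix' or 'network mask' into an inclusive (first, last) int pair."""
    spec = spec.strip()
    if "-" in spec:                     # range form, as in 'range 10.10.10.10 10.10.10.250'
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {spec}")
        return int(first), int(last)
    if "/" not in spec:                 # 'network mask' form, as in 'subnet 10.10.10.0 255.255.255.192'
        spec = "/".join(spec.split())
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def overlap(a, b):
    """Return the shared addresses as (first, last) strings, or None when the two pools are disjoint."""
    a_first, a_last = parse_pool(a)
    b_first, b_last = parse_pool(b)
    first, last = max(a_first, b_first), min(a_last, b_last)
    if first > last:
        return None
    return str(ipaddress.ip_address(first)), str(ipaddress.ip_address(last))

def check_pools(pools):
    """Pairwise check of named pools: [(name1, name2, (first, last)), ...] for every clash found."""
    names = list(pools)
    clashes = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            shared = overlap(pools[x], pools[y])
            if shared is not None:
                clashes.append((x, y, shared))
    return clashes

# Constructed sample: Laz's two examples plus the OUTSIDE_POOL and DMZ_POOL ranges from the configs above.
POOLS = {
    "POOL_A": "10.10.10.10-10.10.10.250",
    "POOL_B": "10.10.10.25-10.10.10.45",
    "NET_26": "10.10.10.0/26",
    "NET_27": "10.10.10.32 255.255.255.224",
    "OUTSIDE_POOL": "192.168.2.100-192.168.2.200",
    "DMZ_POOL": "192.168.3.100-192.168.3.200",
}

if __name__ == "__main__":
    for x, y, (first, last) in check_pools(POOLS):
        print(f"{x} overlaps {y}: {first}-{last}")
```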

Hello, how do I clear the existing NAT configuration? Thanks

Hello, say:

router <--- layer 2 vlan trunk: vlan 10, vlan 20, vlan 30, vlan 40 ---> ASA firewall <--- OUTSIDE --->

Does each VLAN need to have a layer 3 interface on the ASA in order to NAT all the VLANs on the inside? Or do we need to specify the network address again while creating network objects for each VLAN?