Welcome,
I replaced the old Cisco router with a Cisco ASA 5510, but I cannot solve the NAT problem. Only two LAN IP addresses can reach the Internet (172.30.16.230, the domain controller, and 172.30.16.253, the proxy). From `sh xlate` it can be seen that the ASA is NATing only these two LAN addresses to two real (public) IP addresses. Does anyone have an idea why this happens?
Configuration:
================================
!
hostname ciscoasa
domain-name xxxx.xxx
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address xx.xx.66.18 255.255.255.248
!
interface Ethernet0/1
nameif LAN
security-level 99
ip address 192.168.200.254 255.255.255.0
!
interface Ethernet0/2
nameif WWW
security-level 50
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/3
description DMZ-MAIL
nameif MAIL
security-level 49
ip address 192.168.4.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
domain-name xxxx.xxx
object-group service DM_INLINE_SERVICE_1
service-object tcp eq domain
service-object udp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object tcp eq domain
service-object udp eq domain
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group network DM_INLINE_NETWORK_1
network-object host xx.xx.81.19
network-object host xx.xx.81.20
access-list LAN_nat0_out extended permit ip 172.30.16.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list LAN_nat0_out extended permit ip 172.30.16.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MAIL_nat0_out extended permit ip 192.168.4.0 255.255.255.0 172.30.16.0 255.255.255.0
access-list MAIL_nat0_out extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list WAN_access_in extended permit tcp any host xx.xx.66.19 eq www
access-list WAN_access_in extended permit tcp any host xx.xx.66.20 object-group DM_INLINE_TCP_1
access-list MAIL_access_in extended permit ip 192.168.4.0 255.255.255.0 172.30.16.0 255.255.255.0
access-list MAIL_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.4.0 255.255.255.0 any inactive
access-list MAIL_access_in extended permit ip any any
access-list extended permit ip 192.168.1.0 255.255.255.0 172.30.16.0 255.255.255.0
access-list extended permit ip host 192.168.1.1 host 172.30.16.207
access-list extended permit object-group DM_INLINE_SERVICE_2 host 192.168.1.1 host 172.30.16.230
access-list extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu mtu MAIL 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any LAN
icmp permit any WWW
icmp permit any MAIL
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN) 101 xx.xx.66.21-xx.xx.66.22 netmask 255.255.255.248
global (WWW) 101 xx.xx.66.19 netmask 255.255.255.248
global (MAIL) 101 xx.xx.66.20 netmask 255.255.255.248
nat (LAN) 0 access-list LAN_nat0_out
nat (LAN) 101 0.0.0.0 0.0.0.0
nat (WWW) 0 access-list nat (WWW) 0 access-list outside
nat (MAIL) 0 access-list MAIL_nat0_out
nat (MAIL) 101 192.168.4.3 255.255.255.255
static (LAN,WAN) tcp interface 255.255.255.255
static (LAN,WAN) tcp interface ftp 172.30.16.231 ftp netmask 255.255.255.255
static (LAN,WAN) tcp interface 8080 172.30.16.217 8080 netmask 255.255.255.255
static (MAIL,WAN) tcp xx.xx.66.20 smtp 192.168.4.3 smtp netmask 255.255.255.255
static ( xx.xx.66.19 192.168.1.1 netmask 255.255.255.255
static (MAIL,WAN) xx.xx.66.20 192.168.4.1 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group in interface WWW
access-group MAIL_access_in in interface MAIL
route WAN 0.0.0.0 0.0.0.0 xx.xx.66.17 1
route LAN 172.30.16.0 255.255.255.0 192.168.200.254 1
route LAN 192.168.101.0 255.255.255.0 192.168.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
: end
================================
ciscoasa# sh xlate
8 in use, 9 most used
PAT Global xx.xx.66.20(25) Local 192.168.4.3(25)
Global xx.xx.66.19 Local 192.168.1.1
Global xx.xx.66.20 Local 192.168.4.1
PAT Global xx.xx.66.18(80) Local 172.30.16.231(80)
PAT Global xx.xx.66.18(21) Local 172.30.16.231(21)
PAT Global xx.xx.66.18(8080) Local 172.30.16.217(8080)
Global xx.xx.66.21 Local 172.30.16.253
Global xx.xx.66.22 Local 172.30.16.230
I replaced the old Cisco router with a Cisco ASA 5510, but I cannot solve the NAT problem. Only two LAN IP addresses can reach the Internet (172.30.16.230, the domain controller, and 172.30.16.253, the proxy). From `sh xlate` it can be seen that the ASA is NATing only these two LAN addresses to two real (public) IP addresses. Does anyone have an idea why this happens?
Configuration:
================================
!
hostname ciscoasa
domain-name xxxx.xxx
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address xx.xx.66.18 255.255.255.248
!
interface Ethernet0/1
nameif LAN
security-level 99
ip address 192.168.200.254 255.255.255.0
!
interface Ethernet0/2
nameif WWW
security-level 50
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/3
description DMZ-MAIL
nameif MAIL
security-level 49
ip address 192.168.4.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
domain-name xxxx.xxx
object-group service DM_INLINE_SERVICE_1
service-object tcp eq domain
service-object udp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object tcp eq domain
service-object udp eq domain
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group network DM_INLINE_NETWORK_1
network-object host xx.xx.81.19
network-object host xx.xx.81.20
access-list LAN_nat0_out extended permit ip 172.30.16.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list LAN_nat0_out extended permit ip 172.30.16.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MAIL_nat0_out extended permit ip 192.168.4.0 255.255.255.0 172.30.16.0 255.255.255.0
access-list MAIL_nat0_out extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list WAN_access_in extended permit tcp any host xx.xx.66.19 eq www
access-list WAN_access_in extended permit tcp any host xx.xx.66.20 object-group DM_INLINE_TCP_1
access-list MAIL_access_in extended permit ip 192.168.4.0 255.255.255.0 172.30.16.0 255.255.255.0
access-list MAIL_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.4.0 255.255.255.0 any inactive
access-list MAIL_access_in extended permit ip any any
access-list extended permit ip 192.168.1.0 255.255.255.0 172.30.16.0 255.255.255.0
access-list extended permit ip host 192.168.1.1 host 172.30.16.207
access-list extended permit object-group DM_INLINE_SERVICE_2 host 192.168.1.1 host 172.30.16.230
access-list extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu mtu MAIL 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any LAN
icmp permit any WWW
icmp permit any MAIL
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN) 101 xx.xx.66.21-xx.xx.66.22 netmask 255.255.255.248
global (WWW) 101 xx.xx.66.19 netmask 255.255.255.248
global (MAIL) 101 xx.xx.66.20 netmask 255.255.255.248
nat (LAN) 0 access-list LAN_nat0_out
nat (LAN) 101 0.0.0.0 0.0.0.0
nat (WWW) 0 access-list nat (WWW) 0 access-list outside
nat (MAIL) 0 access-list MAIL_nat0_out
nat (MAIL) 101 192.168.4.3 255.255.255.255
static (LAN,WAN) tcp interface 255.255.255.255
static (LAN,WAN) tcp interface ftp 172.30.16.231 ftp netmask 255.255.255.255
static (LAN,WAN) tcp interface 8080 172.30.16.217 8080 netmask 255.255.255.255
static (MAIL,WAN) tcp xx.xx.66.20 smtp 192.168.4.3 smtp netmask 255.255.255.255
static ( xx.xx.66.19 192.168.1.1 netmask 255.255.255.255
static (MAIL,WAN) xx.xx.66.20 192.168.4.1 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group in interface WWW
access-group MAIL_access_in in interface MAIL
route WAN 0.0.0.0 0.0.0.0 xx.xx.66.17 1
route LAN 172.30.16.0 255.255.255.0 192.168.200.254 1
route LAN 192.168.101.0 255.255.255.0 192.168.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
: end
================================
ciscoasa# sh xlate
8 in use, 9 most used
PAT Global xx.xx.66.20(25) Local 192.168.4.3(25)
Global xx.xx.66.19 Local 192.168.1.1
Global xx.xx.66.20 Local 192.168.4.1
PAT Global xx.xx.66.18(80) Local 172.30.16.231(80)
PAT Global xx.xx.66.18(21) Local 172.30.16.231(21)
PAT Global xx.xx.66.18(8080) Local 172.30.16.217(8080)
Global xx.xx.66.21 Local 172.30.16.253
Global xx.xx.66.22 Local 172.30.16.230