NATting and Passing traffic - What am i doing wrong

[t7fire]

Greetings,

I am new to the PIX / ASA hardware and I am trying to setup our new ASA to allow traffic to our web server. We have 8 IP's 209.x.x.112 255.255.255.248.

Our edge router is 209.x.x.113 and the ASA external interface is 209.x.x.118. I am wanting to use 209.x.x.119 as our main site IP and have all web traffic go to an internal IP of 192.168.10.36

Traffic is getting to the ASA on both 209.x.x.118 and 209.x.x.119 because I can ping the 118 and get ICMP Denied on the 119

I am trying to get the following flow

Internet host going to 209.x.x.119 translate / forward to 192.168.10.36

Once again this is my first run at a PIX / ASA Thank you in advance for any help.




ASA Version 7.2(1)
!
hostname ciscoasa
domain-name companyname.org
enable password abcdefg. encrypted
names
!
interface Ethernet0/0
nameif Inside
security-level 2
ip address 192.168.10.253 255.255.254.0
!
interface Ethernet0/1
nameif Outside
security-level 1
ip address 209.x.x.118 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.192.168 255.255.255.0
management-only
!
passwd abcdefg. encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name companyname.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list web extended permit tcp any host 209.x.x.119
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 209.x.x.119
nat (Inside) 1 192.168.10.0 255.255.254.0
static (Inside,Outside) 209.x.x.119 192.168.10.36 netmask 255.255.255.255
access-group web in interface Outside
route Inside 192.168.10.0 255.255.255.0 192.168.10.253 1
route Outside 0.0.0.0 0.0.0.0 209.x.x.113 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.192.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.192.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9c2ead3604473fd7697e05ead7eacabf
: end

 

[Supergrrover]

You will need to change these
interface Ethernet0/0
nameif Inside
security-level 2
ip address 192.168.10.253 255.255.254.0
and
nat (Inside) 1 192.168.10.0 255.255.254.0
*** I think you wanted the mask to be 255.255.255.0, if not then leave that alone.

*** At the top you said the pix was .118, where you had
global (Outside) 1 209.x.x.119
*** you would want
global (Outside) 1 209.x.x.118

***and delete this line here
route Inside 192.168.10.0 255.255.255.0 192.168.10.253 1



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[t7fire]

We are using 192.168.10.x and 192.168.11.x which is the reason for the 255.255.254.0 netmask

when I remove the global (outside) 1 209.x.x.119 and replace it with the global (outside) 1 209.x.x.118 i get

Error: 209.x.x.118-209.x.x.118 overlaps with Outside interface address

 

[Supergrrover]

I have had trouble with 7.2(1) and the global command with an IP address - try this instead
global (Outside) 1 interface



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[t7fire]

Still no love, I cant surf out either. It is building the outbound connection but returning no results.... I swear this thing hates me.

 

[Supergrrover]

Did you take this lineout?
route Inside 192.168.10.0 255.255.255.0 192.168.10.253 1

Try the connection again after enabling logging
logging enable
logging timestamp
logging buffered debugging

then after the connection is tried, do a
sho logg



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[boymarty24]

Is the asa a replacment for another box? I would reboot your edge router so no mac address issues are messing with your installation.

 

[t7fire]

This is a new site that is going to replace all other sites. We are still doing construction on some of the building but do have people moved in. So the current configuration has a new internet circuit (t1) coming in and a Point to Point T1 linking to another site temporarily. We are routing internal date for our 192.168.10 date to the other site (192.168.1.), Telephone data (10.10.30.0) to the other site (10.10.10.) and internet traffic out the new internet T1. The company has a linux box as the firewall on the other end that when we come over here, the ASA will take its place.

I blanked the ASA config and started from scratch with no luck


Here are my current configs




Current Edge Router
Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname chkenrtr
!
enable password 7 abcdefghijklmnop
!
ip nat inside source list 1 interface Serial0/1 overload
no ip domain-lookup
!
!
!
interface Ethernet0/0
ip address 209.x.x.113 255.255.255.248
!
interface Serial0/0
description connected to chneilrtr
ip address 172.16.10.2 255.255.255.252
ip rtp header-compression
ip rtp reserve 16384 100 1000
encapsulation ppp
no ip mroute-cache
bandwidth 1536
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
!
interface Ethernet0/1
ip address 10.10.30.10 255.255.255.0 secondary
ip address 192.168.10.254 255.255.254.0
ip nat inside
!
interface Serial0/1
description Internet
ip address 209.y.y.206 255.255.255.252
ip nat outside
encapsulation ppp
bandwidth 1536
service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.253.103.205
ip route 10.10.10.0 255.255.255.0 Serial0/0
ip route 10.10.20.0 255.255.255.0 Serial0/0
ip route 192.168.1.0 255.255.255.0 Serial0/0
ip route 192.168.10.0 255.255.254.0 Ethernet0/1
ip route 209.x.x.0 255.255.255.0 209.x.x.118
access-list 1 permit any
snmp-server community public RO
banner exec ^C



**********************************************************************
* *
* *
* *
* This is the ABCD gateway *
* *
* *
* || || *
* || || *
* |||| |||| *
* ..:||||||:..:||||||:.. *
* c i s c o S y s t e m s *
* Kenyon Office Router System *
* *
**********************************************************************
^C
banner motd ^C


**** Unauthorised Access is Strictly Forbidden ****

******* To logon enter appropriate password ******

*********** ALL LOGIN ATTEMPS ARE LOGGED **********
^C
!
line con 0
exec-timeout 0 0
password 7 ABCDEFGHIJKLMNOP
login
line aux 0
line vty 0 4
password 7 ABCDEFGHIJKLMNOP
login




Current ASA



ASA Version 7.2(1)
!
hostname ciscoasa
domain-name c-uphd.org
enable password abcdefghijklmno. encrypted
names
!
interface Ethernet0/0
nameif Inside
security-level 0
ip address 192.168.1.253 255.255.254.0
!
interface Ethernet0/1
nameif Outside
security-level 0
ip address 209.x.x.118 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.192.168 255.255.255.0
management-only
!
passwd abcdefghijklmno encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name company.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Outside_access_in extended permit tcp any host 209.x.x.119 eq www
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Inside) 1 192.168.1.252 netmask 255.255.255.0
global (Outside) 100 interface
nat (Inside) 100 0.0.0.0 0.0.0.0
static (Inside,Outside) 209.x.x.119 192.168.10.36 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.192.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.10.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.192.169-192.168.192.254 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:663b2105d74ee49cd24d2f3681ccd4f9
: end