
Netbios NAT


jrmann1999 (Technical User), Sep 12, 2006
Can someone give me an example nat statement for a Cisco ASA router to handle NetBIOS requests? My router is throwing off log entries each time a client makes a NetBIOS request to the broadcast address:

<163>%ASA-3-305005: No translation group found for udp src outside:192.168.200.2/138 dst outside:192.168.200.255/138

The relevant sections of my config I have thus far:
access-list FlowA extended permit ip 192.168.200.0 255.255.255.0 any
access-list outside_nat_outbound extended permit ip 192.168.200.0 255.255.255.0 any
global (outside) 2 interface
nat (inside) 2 access-list FlowA
nat (outside) 2 access-list outside_nat_outbound

I figured doing a nat of the entire subnet would do the trick, but apparently it doesn't include the broadcast address.
 
Do you have the NAT ACLs applied to the outside interface with the "overload" statement? Please post a sh run.

Burt
 
Ideally I'd like to redirect this request to another subnet, or block it. The VPN clients are set up to get a fixed WINS server, so this broadcast request is redundant.
 
I configured this beast with the ASDM utility, so if it's wrong blame cisco's confusing tools.

ciscoasa# sh running-config
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name txhmg.com
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.222 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address pubip 255.255.255.128
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.14
name-server 192.168.1.73
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list FlowA extended permit ip 192.168.200.0 255.255.255.0 any
access-list outside_access_out extended permit ip any any
access-list outside_nat_outbound extended permit ip 192.168.200.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
logging mail errors
logging from-address ciscoasa@txhmg.com
logging recipient-address jmann@txhmg.com level errors
mtu inside 1500
mtu outside 1500
ip local pool corp 192.168.200.1-192.168.200.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 2 access-list FlowA
nat (outside) 2 access-list outside_nat_outbound
access-group outside_access_out out interface outside
route inside 192.168.23.0 255.255.255.0 192.168.1.14 1
route inside 192.168.22.0 255.255.255.0 192.168.1.14 1
route inside 192.168.21.0 255.255.255.0 192.168.1.14 1
route inside 192.168.20.0 255.255.255.0 192.168.1.14 1
route inside 192.168.19.0 255.255.255.0 192.168.1.14 1
route inside 192.168.18.0 255.255.255.0 192.168.1.14 1
route inside 192.168.17.0 255.255.255.0 192.168.1.14 1
route inside 192.168.16.0 255.255.255.0 192.168.1.14 1
route inside 192.168.15.0 255.255.255.0 192.168.1.14 1
route inside 192.168.14.0 255.255.255.0 192.168.1.14 1
route inside 192.168.13.0 255.255.255.0 192.168.1.14 1
route inside 192.168.12.0 255.255.255.0 192.168.1.14 1
route inside 192.168.11.0 255.255.255.0 192.168.1.14 1
route inside 192.168.10.0 255.255.255.0 192.168.1.14 1
route inside 192.168.9.0 255.255.255.0 192.168.1.14 1
route inside 192.168.8.0 255.255.255.0 192.168.1.14 1
route inside 192.168.7.0 255.255.255.0 192.168.1.14 1
route inside 192.168.6.0 255.255.255.0 192.168.1.14 1
route inside 192.168.5.0 255.255.255.0 192.168.1.14 1
route inside 192.168.4.0 255.255.255.0 192.168.1.14 1
route inside 192.168.3.0 255.255.255.0 192.168.1.14 1
route inside 192.168.2.0 255.255.255.0 192.168.1.14 1
route outside 0.0.0.0 0.0.0.0 pubip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server ntdomain protocol nt
aaa-server ntdomain host 192.168.1.60
nt-auth-domain-controller CORPDC
aaa-server vpn protocol radius
no eou allow clientless
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value Test
group-policy vpn3000 internal
group-policy vpn3000 attributes
wins-server value 192.168.1.14
dns-server value 192.168.1.14 192.168.1.73
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value txhmg.com
group-policy corp internal
group-policy corp attributes
wins-server value 192.168.1.14
dns-server value 192.168.1.14 192.168.1.73
default-domain value txhmg.com
group-policy corp_1 internal
group-policy corp_1 attributes
wins-server value 192.168.1.14
dns-server value 192.168.1.14 192.168.1.73
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value txhmg.com
msie-proxy server value 192.168.1.14:3128
msie-proxy method use-server
msie-proxy except-list value 192.168.1.*;
msie-proxy local-bypass enable
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 10.10.0.0 255.255.0.0 inside
http authentication-certificate outside
http redirect outside 80
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA
crypto dynamic-map dynmap 10 set reverse-route
crypto map internet_map 65535 ipsec-isakmp dynamic internet_dyn_map
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 1000
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) vpn
tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa certificate
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool corp
authentication-server-group vpn
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key <removed>
tunnel-group vpn3000 ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 192.168.0.0 255.255.0.0 inside
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
!
!
!
policy-map type inspect http p2p
parameters
class _default_gator
drop-connection
class _default_kazaa
drop-connection
!
ntp server 192.43.244.18 source outside
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
webvpn
url-list Test "Internal Server" 1
smtp-server 192.168.1.14 192.168.1.73
prompt hostname context
Cryptochecksum:bae13b87cd5c34f09b12728de1d161b7
: end
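Neither reply in the thread gives the configuration the poster asked for, so here is an added example (not from the thread, the poster, or Cisco) of the approach a firewall engineer would normally take on a 7.2 ASA: instead of trying to translate a broadcast, drop the NetBIOS traffic at the tunnel with a vpn-filter on the group policy the clients land in. The ACL name `vpn3000_filter` is an assumption; the pool 192.168.200.0/24, the broadcast address 192.168.200.255, and the group-policy `vpn3000` are taken from the posted configuration.

```cisco
! Added example, not part of the posted config.
! Assumed name: vpn3000_filter. Pool and group-policy come from the thread.
!
! vpn-filter ACLs on remote-access tunnels are written with the VPN client
! as the source. Deny NetBIOS name service (udp/137) and datagram service
! (udp/138) to the pool's broadcast address, then permit everything else so
! the clients keep their normal access (split-tunnel-policy is tunnelall).
access-list vpn3000_filter extended deny udp 192.168.200.0 255.255.255.0 host 192.168.200.255 eq netbios-ns
access-list vpn3000_filter extended deny udp 192.168.200.0 255.255.255.0 host 192.168.200.255 eq netbios-dgm
access-list vpn3000_filter extended permit ip 192.168.200.0 255.255.255.0 any
!
! Attach the filter to the group policy that tunnel-group vpn3000 assigns
! (default-group-policy vpn3000 in the posted config).
group-policy vpn3000 attributes
 vpn-filter value vpn3000_filter
!
! Verify: the filter shows in the group policy, the deny lines accumulate
! hit counts as clients connect, and active sessions list the filter.
show running-config group-policy vpn3000
show access-list vpn3000_filter
show vpn-sessiondb remote
```

Because the ASA checks ACLs, including the vpn-filter, before it performs the NAT lookup, a packet dropped here never reaches the translation step that produced the %ASA-3-305005 messages. The drops are logged as ACL denies (%ASA-4-106023), which is warning level and so falls below the `logging mail errors` threshold in this config; leave them in the buffer rather than suppressing the message, since they are also a useful signal that a client has NetBIOS over TCP/IP enabled on its VPN adapter. The filter only affects traffic arriving through the tunnel, so inside hosts are untouched.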
 
I apologize; I do not know the PIX or ASA, and I just noticed that is what you have. There is a PIX forum as well, so make sure you post your question there too.

Burt
 