
Cisco ASA NAT Problems

/usr/home

Just playing around with an ASA here and I'm having trouble getting inside hosts to get out. I can ping externally through the router, but any inside hosts fail. Packet Tracer says "(acl-drop) Flow is denied by configured rule" I'm not seeing any conflicting ACLs... I've just started with ICND2 studying so I'm not super sure on how to all configure NAT properly, hence why I'm asking. Thanks!

ASA5505# show running-config
: Saved
:
ASA Version 8.4(3)
!
hostname ASA5505
domain-name blah.com
enable encrypted
passwd encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name blah.com
access-list inside standard permit any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.150 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 192.168.1.200 142.165.21.5 interface inside
dhcpd wins 192.168.1.50 192.168.1.60 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username matt password blahh encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e5fcce41bbb0a794fbcdc5d6e6ca2f9a
: end
 
Load up ASDM, go to Tools>Preferences>Check "Preview commands before sending them to the device." Make a change to the NAT configuration and send the change; you'll get a box with the commands ASDM is entering on the CLI for approval. This is how I've learned the ASA command line from day 1. It's nothing like a router, as it runs a different OS, so ICND1&2 aren't going to help you much.
 
ICND1&2 aren't going to help you much.
No doubt. The CCNA doesn't even really talk about firewalls... especially not ASAs. Not sure why you're trying to confuse yourself by working on ASAs when the CCNA is all about routers and switches.
 
No doubt. The CCNA doesn't even really talk about firewalls... especially not ASAs. Not sure why you're trying to confuse yourself by working on ASAs when the CCNA is all about routers and switches.

It wasn't for learning CCNA, just something to learn and play with.
 
This isn't doing what you think:

nat (inside,outside) after-auto source dynamic any interface

Remove it. Then add:

Code:
object network OBJ_NAT-Any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
 
This isn't doing what you think:

nat (inside,outside) after-auto source dynamic any interface

Remove it. Then add:

Code:
object network OBJ_NAT-Any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

I figured you'd post an answer ;) Thanks. It's working now. Now to mess with getting port forwarding working.
 
I figured you'd post an answer ;) Thanks. It's working now. Now to mess with getting port forwarding working.

Port forwarding is interesting with the new code. There are two ways to do it. One is with Manual/Twice NAT. It will look something like this:

Code:
object network OBJ_2811-Router
 host 192.168.13.2

object service OBJ_SIP-Port-TCP
 service tcp source eq sip 

nat (inside,outside) source static OBJ_2811-Router interface service OBJ_SIP-Port-TCP OBJ_SIP-Port-TCP

This is a static PAT. It says PAT the 2811 object to the outside interface using the port objects. This is the more complex way, but it saves a lot of lines in the config.

The other way is within the object, so:

Code:
object network OBJ_H-Test_PAT-80
 host 192.168.22.100
 nat (inside,outside) static interface service tcp 80 80

The problem with this way is that you can only do one NAT per object. So you'd need another one if you were going to do 443 for instance:

Code:
object network OBJ_H-Test_PAT-443
 host 192.168.22.100
 nat (inside,outside) static interface service tcp 443 443
 
I got everything working here finally. I had to do a lot of "cheating" and use the ASDM. I got the SSL VPN and everything working as well. Even NATing two public IPs to different hosts. I would have been screwed doing just CLI for it. I could do CLI up until some of the more advanced port forwards and then I had to use the GUI. Oh well, I'm still working on my CCENT and CCNA so I guess I'm a newbie :p

I do have to say my Mikrotik was a lot easier to setup.
 
Dude, I've been working on ASAs for about 3 years now and I still use ASDM whenever I can. ASDM actually works pretty well compared to other Cisco software. Minimal complaints here!
 
Dude, I've been working on ASAs for about 3 years now and I still use ASDM whenever I can. ASDM actually works pretty well compared to other Cisco software. Minimal complaints here!

But, but, but, use the CLI NEWB! I thought it was alright. It doesn't seem very specific on some items. It would say for example interface: then give an option. Not having done it before, I had no idea which interface I wanted. Having done it now I understand, but it's not very first-time-user friendly. Then again if you are using Cisco gear you aren't really a networking noob I guess.
 
Hahaha... Yeah, I dunno... The great thing about ASDM isn't so much that it's user friendly, but more that you learn the CLI pretty quickly by using it. Understanding both ASDM and the CLI gives you the option to pick the fastest method for whatever you're setting up. E.g. if I'm configuring a new VPN, I almost always use the VPN wizard in ASDM, but if I'm making a change to a VPN, like altering the key or the interesting traffic, I'll hop on the CLI.

Using a GUI tool to make your job easier and to learn isn't a bad thing. Don't get on that bandwagon or you'll be doing more work for no reason!
 
Ugh, had to downgrade to 8.2.4 since that RAM I tried to upgrade to 512 with keeps causing issues so I'm back to 256 of RAM for a while here till the real stuff I ordered gets here. Anyways, the 8.2 NAT stuff is different from 8.4. I can get my main IP port forwards to work, but not my second static IP. It worked great on 8.4 so I'm not sure what's going on here.

!
hostname ciscoasa
enable password F encrypted
passwd encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address main_static 255.255.255.0
!
ftp mode passive
clock timezone CST -6
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in remark Allow ICMP
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in remark Allow SMTP
access-list outside_access_in extended permit tcp any host second_static eq smtp
access-list outside_access_in extended permit tcp any host second_static eq https
access-list outside_access_in extended permit tcp any host second_static eq www
access-list inside-tunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-ip-pool 192.168.2.100-192.168.2.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
static (outside,inside) tcp 192.168.1.60 www 0.0.0.0 www netmask 255.255.255.255
static (inside,outside) tcp second_static https 192.168.1.60 https netmask 255.255.255.255
static (inside,outside) tcp second_static smtp 192.168.1.203 smtp netmask 255.255.255.255
static (inside,inside) tcp second_static www 192.168.1.60 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP_Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
SSL CERT STUFF OMITTED
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.200 142.165.21.5 interface inside
dhcpd wins 192.168.1.50 192.168.1.60 interface inside
dhcpd domain pc-tech.local interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint2 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 192.168.1.50 192.168.1.60
dns-server value 192.168.1.200 142.165.21.5
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside-tunnel
default-domain value pc-tech.local
address-pools value vpn-ip-pool
webvpn
svc ask enable
username matt password encrypted
username matt attributes
service-type admin
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-ip-pool
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bbb0774884e577eb0ec4f079b76c9df4
: end
 
Well, I can't say I know what you are trying to do based on those nat commands... neither the policy nat nor the statics really make much sense as configured.

Pull all that stuff off and do a clear xlate. Since you have nat-control enabled you will need to have translations defined for all flows through the firewall between interfaces in both directions. Start with the static nat statements, build those and test them first since they are higher in precedence than dynamic or policy nat. Once you have the static translations working add the other nat statements back in. Remember any time you make a change to nat you should be issuing a clear xlate, clear arp, clear conn, etc because the firewall is going to remember all that state information until it times out...
 

It was working but some stuff was disabled, mainly the VPN which is the biggest reason for going with an ASA. It seemed to crash too, but I'm on 8.2.5 and I tried 8.2.4 and they are crashing as well, looks like it may be a hardware issue... If Mikrotik had as slick a VPN setup as the ASAs do, I'd be all over it. What annoys me is not being able to push routes on the Mikrotik to the VPN clients like Cisco does.
 
Hi /usr/home,

I have been looking for a config for the 5505 8.4(2) that allows multiple servers behind the firewall with static mappings to public IPs for each server. I came across this thread and though you address a different issue I notice that you mention that you already have your ASA doing this.

Would you be so kind as to post your config here? Cisco says it is not possible. A number of people have posted workarounds, but in pre-8.3. 8.4 being the totally different animal that it is has me stumped. Yours is the first success story I have seen on the 8.4.

Please help?
 
E.g. if I'm configuring a new VPN, I almost always use the VPN wizard in ASDM, but if I'm making a change to a VPN, like altering the key or the interesting traffic, I'll hop on the CLI.

QFT!!! Never use ASDM to modify a VPN config. It'll fubar it every time!
 
Hi /usr/home,

I have been looking for a config for the 5505 8.4(2) that allows multiple servers behind the firewall with static mappings to public IPs for each server. I came across this thread and though you address a different issue I notice that you mention that you already have your ASA doing this.

Would you be so kind as to post your config here? Cisco says it is not possible. A number of people have posted workarounds, but in pre-8.3. 8.4 being the totally different animal that it is has me stumped. Yours is the first success story I have seen on the 8.4.

Please help?

How mine is set up is I have 2 static IPs from my ISP. I have my first IP configured on the external interface and then I create NAT rules for my second static IP. All servers use the first static IP for traffic, but for specific services like WWW, SMTP, etc., I have the ports all set to the second static IP.

Is this kind of what you want to do, or do you want a 1:1 mapping of static to private? I'm not doing a complete mapping, just a select few ports.
 
QFT!!! Never use ASDM to modify a VPN config. It'll fubar it every time!

Gonna give this a third'ed here. My boss showed me a change he did via ASDM once to the VPN and holy shit it was messed up. CLI is much preferred for playing with the vpn itself, even more so if I'm doing point to point
 
How mine is set up is I have 2 static IPs from my ISP. I have my first IP configured on the external interface and then I create NAT rules for my second static IP. All servers use the first static IP for traffic, but for specific services like WWW, SMTP, etc., I have the ports all set to the second static IP.

Is this kind of what you want to do, or do you want a 1:1 mapping of static to private? I'm not doing a complete mapping, just a select few ports.

I think mine is a bit different.

I have an IP range that I have been assigned by my provider. I am trying to place servers behind the ASA so that they are accessible from the internet on their respective IPs. I am currently doing this in transparent mode quite okay. But now a requirement for a VPN has come up and so I need the servers to be available and also be able to terminate a couple of VPNs on it. Transparent mode cannot terminate VPNs.

I want a static 1:1 mapping so servers can receive and reply on their specific addresses. I don't need all ports to be open though, just a few per server.

I've read about ARP static mapping for the subsequent IPs being able to do this but all the examples I've seen are pre-8.4
 
I had issues with the ASDM and vpn as well. I learned how to do ipsec through the cli and the correct code was being shot down by all the crap the ASDM threw in there. I had to manually delete a lot of stuff.

Now I got that working even with split tunneling.

Edit: Spoke too fast... all of a sudden the ASA has been blocking internal hosts. Looking at the logs, all I see is a bunch of "inbound TCP connection denied from flags SYN on interface inside".

I added "same-security-traffic permit intra-interface" and everything is now back up, and the logs are clear of errors. Is this a normal statement to have in an ASA with only one subnet? Or is my config just so foo-fooed from a year before when I started to learn that it's time for a clean slate to write a new config...
 
If you don't mind I'll just post this here though it is a slight thread hijack. Just in case someone else with my issue finds this thread.

I figured out the issue and it was not as hard as I thought. Initially I was trying to put the public IPs on the outside interface and this is where all the problems were. It's a well-known no-no for Cisco ASAs and PIXs.

However, static 1:1 maps are pretty straightforward. For this scenario
ASA 5505 8.4(2)
Real IP (external IP) = 172.18.62.141
Mapped IP (Internal IP ) = 192.168.62.141

1) Create the objects for the real IP (external) and the mapped IP (internal):

Code:
object network ip_internal_141
 host 192.168.62.141

object network ip_external_141
 host 172.18.62.141

2) Create the static 1:1 map

Code:
object network ip_internal_141
 nat (inside,outside) static ip_external_141

3) Create the access list to allow the traffic in (note the IP used here is the internal IP even though this will be applied on the outside interface). Apparently Cisco has changed something so NAT happens before access lists or something like that.

Code:
access-list outside_access_in remark Inbound to the .141 server; 8.3+ matches the real (inside) IP after un-NAT
access-list outside_access_in extended permit ip any host 192.168.62.141

4) Apply the access list to the outside interface

Code:
access-group outside_access_in in interface outside

That's it. Repeat for all other IP mappings.

Notes:

a) I tried subnet 1:1 mapping and I am not sure if it worked. The show xlate showed some very weird stuff though. The individual IP mappings had seemingly random /29 /30 and /31 subnets which I did not understand.

b) Even after inputting this config I could not get any traffic through till after maybe an hour (In fact I had given up and left. Tried it after an hour and it worked!). Some people say it is due to ARP values that need to expire. I don't know. This is also the reason I am not sure (a) above didn't work
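Why step 3 above has to use the internal address, and how a per-port static PAT like the object-NAT port forward earlier in the thread resolves, modelled in Python. This is an added example, not code from the thread or from Cisco: it emulates only the order in which un-NAT and the outside-interface ACL are applied (pre-8.3 versus 8.3+), uses first-match rule selection, and assumes a constructed outside interface IP of 203.0.113.1.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass(frozen=True)
class StaticNat:
    real_ip: str                     # inside (real) address
    mapped_ip: str                   # public (mapped) address or outside interface IP
    proto: Optional[str] = None      # None: plain 1:1 static, any protocol and port
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None
@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    dst_ip: str                      # "any" or a host address
    dst_port: Optional[int] = None   # None: any port

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: Optional[int] = None

def untranslate(pkt: Packet, nats: List[StaticNat]) -> Optional[Packet]:
    """Reverse the static translation: mapped (public) destination -> real destination."""
    for n in nats:                                           # first match wins (simplified)
        if n.mapped_ip != pkt.dst_ip:
            continue
        if n.proto is None:                                  # 1:1 static, all ports
            return Packet(pkt.proto, n.real_ip, pkt.dst_port)
        if n.proto == pkt.proto and n.mapped_port == pkt.dst_port:   # static PAT
            return Packet(pkt.proto, n.real_ip, n.real_port)
    return None                                              # no xlate: packet dropped

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an interface ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto) or ace.dst_ip not in ("any", pkt.dst_ip):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action == "permit"
    return False

def inbound(pkt: Packet, nats: List[StaticNat], acl: List[Ace],
            version: str) -> Tuple[bool, Optional[str]]:
    """(allowed, real destination) for a packet arriving on the outside interface.
    Pre-8.3 the outside ACL saw the mapped address; 8.3+ evaluates it after un-NAT."""
    real = untranslate(pkt, nats)
    if real is None:
        return False, None
    checked = pkt if version == "8.2" else real              # which address the ACL sees
    return acl_permits(acl, checked), real.dst_ip

# Values from the thread: the .141 server's 1:1 static, plus a tcp/80 static PAT to the
# outside interface; 203.0.113.1 is a constructed placeholder for that interface's IP.
NATS = [StaticNat("192.168.22.100", "203.0.113.1", "tcp", 80, 80),
        StaticNat("192.168.62.141", "172.18.62.141")]
ACL_REAL_IP = [Ace("permit", "ip", "192.168.62.141")]     # 8.3+ style, as in step 3
ACL_PUBLIC_IP = [Ace("permit", "ip", "172.18.62.141")]    # the pre-8.3 habit
```

Running the same packet to 172.18.62.141 through both versions shows the ACL written with the public IP only matches on 8.2, and the one written with the internal IP only matches on 8.3+.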
 