From: Andrew Hodgson on 22 Jul 2010 15:51

Hi,

I recently upgraded to ASA 8.3 and, so that I could work out the new syntax of the NAT statements, I removed all the migrated config and started again.

I have created NAT statements for all the relevant hosts; however, I didn't create a NAT statement for communication between the local network and the host gollum in the DMZ network, yet I am able to connect to the host fine from any machine on the internal network, and gollum is able to connect to servers on the inside network, and the IP addresses aren't being NATted.

Could someone take a look at this and tell me why this seems to be the case?

Thanks.
Andrew.

ASA Version 8.3(1)
!
hostname pippin
domain-name hodgsonfamily.org
enable password [...]
passwd [...]
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.240
!
interface Vlan3
 nameif dmz
 security-level 90
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name hodgsonfamily.org
object network elrond
 host 192.168.1.2
object network frodo
 host 192.168.1.4
object network pc01
 host 192.168.1.11
object network gollum
 host 192.168.0.2
object network NATPool
 range 10.1.1.10 10.1.1.15
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list dmz_access extended permit tcp host 192.168.0.2 host 192.168.1.2 eq smtp
access-list dmz_access extended permit tcp host 192.168.0.2 host 192.168.1.2 eq domain
access-list dmz_access extended permit udp host 192.168.0.2 host 192.168.1.2 eq domain
access-list dmz_access extended permit tcp host 192.168.0.2 host 192.168.1.2 eq ldap
access-list dmz_access extended deny ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access extended permit ip any any
access-list outside_access extended permit icmp any any echo-reply
access-list outside_access extended permit icmp any any source-quench
access-list outside_access extended permit icmp any any unreachable
access-list outside_access extended permit icmp any any time-exceeded
access-list outside_access extended permit tcp any host 192.168.0.2 eq smtp
access-list outside_access extended permit tcp any host 192.168.0.2 eq domain
access-list outside_access extended permit udp any host 192.168.0.2 eq domain
access-list outside_access extended permit tcp any host 192.168.1.2 eq https
access-list outside_access extended permit tcp any host 192.168.1.4 eq www
access-list outside_access extended permit tcp any host 192.168.1.4 eq https
access-list outside_access extended permit udp host 10.1.1.8 host 192.168.1.11 eq tftp
access-list outside_access extended permit tcp any host 192.168.1.11 eq 54088
access-list outside_access extended permit udp any host 192.168.1.11 eq 54088
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network elrond
 nat (inside,outside) static 10.1.1.3
object network frodo
 nat (inside,outside) static 10.1.1.4
object network pc01
 nat (inside,outside) static 10.1.1.5
object network gollum
 nat (dmz,outside) static 10.1.1.2
object network obj_any
 nat (inside,outside) dynamic NATPool interface
access-group outside_access in interface outside
access-group dmz_access in interface dmz
route outside 0.0.0.0 0.0.0.0 10.1.1.8 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.2
webvpn
username admin password [...] encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome(a)cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2d147f74431341e46b68ffa9bdffc689
: end
pippin#
From: Igor Mamuzić aka Pseto on 23 Jul 2010 07:36
On 22.7.2010. 21:51, Andrew Hodgson wrote:
> Hi,
>
> I recently upgraded to ASA 8.3 and so that I could work out the new
> syntax of the NAT statements, I removed all the migrated config and
> started again.
>
> I have created NAT statements for all the relevant hosts, however, I
> didn't create a NAT statement for communication between the local
> network and the host gollum in the DMZ network, yet I am able to
> connect to the host fine from any machine on the internal network, and
> gollum is able to connect to servers on the inside network, and the IP
> addresses aren't being NATted.
>
> Could someone take a look at this and tell me why this seems to be the
> case?
>
> Thanks.
> Andrew.
>

That's probably because ASA 8.3 has new NAT concepts called Object NAT and Twice NAT... I haven't played with 8.3 yet, but if I understood correctly, you can now bind a network object with NAT in the network object configuration, so you don't need the "old" NAT statement to NAT this object.

More on this subject:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html
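Worked example, added here and not taken from either post or from Cisco: a small Python model of how ASA 8.3 object NAT selects a rule, fed the object and nat lines from the config posted above (frodo and pc01 left out to keep it short). It makes the point the thread circles around: every nat statement in that config names the (inside,outside) or (dmz,outside) interface pair and none names (inside,dmz), and since 8.3 has no nat-control, a flow that matches no rule is simply forwarded with its real addresses, which is exactly what Andrew sees. Only object NAT is modelled, with a simplified rule order (static before dynamic, fewer real addresses first); the caller supplies both interface names, whereas the real box derives the egress interface from the NAT rule or the route. All function and class names are my own, not ASA terminology.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed input: object and nat lines from the config posted above (frodo/pc01 omitted).
SAMPLE_CONFIG = """\
object network elrond
 host 192.168.1.2
object network gollum
 host 192.168.0.2
object network NATPool
 range 10.1.1.10 10.1.1.15
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network elrond
 nat (inside,outside) static 10.1.1.3
object network gollum
 nat (dmz,outside) static 10.1.1.2
object network obj_any
 nat (inside,outside) dynamic NATPool interface
"""
OBJ_RE = re.compile(r"object network (\S+)$")
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) (static|dynamic) (\S+)( interface)?")

def ip2int(s: str) -> int:
    return int(ipaddress.ip_address(s))

@dataclass
class NetObject:
    name: str
    first: int = 0                   # real addresses, inclusive integer range
    last: int = 0
    real_ifc: Optional[str] = None   # from "nat (real_ifc,mapped_ifc) ..."
    mapped_ifc: Optional[str] = None
    kind: Optional[str] = None       # "static" / "dynamic"; None = no nat statement
    mapped: Optional[str] = None     # mapped address (static) or pool object (dynamic)
    pat_fallback: bool = False       # trailing "interface" keyword on a dynamic rule

def parse_objects(config: str) -> Dict[str, NetObject]:
    """Merge each object's address lines and its (later) nat line into one record."""
    objs: Dict[str, NetObject] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = OBJ_RE.match(line)
        if m:
            current = objs.setdefault(m.group(1), NetObject(m.group(1)))
        elif not raw[:1].isspace():  # any other top-level command ends the object block
            current = None
        elif current is None:
            continue
        elif line.startswith("host "):
            current.first = current.last = ip2int(line.split()[1])
        elif line.startswith("subnet "):
            net = ipaddress.ip_network("%s/%s" % tuple(line.split()[1:]), strict=False)
            current.first, current.last = int(net.network_address), int(net.broadcast_address)
        elif line.startswith("range "):
            current.first, current.last = map(ip2int, line.split()[1:])
        else:
            m = NAT_RE.match(line)
            if m:
                current.real_ifc, current.mapped_ifc, current.kind, current.mapped = m.groups()[:4]
                current.pat_fallback = m.group(5) is not None
    return objs

def ordered_rules(objs):
    # Simplified object NAT order: static before dynamic, fewer real addresses first
    # (sorted() is stable, so ties keep config order).
    return sorted((o for o in objs.values() if o.kind),
                  key=lambda o: (o.kind != "static", o.last - o.first))

def _mapped_first(rule, objs) -> int:
    # a static mapped target is either a literal address or another network object
    return objs[rule.mapped].first if rule.mapped in objs else ip2int(rule.mapped)

def translate(objs, src_ifc, src_ip, dst_ifc, dst_ip):
    """(rule, direction, new_src, new_dst) for a flow, or None when no object NAT rule
    names its interface pair: with no nat-control on 8.3 the packet is then forwarded
    with both real addresses unchanged."""
    for r in ordered_rules(objs):
        if (src_ifc, dst_ifc) == (r.real_ifc, r.mapped_ifc) and r.first <= ip2int(src_ip) <= r.last:
            if r.kind == "static":  # host or subnet: same offset into the mapped block
                mapped = _mapped_first(r, objs) + ip2int(src_ip) - r.first
                return (r.name, "source", str(ipaddress.ip_address(mapped)), dst_ip)
            pool = r.mapped + (", interface PAT when exhausted" if r.pat_fallback else "")
            return (r.name, "source", "<dynamic: %s>" % pool, dst_ip)
        if r.kind == "static" and (src_ifc, dst_ifc) == (r.mapped_ifc, r.real_ifc):
            lo, d = _mapped_first(r, objs), ip2int(dst_ip)
            if lo <= d <= lo + r.last - r.first:  # inbound to the mapped address: un-NAT dst
                return (r.name, "destination", src_ip, str(ipaddress.ip_address(r.first + d - lo)))
    return None

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CONFIG)
    for flow in [("inside", "192.168.1.2", "dmz", "192.168.0.2"),  # the poster's case
                 ("inside", "192.168.1.2", "outside", "198.51.100.7"),
                 ("outside", "198.51.100.7", "dmz", "10.1.1.2")]:
        print(flow, "->", translate(objs, *flow) or "no object NAT rule: forwarded untranslated")
```

On the box itself, `show nat detail` lists the rules in the order the ASA really evaluates them, and `packet-tracer input inside tcp 192.168.1.2 1025 192.168.0.2 25` shows whether any NAT phase applies to the inside-to-gollum flow. If you would rather have that flow hit an explicit rule than rely on fall-through, a twice NAT identity rule of the form `nat (inside,dmz) source static inside-net inside-net destination static dmz-net dmz-net` (with `inside-net` and `dmz-net` defined as network objects for the two subnets; names assumed here) does that without changing the addresses.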