ASA 5510 UDP NAT problem

Discussion in 'Cisco' started by will74103@yahoo.com, Feb 6, 2007.

  1. Guest

    Hello all,

    Just received new ASA 5510 and am doing initial testing and config in
    my lab. I have set up three interfaces

    e0/0 as inside security=100
    e0/1 as dmz security=50
    e0/2 as outside security=0

    I used the following statement to set up dynamic nat

    nat (inside) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface


    I have two simple access lists configured for testing.

    access-list inside_in extended permit icmp any any echo
    access-list inside_in deny ip any any

    access-list outside_in permit icmp any any echo-reply

    So here's what I'm seeing:

    When I ping an address on the outside, it works fine. The address is
    properly NAT'd
    and I get the reply. If I try to telnet out to a device, it blocks
    it as expected as per the access-list.

    Now the strange part. My 6509 in my lab is running the config
    from my production switch and is configured to
    hit an NTP server on our internal network. This VLAN is not up in the
    lab. So it is sending NTP UDP packets looking for the server. Since
    that NTP server is not there and the VLAN is not up, the 6509 is
    sending these requests out the default route, which sends them to the
    ASA 5510.

    I am seeing these UDP packets coming out of the outside interface of
    the ASA. They also are not being NAT'd, which is quite disturbing.


    We are moving to this from another firewall and this is my first go
    around with a Cisco firewall, so I'm sure I'm just missing something.


    Thanks for your help,


    Will
     
    , Feb 6, 2007
    #1

  2. Guest

    Update:

    I just applied the nat-control command. This did not have
    any effect. The UDP packets are still being routed thru the ASA and
    are not NAT'd.
     
    , Feb 6, 2007
    #2

  3. Guest

    On Feb 6, 8:56 am, wrote:
    > Update:
    >
    > I just applied the nat-control command. This did not have
    > any effect. The UDP packets are still being routed thru the ASA and
    > are not NAT'd.


    OK. I removed the NAT commands, reloaded the ASA, re-entered the
    same NAT commands. This seemed to relieve the problem. No more of
    the NTP packets showing up outbound on the ASA outside interface. The
    ACL that is denying all IP on the inside interface is incrementing.
    So it looks like it is working as expected now.

    But this should not have had to be reloaded to resolve this. Is it
    possible that a clear local-host would have cleared this up?


    Your thoughts on this appreciated.



    Thanks,


    Will
     
    , Feb 6, 2007
    #3
  4. Smokey Guest

    wrote:
    >
    > OK. I removed the NAT commands, reloaded the ASA, re-entered the
    > same NAT commands. This seemed to relieve the problem. No more of
    > the NTP packets showing up outbound on the ASA outside interface. The
    > ACL that is denying all IP on the inside interface is incrementing.
    > So it looks like it is working as expected now.
    >
    > But this should not have had to be reloaded to resolve this. Is it
    > possible that a clear local-host would have cleared this up?



    After making any translation changes it is best practice to issue the
    clear xlate command. This will clear the translations already in the
    firewall; what you did by reloading the firewall basically did this as
    well, but you should not have to reload the firewall.
     
    Smokey, Feb 6, 2007
    #4
  5. Guest

    On Feb 6, 11:04 am, Smokey <> wrote:
    >
    > After making any translation changes it is best practice to issue the
    > clear xlate command, this will clear the translations in the firewall
    > already, what you did by reloading the firewall basically did this as
    > well but you should not have to reload the firewall


    Thanks for the input. I had seen this, but had not thought of trying
    it.

    Any thoughts on why this was initially not meeting any of the nat
    rules and being routed without being translated?
     
    , Feb 6, 2007
    #5
  6. Smokey Guest

    wrote:
    >
    > Thanks for the input. I had seen this, but had not thought of trying
    > it.
    >
    > Any thoughts on why this was initially not meeting any of that nat
    > rules and being routed without being translated?
    >


    nat (inside) 1 0.0.0.0 0.0.0.0

    Instead of using 0.0.0.0 0.0.0.0, I would suggest limiting the statement
    to your internal subnet.

    nat (inside) 1 192.168.0.0 255.255.255.0
     
    Smokey, Feb 6, 2007
    #6
  7. Guest

    On Feb 6, 12:02 pm, Smokey <> wrote:
    >
    > nat (inside) 1 0.0.0.0 0.0.0.0
    >
    > Instead of using 0.0.0.0 0.0.0.0 I would suggest limiting the statement
    > to your internal subnet.
    >
    > nat (inside) 1 192.168.0.0 255.255.255.0


    I need to allow access from multiple subnets. Would this require
    multiple NAT statements, or can an access list be used to classify
    traffic? I haven't seen a good example of doing this in any of the
    materials that I have. Using the 0.0.0.0 mask was the suggestion in
    the command reference.

    But I will be playing with it over the next couple of weeks.
     
    , Feb 6, 2007
    #7
  8. In article <>,
    <> wrote:
    >On Feb 6, 12:02 pm, Smokey <> wrote:
    >> wrote:
    >> > On Feb 6, 11:04 am, Smokey <> wrote:
    >> >> wrote:
    >> >>> On Feb 6, 8:56 am, wrote:
    >> >>>> On Feb 6, 8:29 am, wrote:


    It's good to trim out previous text that is no longer necessary
    to the discussion.


    >> Instead of using 0.0.0.0 0.0.0.0 I would suggest limiting the statement
    >> to your internal subnet.


    >> nat (inside) 1 192.168.0.0 255.255.255.0


    >I need to allow access from multiple subnets. Would this require
    >multiple NAT statements or can an access list be used to classify
    >traffic.


    You can use multiple nat (inside) 1 statements, each naming
    a different subnet, or (with PIX 6.3) you can use nat with an access-list.

    If you do use nat with an access-list, be sure to look up the
    priority order for the various forms of the 'nat' command.
     
    Walter Roberson, Feb 6, 2007
    #8
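Pulling together Smokey's clear xlate advice (#4) and Walter's two ways of covering several inside subnets (#8), here is an added configuration example; it is not from any poster in this thread and uses the pre-8.3 nat/global syntax the thread is written in. The subnets 192.168.10.0/24 and 192.168.20.0/24, the access-list names inside_nat and rfc1918_src, and the capture name leak_check are assumptions chosen for illustration.

```cisco
! Option A: one regular dynamic NAT statement per inside subnet.
! All share NAT ID 1, so all of them PAT to the outside interface address.
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface

! Option B: classify the subnets with an access-list (policy NAT) instead.
! Remove the Option A nat lines first if switching, so only one method is
! in play. Policy NAT (nat with access-list) is evaluated before regular
! nat statements, which is the priority order Walter refers to.
access-list inside_nat extended permit ip 192.168.10.0 255.255.255.0 any
access-list inside_nat extended permit ip 192.168.20.0 255.255.255.0 any
nat (inside) 1 access-list inside_nat
global (outside) 1 interface

! Require a translation for every inside-to-outside flow. With this set,
! a packet that matches no nat rule is dropped instead of being routed
! out untranslated.
nat-control

! After any change to nat, global or static commands, flush existing
! translations so stale xlate entries do not keep the old behaviour alive.
clear xlate

! Verification: rule hit counts, the live translation table, and per-ACE
! hit counts that confirm the access-list is classifying the subnets.
show nat
show xlate
show access-list inside_nat

! Detection check for the symptom in this thread: packets with an RFC1918
! source leaving the outside interface are untranslated and should not be
! there. Anything this capture collects is a leak to investigate.
access-list rfc1918_src extended permit ip 10.0.0.0 255.0.0.0 any
access-list rfc1918_src extended permit ip 172.16.0.0 255.240.0.0 any
access-list rfc1918_src extended permit ip 192.168.0.0 255.255.0.0 any
capture leak_check access-list rfc1918_src interface outside
show capture leak_check
no capture leak_check
```

Use either Option A or Option B, not both, and run clear xlate after the change so that a flow already in the translation table cannot mask whether the new rules are matching. An empty leak_check capture after a few minutes of normal inside traffic is the evidence that every outbound flow is being translated.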
  9. Guest

    On Feb 6, 1:34 pm, (Walter Roberson) wrote:
    > It's good to trim out previous text that is no longer necessary
    > to the discussion.
    >
    > >> Instead of using 0.0.0.0 0.0.0.0 I would suggest limiting the statement
    > >> to your internal subnet.
    > >> nat (inside) 1 192.168.0.0 255.255.255.0

    > >I need to allow access from multiple subnets. Would this require
    > >multiple NAT statements or can an access list be used to classify
    > >traffic.

    >
    > You can use multiple nat (inside) 1 statements each naming
    > a different subnet, or (with PIX 6.3) you can use nat with an access-list .
    >
    > If you do use nat with an access-list, be sure to look up the
    > priority order for the various forms of the 'nat' command.


    Very cool. access-list in place and working well.
     
    , Feb 6, 2007
    #9