Help! ASA5510 Lower to Higher

Discussion in 'Cisco' started by dmurray14, Mar 14, 2008.

  1. dmurray14

    dmurray14 Guest

    Hi Guys,

    So here's my setup:

    outside
    |
    |
    ASA
    | |
    inside clients

    On the inside network, which is 172.23.14.0/24, I have some servers
    hooked up. Security is level 100.
    On the clients network, which is 172.23.20.0/24, I have a bunch of
    clients. Security is level 80.

    Basically, I want my client to be able to talk to my servers. Right
    now I can't figure out how the heck to do that though. Actually, I had
    it working an hour ago, but somehow managed to screw it up. I believe
    I got it working by doing:

    global (inside) 1 172.23.14.200-172.23.14.249
    nat (clients) 1 172.23.20.0 255.255.255.0

    However that's still in there and it's not working. It's telling me:
    Deny inbound icmp src clients:172.23.20.100 dst inside:172.23.14.101

    I'm sure there's a better way to do this, I'm very new to it. Any help
    much appreciated.

    Thanks
    Dan
     
    dmurray14, Mar 14, 2008
    #1

  2. Doan

    Doan Guest

    Couldn't you just setup an ACL for this?
    access-list client2servers extended permit ip 172.23.20.0 255.255.255.0 172.23.14.0 255.255.255.0
    access-group client2servers in interface clients

    Doan
     
    Doan, Mar 14, 2008
    #2

  3. dmurray14

    dmurray14 Guest

    Hi Doan,

    I tried that, however I'm told I don't have a translation route then.
    I must be missing something.

    Dan
     
    dmurray14, Mar 14, 2008
    #3
  4. Markus Marquardt

    Markus Marquardt Guest

    Do you have version 7.0 or higher of the OS? Then it depends on whether you have
    enabled NAT control.

    If NAT control is enabled, you need a NAT rule for everything that
    should pass between the interfaces (even if you don't want to change the
    address at all).

    If NAT control is disabled (default), only the appropriate access lists
    are used.

    Command for this:

    (no) nat-control

    Regards
    Markus
     
    Markus Marquardt, Mar 14, 2008
    #4
  5. dmurray14

    dmurray14 Guest

    Hi Markus,

    Still not working. I must be doing something wrong. Included below is
    my config, maybe someone can spot something. Again I am trying to go
    from clients to inside (and vice versa).

    Here's the config:

    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password XXXX encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address XX.XX.XX.51 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 172.23.14.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    nameif client
    security-level 80
    ip address 172.23.20.1 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    passwd XXX encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-
    exceeded
    access-list client-to-inside extended permit ip 172.23.20.0
    255.255.255.0 172.23.14.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu client 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (client) 1 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    access-group client-to-inside in interface client
    route outside 0.0.0.0 0.0.0.0 XX.XX.XX.50 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-
    disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 172.23.14.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 172.23.14.100-172.23.14.105 inside
    dhcpd dns 4.2.2.2 interface inside
    dhcpd enable inside
    !
    dhcpd address 172.23.20.100-172.23.20.155 client
    dhcpd dns 4.2.2.2 interface client
    dhcpd enable client
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    : end
    asdm image disk0:/asdm-602.bin
    no asdm history enable
     
    dmurray14, Mar 14, 2008
    #5
  6. dmurray14

    dmurray14 Guest

    And I did try no nat-control, didn't seem to make a difference
     
    dmurray14, Mar 14, 2008
    #6
  7. mcaissie

    mcaissie Guest

    You can use NAT exemption in this situation.

    Try adding

    access-list nonat_inside extended permit ip 172.23.14.0 255.255.255.0
    172.23.20.0 255.255.255.0
    nat (inside) 0 access-list nonat_inside
    clear xlate

    The clear xlate is to delete existing translations, which may kill existing
    connections.

    And keep your access-group on the client interface, you still need it.
     
    mcaissie, Mar 14, 2008
    #7
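To see why the posted config drops client-to-inside traffic and why the NAT exemption above fixes it, here is a small Python model (added for this thread, not the ASA's own code or anything the posters wrote) of how a pre-8.3 ASA matches a flow against `nat`, `global` and `nat 0 access-list` lines. It is a simplified approximation of the order of operations; the config strings are built from the nat/global lines in post #5 and the exemption lines in post #7.

```python
import ipaddress
import re

# Constructed from the nat/global lines in the posted config (post #5).
CONFIG_POSTED = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (client) 1 0.0.0.0 0.0.0.0
"""
# Same config plus the NAT exemption suggested in post #7.
CONFIG_FIXED = CONFIG_POSTED + """
access-list nonat_inside extended permit ip 172.23.14.0 255.255.255.0 172.23.20.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
"""

def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse(cfg):
    """Collect exemption/dynamic nat lines, (interface, id) globals and ACL entries."""
    nats, globals_, acls = [], set(), {}
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) extended permit \S+ (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nats.append(("exempt", m[1], m[2]))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            nats.append(("dyn", m[1], int(m[2]), _net(m[3], m[4])))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_.add((m[1], int(m[2])))
    return nats, globals_, acls

def check_flow(cfg, src_if, src_ip, dst_if, dst_ip, nat_control=False):
    """Simplified pre-8.3 NAT decision for one flow (assumption: exemption, then dynamic NAT, then nat-control)."""
    nats, globals_, acls = parse(cfg)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption is checked first and matches in both directions.
    for n in nats:
        if n[0] == "exempt" and n[1] in (src_if, dst_if):
            for a, b in acls.get(n[2], []):
                if (s in a and d in b) or (d in a and s in b):
                    return "pass: NAT exemption"
    # 2. A nat line on the ingress interface needs a global with the same id on the egress interface.
    for n in nats:
        if n[0] == "dyn" and n[1] == src_if and s in n[3]:
            if (dst_if, n[2]) in globals_:
                return f"pass: translated via global ({dst_if}) {n[2]}"
            return f"drop: nat ({src_if}) {n[2]} matched but no global ({dst_if}) {n[2]}"
    # 3. Nothing matched: only nat-control decides whether untranslated traffic may pass.
    return "drop: nat-control requires a translation" if nat_control else "pass: untranslated"
```

Running `check_flow(CONFIG_POSTED, "client", "172.23.20.100", "inside", "172.23.14.101")` reports the missing `global (inside) 1`, which is why `no nat-control` alone did not help, while the same flow against `CONFIG_FIXED` passes by exemption.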
  8. Markus Marquardt

    Markus Marquardt Guest

    Maybe you can get more information by using the powerful capture
    function with trace enabled. There you should be able to see what
    happens to the packets. On a PIX with 7.x you can do something like

    capture capture_name interface interface_name trace trace_count

    to start capturing packets, especially trace is useful to see how
    packets are processed, and

    show capture capture_name

    to display the results. For further information look into the reference
    manual.

    Regards
    Markus
     
    Markus Marquardt, Mar 16, 2008
    #8