Question: Cisco ASA 5505 not passing traffic (Possible NAT or ACL issue)
I have an ASA 5505 in front of (7) devices. Each device is statically NAT'd to an external IP address with ACLs restricting the specific ports. This setup works perfectly on ASAs with a single host behind the ASA. Below is a sample config of the ASA. Any help would be greatly appreciated!
interface Vlan10
nameif inside
security-level 100
ip address 10.200.3.161 255.255.255.240
!
interface Vlan300
nameif outside
security-level 0
allow-ssc-mgmt
ip address 172.21.3.74 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 300
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Poll tcp
description External Poller
port-object eq 2101
object-group service Poll2 tcp
description Poll 20000
port-object eq 20000
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq 20000
object-group network New_Hosts
description New Hosts
network-object 192.168.95.0 255.255.255.0
network-object 192.168.96.0 255.255.255.0
network-object 192.168.97.0 255.255.255.0
network-object 192.168.98.0 255.255.255.0
object-group network Old_Hosts
description Old Hosts (Subnets)
network-object 192.168.89.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
network-object 192.168.92.0 255.255.255.0
network-object 192.168.93.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
group-object New_Hosts
group-object Old_Hosts
network-object 192.168.79.0 255.255.255.0
network-object 192.168.201.0 255.255.255.248
object-group network DM_INLINE_NETWORK_4
network-object 192.168.201.0 255.255.255.248
network-object 192.168.79.0 255.255.255.0
group-object New_Hosts
group-object Old_Hosts
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq 20000
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 host 172.21.3.64 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.65 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.66 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.67 log debugging inactive
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 log debugging
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 172.21.3.69 eq 2101 log debugging
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.70 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.71 log debugging inactive
access-list inside_access_in extended permit ip any any log debugging
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.21.3.65 10.200.3.167 netmask 255.255.255.255
static (inside,outside) 172.21.3.66 10.200.3.168 netmask 255.255.255.255
static (inside,outside) 172.21.3.67 10.200.3.169 netmask 255.255.255.255
static (inside,outside) 172.21.3.69 10.200.3.170 netmask 255.255.255.255
static (inside,outside) 172.21.3.70 10.200.3.171 netmask 255.255.255.255
static (inside,outside) 172.21.3.71 10.200.3.172 netmask 255.255.255.255
static (inside,outside) 172.21.3.64 10.200.3.174 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.1 1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Answer: Cisco ASA 5505 not passing traffic (Possible NAT or ACL issue)
If you are trying from 192.168.x.x, then you have to add a route on the ASA:
route inside 192.168.x.x 255.255.x.x <gw>
To allow ICMP:
policy-map global_policy
class inspection_default
inspect icmp
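The three things the answer points at (an inbound permit for each static NAT, icmp inspection in global_policy, and a route that actually covers the 192.168.x.x sources) can be checked mechanically. The script below is an added example and is not part of the question or answer; its sample config is an excerpt of the lines posted in the question, and the regexes assume the pre-8.3 `static (inside,outside)` syntax shown there.

```python
import ipaddress
import re

# Constructed sample: selected lines from the config in the question, plus
# its default route, so the audit can run offline.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 host 172.21.3.64 log debugging inactive
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 log debugging
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 172.21.3.69 eq 2101 log debugging
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.70 log debugging inactive
static (inside,outside) 172.21.3.69 10.200.3.170 netmask 255.255.255.255
static (inside,outside) 172.21.3.70 10.200.3.171 netmask 255.255.255.255
static (inside,outside) 172.21.3.64 10.200.3.174 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.21.0.1 1
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list outside_access_in extended permit .* host (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def audit(config):
    """Cross-check static NATs against *active* inbound permits; report icmp inspection."""
    statics, active, icmp = {}, set(), False
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)          # global IP -> inside host
        elif (m := ACL_RE.match(line)) and not line.endswith(" inactive"):
            active.add(m.group(1))                    # 'inactive' rules never match
        elif line == "inspect icmp":
            icmp = True
    return {"no_active_permit": {g: l for g, l in statics.items() if g not in active},
            "icmp_inspect": icmp}


def egress_interface(config, source_network):
    """Longest-prefix match of a source subnet against the config's 'route' lines."""
    best = None
    for line in config.splitlines():
        if m := ROUTE_RE.match(line.strip()):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            if ipaddress.ip_network(source_network).subnet_of(net) and (
                    best is None or net.prefixlen > best[1].prefixlen):
                best = (m.group(1), net)
    return best[0] if best else None
```

On the posted config, `audit` reports every static except 172.21.3.69 as having only `inactive` permits, and `egress_interface` resolves 192.168.95.0/24 to `outside` via the default route until a more specific `route inside` line is added.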