Question : Cisco ASA 5505 not passing traffic (Possible NAT or ACL issue)
I have an ASA 5505 in front of (7) devices. Each device is statically NAT'd to an external IP address with ACLs restricting the specific ports. This setup works perfectly on ASAs with a single host behind the ASA. Below is a sample config of the ASA. Any help would be greatly appreciated!
interface Vlan10
nameif inside
security-level 100
ip address 10.200.3.161 255.255.255.240
!
interface Vlan300
nameif outside
security-level 0
allow-ssc-mgmt
ip address 172.21.3.74 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 300
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Poll tcp
description External Poller
port-object eq 2101
object-group service Poll2 tcp
description Poll 20000
port-object eq 20000
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq 20000
object-group network New_Hosts
description New Hosts
network-object 192.168.95.0 255.255.255.0
network-object 192.168.96.0 255.255.255.0
network-object 192.168.97.0 255.255.255.0
network-object 192.168.98.0 255.255.255.0
object-group network Old_Hosts
description Old Hosts (Subnets)
network-object 192.168.89.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
network-object 192.168.92.0 255.255.255.0
network-object 192.168.93.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
group-object New_Hosts
group-object Old_Hosts
network-object 192.168.79.0 255.255.255.0
network-object 192.168.201.0 255.255.255.248
object-group network DM_INLINE_NETWORK_4
network-object 192.168.201.0 255.255.255.248
network-object 192.168.79.0 255.255.255.0
group-object New_Hosts
group-object Old_Hosts
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq 20000
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 host 172.21.3.64 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.65 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.66 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.67 log debugging inactive
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 log debugging
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 172.21.3.69 eq 2101 log debugging
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.70 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.71 log debugging inactive
access-list inside_access_in extended permit ip any any log debugging
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.21.3.65 10.200.3.167 netmask 255.255.255.255
static (inside,outside) 172.21.3.66 10.200.3.168 netmask 255.255.255.255
static (inside,outside) 172.21.3.67 10.200.3.169 netmask 255.255.255.255
static (inside,outside) 172.21.3.69 10.200.3.170 netmask 255.255.255.255
static (inside,outside) 172.21.3.70 10.200.3.171 netmask 255.255.255.255
static (inside,outside) 172.21.3.71 10.200.3.172 netmask 255.255.255.255
static (inside,outside) 172.21.3.64 10.200.3.174 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.1 1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Answer : Cisco ASA 5505 not passing traffic (Possible NAT or ACL issue)
If you are trying from 192.168.x.x, then you have to add a route on the ASA:
route inside 192.168.x.x 255.255.x.x <gw>
To allow ICMP:
policy-map global_policy
class inspection_default
inspect icmp
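As an added illustration (not a script from the question or the answer), the following Python cross-checks the pre-8.3 NAT, ACL and routing statements of the posted configuration against each other: static NATs whose matching outside ACE is not active, static NATs whose local address is not on the inside interface's subnet, and which interface a given address would be routed out of, before and after a route inside like the one the answer proposes. The config string is an excerpt of the question's configuration (some lines omitted); the next hop 10.200.3.162 used in the final check is an assumption standing in for the answer's <gw>.

```python
"""Cross-check a pre-8.3 Cisco ASA config for the NAT/ACL/route failure modes
discussed in this thread. Added illustration, not a script from the thread."""
import ipaddress
import re

# Excerpt of the configuration posted in the question (some lines omitted).
ASA_CONFIG = """\
interface Vlan10
 nameif inside
 ip address 10.200.3.161 255.255.255.240
interface Vlan300
 nameif outside
 ip address 172.21.3.74 255.255.0.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 host 172.21.3.64 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.65 log debugging inactive
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 log debugging
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 172.21.3.69 eq 2101 log debugging
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.70 log debugging inactive
static (inside,outside) 172.21.3.65 10.200.3.167 netmask 255.255.255.255
static (inside,outside) 172.21.3.69 10.200.3.170 netmask 255.255.255.255
static (inside,outside) 172.21.3.70 10.200.3.171 netmask 255.255.255.255
static (inside,outside) 172.21.3.64 10.200.3.174 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.21.0.1 1
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_config(cfg):
    """Return interfaces, static NATs (global -> local), ACEs per ACL and a
    route table made of connected subnets plus 'route' statements."""
    ifaces, statics, aces, routes = {}, {}, {}, []
    name = net = None
    for raw in cfg.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            name = net = None
        elif tok[0] == "nameif":
            name = tok[1]
        elif tok[:2] == ["ip", "address"]:
            net = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
        if name and net and name not in ifaces:
            ifaces[name] = net
            routes.append((name, net))  # connected route
        m = STATIC_RE.match(line)
        r = ROUTE_RE.match(line)
        if m:
            statics[m.group(3)] = m.group(4)
        elif r:
            routes.append((r.group(1), ipaddress.IPv4Network(f"{r.group(2)}/{r.group(3)}", strict=False)))
        elif tok[0] == "access-list" and "host" in tok:
            # The ACEs in this thread use 'host <global-ip>' as the destination;
            # take the last 'host' token so a 'host' source does not confuse it.
            idx = len(tok) - 1 - tok[::-1].index("host")
            aces.setdefault(tok[1], []).append((tok[idx + 1], tok[3], "inactive" not in tok))
    return {"ifaces": ifaces, "statics": statics, "aces": aces, "routes": routes}


def nats_without_active_ace(parsed, acl="outside_access_in"):
    """Global IPs that have a static NAT but no active permit ACE on the outside
    ACL: the ASA answers ARP for them yet drops every inbound flow."""
    active = {dst for dst, action, ok in parsed["aces"].get(acl, []) if ok and action == "permit"}
    return sorted(g for g in parsed["statics"] if g not in active)


def statics_off_subnet(parsed, inside="inside"):
    """Static NATs whose local address is not on the inside interface's subnet."""
    net = parsed["ifaces"][inside]
    return sorted(g for g, local in parsed["statics"].items() if ipaddress.IPv4Address(local) not in net)


def egress_interface(parsed, dst):
    """Longest-prefix match over connected and static routes, as the ASA does."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for nameif, net in parsed["routes"]:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (nameif, net)
    return best[0] if best else None


if __name__ == "__main__":
    parsed = parse_config(ASA_CONFIG)
    print("NAT without active ACE:", nats_without_active_ace(parsed))
    print("locals off inside subnet:", statics_off_subnet(parsed))
    for host in ("192.168.95.10", "10.200.3.170"):
        print(host, "->", egress_interface(parsed, host))
    # Assumed next hop: the answer only gives '<gw>', so 10.200.3.162 is made up here.
    with_route = ASA_CONFIG + "route inside 192.168.95.0 255.255.255.0 10.200.3.162 1\n"
    print("192.168.95.10 after route inside ->", egress_interface(parse_config(with_route), "192.168.95.10"))
```

On the excerpt the first check reports 172.21.3.64, .65 and .70, because their ACEs carry the inactive keyword; an inactive ACE stays in the configuration but is not evaluated, so those global addresses are NATted yet nothing is permitted to them. The routing check shows 192.168.95.10 leaving via outside under the default route and via inside once the route inside line is present, which is the effect the answer's suggestion would have.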