15 Replies. Latest reply: Dec 7, 2011 12:31 AM by L34rn1n9n3v43nd5

    NAT config problem

    Abhishek

      Hi,

       

      I am trying to learn NAT with the help of a simple network diagram. Please see the attached file and suggest why I am not able to ping R3 from R1. I did the NAT config on the ASA, which is in between R1 and R2.

       

      Thanks a lot

        • 1. Re: NAT config problem
          Conwyn

          Hi Abhishek.

           

          I cannot see the attachment.

           

          Maybe http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml

           

          Regards Conwyn

          • 2. Re: NAT config problem
            Abhishek

            I just reposted same question again with attachment - please suggest.

            • 3. Re: NAT config problem
              L34rn1n9n3v43nd5

              Abhishek,

               

              Again there is no attachment. Why don't you copy-paste the relevant configuration from R1, R3 and ASA?

               

              Regards,

              Mohit

              • 4. Re: NAT config problem
                Abhishek

                Hi Mohit - here is the config. Also, there is NAT.PDF in another question that I posted with the subject "NAT config problem-Reposting with attachment", just in case. Please suggest what mistake I am making.

                R1 -------------------> ASA -----------------------> R2

                Requirement: R1 (interface towards ASA - 10.1.2.27) should reach/ping R2 (interface towards ASA 209.165.201.3) using NAT.

                R1 and R2 are both simple routers (as I do not have a PC in GNS3).

                The configs that I made are below:

                 

                 

                 

                R1 Config (just gave IP)

                R1#sh run
                !
                interface FastEthernet0/0
                ip address 10.1.2.27 255.255.255.0
                duplex auto
                speed auto
                !

                ASA CONFIG (gave IP and made NAT config)

                !
                interface Ethernet0/0
                nameif inside
                security-level 100
                ip address 10.1.2.1 255.255.255.0
                !
                interface Ethernet0/1
                nameif outside
                security-level 0
                ip address 209.165.201.2 255.255.255.0
                !
                global (outside) 1 209.165.201.4-209.165.201.15
                nat (inside) 1 10.1.2.0 255.255.255.0
                !
                route outside 0.0.0.0 0.0.0.0 209.165.201.3 1

                R2 config (just gave IP and reverse route)

                !
                interface FastEthernet0/0
                ip address 209.165.201.3 255.255.255.0
                duplex auto
                speed auto
                !
                ip route 209.165.201.0 255.255.255.0 209.165.201.2
                !

                • 5. Re: NAT config problem
                  Fernando

                  Looks like you are missing the route to 10.1.2/24 on R2...

                  • 6. Re: NAT config problem
                    L34rn1n9n3v43nd5

                    @Fernando not really, because R2 will never see the 10.1.2.27 with its real IP address...

                     

                    @Abhishek.. your config looks pretty straight... you don't have any access rules or anything specific configured right?

                     

                    Can you try this:

                    static (inside,outside) 209.165.201.4 10.1.2.27

                    • 7. Re: NAT config problem
                      Fernando

                      @L34rn1n9n3v43nd

                      You are right, my bad, it is NAT we are talking about.

                      BTW nice nick

                      @abhishek

                      By default the ASA does not make any inspection on ICMP; you have to enable it:

                      fixup protocol icmp

                       

                       

                      Cheers,

                      • 8. Re: NAT config problem
                        L34rn1n9n3v43nd5

                        thanks man. Hope you got what it says

                         

                        FYI

                        fixup is a 6.x keyword... from 7.x onwards it's now "inspect"

                        http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080b5a512.shtmlf

                        • 9. Re: NAT config problem
                          Piotr Matusiak

                          Do you have a default route on R1 pointing to the ASA, and ICMP inspection? Try telnet instead of ICMP.

                          Enable 'debug icmp trace' on the ASA and you'll see everything.

                           

                          Regards,

                          Piotr

                          • 10. Re: NAT config problem
                            Abhishek

                            Nothing worked, guys :-(

                            I gave fixup protocol icmp but no help.

                            I don't want to give any route on R1 as I am treating it as a PC.

                            Can any one of you load this simple config in your GNS and see if you are able to ping?

                             

                            thanks guys

                            • 11. Re: NAT config problem
                              L34rn1n9n3v43nd5

                              Did you try the static as suggested?

                              Apply bidirectional captures on the inside and outside interfaces of the ASA, then initiate ICMP/Telnet to R2 and share it with us.

                              • 12. Re: NAT config problem
                                Abhishek

                                Yeah, I did. Here is the complete config of all 3 devices.

                                 

                                ASA config

                                ciscoasa# sh run
                                : Saved
                                :
                                ASA Version 8.0(2)
                                !
                                hostname ciscoasa
                                enable password 8Ry2YjIyt7RRXU24 encrypted
                                names
                                !
                                interface Ethernet0/0
                                nameif inside
                                security-level 100
                                ip address 10.1.2.1 255.255.255.0
                                !
                                interface Ethernet0/1
                                nameif outside
                                security-level 0
                                ip address 209.165.201.2 255.255.255.0
                                !
                                interface Ethernet0/2
                                shutdown
                                no nameif
                                no security-level
                                no ip address
                                !
                                interface Ethernet0/3
                                shutdown
                                no nameif
                                no security-level
                                no ip address
                                !
                                interface Ethernet0/4
                                shutdown
                                no nameif
                                no security-level
                                no ip address
                                !
                                interface Ethernet0/5
                                shutdown
                                no nameif
                                no security-level
                                no ip address
                                !
                                passwd 2KFQnbNIdI.2KYOU encrypted
                                ftp mode passive
                                pager lines 24
                                mtu inside 1500
                                mtu outside 1500
                                no failover
                                icmp unreachable rate-limit 1 burst-size 1
                                no asdm history enable
                                arp timeout 14400
                                global (outside) 1 209.165.201.4-209.165.201.15
                                nat (inside) 1 10.1.2.0 255.255.255.0
                                static (inside,outside) 209.165.201.4 10.1.2.27 netmask 255.255.255.255
                                route outside 0.0.0.0 0.0.0.0 209.165.201.3 1
                                timeout xlate 3:00:00
                                timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                                timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                                timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                                timeout uauth 0:05:00 absolute
                                dynamic-access-policy-record DfltAccessPolicy
                                no snmp-server location
                                no snmp-server contact
                                snmp-server enable traps snmp authentication linkup linkdown coldstart
                                no crypto isakmp nat-traversal
                                telnet timeout 5
                                ssh timeout 5
                                console timeout 0
                                threat-detection basic-threat
                                threat-detection statistics access-list
                                !
                                class-map inspection_default
                                match default-inspection-traffic
                                !
                                !
                                policy-map global_policy
                                class inspection_default
                                  inspect icmp
                                !
                                service-policy global_policy global
                                prompt hostname context
                                Cryptochecksum:00000000000000000000000000000000
                                : end

                                 

                                 

                                R1 CONFIG

                                R1#sh run
                                Building configuration...

                                Current configuration : 669 bytes
                                !
                                version 12.4
                                service timestamps debug datetime msec
                                service timestamps log datetime msec
                                no service password-encryption
                                !
                                hostname R1
                                !
                                boot-start-marker
                                boot-end-marker
                                !
                                !
                                no aaa new-model
                                memory-size iomem 5
                                ip cef
                                !
                                !
                                !
                                !
                                ip auth-proxy max-nodata-conns 3
                                ip admission max-nodata-conns 3
                                !
                                !
                                interface FastEthernet0/0
                                ip address 10.1.2.27 255.255.255.0
                                duplex auto
                                speed auto
                                !
                                interface FastEthernet0/1
                                no ip address
                                shutdown
                                duplex auto
                                speed auto
                                !
                                ip forward-protocol nd
                                !
                                !
                                ip http server
                                no ip http secure-server
                                !
                                !
                                !
                                !
                                control-plane
                                !
                                !
                                line con 0
                                line aux 0
                                line vty 0 4
                                login
                                !
                                !
                                end

                                 

                                R2 CONFIG

                                R2#sh run
                                *Mar  1 00:12:22.155: %SYS-5-CONFIG_I: Configured from console by console
                                Building configuration...

                                Current configuration : 673 bytes
                                !
                                version 12.4
                                service timestamps debug datetime msec
                                service timestamps log datetime msec
                                no service password-encryption
                                !
                                hostname R2
                                !
                                boot-start-marker
                                boot-end-marker
                                !
                                !
                                no aaa new-model
                                memory-size iomem 5
                                ip cef
                                !
                                !
                                !
                                ip auth-proxy max-nodata-conns 3
                                ip admission max-nodata-conns 3
                                !
                                !
                                !
                                interface FastEthernet0/0
                                ip address 209.165.201.3 255.255.255.0
                                duplex auto
                                speed auto
                                !
                                interface FastEthernet0/1
                                no ip address
                                shutdown
                                duplex auto
                                speed auto
                                !
                                ip forward-protocol nd
                                !
                                !
                                ip http server
                                no ip http secure-server
                                !
                                !
                                control-plane
                                !
                                !
                                line con 0
                                line aux 0
                                line vty 0 4
                                login
                                !
                                !
                                end

                                • 13. Re: NAT config problem
                                  L34rn1n9n3v43nd5

                                  Configure statement below on R1

                                   

                                  ip route 0.0.0.0 0.0.0.0 10.1.2.1

                                  • 14. Re: NAT config problem
                                    Abhishek

                                    Hey, thanks... works.

                                    What if I have just one PC instead of R1? Will it work, or will I have to give a gateway on the PC? I thought since it is directly connected to the 10.1.2.x IP on the ASA, we do not need a default gateway on R1.
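
Added example, not part of any post in this thread: a small Python model of the packet path, built from the configs in reply 12, showing why the ping fails until R1 gets the default route from reply 13 and why R2 needs no route to 10.1.2.0/24. The function and table names are hypothetical, and the ASA is reduced to a route lookup, the static translation and an ICMP-inspection flag.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. Returns the next hop, "connected", or None (no route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Routing tables constructed from the configs posted in reply 12.
R1_AS_POSTED = [("10.1.2.0/24", "connected")]
R1_WITH_DEFAULT = R1_AS_POSTED + [("0.0.0.0/0", "10.1.2.1")]  # route from reply 13
ASA_ROUTES = [("10.1.2.0/24", "connected"),
              ("209.165.201.0/24", "connected"),
              ("0.0.0.0/0", "209.165.201.3")]
R2_ROUTES = [("209.165.201.0/24", "connected")]
STATIC_NAT = {"10.1.2.27": "209.165.201.4"}  # static (inside,outside) mapping

def trace_ping(r1_routes, inspect_icmp=True, src="10.1.2.27", dst="209.165.201.3"):
    """Follow an echo request from R1 to R2 and the reply back; return the outcome."""
    # 1. R1 needs a route for the destination before it sends anything to the ASA.
    if lookup(r1_routes, dst) is None:
        return f"dropped at R1: no route to {dst}"
    # 2. The ASA translates the inside source, then routes toward the destination.
    mapped = STATIC_NAT.get(src)
    if mapped is None or lookup(ASA_ROUTES, dst) is None:
        return "dropped at ASA: no translation or no route"
    # 3. R2 answers the mapped address; it never sees the real inside address.
    if lookup(R2_ROUTES, mapped) is None:
        return f"reply dropped at R2: no route to {mapped}"
    # 4. The echo reply arrives on the security-level 0 interface; with no
    #    outside ACL it is only allowed back in when ICMP is inspected.
    if not inspect_icmp:
        return "reply dropped at ASA: ICMP not inspected"
    real = next(r for r, m in STATIC_NAT.items() if m == mapped)
    return f"reply delivered to {real}; R2 saw source {mapped}"

if __name__ == "__main__":
    print(trace_ping(R1_AS_POSTED))
    print(trace_ping(R1_WITH_DEFAULT))
```

The same lookup applies to a PC on the inside segment: 209.165.201.3 is outside 10.1.2.0/24, so the host needs a gateway entry pointing at 10.1.2.1 just as R1 did.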
