6 Replies Latest reply: Apr 23, 2012 7:02 AM by carlos - CCNP, CCSI, CCNA Security

    ASA 5510 static nat

    carlos - CCNP, CCSI, CCNA Security

      Hello good people,

      Something really strange is happening with ASA 5510.

      I have configured a static NAT translation for a DMZ web server.

      What happens is that the pings to this server are unstoppable.

      Even when the server is down, you still can ping it.

      I unplugged the Ethernet cable and still the pings are going through.

      So my question is, how come?

      Thanks in advance.

      Carlos Dias.

        • 1. Re: ASA 5510 static nat
          Fabio - FW specialist

          Hi Carlos,

          Please upload your NAT configuration (complete) and the output of show xlate.

          bye

          fabio

          • 2. Re: ASA 5510 static nat
            carlos - CCNP, CCSI, CCNA Security

            ASA-FERRA1# show xlate
            596 in use, 935 most used
            Global DNS_EXTERNO Local DNS_DMZ_PRI
            Global Web_EXT Local WEB_DMZ
            Global DNS_EXT2 Local DNS_DMZ2
            Global ISA_EXT Local ISA_INT
            Global 10.1.80.9 Local 41.72.21.241
            Global 10.1.80.8 Local 107.6.131.250
            Global WEB_DMZ Local 168.187.174.227
            Global ISA_INT Local 109.188.223.162
            PAT Global 66.178.75.81(53964) Local 10.1.20.29(51716)
            PAT Global 66.178.75.81(14134) Local 10.1.20.29(51715)
            PAT Global 66.178.75.81(6471) Local 10.1.20.29(51543)
            PAT Global 66.178.75.81(5334) Local 10.1.20.29(51535)
            PAT Global 66.178.75.81(29157) Local 10.1.20.29(62861)
            PAT Global 66.178.75.81(51450) Local 10.1.20.23(50519)
            PAT Global 66.178.75.81(9039) Local 10.1.20.26(49868)
            PAT Global 66.178.75.81(28429) Local 10.1.20.26(49867)
            PAT Global 66.178.75.81(1055) Local 10.1.20.26(49866)
            PAT Global 66.178.75.81(61915) Local 10.1.20.26(49865)
            PAT Global 66.178.75.81(54584) Local 10.1.20.26(49864)
            PAT Global 66.178.75.81(58867) Local 10.1.20.26(49863)


            ASA-FERRA1# show nat

            NAT policies on Interface inside:
              match ip inside any inside any
                dynamic translation to pool 1 (No matching global)
                translate_hits = 0, untranslate_hits = 0
              match ip inside any Outside any
                dynamic translation to pool 1 (66.178.75.81 [Interface PAT])
                translate_hits = 47233, untranslate_hits = 7306
              match ip inside any dmz any
                dynamic translation to pool 1 (WEB_DMZ - 10.1.80.9)
                translate_hits = 0, untranslate_hits = 0
              match ip inside any management any
                dynamic translation to pool 1 (No matching global)
                translate_hits = 0, untranslate_hits = 0

            NAT policies on Interface Outside:
              match ip Outside any inside host Web_EXT
                dynamic translation to pool 1 (No matching global)
                translate_hits = 0, untranslate_hits = 0
              match ip Outside any Outside host Web_EXT
                dynamic translation to pool 1 (66.178.75.81 [Interface PAT])
                translate_hits = 0, untranslate_hits = 0
              match ip Outside any dmz host Web_EXT
                dynamic translation to pool 1 (WEB_DMZ - 10.1.80.9)
                translate_hits = 2190, untranslate_hits = 338
              match ip Outside any management host Web_EXT
                dynamic translation to pool 1 (No matching global)
                translate_hits = 0, untranslate_hits = 0

            NAT policies on Interface dmz:
              match ip dmz host DNS_DMZ_PRI Outside any
                static translation to DNS_EXTERNO
                translate_hits = 19572, untranslate_hits = 1423
              match ip dmz host WEB_DMZ Outside any
                static translation to Web_EXT
                translate_hits = 83202, untranslate_hits = 2205
              match ip dmz host DNS_DMZ2 Outside any
                static translation to DNS_EXT2
                translate_hits = 259, untranslate_hits = 3516
              match ip dmz host ISA_INT Outside any
                static translation to ISA_EXT
                translate_hits = 0, untranslate_hits = 577

            • 3. Re: ASA 5510 static nat
              Fabio - FW specialist

              I need the running-configuration of all NAT (static, dynamic).

              Which xlate matches your issue case?

              fabio

              • 4. Re: ASA 5510 static nat
                carlos - CCNP, CCSI, CCNA Security


                name 66.178.75.184 DNS_EXTERNO description NAT_DMZ_DNS
                name 10.1.80.4 DNS_DMZ_PRI description DNS_DMZ_PRI
                name 10.1.80.6 WEB_DMZ description WEB_D
                name 66.178.175.86 Web_EXT description WEB_X
                name 10.1.80.5 DNS_DMZ2 description DNS_D2
                name 66.178.75.185 DNS_EXT2 description DNS_X2
                name 66.178.75.182 ISA_EXT description IP PUBLICO PARA O ISA
                name 10.1.80.7 ISA_INT description Isa parte interna
                !
                access-list inside_access_in extended permit ip any any
                access-list Outside_access_in extended permit ip any host Web_EXT
                access-list Outside_access_in extended permit ip any host DNS_EXTERNO
                access-list Outside_access_in extended permit ip any host DNS_EXT2
                access-list dmz_access_in extended permit ip host DNS_DMZ_PRI interface Outside
                access-list dmz_access_in extended permit ip any any
                access-list Outside_nat_outbound remark This is for DMZ server pool
                access-list Outside_nat_outbound extended permit ip any host Web_EXT 


                global (Outside) 1 interface
                global (dmz) 1 WEB_DMZ-10.1.80.9 netmask 255.255.255.0
                nat (inside) 1 0.0.0.0 0.0.0.0
                nat (Outside) 1 access-list Outside_nat_outbound outside
                static (dmz,Outside) DNS_EXTERNO DNS_DMZ_PRI netmask 255.255.255.255
                static (dmz,Outside) Web_EXT WEB_DMZ netmask 255.255.255.255
                static (dmz,Outside) DNS_EXT2 DNS_DMZ2 netmask 255.255.255.255
                static (dmz,Outside) ISA_EXT ISA_INT netmask 255.255.255.255
                access-group inside_access_in in interface inside
                access-group Outside_access_in in interface Outside
                access-group dmz_access_in in interface dmz
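As an added check that is not part of the thread (an editor's example, not Carlos's or Fabio's code), the parser below reads the NAT lines posted above, resolves the ASA name objects, and flags any static translation whose real address also falls inside a dynamic global pool on the same interface; overlapping pools and statics are one of the first things worth ruling out when a translation behaves unexpectedly. The sample input is a constructed excerpt of the configuration in this post.

```python
import ipaddress
import re

# Constructed sample input: NAT-relevant lines taken from the configuration posted above.
ASA_CONFIG = """
name 66.178.75.184 DNS_EXTERNO description NAT_DMZ_DNS
name 10.1.80.4 DNS_DMZ_PRI description DNS_DMZ_PRI
name 10.1.80.6 WEB_DMZ description WEB_D
name 66.178.175.86 Web_EXT description WEB_X
name 66.178.75.182 ISA_EXT description IP PUBLICO PARA O ISA
name 10.1.80.7 ISA_INT description Isa parte interna
global (Outside) 1 interface
global (dmz) 1 WEB_DMZ-10.1.80.9 netmask 255.255.255.0
static (dmz,Outside) DNS_EXTERNO DNS_DMZ_PRI netmask 255.255.255.255
static (dmz,Outside) Web_EXT WEB_DMZ netmask 255.255.255.255
static (dmz,Outside) ISA_EXT ISA_INT netmask 255.255.255.255
"""

def parse_names(config):
    """Map each 'name <ip> <label>' object to its address."""
    return {m.group(2): ipaddress.ip_address(m.group(1))
            for m in re.finditer(r"^name (\S+) (\S+)", config, re.M)}

def resolve(token, names):
    # A token in a NAT line is either a name object or a literal address.
    return names[token] if token in names else ipaddress.ip_address(token)

def parse_pools(config, names):
    """{iface: [(first, last), ...]} from 'global (iface) <id> <a>[-<b>]'; interface PAT is skipped."""
    pools = {}
    for m in re.finditer(r"^global \((\S+)\) \d+ (\S+)", config, re.M):
        iface, rng = m.groups()
        if rng == "interface":
            continue
        lo, _, hi = rng.partition("-")
        pools.setdefault(iface, []).append((resolve(lo, names), resolve(hi or lo, names)))
    return pools

def parse_statics(config, names):
    """[(real_iface, mapped_iface, mapped_ip, real_ip)] from 'static (real,mapped) <mapped> <real>'."""
    return [(r, mp, resolve(m_ip, names), resolve(r_ip, names)) for r, mp, m_ip, r_ip in
            re.findall(r"^static \(([^,]+),([^)]+)\) (\S+) (\S+)", config, re.M)]

def pool_collisions(config):
    """Real addresses of static translations that also lie inside a dynamic pool on their own interface."""
    names = parse_names(config)
    pools = parse_pools(config, names)
    return [(str(ip), iface, f"{lo}-{hi}") for iface, _, _, ip in parse_statics(config, names)
            for lo, hi in pools.get(iface, []) if lo <= ip <= hi]
```

Run pool_collisions(ASA_CONFIG) against a full running-config to list every static real address that a dynamic pool on the same interface can also hand out.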

                • 5. Re: ASA 5510 static nat
                  Fabio - FW specialist

                  OK

                  Now, which one of these is the NAT you spoke of?

                  • 6. Re: ASA 5510 static nat
                    carlos - CCNP, CCSI, CCNA Security

                    name 66.178.175.86 Web_EXT description WEB_X

                    access-list Outside_access_in extended permit ip any host Web_EXT

                    static (dmz,Outside) Web_EXT WEB_DMZ netmask 255.255.255.255

                    That's the one.