Cisco – ASA5506 Likely NAT issue with ISP


Background: I am setting up a network for a local church I attend. The setup will be:

Currently: ATT DSL -> Motorola 3801HGV set in transparent (bridging) mode -> outside interface of ASA5506 (configured for DHCP from DSL modem) -> inside interface of 5506 (172.16.0.2 IP) -> routed interface on Cisco 3750 (Gi1/0/3).

The 3750 has 3 private networks. All networks can talk to each other without issue. All networks can ping the 172.16.0.2 IP (inside interface of ASA5506). Those three private networks are:

10.1.1.0/24
10.1.2.0/24
10.1.3.0/24

Note: I have single area OSPF running on the 3750 that performs my routing. I have default information originate configured there as well.

I currently have NAT configured on my ASA so that when traffic leaves the outside interface, it is PAT-ed to the external ISP IP (108.x.x.x). I ran packet-tracer to confirm – and packet tracer says it is allowed out – and shows it PAT-ed to the 108.x.x.x IP.

The problem: None of my 10.x.x.x networks can get out to the Internet. If I plug directly into the ATT 5031NV with a statically assigned 192.168.1.x IP (that's the DHCP pool range the 5031NV gives out), I can get out to the Internet with no issues.

I also found that I cannot ping my default (ISP) gateway from my Cisco ASA. See below for the updated (11/5/2015) config. I made several changes based on comments from this thread.

Relevant config on Cisco 3750:

SRPC-CORE-OFFICE#sho run | s router ospf
 router ospf 1
   passive-interface default
   no passive-interface GigabitEthernet1/0/3
   network 10.1.1.0 0.0.0.255 area 1
   network 10.1.2.0 0.0.0.255 area 1
   network 10.1.3.0 0.0.0.255 area 1

SRPC-CORE-OFFICE#sho ip route

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Vlan100
L        10.1.1.1/32 is directly connected, Vlan100
C        10.1.2.0/24 is directly connected, Vlan120
L        10.1.2.1/32 is directly connected, Vlan120
C        10.1.3.0/24 is directly connected, Vlan130
L        10.1.3.1/32 is directly connected, Vlan130
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/24 is directly connected, GigabitEthernet1/0/3
L        172.16.0.1/32 is directly connected, GigabitEthernet1/0/3
S     192.168.0.0/16 is directly connected, GigabitEthernet1/0/3
S     192.168.5.0/24 is directly connected, GigabitEthernet1/0/3

!
!

SRPC-CORE-OFFICE#sho ip int br | ex un
    Interface              IP-Address      OK? Method Status            Protocol
    Vlan100                10.1.1.1        YES NVRAM  up                    up      
    Vlan120                10.1.2.1        YES NVRAM  up                    up      
    Vlan130                10.1.3.1        YES NVRAM  up                    up    
    GigabitEthernet1/0/3   172.16.0.1      YES NVRAM  up                    up 

!
!

SRPC-CORE-OFFICE#sho vlan br | i active
    100  MANAGEMENT                       active 
    120  SRPC_WIFI                        active 
    130  SRPC_DATA                        active 

Cisco ASA5506 relevant config:

SRPC-FW-01# sho run nat
!
object network obj_any
 nat (dmzTest,outside) dynamic interface

router ospf 1
 network 7.0.1.0 255.255.255.0 area 1
 network 10.1.1.10 255.255.255.255 area 1
 network 192.168.1.0 255.255.255.0 area 1
 log-adj-changes
 default-information originate

!
route dmzTest 10.1.0.0 255.255.224.0 172.16.0.1 1
!
!
SRPC-FW-01# sh int ip br 
Interface                  IP-Address      OK? Method Status            Protocol
GigabitEthernet1/1         108.225.177.202 YES DHCP   up                    up  
GigabitEthernet1/2         172.16.0.2      YES CONFIG up                    up  

!
!
SRPC-FW-01# sho nameif
       Interface                Name                     Security
       GigabitEthernet1/1       outside                    0
       GigabitEthernet1/2       dmzTest                  100
!

access-list dmzTest-in extended permit tcp any any 
access-list dmzTest-in extended permit icmp any any 
access-list dmzTest-out extended permit tcp any any 
access-list management-in extended permit ip any any 
access-list management-out extended permit ip any any 
access-list OutsideATT-in extended permit ip any any 
access-list OutsideATT-out extended permit ip any any 
access-list dmztest-out extended permit icmp any any 
access-list outside_inbound_to_SRPC extended deny ip any any 
access-list outside_inbound_to_SRPC extended permit ip host 108.225.176.1 any 
access-list outside_outbound_to_INET extended permit ip 108.225.176.0 255.255.252.0 any 
access-list outside_outbound_to_INET extended permit ip any any 
!
!
!   
access-group outside_inbound_to_SRPC in interface outside
access-group outside_outbound_to_INET out interface outside
access-group dmzTest-in in interface dmzTest
access-group dmzTest-out out interface dmzTest
access-group OutsideATT-in in interface OutsideATT
access-group OutsideATT-out out interface OutsideATT
access-group management-in in interface management
access-group management-out out interface management
!

SRPC-FW-01# sho route
    Gateway of last resort is 108.225.176.1 to network 0.0.0.0

    S*    0.0.0.0 0.0.0.0 [1/0] via 108.225.176.1, outside
    S        10.1.0.0 255.255.224.0 [1/0] via 172.16.0.1, dmzTest
    C        108.225.176.0 255.255.252.0 is directly connected, outside
    L        108.225.177.202 255.255.255.255 is directly connected, outside
    C        172.16.0.0 255.255.255.0 is directly connected, dmzTest
    L        172.16.0.2 255.255.255.255 is directly connected, dmzTest
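The access-list and access-group lines above can be checked mechanically. The following lint script is an added example, not part of the original post, and works on a constructed excerpt of the quoted config; it flags an ACE shadowed by an earlier ip any any in the same ACL (the deny in outside_inbound_to_SRPC makes the permit below it unreachable), access-groups bound to interface names that have no nameif (OutsideATT), and ACLs that are defined but never applied (dmztest-out differs from the bound dmzTest-out only by case, and ASA ACL names are case-sensitive).

```python
import re

# Interfaces that have a nameif, per the 'sho nameif' output in the post.
NAMEIFS = {"outside", "dmzTest"}

# Constructed excerpt of the access-list / access-group lines quoted in the post.
CONFIG = """\
access-list dmzTest-in extended permit tcp any any
access-list dmzTest-out extended permit tcp any any
access-list OutsideATT-in extended permit ip any any
access-list dmztest-out extended permit icmp any any
access-list outside_inbound_to_SRPC extended deny ip any any
access-list outside_inbound_to_SRPC extended permit ip host 108.225.176.1 any
access-group outside_inbound_to_SRPC in interface outside
access-group dmzTest-in in interface dmzTest
access-group dmzTest-out out interface dmzTest
access-group OutsideATT-in in interface OutsideATT
"""
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def parse(config):
    """Return ({acl: [(action, proto, rest), ...]}, [(acl, direction, iface), ...])."""
    acls, groups = {}, []
    for line in config.splitlines():
        if m := ACE_RE.match(line.strip()):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := GROUP_RE.match(line.strip()):
            groups.append((m[1], m[2], m[3]))
    return acls, groups

def shadowed_aces(acls):
    """(acl, 1-based ACE number) of every ACE after a 'permit|deny ip any any'."""
    found = []
    for name, aces in acls.items():
        for i, (_, proto, rest) in enumerate(aces):
            if proto == "ip" and rest.strip() == "any any":
                found += [(name, j + 1) for j in range(i + 1, len(aces))]
                break  # everything after this ACE is unreachable
    return found

def dangling_groups(groups, nameifs=NAMEIFS):
    """(acl, iface) for access-groups bound to an interface with no nameif."""
    return [(acl, iface) for acl, _, iface in groups if iface not in nameifs]

def unbound_acls(acls, groups):
    """ACLs defined but never applied; a case mismatch is the usual cause."""
    bound = {acl for acl, _, _ in groups}
    return sorted(name for name in acls if name not in bound)
```

Run the three checks over `parse(CONFIG)`; each returns an empty list when the config is clean.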

Best Answer

First, OSPF is not necessary (or recommended) for such a tiny network. I run much larger networks and still don't bother with dynamic routing.

Second, never, ever, route to a broadcast interface (i.e. ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0/3). BTW, that's proxy-arp; I'm 1000% certain that is not what you want.

Third, AT&T's 3801 does not have a "bridge mode". And those modems have a particularly nasty bit of brain damage where the IP:MAC table is one-to-one -- a MAC can have only one IP and v.v., which means with a static block each IP must go to a different device.