Skip to main content

Help with Setting up NAT correctly.

More
15 years 10 months ago #29193 by timparker
I am still working on my ASA for Remote VPN and Site to Site between our remote offices. I am working on the NAT'ing now to make sure that everything flows properly.

I have the following segments that will be flowing through this box at some point soon or a portion might be already there.

192.168.5.x - Remote VPN Users
192.168.16.x - Internal main HQ LAN (users,servers,printers,etc)
192.168.116.x - Remote Office #1
192.168.216.x - Remote Office #2

I have the following in my config already:

global (outside) 1 interface
nat (inside) 1 Lancaster-Net 255.255.255.0
static (outside, inside) 192.168.16.95 192.168.5.95 netmask 255.255.255.255
static (outside,dmz) internal_web_mail_server external_web_mail_server netmask 255.255.255.255
static (dmz,outside) external_web_mail_server internal_web_mail_server netmask 255.255.255.255

Going out when users are surfing from the Lancaster-Net they should use the IP of the external interface, which appears to be working fine. I will be changing this to another IP when I get this into production and can't swipe back the one that we are currently using externally.

For all other internal traffic, the original IP should be still
used.

the static (outside, inside) is what I am currently using for testing with the remote vpn. It appears to work, but then I can't seem to get anywhere on the network and get an error in the logs of "No translation group found for udp src outside...." So I am guessing I still have something wrong for the VPN.

Any thoughts? I hope I gave enough details.
More
15 years 10 months ago #29201 by Elohim
You static translations are not correct. Static translations are for making hosts from higher security zones appear in lower security zones. I have no idea what you are trying to do. At least I haven't encounter it.

Your static should read:
static (inside, outside) 192.168.5.95 192.168.16.95 192.168.5.95 netmask 255.255.255.255

I don't see any ACL allowing traffic to your inside servers.

I am still working on my ASA for Remote VPN and Site to Site between our remote offices. I am working on the NAT'ing now to make sure that everything flows properly.

I have the following segments that will be flowing through this box at some point soon or a portion might be already there.

192.168.5.x - Remote VPN Users
192.168.16.x - Internal main HQ LAN (users,servers,printers,etc)
192.168.116.x - Remote Office #1
192.168.216.x - Remote Office #2

I have the following in my config already:

global (outside) 1 interface
nat (inside) 1 Lancaster-Net 255.255.255.0
static (outside, inside) 192.168.16.95 192.168.5.95 netmask 255.255.255.255
static (outside,dmz) internal_web_mail_server external_web_mail_server netmask 255.255.255.255
static (dmz,outside) external_web_mail_server internal_web_mail_server netmask 255.255.255.255

Going out when users are surfing from the Lancaster-Net they should use the IP of the external interface, which appears to be working fine. I will be changing this to another IP when I get this into production and can't swipe back the one that we are currently using externally.

For all other internal traffic, the original IP should be still
used.

the static (outside, inside) is what I am currently using for testing with the remote vpn. It appears to work, but then I can't seem to get anywhere on the network and get an error in the logs of "No translation group found for udp src outside...." So I am guessing I still have something wrong for the VPN.

Any thoughts? I hope I gave enough details.

More
15 years 10 months ago #29203 by timparker
The second two statics were supposed to be for our External web Server to allow traffic to it. I thought I had to set that up to get traffic to them.

The interfaces are:

inside - 100
dmz - 10
outside - 0

Am I in left field here?
More
15 years 10 months ago #29208 by Elohim
You only need the third static. The one that reads:

static (dmz,outside) external_web_mail_server internal_web_mail_server netmask 255.255.255.255

The second two statics were supposed to be for our External web Server to allow traffic to it. I thought I had to set that up to get traffic to them.

The interfaces are:

inside - 100
dmz - 10
outside - 0

Am I in left field here?

More
15 years 10 months ago #29224 by timparker
so I only need the initial translation, not one that goes back the opposite way? Ok.

Guess, the next problem I have is figuring out the remote VPN setup. The users are going to come in as 192.168.5.x and hopefully will be NAT'd to the same IP but on the 192.168.16.x subnet (internal LAN).

They should then be allowed to access machines on that subnet. Currently when I connect from my test laptop from home. I get a bunch of errors of "No translation group found for udp src outside" and some TCP ones to different machines on the internal LAN.

any thoughts?
More
15 years 10 months ago #29225 by Smurf
Hi Timparker,

It seems like you are getting bogged down with the NAT'ing, generally you wouldn't NAT your VPN (Site-to-Site or Remote Users) traffic.

You would create an access-list that defined your NoNAT traffic

e.g.

[code:1]access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 192.168.116.0 255.255.255.0
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 192.168.5.0 255.255.255.0[/code:1]

etc...

Then you would define a no nat statement as follow's;


[code:1]nat (inside) 0 access-list NoNAT[/code:1]

Your normal nat's would be defined as;

[code:1]global (outside) 1 interface
nat (inside) 1 Lancaster-Net 255.255.255.0[/code:1]

Then you may want to allow access from the Intenet to your Web/Mail server, since this is going from a low to high security-level you need to specifically define a Static NAT translation,

[code:1]static (outside,dmz) internal_web_mail_server_ip external_web_mail_server_ip netmask 255.255.255.255[/code:1]

N.B. this is doing a whole IP mapping (this is both ways so not only does traffic incoming in that IP get translated to the Internal Server but also when the Internal Server is going out to the internet, it will appear to be coming from that same Public IP because the Static defines the 1to1 mapping in both directions). If you want to though, you could just define Static translations on single ports and then outbound traffic from these servers will just use the global translation thats configured.

Now, VPN Traffic will usually bypass Access-Lists using the following command (which i beleive is the default action, well it is in version 8 )

[code:1]sysopt connection permit-ipsec[/code:1]

So, now to define some access-lists;

[code:1]access-list Inbound_ACL extended permit tcp any host external_web_mail_server_ip eq www
access-list Inbound_ACL extended permit tcp any host external_web_mail_server_ip eq http
[/code:1]

Now to map the access-list to the interface

[code:1]access-group Inbound_ACL in interface outside[/code:1]

So, hope it helps

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.135 seconds