Problems with SMB and dynamic NAT?

MichealC4

Programmer
Jun 26, 2003
457
I'm trying to diagnose a problem we have with SMB. I think I've narrowed it down to dynamic NAT, as when I set it to static NAT, it works just fine. Or is this just coincidence?

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Need a little more to go on. Can you post a config?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I have to say that I did not set this up and I'm trying to get this changed.

Code:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 acl1 security99
nameif ethernet2 acl2 security95
nameif ethernet3 acl3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password <removed> encrypted
passwd <removed> encrypted
hostname <removed>
domain-name <removed>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_acl2 permit tcp any any
access-list acl_acl2 permit udp any any
access-list acl_acl2 permit icmp any any
access-list acl_acl1 permit tcp any any
access-list acl_acl1 permit udp any any
access-list acl_acl1 permit icmp any any
access-list acl3_access_in permit tcp any any
access-list acl3_access_in permit udp any any
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu acl1 1500
mtu acl2 1500
mtu acl3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside <removed> 255.255.255.0
ip address acl1 <removed> 255.224.0.0
ip address acl2 <removed> 255.224.0.0
ip address acl3 <removed> 255.224.0.0
ip address intf4 <removed> 255.255.255.0
no ip address intf5
ip verify reverse-path interface outside
ip verify reverse-path interface acl1
ip verify reverse-path interface acl2
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside <removed>
failover ip address acl1 <removed>
failover ip address acl2 <removed>
no failover ip address acl3
failover ip address intf4 <removed>
no failover ip address intf5
failover link outside
<removed PDM location>
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 2 <range1>-<range2> netmask 255.255.255.0
global (outside) 2 <range3>-<range4>
global (outside) 2 <range5>-<range6>
global (outside) 2 interface
global (acl1) 1 <removed>
global (acl2) 1 <removed>
global (acl3) 1 <removed>
nat (acl1) 2 0.0.0.0 0.0.0.0 0 0
nat (acl2) 2 0.0.0.0 0.0.0.0 0 0
nat (acl3) 2 0.0.0.0 0.0.0.0 0 0
static (acl2,outside) <removed inside/outside range> netmask 255.255.255.255 0 0
static (acl1,outside) <removed inside/outside range> netmask 255.255.255.255 1 0
static (acl3,outside) <removed inside/outside range> netmask 255.255.255.255 1 0
static (acl3,outside) <removed outside/inside ip inactive> netmask 255.255.255.255 0 0
static (acl1,outside) <removed outside/inside ip works> netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group acl_acl1 in interface acl1
access-group acl_acl2 in interface acl2
access-group acl3_access_in in interface acl3
rip outside passive version 2
route outside 0.0.0.0 0.0.0.0 <removed> 1
route outside <removed> 255.255.255.255 <removed> 2
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-acl3 TACACS+ protocol tacacs+
aaa-acl3 RADIUS protocol radius
aaa-acl3 LOCAL protocol local
http acl3 enable
http <removed> 255.255.255.255 acl1
http <removed> 255.255.255.255 acl1
http <removed> 255.255.255.255 acl1
no snmp-acl3 location
no snmp-acl3 contact
snmp-acl3 community public
no snmp-acl3 enable traps
floodguard enable
telnet <removed range> 255.224.0.0 acl1
telnet timeout 5
ssh timeout 5
console timeout 10
url-block url-mempool 1500
url-block url-size 4
terminal width 80

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Ok,
A few quick things -
What exactly is happening and what are you trying to achieve?
Can you put in placeholders for the IPs (a.b.c.d) so they can be matched up (a simple search and replace so they are all consistent)?



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
What's happening is that SMB traffic (logging in to the Windows domain, printers on the domain, etc.) is timing out. Logins fail or take an incredibly long time, printers lose print jobs altogether, or in the middle of the job, those sorts of things.

I'll get the updated config in a bit.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 