topic Re: Static NAT Problem - Help Me Understand This in Network Security

Static NAT Problem - Help Me Understand This

spottedowl — Mon, 11 Mar 2019 10:34:02 GMT

In my ASA 5510 config (posted below), I have an inside interface, two DMZ's, and an outside interface. I have a web server on the 1st DMZ at local address 10.1.2.2. I want this web server to be accessible from the Internet at global address xx.xx.150.80, which is the same address as the outside interface.

The relevant lines from the config are:

static (dmz1,outside) xx.xx.150.80 10.1.2.2 netmask 255.255.255.255

access-list outside_in extended permit tcp any host xx.xx.150.80 eq www

access-group outside_in in interface outside

This doesn't work. When I try to access the web server from the Internet, I get a message in the log saying "TCP connection blocked by ACL". When I change the static statement to:

static (dmz1,outside) interface 10.1.2.2 netmask 255.255.255.255

everything works. My question is: why does this work when I use "interface" in place of the actual IP address of the outside interface in the static statement?

asdm image disk0:/asdm506.bin

no asdm history enable

: Saved

ASA Version 7.0(6)

hostname asa

domain-name example.com

enable password xxxxxxxxxxx encrypted

names

dns-guard

interface Ethernet0/0

nameif outside

security-level 0

ip address xx.xx.150.80 255.255.255.0

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

interface Ethernet0/2

nameif dmz1

security-level 50

ip address 10.1.2.1 255.255.255.0

interface Ethernet0/3

nameif dmz2

security-level 10

ip address 10.1.3.1 255.255.255.0

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

passwd xxxxxx.xxxxxxxxx encrypted

ftp mode passive

access-list inside_dmz1 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list dmz1_in extended permit tcp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq ssh

access-list dmz1_in extended deny ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list dmz1_in extended permit ip any any

access-list outside_in extended permit tcp any host xx.xx.150.80 eq www

pager lines 77

logging enable

logging monitor informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz1 1500

mtu dmz2 1500

mtu management 1500

no failover

monitor-interface outside

monitor-interface inside

monitor-interface dmz1

monitor-interface dmz2

monitor-interface management

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_dmz1

nat (inside) 1 10.1.1.0 255.255.255.0

nat (dmz1) 1 10.1.2.0 255.255.255.0

static (dmz1,outside) xx.xx.150.80 10.1.2.2 netmask 255.255.255.255

access-group outside_in in interface outside

access-group dmz1_in in interface dmz1

route outside 0.0.0.0 0.0.0.0 xx.xx.150.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.1.1.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 10.1.1.0 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh 10.1.1.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

Cryptochecksum:xxx

: end

Re: Static NAT Problem - Help Me Understand This

gurdsing — Fri, 22 Jun 2007 23:27:19 GMT

Thats the way static command works in 7.x code.

Read through the note in command reference, syntax description (interface):

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp1540284

Regards,

Guru.

Re: Static NAT Problem - Help Me Understand This

kcarjun2002 — Sat, 23 Jun 2007 01:22:58 GMT

I got the exact sam eproblem as yours after I migrated to asa5510. I see all the NAT and access-list fine but the web server located at dmz is not accessible form outside. But I have not issued that command that you mentioned.

When you run the command this way which public ip gets mapped with your internal ip

10.1.2.2?

static (dmz1,outside) interface 10.1.2.2 netmask 255.255.255.255

Re: Static NAT Problem - Help Me Understand This

gurdsing — Sat, 23 Jun 2007 06:49:35 GMT

The outside interface IP address will get mapped to the 10.1.2.2 address in your case.

Regards,

Guru.

Re: Static NAT Problem - Help Me Understand This

kcarjun2002 — Sat, 23 Jun 2007 14:48:44 GMT

Thanks Guru

I already have different public ip mapped with my new web server,located at dmz. When I compare the nat and access-list with the other web servers at the same location, I don't see anything different. Why is it not still accessible from outside? Can you explain me in little details how can I troubleshoot this.

Thanks in advance.

Thanks

Re: Static NAT Problem - Help Me Understand This

JBDanford2002 — Sat, 23 Jun 2007 15:16:33 GMT

The problem is that you were trying use the IP address assigned to the interface. When using the interface IP you must use the "interface" keyword.

INTERFACE:

Specifies the interface IP address for the global address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.

Note You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of a PIX Firewall interface in a static PAT entry. "

Re: Static NAT Problem - Help Me Understand This

kcarjun2002 — Sat, 23 Jun 2007 19:58:47 GMT

Actually, I am using the static NAT address not the one from the outside interface.

My outside interface is x.x.2.147

and the internal ip that I am using for web server is 172.16.1.6.

The following is the relevant config that I am using. But its still not accesible from outside. DO I have to do anything special for version 7.x

static (dmz,outside) X.X.2.125 172.16.1.6 netmask 255.255.255.255

access-list acl_allow_in permit tcp any host X.X.2.125 eq www

access-list acl_allow_in in interface outside

Re: Static NAT Problem - Help Me Understand This

JBDanford2002 — Sat, 23 Jun 2007 21:54:17 GMT

Kind of confused. Your config above shows the following for your DMZs and I didnt see any additional route so I am figuring you have conflicting subnets. Below you DMZ shows

10.1.3.1 but your server IP is 172.16.1.6. Has something changed? Post a full scrubbed config.

interface Ethernet0/2

nameif dmz1

security-level 50

ip address 10.1.2.1 255.255.255.0

interface Ethernet0/3

nameif dmz2

security-level 10

ip address 10.1.3.1 255.255.255.0

Re: Static NAT Problem - Help Me Understand This

kcarjun2002 — Sat, 23 Jun 2007 22:42:01 GMT

Sorry for confusion. May be I should have posted my problem separately.

Re: Static NAT Problem - Help Me Understand This

JBDanford2002 — Sat, 23 Jun 2007 23:34:04 GMT

My apologies. I didnt realize you werent the original poster.