TWICE NAT CONFIGURATION

ciscolunero — Tue, 12 Mar 2019 07:13:20 GMT

Hi,

I have an issue with my CISCO ASA. I need to publish some ports to one server in my DMZ subnet (80, 555 and two range ports (TCP 20100-21999 and UDP 20100-21999) I dont know what I´m doing wrong with the range ports but NAT is not working. For 80 and 555 ports I have used Network Object NAT and it works perfectly. However, I cant do the same with the range ports, so I have to use 'standard NAT' rules, and its not working. I have even tried to remove network object nat rules and use 'standard NAT' for 80 and 555 tcp ports as well. But if do this, 80 and 555 stop working.

Any clues?

Many, many thanks in advance.

: Serial Number: JAD19220344

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

ASA Version 9.4(1)

hostname ciscoasa

enable password WmlxhdtfAnw9XbcA encrypted

passwd ta.qizy4R//ChqQH encrypted

names

ip local pool Pool_139 139.16.1.50-139.16.1.80 mask 255.255.255.0

ip local pool Pool_172 172.16.1.100-172.16.1.130 mask 255.255.255.0

interface GigabitEthernet1/1

nameif outside

security-level 0

ip address 192.168.1.100 255.255.255.0

interface GigabitEthernet1/2

nameif inside

security-level 100

ip address 139.16.1.1 255.255.255.0

interface GigabitEthernet1/3

nameif DMZ

security-level 50

ip address 172.16.1.1 255.255.255.0

interface GigabitEthernet1/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet1/5

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet1/6

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet1/7

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet1/8

shutdown

no nameif

no security-level

no ip address

interface Management1/1

management-only

nameif management

security-level 100

ip address 11.11.11.11 255.255.255.0

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network inside-subnet

subnet 139.16.1.0 255.255.255.0

object network dmz-subnet

subnet 172.16.1.0 255.255.255.0

object network wialon-server-external-ip

host 192.168.1.132

object network wialon-server

host 172.16.1.69

object service Wialon-services-TCP

service tcp source range 20100 21999 destination range 20100 21999

object service Wialon-services-UDP

service udp source range 20100 21999 destination range 20100 21999

object network NETWORK_OBJ_139.16.1.0_25

subnet 139.16.1.0 255.255.255.128

object network wialon-server-ssl

host 172.16.1.69

object service wialon-ssl

service tcp source range 1 65535 destination eq 555

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq www

service-object udp destination eq domain

service-object tcp destination eq https

access-list outside_acl extended permit tcp any object wialon-server eq www

access-list outside_acl extended permit object Wialon-services-TCP any object wialon-server

access-list outside_acl extended permit object Wialon-services-UDP any object wialon-server

access-list outside_acl extended permit object wialon-ssl any object wialon-server

access-list DMZ_access_in extended permit ip object wialon-server 139.16.1.0 255.255.255.0

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (DMZ,outside) source static any any destination static NETWORK_OBJ_139.16.1.0_25 NETWORK_OBJ_139.16.1.0_25 route-lookup

nat (DMZ,outside) source static wialon-server wialon-server-external-ip service Wialon-services-TCP Wialon-services-TCP

object network obj_any

nat (any,outside) dynamic interface

object network inside-subnet

nat (inside,outside) dynamic interface

object network wialon-server

nat (DMZ,outside) static wialon-server-external-ip service tcp www www

object network wialon-server-ssl

nat (DMZ,outside) static wialon-server-external-ip service tcp 555 555

access-group outside_acl in interface outside

access-group DMZ_access_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

http server enable

http 11.11.11.0 255.255.255.0 management

http 139.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des