topic ASA 9.1 NAT Problem in Network Security

ASA 9.1 NAT Problem

Ed Willson — Tue, 12 Mar 2019 03:26:28 GMT

Hi all. I'm playing with a cool program called Subsonic - You can stream music from your home server to whatever. The problem I'm having is getting a NAT statement to access the server from inside.

Here's my current config for the service:

object network SubSonic

host 192.168.2.32

nat (inside,outside) static interface service tcp 4040 4040

access-list outside_inbound permit tcp any object SubSonic eq 4040

This is working great when I'm out in the world, but when I'm home and connected inside no luck. I'm thinking I need some sort of nat statement for inside to inside, but I'm at a loss really. Any help here would be appricated.

Thanks,

ASA 9.1 NAT Problem

Istvan kelemen — Wed, 08 Jan 2014 03:31:04 GMT

Hi,

Assuming your stream server is sitting behind the inside interface and you want to stream music to a host which is sitting behind the inside interface as well.

More info would be useful like a topology visio.

1 you need to enable communication between hosts connected to the same interface

2 if your pc and stream server are behind different interfaces then the interfaces should have the same security level, and you should enable communication between interfaces with same security level. Or create an ACL with the right permit statement.

ASA 9.1 NAT Problem

Ed Willson — Wed, 08 Jan 2014 03:37:10 GMT

Both devices (Server and AP) are connected to the inside vlan with the ASA doing DHCP. Communication is fine on the LAN side. I can change the server address on my phone to the inside address for the server and it works.

Syslog is showing:

Jan 07 2014

19:36:10

110002

192.168.2.232

33871

Failed to locate egress interface for TCP from inside:192.168.2.232/33871 to OU.TS.ID.E/4040

Re: ASA 9.1 NAT Problem

Istvan kelemen — Wed, 08 Jan 2014 03:46:42 GMT

Do you want to access the stream server via outside ip when you are connected to inside?

ASA 9.1 NAT Problem

Ed Willson — Wed, 08 Jan 2014 03:54:53 GMT

Exactly - so a mobile device can be mobile without having to change configuration.

ASA 9.1 NAT Problem

jumora — Wed, 08 Jan 2014 04:18:27 GMT

Can you access the device with a PC so we can run a sniffer trace on the PC when it works and compare what port and protocol is used. It would be also a good idea to check logs and captures that can be runned on the ASA when you setup the server behind the ASA with NAT, that way we can check when your phone is trying to connect to the server with the phones source address through logs and captures.

Value our effort and rate the assistance!

ASA 9.1 NAT Problem

Ed Willson — Wed, 08 Jan 2014 04:29:01 GMT

Well I can tell you its on TCP 4040. When I access on the lan I'm just using http://192.168.2.238:4040. Nothing special there. Looking at the syslog from my traffic headed to the public address it's getting NATted. That's why I'm thinking I need to hairpin the traffic.

TCP 4040 from 192.168.2.0/24 headed to myoutsideIP needs to be redirected to 192.168.2.238:4040.

ASA 9.1 NAT Problem

jumora — Wed, 08 Jan 2014 04:36:08 GMT

All you need to do is configure an object for the external IP address that you have on the ASA and then configure the U turn:

If you think that is the case configure the next:

object network External_IP

host External_IP

nat (inside,inside) source dynamic any interface destination static External_IP SubSonic

same-security-traffic permit intra-interface

Value our effort and rate the assistance!

ASA 9.1 NAT Problem

Ed Willson — Wed, 08 Jan 2014 04:57:37 GMT

Thank You Sir! I was damn close a couple times, but was getting messed up on the nat statement.

The commands I used:

object network SubSonicLAN

host OUTSIDEIP

nat (inside,inside) source dynamic any interface destination static SubSonicLAN SubSonic

That made my night. I was messing with this for hours!

Thanks,

ASA 9.1 NAT Problem

jumora — Wed, 08 Jan 2014 05:44:42 GMT

happy to help!!!!

Value our effort and rate the assistance!