topic Re: ASA 5505 - Static NAT in Network Security

ASA 5505 - Static NAT

jfendrody — Mon, 11 Mar 2019 19:06:41 GMT

Hello,

I stuck with a static nat configuration problem on ASA 5505 equipment.

While there is already quite a few post regarding NAT on this forum I could not find anything solving my problem so any help from the community would be most welcome.

Problem is quite simple : I would like external computers (coming through outside interface) to access one internal HTTP server.

Here's my test configuration :

ASA outside address : 192.168.0.11
ASA inside address : 192.168.1.1
Internal server address : 192.168.1.6
External computer trying to access to the internal server : 192.168.0.10

ASA configuration :

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in remark autorise le reseau interne a accéder à internet
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in remark Autorise le reseau interne a faire des pings externes
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.6 www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:2e0ea6f12299faadcb90b77fbaea79cb
: end

Access Log:

				Source IP	Source Port	Destination IP	Destination Port	Description
6	Nov 09 2010	10:26:07	302013	192.168.0.10	1649	192.168.1.6	80	Built inbound TCP connection 473 for outside:192.168.0.10/1649 (192.168.0.10/1649) to inside:192.168.1.6/80 (192.168.0.11/80)
6	Nov 09 2010	10:26:37	302014	192.168.0.10	1649	192.168.1.6	80	Teardown TCP connection 473 for outside:192.168.0.10/1649 to inside:192.168.1.6/80 duration 0:00:30 bytes 0 SYN Timeout

Re: ASA 5505 - Static NAT

mirober2 — Tue, 09 Nov 2010 17:57:10 GMT

Hi Jean-Francois,

The config looks okay and the logs indicate that the connection is allowed. However, the connection eventually closes due to a SYN timeout. This means that the ASA never saw a reply from your web server.

Can you verify that the server is listening on TCP/80 and that there is nothing else in the path that would filter this traffic? Also, double check to make sure the server doesn't have a host-based firewall or security software that would block this connection.

Are you able to connect to the server from inside your network? A packet capture on the server will help to verify if the request is being received by the server or if the server is not replying.

-Mike

Re: ASA 5505 - Static NAT

Maykol Rojas — Tue, 09 Nov 2010 17:58:10 GMT

Hello,

Mike here , NAT is right, problem is that the server is not responding (SYN timeout). You can check the following things.

Make sure that the server default gateway is the ASA

Put wireshark on the server and check if the server is receiving the packets.

If you need anything just let me know.

Cheers.

Mike

Re: ASA 5505 - Static NAT

jfendrody — Tue, 09 Nov 2010 18:31:49 GMT

Hi Mike,

Thanks for the super fast answer ! Unfortunately it makes me even more confuse ...

For the test purposes, the "internal server" (192.168.1.6) was a SLM switch and I was trying to access its http admin server.

To reply to your post, I updated the test configuration and replaced the SLM with a PC running EasyPHP and WireShark.

This setup was supposed to allow me the see what was wrong with the reply.

To my surprise with this new configuration the setup works just fine ...

When I switch back to the SLM configuration, it just fails ...

Any idea why the switch would reject/not reply to the connection coming from the ASA ??

Re: ASA 5505 - Static NAT

jfendrody — Tue, 09 Nov 2010 18:36:23 GMT

Mike,

Thanks for the reply, please see my reply to the other Mike .

I was setting up exactly was you were suggesting and the result was quite surprising ...

Regarding the SLM configuration, it has the ASA as default gateway.

Re: ASA 5505 - Static NAT

Maykol Rojas — Tue, 09 Nov 2010 18:48:15 GMT

Hey,

Yeah, I saw that Mike answer first and we both thought the same. He is really good in what he does..... In that switch do you have any type of acl or restriction of any type? Are you able to access it from the inside?

Let us know.

Mike

Re: ASA 5505 - Static NAT

jfendrody — Tue, 09 Nov 2010 22:06:29 GMT

Yes, I can access it from inside. I will try to fond what's wrong with wireshark.

I consider the issue solved and tag the thread as such.

Thanks you guys for the support !