Welcome to Cisco Firewalls Community


Cisco Employee

NAT ASA 5510

Hi Daniel,

Try this: assign static IPs to the source and destination hosts (in the 10.0.0.0/24 range) and then test. Make sure you have the correct static NAT for the destination IP. Take packet captures on the inside interface. Enable syslogs and post them here.

Regards,

Anu

Beginner

NAT ASA 5510

Hi Anu,

My internal IP address is 10.0.0.52 and I try to access the public IP address 84.88.36.7.

The live log says:

6|Jul 05 2011 09:49:07|302013: Built outbound TCP connection 43704 for outside:84.88.36.7/443 (84.88.36.7/443) to inside:10.0.0.52/64913 (84.88.36.3/8664)

6|Jul 05 2011 09:49:04|302013: Built inbound TCP connection 43703 for outside:195.10.10.59/55659 (195.10.10.59/55659) to inside:10.0.0.124/3202 (84.88.36.7/3202)

6|Jul 05 2011 09:49:04|302013: Built outbound TCP connection 43702 for outside:84.88.36.7/443 (84.88.36.7/443) to inside:10.0.0.52/64912 (84.88.36.3/8663)

6|Jul 05 2011 09:48:46|302013: Built outbound TCP connection 43701 for outside:84.88.36.7/443 (84.88.36.7/443) to inside:10.0.0.52/64911 (84.88.36.3/8662)

6|Jul 05 2011 09:48:46|302013: Built outbound TCP connection 43700 for outside:84.88.36.7/443 (84.88.36.7/443) to inside:10.0.0.52/64910 (84.88.36.3/8661)

7|Jul 05 2011 09:48:46|609001: Built local-host outside:84.88.36.7

7|Jul 05 2011 09:48:37|609002: Teardown local-host outside:84.88.36.7 duration 0:00:51

6|Jul 05 2011 09:48:37|302014: Teardown TCP connection 43682 for outside:84.88.36.7/443 to inside:10.0.0.52/64894 duration 0:00:30 bytes 0 SYN Timeout

Thanks

Cisco Employee

NAT ASA 5510

Hi Daniel,

What is the private IP address of the PC from which you are trying to access 84.88.36.7 internally? Also, did you assign static IPs to the source and destination hosts?

Regards,

Anu

Beginner

NAT ASA 5510

Hi Anu,

My private address is 10.0.0.52.

"Also, did you assign static IPs to the source and destination hosts?"

No, I want to access all public IP addresses from all of my network.

The 10.0.0.52 address is an example.

Thanks

Daniel

Beginner

NAT ASA 5510

Hi Anu,

Last Saturday I migrated all the rules to the ASA.

I have only one problem: access to public IP addresses from the inside network.

Can you help me?

Thanks

Engager

NAT ASA 5510

Hi Daniel,

Can you provide the show run from the new firewall, as well as the IP address of the server you are trying to access and from which interface you are trying to access it?

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

Re: NAT ASA 5510

Hi,

I attach my shRun.

I would like to access all public IP addresses from the inside network.

Public IP addresses: 84.88.36.1 - 15 (255.255.255.240)

Inside Network: 10.0.0.0 - 10.0.1.255 (255.255.254.0)

inside --> access --> Interface outside

Thanks

Engager

NAT ASA 5510

Hi Daniel,

Let me give you one example; you can configure the rest similarly:

static (inside,inside) 84.88.36.6 10.0.0.123 norand nailed

Similarly you can configure it for the rest of the servers and it should work.

Let me know if this works

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

NAT ASA 5510

Hi,

I configured your commands but it doesn't work.

static (inside,inside) 84.88.36.6 10.0.0.123 netmask 255.255.255.255 norandomseq nailed

What's happening!!!!!! Grrrr!

Engager

NAT ASA 5510

Hi Daniel,

Can you enable this command as well:

sysopt noproxyarp inside

If it still doesn't work, kindly provide me the output of the following:

packet-tracer input inside tcp 10.0.0.1 2345 84.88.36.6 80 detailed

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

NAT ASA 5510

Hi Varun,

It doesn't work, and I cannot enter the packet-tracer command.

Via ASDM I view this:

6|Jul 11 2011 15:03:17|302013: Built inbound TCP connection 99016 for outside:84.88.36.8/45176 (84.88.36.8/45176) to inside:10.0.0.123/80 (84.88.36.6/80)

6|Jul 11 2011 15:05:06|302014: Teardown TCP connection 99043 for inside:10.0.0.63/52301 to inside:10.0.0.123/443 duration 0:00:00 bytes 0 Flow is a loopback

6|Jul 11 2011 15:05:00|302014: Teardown TCP connection 99042 for inside:10.0.0.63/52301 to inside:10.0.0.123/443 duration 0:00:00 bytes 0 Flow is a loopback

6|Jul 11 2011 15:04:57|302014: Teardown TCP connection 99041 for inside:10.0.0.63/52301 to inside:10.0.0.123/443 duration 0:00:00 bytes 0 Flow is a loopback

My IP is 10.0.0.63

The inside IP of the server is 10.0.0.123

The public IP of the server is 84.88.36.6

Thanks

Engager

NAT ASA 5510

Hi Daniel,

Can you pull the latest show run output from the firewall and provide it to me? Are you trying to access the server using the public IP address? The logs show me the private IP instead of the public IP.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

Re: NAT ASA 5510

Hi,

I attach my shRun.

Yes, I try to access my server with the public IP.

My PC has 10.0.0.63 and I try to access 84.88.36.6, which is the public address of my internal server with IP 10.0.0.123.

Do you understand me? I know that my explanation is bad. Sorry.

Thanks

Engager

NAT ASA 5510

Hi Daniel,

If that is the case, then I guess we would need to take captures on the ASA:

access-list cap permit ip host 10.0.0.63 host 84.88.36.6

access-list cap permit ip host 84.88.36.6 host 10.0.0.63

access-list cap permit ip host 10.0.0.63 host 10.0.0.123

access-list cap permit ip host 10.0.0.123 host 10.0.0.63

capture capin access-list cap interface inside

Try accessing the server after that, check "show capture", and please provide the output.

To summarize everything, you should have the following commands enabled on the ASA:

static (inside,inside) 84.88.36.6 10.0.0.123 norand nailed

sysopt noproxyarp inside

same-security-traffic permit intra-interface

After that, collect the output.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

NAT ASA 5510

Hi,

The result is the same. I have pasted the output:

ttrendsASA(config)# sh capture capin

18 packets captured

   1: 11:34:31.978327 10.0.0.63.63575 > 84.88.36.6.80: S 1040445759:1040445759(0) win 8192

   2: 11:34:31.978510 10.0.0.63.63574 > 84.88.36.6.80: S 1455068754:1455068754(0) win 8192

   3: 11:34:34.979578 10.0.0.63.63575 > 84.88.36.6.80: S 1040445759:1040445759(0) win 8192

   4: 11:34:34.981562 10.0.0.63.63574 > 84.88.36.6.80: S 1455068754:1455068754(0) win 8192

   5: 11:34:40.976740 10.0.0.63.63574 > 84.88.36.6.80: S 1455068754:1455068754(0) win 8192

   6: 11:34:40.981653 10.0.0.63.63575 > 84.88.36.6.80: S 1040445759:1040445759(0) win 8192

   7: 11:34:52.983362 10.0.0.63.63577 > 84.88.36.6.80: S 2560066600:2560066600(0) win 8192

   8: 11:34:55.984461 10.0.0.63.63577 > 84.88.36.6.80: S 2560066600:2560066600(0) win 8192

   9: 11:35:01.980570 10.0.0.63.63577 > 84.88.36.6.80: S 2560066600:2560066600(0) win 8192

  10: 11:35:26.357678 10.0.0.63.63589 > 84.88.36.6.80: S 2893740273:2893740273(0) win 8192

  11: 11:35:26.357967 10.0.0.63.63590 > 84.88.36.6.80: S 1238314767:1238314767(0) win 8192

  12: 11:35:29.357617 10.0.0.63.63589 > 84.88.36.6.80: S 2893740273:2893740273(0) win 8192

  13: 11:35:29.361614 10.0.0.63.63590 > 84.88.36.6.80: S 1238314767:1238314767(0) win 8192

  14: 11:35:35.360744 10.0.0.63.63590 > 84.88.36.6.80: S 1238314767:1238314767(0) win 8192

  15: 11:35:35.361706 10.0.0.63.63589 > 84.88.36.6.80: S 2893740273:2893740273(0) win 8192

  16: 11:35:47.363460 10.0.0.63.63608 > 84.88.36.6.80: S 636176705:636176705(0) win 8192

  17: 11:35:50.360454 10.0.0.63.63608 > 84.88.36.6.80: S 636176705:636176705(0) win 8192

  18: 11:35:56.361645 10.0.0.63.63608 > 84.88.36.6.80: S 636176705:636176705(0) win 8192

18 packets shown

Thanks
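Added example, not from the thread or from Cisco: a small Python triage script for the two artifacts posted in this thread, the 302013/302014 syslog lines and the `sh capture capin` output. It labels each connection line by the teardown reason the ASA itself reports ("Flow is a loopback", "SYN Timeout", same-interface hairpin) and reports client sockets whose SYNs were retransmitted without any reply, which is what the capture above shows. The sample input is constructed from the lines quoted in the posts.

```python
import re
from collections import defaultdict

# Constructed sample input: three of the 302013/302014 syslog lines and three of the
# "sh capture capin" lines quoted in this thread (same hosts, ports and formats).
SYSLOG = [
    "6|Jul 05 2011 09:48:37|302014: Teardown TCP connection 43682 for outside:84.88.36.7/443 to inside:10.0.0.52/64894 duration 0:00:30 bytes 0 SYN Timeout",
    "6|Jul 11 2011 15:03:17|302013: Built inbound TCP connection 99016 for outside:84.88.36.8/45176 (84.88.36.8/45176) to inside:10.0.0.123/80 (84.88.36.6/80)",
    "6|Jul 11 2011 15:05:06|302014: Teardown TCP connection 99043 for inside:10.0.0.63/52301 to inside:10.0.0.123/443 duration 0:00:00 bytes 0 Flow is a loopback",
]
CAPTURE = [
    "   1: 11:34:31.978327 10.0.0.63.63575 > 84.88.36.6.80: S 1040445759:1040445759(0) win 8192",
    "   3: 11:34:34.979578 10.0.0.63.63575 > 84.88.36.6.80: S 1040445759:1040445759(0) win 8192",
    "   6: 11:34:40.981653 10.0.0.63.63575 > 84.88.36.6.80: S 1040445759:1040445759(0) win 8192",
]

CONN_RE = re.compile(
    r"\|(?P<msgid>30201[34]): (?P<action>Built|Teardown)(?: (?:inbound|outbound))? TCP connection"
    r" (?P<conn>\d+) for (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+)(?: \([^)]*\))?"
    r" to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)(?: \([^)]*\))?"
    r"(?: duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+))?$")
PKT_RE = re.compile(
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)")

def classify_conn(line):
    """Label one 302013/302014 line by what the ASA itself reports about the flow."""
    m = CONN_RE.search(line)
    if not m:
        return "unparsed"
    if m["reason"] == "Flow is a loopback":
        return "hairpin-teardown"   # inside->inside flow torn down (0 bytes in the thread)
    if m["reason"] == "SYN Timeout":
        return "syn-timeout"        # connection built but no SYN/ACK ever came back
    if m["sif"] == m["dif"]:
        return "hairpin-built"      # same-interface (U-turn) connection was created
    return "normal"

def unanswered_syns(lines, client_ip):
    """Return {(ip, port): syn_count} for client sockets that retransmitted SYNs with no reply."""
    stats = defaultdict(lambda: {"syn": 0, "reply": 0})
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue
        if m["sip"] == client_ip and m["flags"] == "S":
            stats[(m["sip"], int(m["sport"]))]["syn"] += 1
        elif m["dip"] == client_ip:            # anything coming back to the client
            stats[(m["dip"], int(m["dport"]))]["reply"] += 1
    return {sock: s["syn"] for sock, s in stats.items() if s["reply"] == 0 and s["syn"] > 1}
```

Run against the full capture from the last post, every client socket lands in the unanswered set, i.e. the ASA saw the SYNs arrive on inside but nothing ever came back toward 10.0.0.63.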