cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2641
Views
0
Helpful
16
Replies

Static NAT problem due to new version

netbin2009
Level 1
Level 1

Hi!

i´m trying to make a traditional port forward (http to http) on our new asa5510. Previous releases off 5505 and software prior 8.3 was no problem. Could someone tell me how do it in new 8.4 version? I ám a rookie on the new ASA series!

My setup is as this (config not in full info):

interface Ethernet0/0

nameif outside

security-level 0

ip address 87.96.xxx.75 255.255.255.128

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.200.2 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside-entry extended permit tcp any host 87.96.xxx.75 eq www

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in_1 extended permit tcp any any eq www

nat (inside,sll) source dynamic obj_any interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network SRV02

nat (outside,inside) static interface service tcp www www

access-group outside_access_in_1 in interface outside

access-group inside_access_in in interface inside

access-group sll_access_in in interface sll

route outside 0.0.0.0 0.0.0.0 87.96.xxx.1 1

If nothing makes sense in this configuration please give example on how to do it correct. The object on the inside is SRV02 wich is running a webserver on port 80. So i want to open upp for http on outside interface and forward that traffic to srv02 (inside webserver)

I aslo tried to use Public Server Wizard but i fail even there. Se attached image.

1 Accepted Solution

Accepted Solutions

Fantastic....Check the route and default gateway on the server, it is responding correctly to its own subnet but not sending packets for internet ip's back to the ASA inside interface. Check what is the gateway on the server.

Hope that helps,

Varun

Thanks,
Varun Rao

View solution in original post

16 Replies 16

Jennifer Halim
Cisco Employee
Cisco Employee

The line interface is the other way round:

object network SRV02

  nat (outside,inside) static interface service tcp www www

should be:

object network SRV02

  nat (inside,outside) static interface service tcp www www

Hi!

In all my tries i reversed it....sorry. This does not help. Could it be that i cannot use my outside interface ipaddress for my purpose? Do i need another ipadress "attached" to my outside interface to make rules like NAT? I wonder why even the public server wizard doesn´t work? Is there a know bug that the wizard doesn´t work? Thanks for your quick and good reply!

Hi,

access-list outside_access_in extended permit tcp any interface outside eq www

In newest code you must use the private address not the public natted address so you must change your ACL like this:

access-list outside_access_in extended permit tcp any   eq www

Regards.

Alain.

Don't forget to rate helpful posts.

I tried your suggestion access-list outside_access_in extended permit tcp any   eq www

but it didn´t work. Just for information a had to specify mask after . Any other suggestion?


It looks like the traffic flow and rules are correct but it still doesn´t work.

-

-

Hi,

object network SRV02

  nat (outside,inside) static interface service tcp www www

Isn't there something missing here like the ip address of SRV02 ?

object network SRV02

  host x.x.x.x where x.x.x.x is private address of SRV02

  nat (inside,outside) static interface service tcp www www

Alain.

Don't forget to rate helpful posts.

netbin2009
Level 1
Level 1

I did a factory default reset and tried some. Please have a look and see if i missed out something. I changed to forward smtp service instead of http.

ASA Version 8.4(1)

!

hostname ciscoasa

enable password 2IDkypgMdFNeCGP1 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 87.96.xxx.75 255.255.255.128

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.200.2 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.0.1 255.255.255.0

management-only

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network 87.96.222.1

host 87.96.222.1

object network srv02

host 192.168.200.51

access-list outside_access_in extended permit tcp any host 192.168.200.51 eq smtp

access-list outside_access_in_1 extended permit tcp any any eq smtp

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

object network srv02

nat (inside,outside) static interface service tcp smtp smtp

access-group outside_access_in_1 in interface outside

route outside 0.0.0.0 0.0.0.0 87.96.XXX.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 management

http 192.168.200.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

vpn-addr-assign local reuse-delay 5

dhcpd address 192.168.0.2-192.168.0.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e36b774ee17e4905da70de245a3dea85

: end

ciscoasa(config)#

Hi Fredrick,

Can you use this particular nat instead:

object service tcp_25

  service tcp destination eq 25

nat (outside,inside) source static any any destination static interface srv02 service tcp_25 tcp_25

If it still does not work.

take captures and paste here:

access-list cap permit tcp any host 87.96.xxx.75 eq 25

access-list cap permit tcp host 87.96.xxx.75 any eq 25

access-list cap permit tcp host 192.168.200.51 any eq 25

access-list cap permit tcp any host 192.168.200.51 eq 25

cap capin access-list cap interface inside

cap capo access-list cap interface outside

Initiate some traffic after that and chcek "show cap capin" and "show cap capo"

Thanks,

Varun

Thanks,
Varun Rao

Here is the capture:

1: 06:43:02.344876 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

   2: 06:43:05.327802 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

   3: 06:43:11.327787 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

   4: 06:43:27.957454 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192

   5: 06:43:30.953472 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192

   6: 06:43:36.953930 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192

6 packets shown

6 packets captured

   1: 06:43:02.344617 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192

   2: 06:43:05.327726 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192

   3: 06:43:11.327726 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192

   4: 06:43:27.957195 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192

   5: 06:43:30.953411 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192

   6: 06:43:36.953869 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192

6 packets shown

Thanks!

Hi Fredrik,

I guess we now have the picture a bit more clear:

If you see in the captures, there is no replies from the server for the request, like for a pibg you get request timeout, similarly for tcp, you get SYN timeout and thats what happening.

The client is sending a request to the server but not getting any reply back:

1: 06:43:02.344876 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192

   2: 06:43:05.327802 77.53.145.76.63019 >  192.168.200.51.25: S 2068699776:2068699776(0) win 8192

   3: 06:43:11.327787  77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0)  win 8192

Next step woudl be to troubleshoot on the server end, check if any firewall on the server is blocking the conection or why is it not responding back to the requests.

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao

Thanks for your quick reply! As far as i can check there is no trouble accessing smtp service from inside network. I tried creating the rule in our production Astaro fw and that is work perfectly. Could there be a bug? I think i should try either downgrade or reinstall the running firmware. Any other suggestion i could try?

Can you try this natting:

nat (outside,inside) 1 source dynamic any interface destination static interface srv02 service tcp_25 tcp_25

I dont see this to be a issue with the firewall, beacuse firewall is forwarding the packets but no receiving any replies.

Can you test this and let me know.

Varun

Thanks,
Varun Rao

This is working! Can you explain why?

Fantastic....Check the route and default gateway on the server, it is responding correctly to its own subnet but not sending packets for internet ip's back to the ASA inside interface. Check what is the gateway on the server.

Hope that helps,

Varun

Thanks,
Varun Rao
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: