11-18-2013 07:33 AM - edited 03-11-2019 08:06 PM
Hi guys,
I read docs both from this site and also from Cisco official documentation.
I would like to do port forward to an AP behind ASA. Additionally this AP does not have a default gateway so I also have to change the source address of the incoming packets.
Scenario:
External_IP --> outside_ASA_IP (((ASA 5505))) inside_ASA_IP --> server_IP (no_default_gateway)
Configuration:
object network AP_real
host 10.10.0.10
object network AP_Mapped
host 10.10.0.1
object network AP_External
host 80.82.A.B
object service web_80
service tcp destination eq www
object service web_8080
service tcp destination eq 8080
show ip
Interface Name IP address Subnet mask Method
Vlan2 outside 80.82.A.B 255.255.255.252 CONFIG
Vlan5 home 10.10.0.1 255.255.255.0 CONFIG
When entering the command:
nat (outside,home) source dynamic any AP_Mapped destination static AP_External AP_real service web_80 web_8080
I receive this:
ERROR: Address 80.82.A.B overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Any thoughts? I mention that object AP_External uses the same IP as the outside interface. I don't have any other IP free as ISP gives us /30 on that location.
Thanks in advance!
11-18-2013 07:57 AM
Hi,
Seems for the most part fine to me.
You should only need to change one parameter and it's the one the ASA is giving the ERROR message about. I am not sure why it doesn't let you use the public IP address inside an "object"
Try the command in this way
nat (outside,home) source dynamic any AP_Mapped destination static interface AP_real service web_80 web_8080
We only replace the "object" with the keyword/parameter "interface"
The following format might also do if the interface "home" is in the same network as the AP
nat (outside,home) source dynamic any interface destination static interface AP_real service web_80 web_8080
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
11-18-2013 09:19 AM
Hi Jouni,
Thanks for the input. I tried before with "interface", ASA agreed with the command but no luck on the translation rule:
show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static _vpnc_nem_internal_net _vpnc_nem_internal_net no-proxy-arp route-lookup
translate_hits = 570379, untranslate_hits = 16252
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_nat_exempt
translate_hits = 0, untranslate_hits = 0
3 (outside) to (home) source dynamic any interface destination static interface AP_real service web_80 web_8080
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (home) to (outside) source dynamic obj_home interface
translate_hits = 187810, untranslate_hits = 53728
Here is the config:
show run nat
nat (outside,home) source dynamic any interface destination static interface AP_10 service web_80 web_8080
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj_home
nat (home,outside) dynamic interface
I started a capture, but it matches no packet:
show capture
capture cap1 type raw-data access-list test interface home [Capturing - 0 bytes]
access-list test line 1 extended permit ip any host 10.10.0.10 (hitcnt=3) 0xd1861e38
access-list test line 2 extended permit ip host 10.10.0.10 any (hitcnt=0) 0x9571683f
I also applied an ACL on the outside interface allowing any traffic from my External_IP
show run access-group
access-group outside_access_in in interface outside
5505-01# show access-l outside_access_in
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip host external_IP any (hitcnt=1) 0xdd2a3668
Any thoughts?
11-18-2013 09:28 AM
Hi,
Is this some NEM Client? Just see weird NAT configurations at the highest priority.
You might want to remove the new NAT configuration you did and insert it with a new format like this
no nat (outside,home) source dynamic any interface destination static interface AP_10 service web_80 web_8080
nat (outside,home) 1 source dynamic any interface destination static interface AP_10 service web_80 web_8080
That is, if the ASA even accepts it since the other Section 1 NAT rules seem to be generated by the ASA itself but not shown in the actual CLI configuration
Also the capture doesn't show any data captured but the capture ACL shows hits. I wonder if it has anything to do with the "packet-tracer" command. Have you used it?
- Jouni
11-18-2013 09:44 AM
Yes, this ASA is used as EasyVPN Client:
vpnclient server EASY_VPN_SERVER_IP
vpnclient mode network-extension-mode
vpnclient vpngroup VPN_GROUP password *****
vpnclient username 5505-01 password *****
vpnclient management clear
vpnclient enable
Using nat () 1 will move it to the 1st position in the show nat output? Would this affect the VPN service in any way?
About the ACL hit, this is old as I tried first with only a static nat configuration, and all worked well except the lack of def_gw for the AP; then I moved on for the twice nat and here we are.
11-18-2013 09:47 AM
Hi,
I have not tried such configurations on a NEM Client before. Also, the NEM Clients I have used have been running older software version.
I am not sure if the ASA will even accept the command considering the other NAT configurations are generated by the ASA. We usually host all external services on the actual ASA acting as the VPN server.
- Jouni
11-18-2013 10:44 AM
Ok, so finally it works. The trouble was caused by the ports; let's have a look if possible:
5505-01(config)# $stination static interface AP_10 service ?
configure mode commands/options:
WORD Specify object name for real service
any All service objects
From this contextual help I thought the real service was linked with the private IP, the IP address from the home interface....
So I rewrote the command:
nat (outside,home) 1 source dynamic any interface destination static interface AP_10 service web_8080 web_80
and it works perfectly. What is to be learned from here: the service syntax is directly related to the interface order in the brackets.
Back in the old days, this port-forward command was using a mirror effect on the syntax, right?
11-18-2013 10:54 AM
Hi,
The only thing I checked regarding the "object service" was that you were using the "destination" rather than the "source". This is because we're doing the "nat" configuration from the perspective that the LAN network is the "destination" (outside -> home). Therefore the Static PAT configurations are in the "nat" command's "destination" section and the "object service" also refers to the "destination".
I guess I could have guessed that you would rather want to map a mapped port of TCP/80 to real port TCP/8080 rather than the other way around. Saves you from typing the port in addition to the IP address when connecting from outside the network.
In general the new "nat" format is
nat (sourceint,destint) source
The old format regarding Static PAT was
static (sourceint,destint)
- Jouni
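Added example (not from the thread or from Cisco): a small Python model of how the final rule, nat (outside,home) 1 source dynamic any interface destination static interface AP_10 service web_8080 web_80, rewrites a forwarded connection and its reply. It encodes the twice-NAT ordering the thread settled on (destination objects are mapped then real, service objects are real then mapped, real/mapped sides follow the interface order) and contrasts it with the first, reversed attempt; the outside address and client IP are constructed RFC 5737 placeholders, and source ports are kept unchanged for simplicity.

```python
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF_IP = "203.0.113.2"   # constructed stand-in for the thread's 80.82.A.B
HOME_IF_IP = "10.10.0.1"        # 'home' interface IP from the thread's 'show ip'
AP_REAL_IP = "10.10.0.10"       # object network AP_real (AP_10), no default gateway


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class TwiceNatRule:
    """nat (real_if,mapped_if) source dynamic any <mapped_src>
           destination static <mapped_dst> <real_dst> service <real_svc> <mapped_svc>"""

    def __init__(self, mapped_src, mapped_dst, real_dst, real_port, mapped_port):
        self.mapped_src, self.mapped_dst, self.real_dst = mapped_src, mapped_dst, real_dst
        self.real_port, self.mapped_port = real_port, mapped_port
        self.xlate = {}   # translated 4-tuple -> original client flow (the xlate table)

    def translate(self, f: Flow) -> Optional[Flow]:
        """Inbound on the real (outside) side: match the MAPPED destination IP and port."""
        if (f.dst_ip, f.dst_port) != (self.mapped_dst, self.mapped_port):
            return None
        # source becomes the home interface IP so the AP can answer without a default gateway
        out = Flow(self.mapped_src, f.src_port, self.real_dst, self.real_port)
        self.xlate[(out.src_ip, out.src_port, out.dst_ip, out.dst_port)] = f
        return out

    def untranslate(self, reply: Flow) -> Optional[Flow]:
        """Reply from the AP toward the home IP: restore the outside client's view."""
        orig = self.xlate.get((reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port))
        if orig is None:
            return None
        return Flow(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)


# Final command from the thread: service web_8080 web_80 (real 8080, mapped 80)
WORKING = TwiceNatRule(HOME_IF_IP, OUTSIDE_IF_IP, AP_REAL_IP, real_port=8080, mapped_port=80)
# First attempt: service web_80 web_8080 (real 80, mapped 8080), i.e. the ports reversed
REVERSED = TwiceNatRule(HOME_IF_IP, OUTSIDE_IF_IP, AP_REAL_IP, real_port=80, mapped_port=8080)

CLIENT = Flow("198.51.100.7", 51000, OUTSIDE_IF_IP, 80)   # constructed outside client on :80


def demo():
    fwd = WORKING.translate(CLIENT)   # 10.10.0.1:51000 -> 10.10.0.10:8080
    back = WORKING.untranslate(Flow(fwd.dst_ip, fwd.dst_port, fwd.src_ip, fwd.src_port))
    return fwd, back, REVERSED.translate(CLIENT)   # reversed rule never matches port 80
```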
11-19-2013 03:17 AM
Thank you Jouni, nice walkthrough on this problem!