11-09-2007 04:38 AM - edited 02-21-2020 01:46 AM
Hi there!
For the last two days I've been working on a very strange issue regarding 'static' or '1:1' mapping. Here is the scenario:
I have one firewall (ASA 5505) with two interfaces (vlan1, which is the 'inside', and vlan2, which is the outside). Vlan1 has the default security level 100 and vlan2 has security level 0. So, I have an IP address configured on vlan2 (10.0.0.2) with gateway 10.0.0.1. On the other interface I have configured the IP address 192.168.0.1.
192.168.0.1(inside +ASA+ outside)10.0.0.2
Behind vlan1, I have a network station with IP address 192.168.0.2. The goal is to achieve two-way NAT (static) for all packets going from 192.168.0.2 to be translated into the public IPv4 address x.x.x.x. For this I'm using the static command with the following arguments:
static (inside,outside) x.x.x.x 192.168.0.2 netmask 255.255.255.255
And here is where my problems started. From inside to outside (I mean traffic initiated from 192.168.0.2) everything looks fine. The address is translated into x.x.x.x and it works fine. BUT when I try to reach the IP address x.x.x.x from an IP located behind the outside interface (let's say from 10.0.0.1), the traffic IS NOT redirected to the address 192.168.0.2 (which the static command should process) but is processed by the ASA itself, as if the traffic were destined for 10.0.0.2 (which is the outside IP address of the firewall). I have configured an access-list which permits ip from any to any (for testing purposes), applied as an access-group for inbound traffic on the outside interface:
[snip]
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
[/snip]
Can anyone give me a clue, because I'm getting desperate! What should I do to stop the ASA processing this traffic, which should be redirected/translated? One more thing. I did a network scan with the nmap software to check the open ports of the ASA (here is the result):
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
Which application is using the http-proxy port? Because my problems start here (traffic destined to x.x.x.x has dst port 8080, so I believe there must be a reason for the ASA to process it by itself).
Best Regards,
Danail Petrov
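The configuration described in the post, as an added example that is not part of the original thread or of Cisco's own code: a small Python model of the pre-8.3 ASA's order of operations for a packet arriving on the outside interface (own-address check first, then the inbound ACL evaluated against the mapped address, then static untranslation to the real host). It goes slightly beyond the post by also handling the subnet form of the static command (a netmask wider than /32). The public address 203.0.113.10 standing in for x.x.x.x, the tightened ACL, the ASA address set and the packet dictionaries are all assumptions constructed for the example.

```python
"""Simulate how a pre-8.3 Cisco ASA classifies a packet arriving on 'outside'
when a one-to-one 'static' translation is configured.  Added example, not code
from the post or from Cisco.  203.0.113.10 stands in for x.x.x.x (assumption);
the ACL grammar is a small subset ('any' / 'host A.B.C.D', optional 'eq PORT')."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Static:
    real_if: str          # interface the real (inside) address lives on
    mapped_if: str        # interface on which the mapped (public) address is presented
    mapped: IPv4Network
    real: IPv4Network


def parse_static(line):
    """Parse 'static (REAL_IF,MAPPED_IF) MAPPED REAL netmask MASK'.
    A /32 mask is a host static; a wider mask maps a whole subnet one-to-one."""
    tok = line.split()
    if len(tok) != 6 or tok[0] != "static" or tok[4] != "netmask":
        raise ValueError(f"not a static command: {line!r}")
    real_if, mapped_if = tok[1].strip("()").split(",")
    return Static(real_if, mapped_if,
                  IPv4Network(f"{tok[2]}/{tok[5]}", strict=False),
                  IPv4Network(f"{tok[3]}/{tok[5]}", strict=False))


def _shift(src_net, dst_net, addr):
    """Carry the host bits of addr from src_net into dst_net (one-to-one mapping)."""
    return IPv4Address(int(dst_net.network_address) + (int(addr) - int(src_net.network_address)))


def translate(static, real_addr):
    """Inside -> outside: real address to mapped (public) address."""
    return _shift(static.real, static.mapped, IPv4Address(real_addr))


def untranslate(static, mapped_addr):
    """Outside -> inside: mapped (public) address back to the real address."""
    return _shift(static.mapped, static.real, IPv4Address(mapped_addr))


def parse_acl_entry(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line!r}")
    pos = 5

    def endpoint():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return IPv4Network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return IPv4Network(f"{tok[pos - 1]}/32")
        raise ValueError(f"unsupported endpoint {tok[pos]!r}")

    src, dst = endpoint(), endpoint()
    port = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return {"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "port": port}


def _acl_matches(entry, pkt):
    return (entry["proto"] in ("ip", pkt["proto"])
            and IPv4Address(pkt["src"]) in entry["src"]
            and IPv4Address(pkt["dst"]) in entry["dst"]
            and entry["port"] in (None, pkt["dport"]))


def classify_outside_packet(pkt, asa_addrs, acl, statics):
    """pkt = {'proto', 'src', 'dst', 'dport'} arriving on 'outside'.
    Returns (verdict, inside_destination_or_None)."""
    dst = IPv4Address(pkt["dst"])
    # 1. Traffic to one of the box's own interface addresses is terminated on the
    #    ASA itself; it never reaches the interface ACL or the translation table.
    if dst in asa_addrs:
        return ("handled-by-asa", None)
    # 2. Pre-8.3 code evaluates the inbound ACL against the mapped (public)
    #    destination, before untranslation; every ACL ends with an implicit deny.
    for entry in acl:
        if _acl_matches(entry, pkt):
            if entry["action"] == "deny":
                return ("denied", None)
            break
    else:
        return ("denied", None)
    # 3. A matching static entry untranslates the mapped destination to the real host.
    for s in statics:
        if s.mapped_if == "outside" and dst in s.mapped:
            return ("forwarded", str(untranslate(s, dst)))
    return ("no-translation", None)


# Constructed configuration mirroring the post, with x.x.x.x = 203.0.113.10 (assumption).
ASA_ADDRS = {IPv4Address("192.168.0.1"), IPv4Address("10.0.0.2")}
STATICS = [parse_static("static (inside,outside) 203.0.113.10 192.168.0.2 netmask 255.255.255.255")]
ACL_ANY = [parse_acl_entry("access-list outside_access_in extended permit ip any any")]
# Tighter alternative: expose only tcp/8080 on the mapped address instead of every port.
ACL_8080 = [parse_acl_entry("access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 8080")]
```

Run against the posted configuration, a TCP packet from 10.0.0.1 to 203.0.113.10:8080 comes out as forwarded to 192.168.0.2, while one addressed to 10.0.0.2 is handled by the ASA itself; the only branch in the model that produces the symptom in the post is the own-address check. The ACL_8080 variant shows what the "permit ip any any" test rule gives away: with a host static every port of 192.168.0.2 is reachable through x.x.x.x unless the inbound ACL narrows it.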
11-11-2007 08:17 PM
I guess you must have a router after the firewall. It's hard to advise without a picture of the whole architecture. I used an ASA 5505
with the following architecture:
Inside Network or vlan 1 > ASA > DSL Modem
How many public addresses do you have available?
Do you have any other translations (PAT?)
Why not give a public address to the outside interface of the ASA instead of 10.0.0.2?
The setting: private address on inside, public address on outside should fix the problem.