12-28-2013 06:26 AM - edited 03-11-2019 08:22 PM
I am testing an ASA 5550 to allow inside servers outside access through static NAT. I have read Cisco's documentation about how to set it up.
My test network:
OUTSIDE ROUTER (2811) ----------(OUTSIDE) ASA 5550 (INSIDE)(OSPF)-----------INSIDE ROUTER (2811) (OSPF)---------SERVERS
My config works fine and I am able to change my ACLs for my test servers.
But when I bring this into production, the ASA does not allow inbound connections from outside. Here is my production network:
ISP ---------------(OUTSIDE) ASA 5550 (INSIDE)(OSPF)---------(OSPF)NEXUS 7K(OSPF)---------SERVERS
I am not able to pass ASA using static NAT for my servers. I am using the same config in both cases and it is below. Do you see anything that might block access from outside to inside servers?
Thanks
ASA Version 9.1(4)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
multicast-routing
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.10.1.5 255.255.255.252
 ospf message-digest-key 1 md5 *****
 ospf authentication message-digest
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 1.4.18.194 255.255.255.192
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name net
same-security-traffic permit intra-interface
object network WEB
 host 10.100.2.104
object network RAS
 host 10.100.99.2
object network box
 host 10.120.1.201
object network inside_network
 subnet 10.0.0.0 255.0.0.0
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit gre any any
!
mtu INSIDE 1500
mtu OUTSIDE 1500
ip verify reverse-path interface OUTSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network WEB
 nat (INSIDE,OUTSIDE) static 1.4.18.195
object network RAS
 nat (INSIDE,OUTSIDE) static 1.4.18.196
object network box
 nat (INSIDE,OUTSIDE) static 1.4.18.198
object network inside_network
 nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_IN in interface OUTSIDE
!
router ospf 10
 router-id 10.10.1.5
 network 10.10.1.4 255.255.255.252 area 0
 log-adj-changes
 default-information originate metric 95
!
route OUTSIDE 0.0.0.0 0.0.0.0 1.4.18.193 1
!
dynamic-access-policy-record DfltAccessPolicy
service resetoutside
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect icmp
  inspect ipsec-pass-thru
  inspect mgcp
  inspect http
!
service-policy global_policy global
prompt hostname context
12-29-2013 01:04 PM
Hi;
What device is on the production network? Is that device doing NAT for your current setup?
The ASA does not send a GARP for the Global assigned addresses when it is plugged into the network.
That being said, you may need to clear the ARP entries on the upstream router to make sure that it doesn't have the old ARP entries.
Let me know if you have any questions.
Mike
12-29-2013 08:34 PM
Hi Maykol,
If I use a Cisco 2911 to do NAT in production, I have no problem with inbound or outbound traffic. But as soon as I replace the router with the ASA 5550 (using the above config), the device does not allow inbound traffic even though I allow pretty much anything coming from outside. All inside hosts are able to reach the Internet.
Do you know the timeout for those GARP entries?
I notice that if I use
object network WEB
 nat (INSIDE,OUTSIDE) static 1.4.18.195 service tcp 80 80
the device allows inbound traffic, but why does it not work without port redirection?
Thanks
John
12-29-2013 09:10 PM
Hi;
Well, it is just like any other ARP entry: 4 hours. However, on the upstream router you can clear the ARP table and that should do the trick.
It should work with both one-to-one and port redirection.
Mike
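As an added example that is not part of this thread or of Cisco's tooling: a small checker that parses the object NAT and interface lines of the posted config (the `ASA_CONFIG` sample, `parse_asa` and `arp_check` are assumed names), lists each mapped global address, marks whether it sits on the OUTSIDE interface subnet (the addresses whose ARP entries Mike says to verify or clear on the upstream router after swapping the NAT device), and separates one-to-one statics from the port-redirect form John tried.

```python
import ipaddress
import re
# Constructed sample: NAT-relevant lines from the thread's ASA config, WEB in John's port form.
ASA_CONFIG = """\
interface GigabitEthernet0/3
 nameif OUTSIDE
 ip address 1.4.18.194 255.255.255.192
object network WEB
 host 10.100.2.104
object network RAS
 host 10.100.99.2
object network WEB
 nat (INSIDE,OUTSIDE) static 1.4.18.195 service tcp 80 80
object network RAS
 nat (INSIDE,OUTSIDE) static 1.4.18.196
object network inside_network
 nat (INSIDE,OUTSIDE) dynamic interface
"""

def parse_asa(config):
    """One pass over the config: nameif -> subnet, object -> real host, and the static NAT lines."""
    ifaces, hosts, statics = {}, {}, []
    block = ("", "")  # ("iface", name) or ("obj", name) for the enclosing block
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            block = ("iface", m.group(1))
            ifaces[block[1]] = {}
        elif m := re.match(r"object network (\S+)", line):
            block = ("obj", m.group(1))
        elif block[0] == "iface":
            if m := re.match(r"\s+nameif (\S+)", line):
                ifaces[block[1]]["nameif"] = m.group(1)
            elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
                ifaces[block[1]]["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"\s+host (\S+)", line):
            hosts[block[1]] = m.group(1)
        elif m := re.match(r"\s+nat \((\S+),(\S+)\) static (\S+)(.*)", line):
            statics.append((block[1], m.group(2), m.group(3), "service" in m.group(4)))
    nets = {v["nameif"]: v["net"] for v in ifaces.values() if "nameif" in v and "net" in v}
    return nets, hosts, statics

def arp_check(config):
    """Mapped addresses on the mapped-side interface subnet are resolved by the upstream router
    via ARP, so a stale entry pointing at the replaced NAT device blackholes inbound traffic."""
    nets, hosts, statics = parse_asa(config)
    return [{"object": obj, "real": hosts.get(obj), "mapped": ip,
             "on_link": mapped_if in nets and ipaddress.ip_address(ip) in nets[mapped_if],
             "kind": "port-redirect" if port_static else "one-to-one"}
            for obj, mapped_if, ip, port_static in statics]
```

Run `arp_check(ASA_CONFIG)` against the full production config to get the list of globals to compare with the upstream router's ARP table before and after the cutover.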