cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1170
Views
10
Helpful
3
Replies

ASA 5550 (9.1) inbound connectivity issues

1johnsmith
Level 1
Level 1

I am testing ASA 5550 to allow inside servers outside access through static NAT. I have done reading Cisco's documentation about how to set it up.

my test network:

OUTSIDE ROUTER (2811) ----------(OUTSIDE) ASA 5550 (INSIDE)(OSPF)-----------INSIDE ROUTER (2811) (OSPF)---------SERVERS

my config works fine and I am able to change my ACLs for my test servers.

But when I bring this into the production, ASA does not allow inbound connections from outside.here is my production network:

ISP ---------------(OUTSIDE) ASA 5550 (INSIDE)(OSPF)---------(OSPF)NEXUS 7K(OSPF)---------SERVERS

I am not able to pass ASA using static NAT for my servers. I am using the same config in both cases and it is below. Do you see anything that might block access from outside to inside servers?

Thanks

ASA Version 9.1(4)

!

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

!

multicast-routing

!

interface GigabitEthernet0/0

nameif INSIDE

security-level 100

ip address 10.10.1.5 255.255.255.252

ospf message-digest-key 1 md5 *****

ospf authentication message-digest

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

speed 100

duplex full

nameif OUTSIDE

security-level 0

ip address 1.4.18.194 255.255.255.192

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name net

same-security-traffic permit intra-interface

object network WEB

host 10.100.2.104

object network RAS

host 10.100.99.2

object network box

host 10.120.1.201

object network inside_network

subnet 10.0.0.0 255.0.0.0

access-list OUTSIDE_IN extended permit icmp any any

access-list OUTSIDE_IN extended permit ip any any

access-list OUTSIDE_IN extended permit gre any any

!

mtu INSIDE 1500

mtu OUTSIDE 1500

ip verify reverse-path interface OUTSIDE

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network WEB

nat (INSIDE,OUTSIDE) static 1.4.18.195

object network RAS

nat (INSIDE,OUTSIDE) static 1.4.18.196

object network box

nat (INSIDE,OUTSIDE) static 1.4.18.198

object network inside_network

nat (INSIDE,OUTSIDE) dynamic interface

access-group OUTSIDE_IN in interface OUTSIDE

!

router ospf 10

router-id 10.10.1.5

network 10.10.1.4 255.255.255.252 area 0

log-adj-changes

default-information originate metric 95

!

route OUTSIDE 0.0.0.0 0.0.0.0 1.4.18.193 1

!

dynamic-access-policy-record DfltAccessPolicy

service resetoutside

!

tls-proxy maximum-session 1000

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect pptp

  inspect icmp

  inspect ipsec-pass-thru

  inspect mgcp

  inspect http

!

service-policy global_policy global

prompt hostname context

3 Replies 3

Maykol Rojas
Cisco Employee
Cisco Employee

Hi;

What device is on the production network? Is that device doing NAT for your current setup?

The ASA does not send a GARP for the Global assigned addresses when it is plugged into the network. 

That being said you may need to clear the ARP entries on the upstream router to make sure that it doesnt have the old ARP entries.

Let me know if you have any questions.

Mike

Mike

Hi Maykol,

If I use Cisco 2911 to do NAT in production, I have not problem with inbound or outbound traffic. But as soon as I replace the router with ASA 5550 (using the above config), device does not allow inbound traffic even though I allow pretty much anything coming from outside. All inside hosts are able to reach to the Internet.

Do you know the timeout for those GARP entries?

I notice that if I use

object network WEB

nat (INSIDE,OUTSIDE) static 1.4.18.195 service tcp 80 80

device allows inbound traffic but why does it not work without port redirection?

Thanks

John

Hi;

Well, is just like any other ARP entry. 4 hours. However, on the upstream router you can clear the ARP table and that should do the trick.

It should work with both, one to one and Port redirection.

Mike

Mike
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: