2956 Views, 0 Helpful, 21 Replies

ASA 8.4(2) NAT problems

pbuch
Level 1

Hi

Configuring an ASA 5505 with 8.4(2) software.

I need to access an https server on the inside via the outside interface.

I have moved the http server enable to port 10443

Tried to make a "network object nat rule"

Have even checked the video :-)

I can't get access.

Packet tracer points to the nat rule.

object network Vejrstation

host 192.168.4.15

object network Vejrstation

nat (any,outside) static interface service tcp https https

Where am I going wrong?

Accepted Solution

The packet-tracer shows everything is fine; is it still not working?

Varun

Thanks,
Varun Rao


21 Replies

pbuch
Level 1

The log says

3 | Nov 25 2011 | 06:03:49 | 188.177.226.89 | 3436 | 83.89.223.42 | 443 | TCP access denied by ACL from 188.177.226.89/3436 to outside:83.89.223.42/443

access-list outside_access_in extended permit object https any object Vejrstation

but why?

No hits on the access-list.

ajay chauhan
Level 7

Use nat (inside,outside), since, as you said, the server is in the inside zone.

Thanks

Ajay

I have tried that, same result, except that the tracer says ok.

Change your outside ACL as well, since the packet is not coming directly for 192.168.4.15.

You should allow the ACL for the public IP which is going to be mapped.

Not according to the video... but I have tried that.

Post your full config.

: Saved
:
ASA Version 8.4(2)
!
hostname xxxxxxxxxx
enable password EnFClNY/JeYR4dhI encrypted
passwd EnFClNY/JeYR4dhI encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.4.6 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.89.223.42 255.255.255.252
!
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.8.0-6
subnet 192.168.8.0 255.255.255.248
object network obj-192.168.18.0
subnet 192.168.18.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network obj-192.168.15.0
subnet 192.168.15.0 255.255.255.0
object network obj-192.168.251.0
subnet 192.168.251.0 255.255.255.0
object service https
service tcp destination eq https
object service 4001
service tcp destination eq 4001
object network Vejrstation
host 192.168.4.15
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.8.0 255.255.255.248
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit tcp any object Vejrstation eq https
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool vpnklient 192.168.4.51-192.168.4.55
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.4.0 obj-192.168.4.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.8.0-6 obj-192.168.8.0-6 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.18.0 obj-192.168.18.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.15.0 obj-192.168.15.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.251.0 obj-192.168.251.0 no-proxy-arp
nat (inside,outside) source dynamic any interface
!
object network Vejrstation
nat (inside,outside) static interface service tcp https https
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.89.223.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 10443
http 192.168.1.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 inside
http 188.177.226.88 255.255.255.248 outside
http 188.120.69.106 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpnswarcolan esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set vpnklientswarco esp-aes-256 esp-md5-hmac
crypto dynamic-map vpnklientswarco 10 set ikev1 transform-set vpnklientswarco
crypto map partnermap 200 match address 200
crypto map partnermap 200 set pfs group1
crypto map partnermap 200 set peer 93.162.119.26 89.88.87.89
crypto map partnermap 200 set ikev1 transform-set vpnswarcolan
crypto map partnermap 65535 ipsec-isakmp dynamic vpnklientswarco
crypto map partnermap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash md5
group 1
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 87.48.245.198 255.255.255.255 outside
ssh 188.120.69.106 255.255.255.255 outside
ssh 188.177.226.88 255.255.255.248 outside
ssh timeout 60
console timeout 0
management-access inside

dhcpd dns 194.239.134.83 193.162.153.164
!
dhcpd address 192.168.4.190-192.168.4.220 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnklientswarco internal
group-policy vpnklientswarco attributes
dns-server value 194.239.134.83 193.162.153.164
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
username swarco password .FRI9vfYdLduSJia encrypted privilege 15
username jep-it password 1aqZEKKMU1dntc85 encrypted privilege 15
tunnel-group 93.162.119.26 type ipsec-l2l
tunnel-group 93.162.119.26 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group vpnklientswarco type remote-access
tunnel-group vpnklientswarco general-attributes
address-pool vpnklient
default-group-policy vpnklientswarco
tunnel-group vpnklientswarco ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 89.88.87.89 type ipsec-l2l
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dec4c88475f8dd4ceeaebc23b2f4cf94
: end

Hi,

This should be your configuration:

object network Vejrstation

host 192.168.4.15

object service tcp_https

  service tcp destination eq 443

nat (outside,inside) source static any any destination static interface Vejrstation service tcp_https tcp_https

access-list outside_access_in extended permit tcp any object Vejrstation eq 443

access-group outside_access_in in interface outside

This should do; if not, then you would need to check which party is not responding by using captures. Also, can you post the output of packet-tracer?

Thanks,

Varun

Thanks,
Varun Rao

Varun,

Just wondering why it should be nat (outside,inside) as you suggested.

Isn't he trying to map the internal IP to the interface IP of the outside interface for redirection?

I can only see one thing here: that the access is blocked from outside.

Also, the capture should be sourced from outside.

Thanks

Ajay

Capture was sourced from outside.

Do not put the private IP; that won't work.

Please edit your outside ACL to allow source any, destination 83.89.223.42 eq 443.

Hi Ajay,

He has done it correctly. In 8.3, you don't use the public IP of the , instead you use the private IP, because the order of operation has changed: first the packet is un-NATted, and then the access-list is hit.

Thanks,

Varun

Thanks,
Varun Rao
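The order-of-operations point Varun makes above (8.3+ un-NATs the inbound packet before the outside ACL is evaluated, so the ACL must name the real host) is illustrated by the following small model. This is an added example, not code from the thread or from Cisco; the addresses are the ones in the posted config, and the packet, the two candidate ACLs and the version switch are constructed for illustration.

```python
# Constructed model of ASA inbound evaluation before and after 8.3 (added example).
from dataclasses import dataclass

OUTSIDE_IF_IP = "83.89.223.42"  # outside interface IP from the posted config
VEJRSTATION = "192.168.4.15"    # object network Vejrstation (real host)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Static NAT table: (mapped ip, mapped port) -> (real ip, real port), modelling
# "nat (inside,outside) static interface service tcp https https".
NAT_STATIC = {(OUTSIDE_IF_IP, 443): (VEJRSTATION, 443)}


def untranslate(pkt: Packet) -> Packet:
    """Replace the mapped destination with the real one if a static NAT matches."""
    real = NAT_STATIC.get((pkt.dst, pkt.dport))
    return Packet(pkt.src, real[0], real[1]) if real else pkt


def acl_permits(acl, pkt: Packet) -> bool:
    """ACL entries are (dst_host, dport) permits; anything unmatched is implicitly denied."""
    return any(dst == pkt.dst and port == pkt.dport for dst, port in acl)


def inbound_allowed(pkt: Packet, acl, asa_83_or_later: bool) -> bool:
    """8.3+: un-NAT first, then ACL on the real IP. Pre-8.3: ACL on the mapped IP, then NAT."""
    if asa_83_or_later:
        return acl_permits(acl, untranslate(pkt))
    return acl_permits(acl, pkt)


ACL_REAL_IP = [(VEJRSTATION, 443)]      # the poster's outside_access_in (real host)
ACL_MAPPED_IP = [(OUTSIDE_IF_IP, 443)]  # ACL written against the public interface IP
# Constructed client packet using the source address seen in the posted log line.
INBOUND = Packet("188.177.226.89", OUTSIDE_IF_IP, 443)


def outcomes() -> dict:
    """Which ACL style lets the HTTPS connection through, per ASA generation."""
    return {
        ("8.3+", "acl on real ip"): inbound_allowed(INBOUND, ACL_REAL_IP, True),
        ("8.3+", "acl on mapped ip"): inbound_allowed(INBOUND, ACL_MAPPED_IP, True),
        ("pre-8.3", "acl on real ip"): inbound_allowed(INBOUND, ACL_REAL_IP, False),
        ("pre-8.3", "acl on mapped ip"): inbound_allowed(INBOUND, ACL_MAPPED_IP, False),
    }
```

Only the 8.3+ row with the ACL on the real host permits the connection, which is why the poster's ACL referencing object Vejrstation is the right shape on 8.4(2) and why it would have had to name 83.89.223.42 on older code.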