11-25-2011 05:15 AM - edited 03-11-2019 02:55 PM
Hi
Configuring an asa 5505 with 8.42 software.
I need to access an https server on the inside via the outside interface.
I have moved the http server enable to port 10443
Tried to make a "network object nat rule"
Have even checked the video :-)
I can't get access.
Packet tracer points to the nat rule.
object network Vejrstation
 host 192.168.4.15
object network Vejrstation
 nat (any,outside) static interface service tcp https https
Where do I go wrong?
Labels: NGFW Firewalls

11-25-2011 06:35 AM
Hi Ajay,
8.3 NAT is all flow-based NAT; the one that was used earlier is called auto NAT and the one I used is manual NAT. My NAT statement means: any source coming from outside should be translated to itself if it is hitting the outside interface on port 443, and that should be translated to the internal IP. It's still the same thing.
Please try this:
packet-tracer input outside tcp 4.2.2.2 23456
and please paste that here.
Thanks,
Varun
Varun Rao
11-25-2011 06:42 AM
Thanks Varun.
Another question comes here: as he has shown in the log, any packet that comes for the public IP (interface) on port 443 is getting denied.
11-25-2011 06:44 AM
packet-tracer input outside tcp 4.2.2.2 23456 83.89.223.42 443 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate 83.89.223.42/443 to 192.168.4.15/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Vejrstation eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb395078, priority=13, domain=permit, deny=false
hits=8, user_data=0xc94ddbd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.15, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb36e208, priority=0, domain=inspect-ip-options, deny=true
hits=200, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb332e68, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=170, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3478d8, priority=0, domain=host-limit, deny=false
hits=23, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcbebe160, priority=6, domain=nat-reverse, deny=false
hits=8, user_data=0xcbebe4d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.15, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb343f80, priority=0, domain=inspect-ip-options, deny=true
hits=35, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 215, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
11-25-2011 07:14 AM
Seems like I have traffic through now.
Don't really know why ;-)

11-25-2011 07:17 AM
The packet-tracer shows everything is fine, is it still not working??
Varun
Varun Rao
11-25-2011 07:19 AM
I changed the dynamic NAT to a network object rule.
Looks like that made a difference.

11-25-2011 07:23 AM
Hi,
In 8.3 NAT, the order of operation for NAT rules is: first the manual NAT is hit and then the auto NAT. When you had configured the dynamic NAT as auto NAT, it might have been hitting it every time instead of the static rule that you had configured as object NAT; deleting it and moving it down in the NAT list made the difference.
Thanks,
Varun
Varun Rao
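To make packet-tracer output like the trace pasted above quicker to read while troubleshooting a NAT or ACL problem, here is an added Python example (not from this thread, not Cisco code) that pulls the per-phase results, the un-NAT mapping and the final action out of a trace and names the first phase that dropped the flow. The two sample traces are constructed, abbreviated to the format of the thread's output; the `Drop-reason` text in the second one is hypothetical.

```python
import re
# Constructed sample in the format of the packet-tracer output posted in the
# thread (abbreviated; addresses are the ones shown in the thread).
TRACE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Untranslate 83.89.223.42/443 to 192.168.4.15/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Result:
Action: allow
"""
# Constructed variant (hypothetical text): same flow, but the inbound ACL has
# no permit for the real host, so phase 2 (ACCESS-LIST) drops it.
TRACE_DROP = TRACE_ALLOW.replace("Result: ALLOW\n\nResult:", "Result: DROP\n\nResult:").replace(
    "Action: allow", "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule")

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\nType:\s*(\S+)\nSubtype:[ \t]*(.*)\nResult:\s*(\S+)", re.M)
UNNAT_RE = re.compile(r"^Untranslate (\S+) to (\S+)", re.M)
ACTION_RE = re.compile(r"^Action:\s*(\S+)", re.M)
DROP_RE = re.compile(r"^Drop-reason:\s*(.*)$", re.M)

def parse_trace(text):
    """Phase results, un-NAT mapping, final action and the first DROP phase."""
    phases = [(int(n), typ, res) for n, typ, _sub, res in PHASE_RE.findall(text)]
    unnat, action, drop = (r.search(text) for r in (UNNAT_RE, ACTION_RE, DROP_RE))
    return {
        "phases": phases,
        "untranslate": unnat.groups() if unnat else None,
        "action": action.group(1) if action else None,
        "drop_reason": drop.group(1).strip() if drop else None,
        "first_drop": next(((n, t) for n, t, r in phases if r == "DROP"), None),
    }

def verdict(text, expected_real):
    """One line: did the flow un-NAT to the expected real host, or where did it die?"""
    info = parse_trace(text)
    if info["first_drop"]:
        return "dropped at phase %d (%s): %s" % (info["first_drop"] + (info["drop_reason"] or "?",))
    real = info["untranslate"][1] if info["untranslate"] else None
    if real is None or not real.startswith(expected_real + "/"):
        return "allowed, but un-NAT went to %s instead of %s" % (real, expected_real)
    return "allowed, un-NAT to %s" % real
```

Paste a real trace into `verdict(trace, "192.168.4.15")` to confirm in one line that the UN-NAT phase picked the intended inside host and that no later phase (ACL, RPF check) dropped the flow.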
