04-29-2018 12:28 AM - edited 02-21-2020 07:41 AM
Hello everyone,
I hope I can get some help with my configuration of my ASA.
The current situation:
5 Public IP addresses.
2 servers that need to connect to the internet.
Server1 is already connected to the internet at the 2nd Public IP.
Server2 needs to be connected to the internet with multiple ports (5001 to 5001 & 2222 to 2222) at the 1st Public IP address, so it can be accessed from the WAN side.
But at this moment I can't even get it working with just 1 port.
I tried several NAT rules but nothing seems to work.
Can someone guide me into the right direction?
Have a nice day.
S.O.
ASA Version 9.4(4)16
!
hostname ASA-5515
domain-name xxxxxxx.local
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
ip local pool VPN-Clients 172.17.2.1-172.17.2.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
description WAN Interface
nameif outside
security-level 0
ip address 1st Public IP 255.255.255.248
!
interface GigabitEthernet0/1
description LAN Interface
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.3
description DMZ
vlan 3
nameif inside_vlan3
security-level 100
ip address 172.16.0.254 255.255.255.0
!
interface GigabitEthernet0/1.250
description Management
vlan 250
nameif inside_vlan250
security-level 100
ip address 192.168.250.254 255.255.255.0
!
interface GigabitEthernet0/1.251
description Server
vlan 251
nameif inside_vlan251
security-level 100
ip address 192.168.251.254 255.255.255.0
!
interface GigabitEthernet0/1.252
description Printer
vlan 252
nameif inside_vlan252
security-level 100
ip address 192.168.252.254 255.255.255.0
!
interface GigabitEthernet0/1.253
description Test
vlan 253
nameif inside_vlan253
security-level 100
ip address 192.168.253.254 255.255.255.0
!
interface GigabitEthernet0/1.254
description Guest
vlan 254
nameif inside_vlan254
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface GigabitEthernet0/1.255
description Production
vlan 255
nameif inside_vlan255
security-level 100
ip address 192.168.255.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa944-16-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
domain-name xxxxxx.local
object network inside_vlan255
subnet 192.168.255.0 255.255.255.0
object network inside_vlan254
subnet 192.168.254.0 255.255.255.0
object network inside_vlan253
subnet 192.168.253.0 255.255.255.0
object network inside_vlan252
subnet 192.168.252.0 255.255.255.0
object network inside_vlan251
subnet 192.168.251.0 255.255.255.0
object network inside_vlan250
subnet 192.168.250.0 255.255.255.0
object network Server1_TCP_8080-80
host 172.16.0.1
object network Server1-external-ip
host 2nd Public IP
object network inside_vlan3
subnet 172.16.0.0 255.255.255.0
object network Server1_TCP_eq_5001
host 172.16.0.1
object network Server1
host 172.16.0.1
object service 445
service tcp destination eq 445
object service 8080-80
service tcp source eq www destination eq 8080
object network Server2
host 192.168.253.2
object network Server1-external-ip
host 1st Public IP
object network Server2_TCP_eq_5001
host 192.168.253.2
object network Server2_TCP_eq_2222
host 192.168.253.2
object service 2222
service tcp source eq 2222 destination eq 2222
object service 5001
service tcp source eq 5001 destination eq 5001
object-group network RFC_1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group user VPN-Client
description Use of Cisco VPN Client
user LOCAL\user1
access-list outside_in extended permit tcp any object Server1_TCP_8080-80 eq 8080
access-list outside_in extended permit tcp any object Server1_TCP_eq_5001 eq 5001
access-list outside_in extended permit tcp object Server2-external-ip object Server2_TCP_eq_5001 eq 5001
access-list VPN-Clients_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging facility 16
mtu outside 1500
mtu inside_vlan3 1500
mtu inside_vlan250 1500
mtu inside_vlan251 1500
mtu inside_vlan252 1500
mtu inside_vlan253 1500
mtu inside_vlan254 1500
mtu inside_vlan255 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside_vlan255
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside_vlan255
nat (inside_vlan255,outside) dynamic interface
object network inside_vlan254
nat (inside_vlan254,outside) dynamic interface
object network inside_vlan253
nat (inside_vlan253,outside) dynamic interface
object network Server1_TCP_8080-80
nat (inside_vlan3,outside) static Server1-external-ip service tcp 8080 www
object network inside_vlan3
nat (inside_vlan3,outside) dynamic 2nd Public IP
object network Server1_TCP_eq_5001
nat (inside_vlan3,outside) static Server1-external-ip service tcp 5001 5001
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP Gateway 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http server idle-timeout 60
http 192.168.255.0 255.255.255.0 inside_vlan255
http 192.168.253.0 255.255.255.0 inside_vlan253
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.253.0 255.255.255.0 inside_vlan253
ssh 192.168.255.0 255.255.255.0 inside_vlan255
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
vpn-addr-assign local reuse-delay 1
dhcpd address 172.16.0.100-172.16.0.102 inside_vlan3
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan3
dhcpd option 3 ip 172.16.0.254 interface inside_vlan3
dhcpd enable inside_vlan3
!
dhcpd address 192.168.253.100-192.168.253.150 inside_vlan253
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan253
dhcpd option 3 ip 192.168.253.254 interface inside_vlan253
dhcpd enable inside_vlan253
!
dhcpd address 192.168.254.100-192.168.254.150 inside_vlan254
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan254
dhcpd option 3 ip 192.168.254.254 interface inside_vlan254
!
dhcpd address 192.168.255.100-192.168.255.150 inside_vlan255
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan255
dhcpd option 3 ip 192.168.255.254 interface inside_vlan255
dhcpd enable inside_vlan255
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ssl-client
group-policy VPN-Clients internal
group-policy VPN-Clients attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-Clients_splitTunnelAcl
default-domain value hoekstra.local
dynamic-access-policy-record DfltAccessPolicy
username user1 password xxxxx encrypted
username user1 attributes
service-type remote-access
username xxxxxxxxxxxx password xxxxxxx encrypted privilege 15
tunnel-group VPN-Clients type remote-access
tunnel-group VPN-Clients general-attributes
address-pool VPN-Clients
default-group-policy VPN-Clients
tunnel-group VPN-Clients ipsec-attributes
ikev1 pre-shared-key *****
!
class-map dcerpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 16
subscribe-to-alert-group configuration periodic monthly 16
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6632ef964518bf7caeca3ef85c8fe152
: end
ASA-5515#
04-29-2018 02:29 AM
Try running a packet tracer to see which NAT rules it is hitting
packet-tracer input outside tcp 8.8.8.8 12345 **server public IP** 5001
04-29-2018 03:43 AM
Hello Marius,
Thanks for your time :)
Here are the results:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop "1st Public IP" using egress ifc identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
04-29-2018 04:33 AM
Could you also run the command for port 8080?
packet-tracer input outside tcp 8.8.8.8 12345 **server public IP** 8080
04-29-2018 04:46 AM
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop **1st Public IP** using egress ifc identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
04-29-2018 04:56 AM
Is the configuration above the full configuration of the ASA or did you leave out something?
Please try moving the NAT statements to manual NAT section.
04-29-2018 07:40 AM
Hi Marius,
It is the full configuration. I only did a cleanup for security.
What do you mean with "Please try moving the NAT statements to manual NAT section."?
I did a clean up of the config.
So we can start from scratch.
Can you guide me step by step?
Thanks in advance.
S.O.
Goal:
Access the inside "Server2" (IP 192.168.253.2:5001) from the "1st Public IP" (also the IP address for the outside interface) on port 5001
Here is the current configuration.
ASA-5515# show run
: Saved
:
: Serial Number: xxxxxxx
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(4)16
!
hostname ASA-5515
domain-name xxxxxxx.local
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
names
ip local pool VPN-Clients 172.17.2.1-172.17.2.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
description WAN Interface
nameif outside
security-level 0
ip address **1st Public IP** 255.255.255.248
!
interface GigabitEthernet0/1
description LAN Interface
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.3
description DMZ
vlan 3
nameif inside_vlan3
security-level 100
ip address 172.16.0.254 255.255.255.0
!
interface GigabitEthernet0/1.250
description Management
vlan 250
nameif inside_vlan250
security-level 100
ip address 192.168.250.254 255.255.255.0
!
interface GigabitEthernet0/1.251
description Server
vlan 251
nameif inside_vlan251
security-level 100
ip address 192.168.251.254 255.255.255.0
!
interface GigabitEthernet0/1.252
description Printer
vlan 252
nameif inside_vlan252
security-level 100
ip address 192.168.252.254 255.255.255.0
!
interface GigabitEthernet0/1.253
description Test
vlan 253
nameif inside_vlan253
security-level 100
ip address 192.168.253.254 255.255.255.0
!
interface GigabitEthernet0/1.254
description Guest
vlan 254
nameif inside_vlan254
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface GigabitEthernet0/1.255
description Production
vlan 255
nameif inside_vlan255
security-level 100
ip address 192.168.255.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa944-16-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
domain-name hoekstra.local
object network inside_vlan255
subnet 192.168.255.0 255.255.255.0
object network inside_vlan254
subnet 192.168.254.0 255.255.255.0
object network inside_vlan253
subnet 192.168.253.0 255.255.255.0
object network inside_vlan252
subnet 192.168.252.0 255.255.255.0
object network inside_vlan251
subnet 192.168.251.0 255.255.255.0
object network inside_vlan250
subnet 192.168.250.0 255.255.255.0
object network DS509_TCP_8080-80
host 172.16.0.1
object network DS509-external-ip
host **2nd Public IP**
object network inside_vlan3
subnet 172.16.0.0 255.255.255.0
object network DS509_TCP_eq_5001
host 172.16.0.1
object network DS509
host 172.16.0.1
object service 5001
service tcp source eq 5001 destination eq 5001
object-group network RFC_1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group user VPN-Client
description Use of Cisco VPN Clinet
user LOCAL\user1
access-list outside_in extended permit tcp any object DS509_TCP_8080-80 eq 8080
access-list outside_in extended permit tcp any object DS509_TCP_eq_5001 eq 5001
access-list VPN-Clients_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging facility 16
mtu outside 1500
mtu inside_vlan3 1500
mtu inside_vlan250 1500
mtu inside_vlan251 1500
mtu inside_vlan252 1500
mtu inside_vlan253 1500
mtu inside_vlan254 1500
mtu inside_vlan255 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside_vlan255
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside_vlan255
nat (inside_vlan255,outside) dynamic interface
object network inside_vlan254
nat (inside_vlan254,outside) dynamic interface
object network inside_vlan253
nat (inside_vlan253,outside) dynamic interface
object network DS509_TCP_8080-80
nat (inside_vlan3,outside) static DS509-external-ip service tcp 8080 www
object network inside_vlan3
nat (inside_vlan3,outside) dynamic **2nd Public IP**
object network DS509_TCP_eq_5001
nat (inside_vlan3,outside) static DS509-external-ip service tcp 5001 5001
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 **ISP Gateway** 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http server idle-timeout 60
http 192.168.255.0 255.255.255.0 inside_vlan255
http 192.168.253.0 255.255.255.0 inside_vlan253
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.253.0 255.255.255.0 inside_vlan253
ssh 192.168.255.0 255.255.255.0 inside_vlan255
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
vpn-addr-assign local reuse-delay 1
dhcpd address 172.16.0.100-172.16.0.102 inside_vlan3
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan3
dhcpd option 3 ip 172.16.0.254 interface inside_vlan3
dhcpd enable inside_vlan3
!
dhcpd address 192.168.253.100-192.168.253.150 inside_vlan253
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan253
dhcpd option 3 ip 192.168.253.254 interface inside_vlan253
dhcpd enable inside_vlan253
!
dhcpd address 192.168.254.100-192.168.254.150 inside_vlan254
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan254
dhcpd option 3 ip 192.168.254.254 interface inside_vlan254
!
dhcpd address 192.168.255.100-192.168.255.150 inside_vlan255
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan255
dhcpd option 3 ip 192.168.255.254 interface inside_vlan255
dhcpd enable inside_vlan255
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ssl-client
group-policy VPN-Clients internal
group-policy VPN-Clients attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-Clients_splitTunnelAcl
default-domain value hoekstra.local
dynamic-access-policy-record DfltAccessPolicy
username user1 password xxxxxxx encrypted
username user1 attributes
service-type remote-access
username xxxxxxx password xxxxxxx encrypted privilege 15
tunnel-group VPN-Clients type remote-access
tunnel-group VPN-Clients general-attributes
address-pool VPN-Clients
default-group-policy VPN-Clients
tunnel-group VPN-Clients ipsec-attributes
ikev1 pre-shared-key *****
!
class-map dcerpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 16
subscribe-to-alert-group configuration periodic monthly 16
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1bbb66e29a8ee4a88fa0cab3345bb827
: end
ASA-5515#
04-29-2018 08:37 AM
I set this up in my home lab and got it working with the following config:
object network DS509
host 172.16.0.1
object network PUBLIC-IP
host 62.1.1.1
object service TCP_5001
service tcp source eq 5001
access-list outside-in extended permit tcp any host 172.16.0.1 eq 5001
nat (Inside,Outside) source static DS509 PUBLIC-IP service TCP_5001 TCP_5001
access-group outside-in in interface Outside
ASA# show conn
1 in use, 1 most used
TCP Outside 192.1.20.2:62709 Inside 172.16.0.1:5001, idle 0:00:05, bytes 4036, flags UIOB
04-29-2018 09:15 AM
Hi Marius,
The config you show me is a config from the DMZ zone.
That was already working :)
I was looking for a solution to get the port 5001 & 2222 to the inside IP 192.168.253.2 working.
That has to link to the 1st Public IP address. (is also the outside interface)
So I did the following:
object network Server2
host 192.168.253.2
object network Server2_external_ip
host **1st Public IP**
object service TCP_5001
service tcp source eq 5001
access-list outside_in extended permit tcp any host 192.168.253.2 eq 5001
At this point everything looks fine.
nat (inside-vlan253,outside) source static Server2 **1st Public IP** service TCP_5001 TCP_5001
ERROR: Address **1st Public IP** overlaps with outside interface address.
ERROR: NAT Policy is not downloaded.
So here it goes wrong.
S.O.
04-29-2018 09:50 AM
This is a typical error you would get if you are using an object that is configured with the ASA interface IP you are trying to NAT to. Use the interface keyword instead of the object.
04-29-2018 10:34 AM
Hi Marius,
nat (inside_vlan253,outside) source static Server2 interface service TCP_5001 TCP_5001
and
object service TCP_5001
service tcp source eq 5001
Did the trick :)
I was working with the service object:
object service 5001
service tcp source eq 5001 destination eq 5001
That wasn't working. I don't know why. Most likely not enough knowledge from my side.
Now I will try myself, to get a second port to open. (2222)
Thanks for the help so far :)
S.O.
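The two things that went wrong in this thread, a static NAT mapped to an object that holds the outside interface address (rejected with "overlaps with outside interface address") and a packet-tracer acl-drop because the inbound ACL did not permit the real, untranslated address, can both be checked before a candidate config is pushed. The Python lint below is an added example written for this thread, not code from the poster or from Cisco; it assumes the manual-NAT, object-NAT and ACL syntax shown above and uses 198.51.100.2 as a placeholder for the poster's "1st Public IP".

```python
"""Lint a candidate ASA (8.3+) config for the two NAT pitfalls in this thread:
(1) a static NAT mapped to an object that holds an interface address (the ASA
    rejects it as "overlaps with outside interface address"; use 'interface'),
(2) a static NAT whose REAL host/port is not permitted by the inbound ACL on the
    mapped interface (post-8.3 ACLs match untranslated addresses -> acl-drop)."""
import re

ADDR = r"(any|host \S+|object \S+)"

def parse(text):
    cfg = {"if_ip": {}, "hosts": {}, "svc_port": {}, "nats": [], "acls": {}, "bound": {}}
    nameif = obj = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+$", line):
            cfg["if_ip"][nameif] = m.group(1)
        elif m := re.match(r"object (?:network|service) (\S+)$", line):
            obj = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            cfg["hosts"][obj] = m.group(1)
        elif m := re.match(r"service tcp source eq (\S+)", line):
            cfg["svc_port"][obj] = m.group(1)
        elif m := re.match(r"nat \(\S+,(\S+)\) source static (\S+) (\S+)(?: service (\S+) \S+)?$", line):
            # manual (twice) NAT: (mapped ifc, real object, mapped token, real port)
            cfg["nats"].append((m.group(1), m.group(2), m.group(3), cfg["svc_port"].get(m.group(4))))
        elif m := re.match(r"nat \(\S+,(\S+)\) static (\S+)(?: service tcp (\S+) \S+)?$", line):
            # object NAT: the enclosing 'object network' is the real host
            cfg["nats"].append((m.group(1), obj, m.group(2), m.group(3)))
        elif m := re.match(rf"access-list (\S+) extended permit tcp {ADDR} {ADDR}(?: eq (\S+))?$", line):
            cfg["acls"].setdefault(m.group(1), []).append((m.group(3), m.group(4)))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg["bound"][m.group(2)] = m.group(1)
    return cfg

def resolve(cfg, token):
    """'any' -> 'any'; 'host X' -> X; 'object N' -> N's host IP."""
    kind, _, name = token.partition(" ")
    return {"any": "any", "host": name}.get(kind, cfg["hosts"].get(name))

def lint(text):
    cfg, findings = parse(text), []
    for mapped_ifc, real_obj, mapped, port in cfg["nats"]:
        real_ip = cfg["hosts"].get(real_obj)
        # (1) mapped object carries an address that belongs to an interface
        owner = next((i for i, ip in cfg["if_ip"].items() if ip == cfg["hosts"].get(mapped)), None)
        if mapped != "interface" and owner:
            findings.append(f"NAT {real_obj}->{mapped}: object holds the '{owner}' interface address; "
                            "the ASA rejects this, use the 'interface' keyword instead")
        # (2) the ACL bound inbound on the mapped interface must permit the REAL address/port
        entries = cfg["acls"].get(cfg["bound"].get(mapped_ifc), [])
        if not any(resolve(cfg, dst) in ("any", real_ip) and (None in (port, p) or p == port)
                   for dst, p in entries):
            findings.append(f"NAT {real_obj}: no ACL inbound on '{mapped_ifc}' permits the real address "
                            f"{real_ip} tcp/{port or 'any'}; ACLs must reference real addresses")
    return findings

# Constructed candidate config modelled on the thread; 198.51.100.2 is a
# documentation-range placeholder for the poster's "1st Public IP".
SAMPLE = """
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.2 255.255.255.248
object network Server2
 host 192.168.253.2
object network Server2_external_ip
 host 198.51.100.2
object service TCP_5001
 service tcp source eq 5001
object service TCP_2222
 service tcp source eq 2222
access-list outside_in extended permit tcp any host 192.168.253.2 eq 5001
access-list outside_in extended permit tcp any object Server2_external_ip eq 2222
nat (inside_vlan253,outside) source static Server2 Server2_external_ip service TCP_5001 TCP_5001
nat (inside_vlan253,outside) source static Server2 interface service TCP_2222 TCP_2222
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

On the sample it reports the 5001 rule for pitfall (1) and the 2222 rule for pitfall (2); swapping the object for `interface` and pointing the second ACL entry at `host 192.168.253.2` clears both.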