10-09-2008 08:25 AM - edited 03-11-2019 06:55 AM
Having some problems natting with my new ASA5505.
The firewall is protecting my home net, and I have a personal web/mail server I'd like to give public access to.
I have dynamic NAT configured for the desktops and one static NAT for the server. I also have an access rule for HTTPS and SMTP traffic. Still, nothing passes to the server.
Also, when I NAT the server I get packet drops when clients try to access it, even though they are all in the LAN and connected to the same switch, so there should be no routing or going through the ASA. The NAT and ACL rules are as follows:
NAT policies on Interface outside:
match tcp outside host XX.XXX.XX.35 eq 443 inside any
static translation to 10.10.10.2/443
translate_hits = 0, untranslate_hits = 0
NAT policies on Interface inside:
match ip inside any outside any
dynamic translation to pool 1 (XX.XXX.XX.34 [Interface PAT])
translate_hits = 8, untranslate_hits = 0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
access-list OWA line 1 extended permit tcp any host XX.XX.XX.35 eq https (hitcnt=0) 0x342768d2
access-list OWA line 1 extended permit tcp any host XX.XXX.XX.35 eq smtp (hitcnt=0) 0xe2c18426
10-09-2008 12:43 PM
Mats-
Can you post the results from the following commands?
show run global
show run nat
10-09-2008 12:57 PM
I got it working a little now. Apparently I can't have a dynamic nat and a static nat from the same subnet/interface.
So now I can access the external network with my admin machine and mail etc is dropping in to the server. Also I made a static outside,inside and inside,outside nat for the server.
Here is some info:
NAT policies on Interface inside:
match ip inside host 10.10.10.120 outside any
static translation to XX.XXX.XX.34
match ip inside host 10.10.10.2 outside any
static translation to XX.XXX.XX.35
NAT policies on Interface outside:
match ip outside host XX.XXX.XX.35 inside any
static translation to 10.10.10.2
===============================================
The Access lists
access-list outside_access_in line 1 extended permit tcp any host XX.XXX.XX.35 eq www
access-list outside_access_in line 1 extended permit tcp any host XX.XXX.XX.35 eq https
access-list outside_access_in line 1 extended permit tcp any host XX.XXX.XX.35 eq smtp
Now the problem is how do I get the rest of the 25-bit subnet to get out on the outside without adding a static route for each host?
And the info you asked for:
global (outside) 1 interface
cisco# show run nat
cisco#
10-09-2008 01:10 PM
I'm confused by your NAT statements. Are you using MPF for NAT?
Here are some statements that should accomplish what you want:
nat (inside) 1 0 0
static (inside,outside) tcp interface 25 [email server ip] 25 netmask 255.255.255.255
static (inside,outside) tcp interface 80 [web server ip] 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 [web server ip] 443 netmask 255.255.255.255
10-09-2008 01:25 PM
Thanks I'll try that.
To be clear, my Cisco has an external IP XX.XXX.XX.34 and the external mail ip is XX.XXX.XX.35.
In your list, is the IP part external or internal IPs? And if external, where do I define which internal IP the traffic goes to?
Also all http,https,smtp services are on the same internal server.
10-09-2008 01:30 PM
The server in the static statement should be your internal IP. Since your interface IP is .34 and you want your services on .35, your statics would look like this (assume your server IP is 192.168.1.10):
static (inside,outside) tcp X.X.X.35 25 192.168.1.10 25 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.35 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.35 443 192.168.1.10 443 netmask 255.255.255.255
The above is actually called port translation. If you want to (since you're going to one server), you can NAT the public IP to a private IP, all ports and protocols.
static (inside,outside) X.X.X.35 192.168.1.10 netmask 255.255.255.255
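Pulling the pieces of this thread together, here is a complete pre-8.3 (8.2-style) ASA NAT and access-policy fragment for the setup described above. This is an added example, not configuration posted by anyone in the thread; it assumes the outside interface is X.X.X.34, the spare public address for the server is X.X.X.35, the server is 192.168.1.10, and the interfaces and nameifs already exist. It also shows the one line the thread never mentions, the access-group binding, without which the access-list entries above are never consulted.

```cisco
! Added example (not from the thread). Assumed addresses:
!   outside interface X.X.X.34, public server address X.X.X.35, inside server 192.168.1.10
!
! 1. Dynamic PAT for everything else on the inside, hiding behind the outside
!    interface address. Static entries below coexist with this and take precedence.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! 2a. Static PAT (port redirection): only three ports of X.X.X.35 are mapped to the
!     server. Ports with no static entry are not translated at all, so a too-wide
!     ACL cannot accidentally expose them.
static (inside,outside) tcp X.X.X.35 25 192.168.1.10 25 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.35 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.35 443 192.168.1.10 443 netmask 255.255.255.255
!
! 2b. Alternative to 2a (use one or the other): one-to-one static NAT of X.X.X.35
!     to the server for all ports and protocols. The ACL below then becomes the
!     only thing limiting what reaches the server.
! static (inside,outside) X.X.X.35 192.168.1.10 netmask 255.255.255.255
!
! 3. Inbound policy. In 8.2 and earlier the outside ACL matches the public
!    (untranslated) address. Nothing in the ACL takes effect until it is bound
!    to the interface with access-group.
access-list outside_access_in extended permit tcp any host X.X.X.35 eq smtp
access-list outside_access_in extended permit tcp any host X.X.X.35 eq www
access-list outside_access_in extended permit tcp any host X.X.X.35 eq https
access-group outside_access_in in interface outside
```

To check that it works, run `packet-tracer input outside tcp 203.0.113.5 40000 X.X.X.35 443` and confirm the NAT and ACL phases both show ALLOW, then watch `show access-list outside_access_in` (the hitcnt values should climb) and `show xlate` while a real client connects. A hitcnt that stays at 0, as in the original post, usually means traffic is being dropped before the ACL is reached (no matching static) or the ACL is not bound to the interface. If inside clients resolve the server's public name and must reach it through the public address, append the `dns` keyword to the static so the ASA rewrites DNS replies to the inside address; that is a separate concern from the inbound policy above.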
10-09-2008 01:44 PM
Thank you!
Now that I see the commands and the diagrams in ASDM I also see what I did wrong.
Cisco has a different logic to it than WatchGuard or Juniper, and I'm used to those.
Thanks again for clarifying this.