ASA PAT issue

Hello, can someone point me in the right direction on this issue? Basically I have an ASA 5506 and I want to allow access to a web server on the inside.

Wan IP 172.16.5.1

Inside Server IP 172.16.4.10

Ports Below

I can't seem to get the NAT working right.

object service TEST
service tcp source eq 8080 destination eq 8080

access-list outside_access_in extended permit object TEST any object NAS log debugging

object network NAS
host 172.16.4.10

nat (outside,inside) source dynamic any interface destination static NAS NAS service TEST TEST

When I run packet tracer it says all is passing through ok but I get no response from the server.

Thanks for looking

Dave

1 ACCEPTED SOLUTION

Dave

I used 172.16.5.1 in my suggestion because that was the address specified in your original post. Later you clarified that this address is the router address and that the ASA interface address is 172.16.5.2. So that is the address that should be used in the translate statement

nat (inside,outside) static 172.16.5.2 service tcp 8080 8080

HTH

Rick

Hall of Fame Guru

If you want to allow devices from outside/Internet to initiate traffic to a server on the inside of your network then you need a static translation and not the dynamic translation that you show here. It might look something like

object network NAS
host 172.16.4.10
 nat (inside,outside) static 172.16.5.1 service tcp 8080 8080

HTH

Rick

Thanks for the assist Richard and Akshay,

I'm running Cisco Adaptive Security Appliance Software Version 9.5(1), Device Manager Version 7.5(1)

The syntax is different, which is throwing me.

Currently I have NAT as per the attached image in the ASDM and CLI. I have checked the packet tracer and I get green lights across the board. It should work but I get something strange. Image of my setup attached.

nat (outside,inside) source static any interface destination static NAS NAS service TEST TEST no-proxy-arp

Basically, when I'm on the 172.16.5.0/24 network testing the NAT I cannot see anything in the logs, nor do I get a successful packet hit on port 8080 when using IP address 172.16.5.2, the ASA WAN interface. However, I do get successful access to http://172.16.4.10:8080, but I'm on the 172.16.5.0 network. I can't quite work out what is going on and I suspect something is re-writing the IP or the router having a static route is causing this.

Waiting for my smartnet contract to be finalised so going round in circles trying to work it out which is proving painful. 

Kindest Regards

David


Dave

I am not clear what syntax difference you are talking about. The example that I posted is based on an ASA running 9.5(1). So it ought to work for you.

I notice that your packet tracer is using 8080 as both source and destination port. That works fine in packet tracer but a packet from a real PC is almost certainly not going to use 8080 as the source port. If you have not yet changed service object TEST the way that we recommended then this is almost certainly part of your problem.

I cannot tell which of our suggestions you may have followed and which you have not. Please post the current config (at least the relevant parts of it) so we can see what you are dealing with.

HTH

Rick

Hi Richard,

Ah, I misinterpreted the location of the NAT. When doing it through the ASDM it creates a NAT in the general config and not under the object.

I tried to apply the config recommendation under the NAS object and I get an error.

Firewall(config-network-object)# nat (inside,outside) static 172.16.5.2 servic$
ERROR: Address 172.16.5.2 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Firewall(config-network-object)#

The WAN port (Outside) is 172.16.5.2 not 172.16.5.1 (172.16.5.1 is the next hop to the internet)

Config attached

Thanks for looking.


Dave


Dave

I sympathize that the config approach is quite different in ASDM from what it is in CLI. But it should be possible to get the same result whichever way you approach it. I do have a couple of comments which I hope may be helpful.

I am glad to see that you have changed the service object TEST so that it now specifies only the destination port. I also see another service object configured that has multiple protocol ports but has specified the same value as source port and destination port. There are a couple of protocols that do use the same value for source port and destination port (NTP is the one that comes to mind) but very few other protocols do. So you might want to change that other service object.

I see that you are using 8080 as a protocol port in both TEST and the other service object. I cannot tell how you intend to use the other service object. But I am concerned about 8080 appearing in both service objects. Especially if you will use 8080 as a static address translation it would not work for two hosts.

Also I see only the single address translation to PAT any inside address going out. I do not see any address translation for traffic from outside coming in which is what you need to be able to access this server from the outside.

HTH

Rick

Thanks Richard,

You are correct the other object has ports allocation as this is the Service Object I want to apply in the end however the TEST object is just to get it going.

The NAT is not present, as I keep getting the error when trying to apply the suggested NAT: it keeps saying the rule overlaps with the outside interface address, which is the outside address I actually want to use?

Firewall(config-network-object)# nat (inside,outside) static 172.16.5.1 service tcp 8080 8080


ERROR: Address 172.16.5.2 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Firewall(config-network-object)#

Regards

Dave


OK, so I've made a small breakthrough. I had a static route on my router for 172.16.4.0 via 172.16.5.2 (the ASA WAN port), so when I was on the 172.16.5.0 network testing I was able to get to the 172.16.4.10 address via routing. I removed the route from the router and I was no longer able to access the 172.16.4.10 server using the IP.

So from what I determine, the ACL was allowing port 8080 and, as there was no NAT, the routing kicked in and allowed the traffic to 172.16.4.10. This was confusing the situation as I thought I was getting some sort of packet re-write of the IP.

Now that I have the route removed I know that if I get NAT right I should have server access. The ACL works, as this was allowing the routed traffic. I still cannot get to the server using the ASA WAN port 172.16.5.2:8080.


RESULT!

Well Richard, you and Akshay put me on the right path. The config that works is:

object network NAS
host 172.16.4.10

object network NAS
nat (inside,outside) static interface net-to-net no-proxy-arp service tcp 8080 8080

Thanks, that really helped me out.

Regards

David
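For readers who want the whole picture in one place, here is a consolidated configuration that combines the fixes from the thread (editor's added example, not a config anyone posted): the service object matching on the destination port only, as Akshay and Rick recommend, and the object NAT static port-forward using the `interface` keyword, which is the form the thread shows working (a literal 172.16.5.2 is rejected with "Address 172.16.5.2 overlaps with outside interface address"). Assumptions, none of which are confirmed by the thread: the interface nameifs are `inside` and `outside`, the inside network is 172.16.4.0/24 behind an outbound PAT object named `INSIDE_NET`, and 172.16.5.50 is a constructed outside client used for the verification commands. The `packet-tracer` line deliberately uses an ephemeral source port rather than 8080, for the reason Rick gives: a tracer that matches on source port 8080 will show green even though a real client's SYN never carries that source port.

```cisco
! Added example: consolidated working config, not a config posted in the thread.
! Assumed: nameifs "inside"/"outside", outside address 172.16.5.2,
! server 172.16.4.10, inside subnet 172.16.4.0/24 (INSIDE_NET is an assumed name),
! and 172.16.5.50 as a constructed outside test client.

! Match on the DESTINATION port only. A real client picks an ephemeral source
! port, so "service tcp source eq 8080 destination eq 8080" never matches
! and the packet is dropped in the access-list phase.
object service TEST
 service tcp destination eq 8080

! Server object with a static port-forward (object/auto NAT).
! "static interface" is the form the thread shows working; a literal 172.16.5.2
! fails with "Address 172.16.5.2 overlaps with outside interface address".
object network NAS
 host 172.16.4.10
 nat (inside,outside) static interface service tcp 8080 8080

! Outbound PAT for everything else (Rick notes this rule already exists).
! Auto NAT evaluates static rules before dynamic ones, so the two do not collide.
object network INSIDE_NET
 subnet 172.16.4.0 255.255.255.0
 nat (inside,outside) dynamic interface

! On ASA 8.3 and later the ACL references the REAL (untranslated) destination,
! i.e. the NAS object, not the outside address. The thread uses "any" as the
! source; narrow it to the known client range if there is one.
access-list outside_access_in extended permit object TEST any object NAS log debugging
access-group outside_access_in in interface outside

! Verification. Use an ephemeral source port (51515 here), not 8080, or the
! tracer will pass traffic that a real client's SYN would not.
packet-tracer input outside tcp 172.16.5.50 51515 172.16.5.2 8080 detailed
show nat detail
show xlate
show access-list outside_access_in
```

If the tracer's NAT phase shows the untranslate to 172.16.4.10:8080 and the ACCESS-LIST phase hits `outside_access_in`, but real clients still get no answer, check the return path: with the router's static route for 172.16.4.0/24 removed (as Dave did), the server's replies have to leave via the ASA so the xlate can be reversed.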

Cisco Employee

Hi Dave,

In addition to what Richard mentioned, change the service object TEST to use only destination eq 8080. Otherwise the ASA would drop the packet in the access-list phase.

object service TEST
service tcp destination eq 8080

hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.


I agree with Akshay that the Service Object needs to be changed. I thought about that in my original response but decided to focus on the problem with the address translation. In retrospect I should have mentioned both as issues since either one of them will prevent this implementation from working.

HTH

Rick