03-29-2010 12:56 AM - edited 03-11-2019 10:26 AM
Hi,
I have a strange issue with PAT on a Cisco ASA 5540 running version 8.0(5).
We have a web server (172.16.20.8) in the DMZ listening on port 90. If anyone from outside accesses the website on port 80, the ASA should translate the port to 90. So I executed the following command:
"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"
I also enabled the access-list on the outside interface:
"access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www"
With this, the website is not accessible from outside; IE shows the error "IE cannot display the webpage".
When I add the following configuration to the ASA, it works:
"static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255" (A direct NAT applied. The ASA showed a warning that there is a conflict with the existing PAT, but I ignored the warning.)
I also added an access-list entry on the outside interface: "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90"
ASA5540# show xlate
PAT Global 125.145.215.185(80) Local 172.16.20.8(90)
Global 125.145.215.185 Local 172.16.20.8
Now the website can be accessed from outside, but I can see the translated port in the address bar.
What I understand from the troubleshooting is that the packets are going to the web server without any translation.
How can I resolve this issue? Please advise.
Thanks
GK
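The following is an added example, not something from this thread or from Cisco. It models how an ASA 8.0 evaluates the two configurations GK posted: on 8.0(5) the outside ACL is matched against the global (public) address and port, and the static entries then decide which real host and port the flow is delivered to. The script answers, for each ACL-permitted public port, which real host:port it reaches and whether that reach comes from the narrow static PAT or from the broad one-to-one static, and it checks the quoted "show xlate" output against the config. One assumption of mine, not documented ASA behaviour: when a port-specific static PAT and a one-to-one static share a global address, the port-specific entry is consulted first. The config and xlate text are constructed from the lines in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two configurations from the post, each as its
# static entries plus the outside ACL lines that went with it.
CONFIG_PAT_ONLY = """
static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www
"""

CONFIG_PAT_PLUS_1TO1 = CONFIG_PAT_ONLY + """
static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90
"""

# Constructed sample: the "show xlate" output quoted in the post.
XLATE_OUTPUT = """
PAT Global 125.145.215.185(80) Local 172.16.20.8(90)
Global 125.145.215.185 Local 172.16.20.8
"""

# ASA accepts service names in place of port numbers; only a few are mapped here.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

RE_PAT = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
RE_NAT = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
RE_ACL = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
RE_XLATE_PAT = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\S+)\((\d+)\)")
RE_XLATE_NAT = re.compile(r"^Global (\S+) Local (\S+)")

Translation = Tuple[str, int, str]  # (real ip, real port, which static delivered it)


def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_config(text: str):
    pats: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (global ip, port) -> (real ip, port)
    nats: Dict[str, str] = {}                           # global ip -> real ip
    acl: List[Tuple[str, int]] = []                     # permitted (global ip, port)
    for line in text.strip().splitlines():
        line = line.strip()
        if (m := RE_PAT.match(line)):
            pats[(m[3], port_num(m[4]))] = (m[5], port_num(m[6]))
        elif (m := RE_NAT.match(line)):
            nats[m[3]] = m[4]
        elif (m := RE_ACL.match(line)):
            acl.append((m[2], port_num(m[3])))
    return pats, nats, acl


def outside_exposure(text: str) -> Dict[Tuple[str, int], Translation]:
    """For each ACL-permitted (global ip, port), the real host:port it reaches.

    ASA 8.0 matches the outside ACL on the untranslated (global) destination,
    then a static picks the real host.  Assumption (mine): a port-specific
    static PAT wins over a one-to-one static for the same global address.
    A permitted port with no matching static gets no xlate and is dropped.
    """
    pats, nats, acl = parse_config(text)
    reach: Dict[Tuple[str, int], Translation] = {}
    for gip, gport in acl:
        if (gip, gport) in pats:
            rip, rport = pats[(gip, gport)]
            reach[(gip, gport)] = (rip, rport, "static PAT")
        elif gip in nats:
            reach[(gip, gport)] = (nats[gip], gport, "1:1 static")
    return reach


def extra_exposure(text: str) -> List[Tuple[str, int]]:
    """Permitted global ports reached only through the broad one-to-one static,
    i.e. surface beyond what the static PAT alone would expose."""
    return sorted(k for k, v in outside_exposure(text).items() if v[2] == "1:1 static")


def parse_xlate(text: str):
    """Turn 'show xlate' lines into the same shapes parse_config produces."""
    pats: Dict[Tuple[str, int], Tuple[str, int]] = {}
    nats: Dict[str, str] = {}
    for line in text.strip().splitlines():
        if (m := RE_XLATE_PAT.match(line.strip())):
            pats[(m[1], int(m[2]))] = (m[3], int(m[4]))
        elif (m := RE_XLATE_NAT.match(line.strip())):
            nats[m[1]] = m[2]
    return pats, nats


def xlate_matches_config(xlate_text: str, config_text: str) -> bool:
    """True when every static in the config is present in 'show xlate' (the
    check to run after 'clear xlate' before blaming the ACL)."""
    pats, nats, _ = parse_config(config_text)
    return (pats, nats) == parse_xlate(xlate_text)


if __name__ == "__main__":
    for name, cfg in (("PAT only", CONFIG_PAT_ONLY), ("PAT + 1:1 static", CONFIG_PAT_PLUS_1TO1)):
        print(f"== {name}")
        for (gip, gport), (rip, rport, via) in sorted(outside_exposure(cfg).items()):
            print(f"  {gip}:{gport} -> {rip}:{rport}  via {via}")
        print("  beyond the PAT:", extra_exposure(cfg) or "nothing")
    print("xlate matches second config:", xlate_matches_config(XLATE_OUTPUT, CONFIG_PAT_PLUS_1TO1))
```

Run as-is, the second configuration shows the practical cost of ignoring the conflict warning: with the one-to-one static in place, every port the outside ACL permits on 125.145.215.185 lands on 172.16.20.8 untranslated, so the "eq 90" ACL line is what puts port 90 on the Internet, and it is the direct :90 path, not the PAT, that shows the port in the address bar. The model does not say why the PAT-only configuration failed for GK; it only makes visible what the workaround exposes.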
04-17-2010 03:40 AM
Don't use port 90 to test. Use port 8080.
03-29-2010 01:12 AM
1) Is 125.145.215.185 the ASA outside interface IP address, or a different IP address from the ASA outside IP?
2) Also, did you perform a "clear xlate local 172.16.20.8" or a "clear xlate" in general after configuring the port address translation?
03-29-2010 01:47 AM
Hi,
Thank you for the message.
Answer for,
Q1. The IP concerned, 125.145.215.185, is not an interface IP. It is a different IP address in our public IP address range and has never been used for any of our other translations.
Q2. The clear xlate command has been issued many times, whenever I make these configuration changes.
Thanks
GK
03-29-2010 01:56 AM
Thanks GK.
When the following translation is used:
"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"
Do you see any increase in the hit count on your ACL when you try to initiate the connection multiple times?
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www
03-29-2010 02:26 AM
Hi,
Thank you for the response.
Yes, I saw the hit count on the following access list BEFORE I made the configuration changes.
access-list outside_access_in extended permit tcp any host 12