ASA port translation (PAT) Issue

gopakumarmk
Beginner

Hi,
I have a strange issue with PAT on a Cisco ASA 5540 running Version 8.0(5).

We have a web server (172.16.20.8) in the DMZ listening on port 90. If anyone accesses the website from outside on port 80, the ASA should translate the port to 90. So I executed the following command.

"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"

I also enabled the access-list on the outside interface

"access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www"

This time the website is not accessible from outside, showing the error "The IE cannot display the webpage".

When I ADD the following configuration to the ASA, it works.

"static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255" (A direct NAT applied. The ASA shows a warning that there is a conflict with the existing PAT, but I ignored the warning.)

I also added an access-list on the outside interface - "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90"

ASA5540# show xlate
"PAT Global 125.145.215.185(80) Local 172.16.20.8(90)"
"Global 125.145.215.185 Local 172.16.20.8"

Now the website can be accessed from outside, but I can see the translated port in the address bar.

What I understand from the troubleshooting is that the packets are going to the web server without any translation.

How can I resolve this issue? Please advise.

Thanks
GK
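The two configurations above behave differently because of the order in which a pre-8.3 ASA such as 8.0(5) handles an inbound connection: the outside ACL is matched against the untranslated (global) destination, then the static translation is applied, with a port-specific static PAT taking precedence over an address-only static for the same global IP. The following is an added, simplified Python model of that order of operations, written for this page and not Cisco code; it reuses the addresses, statics and ACEs from the post as constructed sample input and adds one hypothetical case (an ACE written with the real port 90 while only the static PAT exists) to show the usual mistake.

```python
# Added example: a simplified model of how a pre-8.3 ASA (8.0(5) in this thread)
# handles an inbound TCP connection on the outside interface. Not Cisco code;
# the rule ordering below is a model of the documented behaviour, nothing more.
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class StaticPat:
    """static (DMZ,outside) tcp <global_ip> <global_port> <local_ip> <local_port>"""
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class StaticNat:
    """static (DMZ,outside) <global_ip> <local_ip> netmask 255.255.255.255"""
    global_ip: str
    local_ip: str


@dataclass(frozen=True)
class Ace:
    """access-list outside_access_in extended permit tcp any host <dst_ip> eq <dst_port>"""
    dst_ip: str
    dst_port: int


Static = Union[StaticPat, StaticNat]
WWW = 80


def inbound(dst_ip: str, dst_port: int, acl: List[Ace],
            statics: List[Static]) -> Optional[Tuple[str, int]]:
    """Return (local_ip, local_port) as seen by the DMZ host, or None if dropped.

    Modelled order (pre-8.3 ASA, simplified):
      1. the outside ACL is checked against the *untranslated* destination,
         which is why the ACE in the post says 'eq www' and not 'eq 90';
      2. a port-specific static PAT wins over an address-only static for the
         same global IP; with neither, there is no xlate and the packet is dropped.
    """
    if not any(a.dst_ip == dst_ip and a.dst_port == dst_port for a in acl):
        return None  # implicit deny at the end of outside_access_in
    for s in statics:
        if isinstance(s, StaticPat) and (s.global_ip, s.global_port) == (dst_ip, dst_port):
            return (s.local_ip, s.local_port)  # port translated, e.g. 80 -> 90
    for s in statics:
        if isinstance(s, StaticNat) and s.global_ip == dst_ip:
            return (s.local_ip, dst_port)  # address translated, port unchanged
    return None  # no translation exists for this destination


# Constructed input taken from the post.
GLOBAL, LOCAL = "125.145.215.185", "172.16.20.8"
PAT_ONLY: List[Static] = [StaticPat(GLOBAL, WWW, LOCAL, 90)]
ACL_WWW = [Ace(GLOBAL, WWW)]
BOTH_STATICS: List[Static] = PAT_ONLY + [StaticNat(GLOBAL, LOCAL)]
ACL_BOTH = ACL_WWW + [Ace(GLOBAL, 90)]


def scenario_first_config() -> Optional[Tuple[str, int]]:
    """Static PAT plus 'eq www' ACE: a request to :80 reaches the server on :90."""
    return inbound(GLOBAL, WWW, ACL_WWW, PAT_ONLY)


def scenario_port_90_pat_only() -> Optional[Tuple[str, int]]:
    """Static PAT only: a request straight to :90 has no ACE and no xlate."""
    return inbound(GLOBAL, 90, ACL_WWW, PAT_ONLY)


def scenario_wrong_ace() -> Optional[Tuple[str, int]]:
    """Hypothetical mistake: ACE written with the real port 90 while only the PAT exists.
    The ACL sees the global port 80, so the connection is denied before translation."""
    return inbound(GLOBAL, WWW, [Ace(GLOBAL, 90)], PAT_ONLY)


def scenario_second_config() -> Tuple[Optional[Tuple[str, int]], Optional[Tuple[str, int]]]:
    """Both statics and both ACEs, as in the post's second configuration.
    :80 is still translated by the PAT; :90 now reaches the server untranslated
    through the address-only static, matching the two xlate entries in the post."""
    return (inbound(GLOBAL, WWW, ACL_BOTH, BOTH_STATICS),
            inbound(GLOBAL, 90, ACL_BOTH, BOTH_STATICS))


if __name__ == "__main__":
    print("first config, :80  ->", scenario_first_config())
    print("PAT only,     :90  ->", scenario_port_90_pat_only())
    print("wrong ACE,    :80  ->", scenario_wrong_ace())
    print("second config      ->", scenario_second_config())
```

Run it as a script to see the four cases; `scenario_second_config` reproduces the situation GK describes, where a client that ends up on port 90 is passed to 172.16.20.8:90 with only the address rewritten.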

1 ACCEPTED SOLUTION

Jennifer Halim
Cisco Employee

Don't use port 90 to test. Use port 8080.

40 REPLIES

Jennifer Halim
Cisco Employee

1) Is 125.145.215.185 the ASA outside interface IP address, or a different IP address from the ASA outside IP?

2) Also, did you perform a "clear xlate local 172.16.20.8" or "clear xlate" in general after configuring the port address translation?

Hi,

Thank you for the message.

Answer for,

Q1. The IP in question, 125.145.215.185, is not an interface IP. It is a different IP address in our public IP address range and has never been used for any other translation.

Q2. The clear xlate command has been issued many times whenever I make these configuration changes.

Thanks

GK

Thanks GK.

When the following translation is used:

"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"

Do you see any increase in the hitcount on your ACL when you try to initiate the connection multiple times:

access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www

Hi,

Thank you for the response.

Yes, I saw the hitcount on the following access-list BEFORE I made the configuration changes.

access-list outside_access_in  extended permit tcp any host 12