03-29-2010 12:56 AM - edited 03-11-2019 10:26 AM
Hi,
I have a strange issue with PAT in Cisco ASA 5540 running Version 8.0(5).
We have a web server (172.16.20.8) in the DMZ listening on port 90. If anyone accesses the website from outside on port 80, the ASA should translate the port to 90. So I executed the command as follows.
"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"
Also I enabled the access-list on the outside interface
"access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www"
This time the website is not accessible from outside, showing the error "The IE cannot display the webpage".
When I ADD the following configuration to ASA, it is working.
"static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255" (A direct NAT applied. The ASA showed a warning that there is a conflict with the existing PAT, but I ignored the warning.)
Also I added an access-list on the outside interface - "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90"
ASA5540# show xlate -
"PAT Global 125.145.215.185(80) Local 172.16.20.8(90)"
"Global 125.145.215.185 Local 172.16.20.8"
Now the website can be accessed from outside, but I can see the translated port in the address bar.
What I understand from the troubleshooting is that the packets are going to the web server without any translation.
How can I resolve this issue? Please advise.
Thanks
GK
04-17-2010 03:40 AM
Don't use port 90 to test. Use port 8080.
03-29-2010 01:12 AM
1) Is 125.145.215.185 the ASA outside interface IP address, or a different IP address from the ASA outside IP?
2) Also, did you perform a "clear xlate local 172.16.20.8" or "clear xlate" in general after configuring the port address translation?
03-29-2010 01:47 AM
Hi,
Thank you for the message.
Answer for,
Q1. The IP concerned, 125.145.215.185, is not an interface IP. It is a different IP address in our public IP address range and has never been used for any other translation.
Q2. The clear xlate command has been issued many times, whenever I make these configuration changes.
Thanks
GK
03-29-2010 01:56 AM
Thanks GK.
When the following translation is used:
"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"
Do you see any increase in hitcount on your ACL when you try to initiate the connection multiple times:
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www
03-29-2010 02:26 AM
Hi,
Thank you for the response.
Yes, I saw the hitcount on the following access list BEFORE I made the configuration changes.
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www
But now I can't see any hitcount on the above access list; instead I can see the hitcount on the following access list.
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90 (hitcnt=15)
Thanks
GK
03-29-2010 02:34 AM
Not sure whether it's working. I just tested to browse to http://125.145.215.185:90, but it's not connecting at all.
03-29-2010 05:41 AM
Hi,
Sorry Halijenn,
I forgot to tell you that the public IP which I posted in this discussion is not the real one; for security reasons I can't expose the IP. It is a military web site and it is not published yet. So please excuse me.
I am sure that the web site is working from outside, and the hit count is incrementing on the access list entry for tcp port 90.
Do you think any other issue still exists?
Please advise.
Thank you
GK
03-29-2010 07:58 AM
The warning that you ignored may be causing this to fail. Remove this line (port 80 to 90) and add it again and copy and paste the message that you get when you do this.
Need the output of
sh run static | i 125.145.215.185
sh run global
-KS
03-29-2010 09:09 PM
Hi,
Here is the warning message when I create the additional static NAT translation.
ASA5540(config)#static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255
WARNING: mapped-address conflict with existing static
TCP dmz:172.16.20.8/90 to outside:125.145.215.185/80 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP dmz:172.16.20.8/90 to outside:125.145.215.185/80 netmask 255.255.255.255
Please note that there was already a PAT when I executed the above command.
"static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"
Output of show run static | in 125.145.215.185
static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255
static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255
Output of sh run global
global (outside) 1 interface
global (outside) 3 125.145.215.182
global (outside) 2 125.145.215.183
global (outside) 4 125.145.215.184
Thanks & Regards
GK
03-30-2010 12:51 AM
Are you really sure you've activated port 90 just for the service? I made a test on my rack configured as you described in the first half, and it works well.
03-30-2010 02:21 AM
Hi,
Thank you Mr. Lun,
The server is listening on port 90, and the user can access it by typing (http://
The port translation is NOT working in ASA.
The strange thing is I have another port translation and it is working fine.
ASA(config)# static (inside,outside) tcp 125.145.215.182 9130 192.168.10.2 80 netmask 255.255.255.255
ASA(config)# global (outside) interface (Note: interface IP)
The above config is working properly. The users access the web server on port 9130 and the translation is working.
Thanks & Regards
GK
03-30-2010 03:02 AM
When you configure just the following:
static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255
and test access to it, can you please gather the syslog messages to see why it's not allowing the connection?
Also, "clear asp drop", and test the connection again, and grab the output of "show asp drop"
03-30-2010 05:55 AM
Gopal,
static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255
static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255 --------------------------------> you already have this line
so, you cannot add the first line. You have 1-1 NAT already configured.
You may want to remove static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255 line and then add
static PAT lines instead.
-KS
03-30-2010 08:50 PM
Hi Sankar,
Thank you for the message.
The issue is that the port translation is not working when I do the PAT as I mentioned earlier. But when I add the 1-1 NAT, then it works!
Do I need to configure "inspect http" in global inspection?
Also I am preparing the syslog and will post it later.
Thanks
GK
03-31-2010 06:02 AM
So, you removed the 1-1 NAT and only left the port 80 to port 90 static PAT, allowed it via the ACL applied on the outside, did a clear xlate x.x.x.x for this host, and it does not work?
That is strange. Need syslogs.
Are you sure this host 172.16.20.8 listens on port 90? Does it work internally when you try to load the page?
-KS
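The thread never settles why the static PAT alone failed, but the two configurations it contrasts can be reasoned about precisely. The following is an added example, not Cisco code or any output from the poster's ASA: a small Python model of how a pre-8.3 ASA handles an inbound SYN on the outside interface for the exact `static` and `access-list` lines quoted in the thread. It assumes (as on 8.0) that the outside ACL is matched against the mapped address and port before translation, that `static` entries are tried in configuration order with the first match winning, and that a 1:1 address static leaves the destination port unchanged. The `scenario` helper, the `listening` dictionary and the verdict strings are constructed for this example; the 125.145.215.185 address is the poster's placeholder.

```python
"""Model of inbound static NAT/PAT lookup on a pre-8.3 ASA (added example, not Cisco code).

Assumptions: the outside ACL is evaluated against the mapped (outside) address and
port, statics are matched in configuration order, and a 1:1 address static keeps
the destination port unchanged. Port names cover only what the thread uses.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def port(tok: str) -> int:
    """Resolve a port keyword or number the way the ASA CLI resolves 'www'."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) ...' line; proto/ports are None for a 1:1 static."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """'permit <proto> any host <dst> [eq <port>]', the only ACE shape the thread uses."""
    proto: str
    dst_ip: str
    dst_port: Optional[int]  # None means any port


def parse_static(line: str) -> Static:
    t = line.split()
    real_if, mapped_if = t[1].strip("()").lower().split(",")
    if t[2] in ("tcp", "udp"):  # static PAT: mapped_ip mapped_port real_ip real_port
        return Static(real_if, mapped_if, t[3], t[5], t[2], port(t[4]), port(t[6]))
    return Static(real_if, mapped_if, t[2], t[3])  # 1:1 static NAT


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[2:4] != ["extended", "permit"] or t[5] != "any" or t[6] != "host":
        raise ValueError("unsupported ACE shape: " + line)
    dst_port = port(t[9]) if len(t) > 9 and t[8] == "eq" else None
    return Ace(t[4], t[7], dst_port)


class Asa:
    def __init__(self, statics: List[str], acl: List[str]) -> None:
        self.statics = [parse_static(s) for s in statics]
        self.acl = [parse_ace(a) for a in acl]
        self.hitcnt = [0] * len(self.acl)  # what 'show access-list' would report

    def acl_permits(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        for i, ace in enumerate(self.acl):
            if ace.proto == proto and ace.dst_ip == dst_ip and ace.dst_port in (None, dst_port):
                self.hitcnt[i] += 1
                return True
        return False  # implicit deny at the end of the ACL

    def untranslate(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Inbound (mapped -> real) lookup on the outside interface; first match wins."""
        for s in self.statics:
            if s.mapped_if != "outside" or s.mapped_ip != dst_ip:
                continue
            if s.proto is None:
                return s.real_ip, dst_port      # 1:1: address rewritten, port kept
            if s.proto == proto and s.mapped_port == dst_port:
                return s.real_ip, s.real_port   # static PAT: port rewritten too
        return None

    def inbound(self, proto: str, dst_ip: str, dst_port: int, listening: Dict[str, Set[int]]) -> str:
        """Verdict for one outside->DMZ SYN; 'listening' is what each DMZ host really accepts."""
        if not self.acl_permits(proto, dst_ip, dst_port):
            return "acl-deny"
        xlate = self.untranslate(proto, dst_ip, dst_port)
        if xlate is None:
            return "no-xlate"
        real_ip, real_port = xlate
        if real_port in listening.get(real_ip, set()):
            return f"delivered {real_ip}:{real_port}"
        return f"refused {real_ip}:{real_port}"  # host sends RST: browser shows an error page


# The thread's own lines (the public IP is the poster's placeholder, not a real address).
PAT_80_TO_90 = "static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"
STATIC_1TO1 = "static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255"
ACE_WWW = "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www"
ACE_90 = "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90"


def scenario(statics, acl, dst_port, server_ports):
    """One inbound SYN to 125.145.215.185:dst_port; returns (verdict, ACL hit counts)."""
    asa = Asa(statics, acl)
    verdict = asa.inbound("tcp", "125.145.215.185", dst_port, {"172.16.20.8": set(server_ports)})
    return verdict, asa.hitcnt


if __name__ == "__main__":
    print(scenario([PAT_80_TO_90], [ACE_WWW], 80, {90}))  # PAT alone, server really on 90
    print(scenario([PAT_80_TO_90], [ACE_WWW], 80, {80}))  # PAT alone, server not on 90
    print(scenario([PAT_80_TO_90, STATIC_1TO1], [ACE_WWW, ACE_90], 90, {90}))  # poster's final state
```

Under these assumptions the PAT line alone delivers an outside port 80 request to 172.16.20.8:90 and increments the `eq www` hit count, which is what the poster expected; the only way the model reproduces "cannot display the webpage" with that configuration is a server that does not accept port 90, the last question KS asks. Adding the 1:1 static makes outside port 90 reach the host on port 90 unchanged and moves the hits to the `eq 90` entry, matching what the poster observed. When the model says delivered and the real box does not, the evidence lies outside the NAT lines, in the syslog and `show asp drop` output requested earlier.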