ASA port translation (PAT) Issue

gopakumarmk

Hi,
I have a strange issue with PAT in Cisco ASA 5540 running Version 8.0(5).

We have a web server (172.16.20.8) in the DMZ listening on port 90. If anyone accesses the website from outside on port 80, the ASA should translate the port to 90. So I executed the command as follows.

"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"

Also I enabled the access-list in outside interface

"access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www"

With this, the website is not accessible from outside, showing the error "The IE cannot display the webpage".

When I ADD the following configuration to ASA, it is working.

"static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255" (A direct NAT applied. The ASA showed a warning that there is a conflict with the existing PAT, but I ignored the warning.)

Also I have added an access-list on the outside interface: "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90"

ASA5540# show xlate
PAT Global 125.145.215.185(80) Local 172.16.20.8(90)
Global 125.145.215.185 Local 172.16.20.8

Now the website can be accessed from outside, but I can see the translated port in the address bar.

What I understand from the troubleshooting is that the packets are going to the web server without any translation.

How can I resolve this issue? Please advise.

Thanks
GK

40 Replies

No, please look closely at the syslog again:

04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39:   %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058   to 125.145.215.185/90 flags SYN  on interface outside

The SYN packet is going towards the public IP address 125.145.215.185 on port 90.

Can you plug a PC directly to the outside interface VLAN, and try to connect?

GK,

Is this IP address 125.145.215.185 the outside interface IP address?

If so, on your static pls. replace the IP address with the keyword "interface".

Give it a shot.

-KS

No Sankar,

It's not an interface IP.

Thanks

GK

Pls. paste the output of

sh xlate debug | i 172.16.20.8

sh run static | i 172.16.20.8

Certainly the xlate is not there, so the firewall denies these packets.

Make sure to try this from an outside computer browser: http://125.145.215.185:8080

Requests are coming to port 90; that is incorrect. Also, from the client on the outside you can try "telnet 125.145.215.185 8080".

-KS

Hi sankar,

Sorry, I have removed port 8080 from the outside and replaced it with port 80. Here is the output.

sh xlate debug | i 172.16.20.8

TCP PAT from dmz:172.16.20.8/90 to outside:125.145.215.185/80 flags sr idle 0:01:14 timeout 0:00:00
sh run static | i 172.16.20.8

static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255

Thanks

GK

Make sure to try this from an outside computer browser: http://125.145.215.185

Requests are coming to port 90; that is incorrect. Also, from the client on the outside you can try "telnet 125.145.215.185 80".

while someone is doing the test, get the syslog.

sh logg | i 125.145.215.185

-KS

Sankar,

Tried http://125.145.215.185, no hope, and

telnet 125.145.215.185 80 (working, listening on port 80)

Thanks GK

Kumar,

You are making it very hard to help you.

1. Pls. do not keep changing the port in the statics. Just leave one port until you get it working.

2. Pls. finish all the steps that we ask you to do.  Where are the syslogs when it worked for the "telnet ip_address 80" ? You got a blank black screen with a blinking cursor?

-KS

Hi sankar,

Here is the syslog from when I telneted to the server.

04-17-2010 18:51:48 Local4.Info 192.9.1.100 Apr 17 2010 18:51:48: %ASA-6-302013: Built inbound TCP connection 7544564 for outside:78.101.224.135/52839 (78.101.224.135/52839) to dmz:172.16.20.8/90 (125.145.215.185/80)

Yes I got a black blank screen with cursor.

Thanks

GK

The config on the firewall is correct. The connection is built perfectly.

I think there is something wrong with the webserver.

Try to telnet to this http://172.16.20.8:90 from a computer in the 172.16.20.0/24 subnet and make sure the page loads.

-KS
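An added example, not from this thread or from Cisco: a small Python parser for the two ASA message types quoted above (%ASA-2-106001 "connection denied" and %ASA-6-302013 "Built inbound TCP connection") that tells you, for a given static PAT, whether a connection was denied on a port the PAT does not cover, was translated as intended, or passed through with the real port exposed. The first two sample lines are the ones quoted in the thread; the third is constructed to show what a 302013 line looks like once the 1:1 static is in place (mapped port equal to real port), and the field layout it assumes is the one visible in the quoted 302013 line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. Lines 1 and 2 are the ones quoted in this thread;
# line 3 is hypothetical and shows a connection that hits port 90 directly
# through the 1:1 static, i.e. no port translation (mapped 90 -> real 90).
SAMPLE_LOG = """\
04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39:   %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058   to 125.145.215.185/90 flags SYN  on interface outside
04-17-2010 18:51:48 Local4.Info 192.9.1.100 Apr 17 2010 18:51:48: %ASA-6-302013: Built inbound TCP connection 7544564 for outside:78.101.224.135/52839 (78.101.224.135/52839) to dmz:172.16.20.8/90 (125.145.215.185/80)
04-17-2010 18:52:10 Local4.Info 192.9.1.100 Apr 17 2010 18:52:10: %ASA-6-302013: Built inbound TCP connection 7544570 for outside:78.101.224.135/52840 (78.101.224.135/52840) to dmz:172.16.20.8/90 (125.145.215.185/90)
"""

# 106001: the destination is the address the outside client actually sent the SYN to.
DENIED_RE = re.compile(
    r"%ASA-\d-106001: Inbound TCP connection denied from ([\d.]+)/(\d+)\s+to "
    r"([\d.]+)/(\d+) flags (\S+)\s+on interface (\w+)"
)
# 302013: "to <ifc>:<real_ip>/<real_port> (<mapped_ip>/<mapped_port>)" as in the quoted line.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built inbound TCP connection (\d+) for (\w+):([\d.]+)/(\d+) "
    r"\(([\d.]+)/(\d+)\) to (\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)"
)


@dataclass
class Event:
    kind: str                         # "denied" or "built"
    src: str                          # client ip/port
    mapped_ip: str                    # global address the client connected to
    mapped_port: int
    real_ip: Optional[str] = None     # DMZ address after untranslation (built only)
    real_port: Optional[int] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line into an Event, or None if it is not a 106001/302013 message."""
    m = DENIED_RE.search(line)
    if m:
        src, sport, dst, dport, _flags, _ifc = m.groups()
        return Event("denied", f"{src}/{sport}", dst, int(dport))
    m = BUILT_RE.search(line)
    if m:
        (_cid, _sifc, src, sport, _smapped, _smport,
         _difc, real_ip, real_port, mapped_ip, mapped_port) = m.groups()
        return Event("built", f"{src}/{sport}", mapped_ip, int(mapped_port),
                     real_ip, int(real_port))
    return None


def classify(ev: Event, global_ip: str, global_port: int,
             local_ip: str, local_port: int) -> str:
    """Say what one event tells us about the static PAT global_ip/global_port -> local_ip/local_port."""
    if ev.mapped_ip != global_ip:
        return "unrelated: different global address"
    if ev.kind == "denied":
        if ev.mapped_port == global_port:
            return f"denied on the PAT port {global_port}: check the outside ACL and the xlate"
        return (f"denied on port {ev.mapped_port}: no static covers this port "
                f"(expected when only the {global_port}->{local_port} PAT exists)")
    if ev.real_ip != local_ip:
        return f"built to a different real host {ev.real_ip}"
    if ev.mapped_port == global_port and ev.real_port == local_port:
        return f"translated {global_port}->{local_port}: static PAT is working"
    if ev.mapped_port == ev.real_port:
        return (f"port {ev.real_port} passed untranslated: a 1:1 static is exposing "
                f"the real port, not the PAT")
    return f"unexpected mapping {ev.mapped_port}->{ev.real_port}"


def analyze(log_text: str, global_ip: str, global_port: int,
            local_ip: str, local_port: int) -> List[str]:
    """Run classify() over every parseable line, in order; unparseable lines are skipped."""
    out = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            out.append(classify(ev, global_ip, global_port, local_ip, local_port))
    return out


if __name__ == "__main__":
    for verdict in analyze(SAMPLE_LOG, "125.145.215.185", 80, "172.16.20.8", 90):
        print(verdict)
```

Feed it the output of `sh logg | i 125.145.215.185` while someone tests from outside. A 302013 line whose mapped and real ports are both 90 means the client reached the real port through the 1:1 static rather than the port-80 PAT, which is what puts ":90" in the address bar.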

So, you remove the 1-1 NAT and only leave the port 80 to port 90 static PAT, allowed permission via acl applied on the outside and you did a clear xlate x.x.x.x for this host and it does not work?

That is strange.  Need syslogs.

Are you sure this host 172.16.20.8 listens on port 90? Does it work internally when you try to load the page?
