
ASA5505 (8.4.2) NAT Outside --> Inside

Anyone

I'm really confused now. Trying to do something I believed was simple enough.

Scenario:

Using an ASA5505, have 1 static outside address, want to access an inside SBS-Server on SMTP, RDP (3389), HTTPS and port 987

Have configured network object NAT rules using the ASDM. SMTP works (I can telnet to the server on port 25 from outside), however for some reason I cannot telnet inside and out on port 25, so outgoing mail does not work. RDP does not seem to work from outside, 987 I haven't tested from outside. When I try to create a network object NAT rule for HTTPS I get this message from the ASA:

[OK] object network SBS-HTTPS

      object network SBS-HTTPS

[ERROR] nat (inside,outside) static interface service tcp https https

  NAT unable to reserve ports.

Also configured access rules for the mentioned ports, again using the ASDM.

Please could anyone point me in the right direction here.

I AM STUCK

Attached the asa config file

br

hkl


varrao
Level 10

Hi Kristian,

Can you try these nats.

Erase all those NATs and ACLs added for the servers and add these:

object network SBS-SMTP

host 192.168.10.9

object service RDP

service tcp  destination eq 3389

object service SMTP

service tcp  destination eq smtp

object service 987

service tcp  destination eq 987

object service HTTPS

service tcp destination eq 443

object network SBS-RDP

host 192.168.10.9

object network SBS-HTTPS

host 192.168.10.9

object network SBS-987

host 192.168.10.9

nat (outside,inside) source static any any destination static interface SBS-SMTP service SMTP SMTP

nat (outside,inside) source static any any destination static interface SBS-RDP service RDP RDP

nat (outside,inside) source static any any destination static interface SBS-HTTPS service HTTPS HTTPS

nat (outside,inside) source static any any destination static interface SBS-987 service 987 987

and use these ACLs:

access-list outside_access_in extended permit tcp any object SBS-SMTP eq smtp

access-list outside_access_in extended permit tcp any object SBS-RDP eq 3389

access-list outside_access_in extended permit tcp any object SBS-HTTPS eq https

access-list outside_access_in extended permit tcp any object SBS-HTTPS eq 987

It should definitely work, use the object services that are provided above.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

Thanks for your response Varun

I deleted all NATs, access lists, network objects and service objects, and after a bit of fiddling I got SMTP and RDP to work. Haven't tested the 987, but assume that works too.

The challenge now is that I still get the error msg when I try to add the NAT statement for https <NAT unable to reserve ports>

Again I cannot telnet inside and out on port 25, that does not make any sense to me, any ideas?

hkl

Ok

I hate my ISP, they block port 25, that explained the smtp problem.

Now it's just the https issue left.

hkl

SOLVED

The issue with https turned out to be because ASDM access was enabled on the outside interface, thus occupying port 443. The solution is to either turn it off or change the ASDM access port to something other than 443.

Thanks for the help folks.

hkl

ohhhhh ok, that's good. But I could not see any ASDM enabled on the outside:

http server enable

http 192.168.10.0 255.255.255.0 inside

Thanks,

Varun

Thanks,
Varun Rao
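
Added example (not part of the thread and not Cisco code): a small pre-flight check for the collision described in the SOLVED post, where an object-NAT `static interface service tcp` rule asks for the same port that `http server enable` already uses. The function and field names are hypothetical, the sample config is constructed from the lines quoted above, and the check assumes only the `http` server is a competing listener; it reports, but does not judge, whether an `http <net> <mask> <ifname>` line names the mapped interface.

```python
import re

# Constructed sample, modelled on the configuration lines quoted in this thread.
SAMPLE_CONFIG = """
http server enable
http 192.168.10.0 255.255.255.0 inside
object network SBS-SMTP
 host 192.168.10.9
 nat (inside,outside) static interface service tcp smtp smtp
object network SBS-HTTPS
 host 192.168.10.9
 nat (inside,outside) static interface service tcp https https
"""

# Small subset of ASA port keywords (assumption: extend it for your config).
PORT_NAMES = {"https": 443, "smtp": 25, "www": 80, "ssh": 22, "telnet": 23}

def to_port(token):
    """Translate an ASA port keyword or a numeric string into an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def find_port_conflicts(config):
    """Return interface-PAT rules whose mapped TCP port equals the http server port."""
    mgmt_port = None      # port of 'http server enable [port]'; None if not enabled
    mgmt_ifaces = set()   # interfaces named in 'http <net> <mask> <ifname>'
    pat_rules = []        # (object name, mapped interface, mapped port)
    current_obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"http server enable(?: (\d+))?", line):
            mgmt_port = int(m.group(1) or 443)   # 443 is the default port
        elif m := re.fullmatch(r"http [\d.]+ [\d.]+ (\S+)", line):
            mgmt_ifaces.add(m.group(1))
        elif m := re.fullmatch(r"object network (\S+)", line):
            current_obj = m.group(1)
        elif m := re.fullmatch(
                r"nat \([^,\s]+,([^)\s]+)\) static interface service tcp \S+ (\S+)", line):
            pat_rules.append((current_obj, m.group(1), to_port(m.group(2))))
    return [{"object": obj, "interface": iface, "port": port,
             "asdm_permitted_on_interface": iface in mgmt_ifaces}
            for obj, iface, port in pat_rules
            if mgmt_port is not None and port == mgmt_port]

if __name__ == "__main__":
    for hit in find_port_conflicts(SAMPLE_CONFIG):
        print(hit)
```

Run against the sample, it flags only SBS-HTTPS on port 443; changing the first line to `http server enable 8443` clears the finding, matching the second option in the SOLVED post.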