cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

201
Views
0
Helpful
1
Replies
Highlighted
Beginner

ASA5505 9.2(3) BASE -- Port Forwarding / NAT Not Working -- Need Insight Please!

Hello All!

I am struggling to figure out why my NAT / Port Forwarding is failing. Here's what I know about the site I'm configuring up.

1. The site is turning up a new DVR system.

2. The site has a Cable Modem as their ISP with two Static IP's (that I know of).

3. From the cable modem there is an ASA5505 BASE license 9.2(3) software and also a VOIP Router. (One IP belongs to the VOIP Router while the other the ASA).

4. The DVR System sits behind a switch connected to the ASA. 

5. I am trying to port forward the ASA's public IP address to an internal LAN IP belonging to the new DVR. 

Now... Here are my dummy downed configs:

nat (inside,outside)  source static CAMERA_DVR interface service CAMERA_DVR_HTTP CAMERA_DVR_HTTP
nat (inside,outside) source static CAMERA_DVR interface service CAMERA_DVR_RSTP CAMERA_DVR_RSTP
nat (inside,outside) source static CAMERA_DVR interface service CAMERA_DVR_8000 CAMERA_DVR_8000
nat (inside,outside)  source static LAN LAN destination static STS_VPN STS_VPN no-proxy-arp
nat (inside,outside)  source static LAN LAN destination static VPN_Pool VPN_Pool no-proxy-arp
nat (inside,outside) after-auto source dynamic any interface

object network CAMERA_DVR
host 192.168.xx.xx

object service CAMERA_DVR_HTTP
service tcp source eq www

access-list OUTSIDE-IN extended permit ip any object CAMERA_DVR
access-list OUTSIDE-IN extended permit ip any any (I know kind of redundant but was troubleshooting this issue)

access-group OUTSIDE-IN in interface outside

interface Vlan2
nameif outside
security-level 0
ip address 70.xx.xx.xx 255.255.255.xxx

ASA# sh xlate
59 in use, 957 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside:192.168.xx.xx 80-80 to outside:70.xx.xx.xx 80-80
flags srT idle 0:07:37 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 0:07:37 timeout 0:00:00
TCP PAT from inside:192.168.xx.xx 554-554 to outside:70.xx.x.xx 554-554
flags srT idle 2:54:54 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 2:54:54 timeout 0:00:00
TCP PAT from inside:192.168.xx.xx 8000-8000 to outside:70.xx.xx.xx 8000-8000
flags srT idle 2:54:53 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 2:54:53 timeout 0:00:00
NAT from inside:192.168.xx.xx/24 to outside:192.168.xx.xx/24
flags sIT idle 0:00:00 timeout 0:00:00
NAT from outside:192.168.xx.xx/24 to inside:192.168.xx.xx/24
flags sIT idle 0:00:00 timeout 0:00:00
NAT from inside:192.168.xx.xx/24 to outside:192.168.xx.xx24
flags sIT idle 0:00:26 timeout 0:00:00
NAT from outside:192.168.xx.xx/31, 192.168.xx.xx/30, 192.168.xx.xx/30,
192.168.xx.xx to inside:192.168.xx.xx/31, 192.168.xx.xx/30,
192.168.xx.xx/30, 192.168.xx.xx
flags sIT idle 0:00:26 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 6:23:53 timeout 0:00:00

ASA# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static CAMERA_DVR interface service CAMERA_DVR_HTTP CAMERA_DVR_HTTP
translate_hits = 11, untranslate_hits = 11
Source - Origin: 192.168.xx.xx/32, Translated: 70.xx.xx.xx/29
Service - Origin: tcp source eq www , Translated: tcp source eq www

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 35088, untranslate_hits = 3079
Source - Origin: 0.0.0.0/0, Translated: 70.xx.xx.xx/29

What logs are showing when I try to browse to the Public IP:

%ASA-6-302014: Teardown TCP connection 56656 for outside:73.XXX.XXX.XXX/64329 to inside:192.168.xx.xx/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 56658 for outside:73.XXX.XXX.XXX/64330 to inside:192.168.xx.xx/80 duration 0:00:30 bytes 0 SYN Timeout

------------------------

My biggest question is: why am I getting translate hits but not able to browse to the system? I can browse to it via LAN IP but not Public IP yet. I see a SYN Timeout -- but what would cause this? Is the dynamic NAT Necessary? Am I trying to take from the ASA's Public IPv4 address and it's not letting me? I do have the Access List permitting this traffic. Not sure what else to do other than look outside the ASA (perhapse the VOIP Router is causing some issue -- doubt it but I'm not leaving anything out at this point). 

Any help would be greately appreciated!

1 REPLY 1
Highlighted
Beginner

Guess I stumped the community

Guess I stumped the community on this one? I don't think I've done anything wrong in terms of how I coded it out (at least I don't think so). I might end up needing to purchase a support contract for it and call TAC unless someone has a suggestion.