11-23-2015 03:15 PM - edited 03-11-2019 11:56 PM
Hi,
I am having some issues with my ASA5505 and an ADSL connection.
I did the setup without problems: configured the ADSL settings, NAT for browsing, etc.
All is working except for the port NAT from the outside (ADSL interface with a dynamic IP) to a server in the LAN on ports tcp/443 and tcp/1190.
Here is my config and a packet-tracer.
ciscoasa# sh running-config
: Saved
:
: Serial Number: JMX1843403G
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname ciscoasa
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif dmz
security-level 100
ip address 10.0.0.111 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group arnet
ip address pppoe setroute
!
boot system disk0:/asa923-k8.bin
ftp mode passive
clock timezone ART -3
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service tcp_1190
service tcp destination eq 1190
object service tcp_443
service tcp destination eq https
object network pfsese_dmz
object network pfsense_dmz_link
object network PFSENSE_DMZ
host 10.0.0.33
access-list dmz_access_in extended permit ip 10.0.0.0 255.255.255.0 any4
access-list dmz_access_in extended permit icmp 10.0.0.0 255.255.255.0 any
access-list acl_outside extended permit tcp any any eq https
pager lines 24
logging enable
logging asdm informational
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (dmz,outside) source dynamic any interface
!
object network PFSENSE_DMZ
nat (dmz,outside) static interface service tcp https https
access-group dmz_access_in in interface dmz
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 dmz
http 192.168.0.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=10.0.0.111,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate c3423456
308201c9 30820132 a0030201 020204c3 42345630 0d06092a 864886f7 0d010105
05003029 3111300f 06035504 03130863 6973636f 61736131 14301206 03550403
130b3139 322e3136 382e312e 31301e17 0d313531 30333130 35343835 345a170d
32353130 32383035 34383534 5a302931 11300f06 03550403 13086369 73636f61
73613114 30120603 55040313 0b313932 2e313638 2e312e31 30819f30 0d06092a
864886f7 0d010101 05000381 8d003081 89028181 00cb92b9 836e942a f0dd2c69
80ef23d1 0ee5eb22 4f7d3c91 eab6b43f fc92db01 a87719ee 41bbeef1 2093ca18
25faf580 2b42a95b 7d5568ca bca1bba2 8f13a7c1 eec6a10f c2dbf93f f0f2a4fd
c4776afa 739cf153 8c07aeb6 1a9a17f1 0b887bc9 5beb5a72 e93b1827 d5a800a6
1615f699 c5ef2816 7553834f 5e4dff42 506f89af 97020301 0001300d 06092a86
4886f70d 01010505 00038181 00ac3a40 cc483f83 28c7317f 73bc7fb2 47aaeb07
95be16be 9faf206d 3de81755 d0f1c16e 9fa4d868 3e5d22e0 f032c653 1d92ae5e
6f9c1fce b33619e8 919fa03f ab95d0e2 72c94021 623ab677 2a4896d7 df91aea9
e25c30cc f64c373f 9fb6c41a 6a561534 9e4477f8 fb009a78 f438c3bb 9c441eea
6143b836 5b42c494 e0a344b3 c2
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate 89643456
308201c7 30820130 a0030201 02020489 64345630 0d06092a 864886f7 0d010105
05003028 3111300f 06035504 03130863 6973636f 61736131 13301106 03550403
130a3130 2e302e30 2e313131 301e170d 31353130 33313036 35323134 5a170d32
35313032 38303635 3231345a 30283111 300f0603 55040313 08636973 636f6173
61311330 11060355 0403130a 31302e30 2e302e31 31313081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 818100cb 92b9836e 942af0dd 2c6980ef
23d10ee5 eb224f7d 3c91eab6 b43ffc92 db01a877 19ee41bb eef12093 ca1825fa
f5802b42 a95b7d55 68cabca1 bba28f13 a7c1eec6 a10fc2db f93ff0f2 a4fdc477
6afa739c f1538c07 aeb61a9a 17f10b88 7bc95beb 5a72e93b 1827d5a8 00a61615
f699c5ef 28167553 834f5e4d ff42506f 89af9702 03010001 300d0609 2a864886
f70d0101 05050003 8181004d 461b2dec 10d4bef2 9b1f2269 cf983f38 d650c42f
577b4ace 9bf5b8b4 967df16a f859b990 4883a917 33471a92 5bba9fbe 5e71cdae
8cf254c6 ce56bb4f ce61f6d6 520f1f5b 14829060 266b41cf 76c3b8b6 d8949dc1
ff29a05b e06ec008 bbb3c7e0 43f79cd0 c699ed3e 732314b4 9596de4a a7373d13
99913609 c1a56eba dd9b55
quit
telnet 192.168.0.0 255.255.255.0 dmz
telnet 10.0.0.0 255.255.255.0 dmz
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 dmz
ssh 192.168.0.0 255.255.255.0 dmz
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group arnet request dialout pppoe
vpdn group arnet localname 251812@arnet-cordoba-apb
vpdn group arnet ppp authentication pap
vpdn username 251812@arnet-cordoba-apb password ***** store-local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 dmz
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 dmz vpnlb-ip
username mochoa password 2GuhNbkntmInPuCn encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:095f2e72bab6ea1db63cf9c8ff62baeb
: end
ciscoasa#
Does anyone have any clue about what could be wrong in my config?
Thanks!!
11-23-2015 06:39 PM
Hi Matias,
I believe the dynamic PAT is overriding the static object NAT. Since the traffic is not getting translated, it is being dropped by the ACL.
If you have a separate IP, then you can use it for this specific NAT.
You can also try the below configuration which should resolve the issue.
no nat (DMZ,outside) source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
P.S. Please rate helpful posts.
Thanks,
Shivapramod M
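A fuller version of the change Shivapramod describes, written as an added example rather than taken from either post. It assumes the interface names and the object PFSENSE_DMZ from the config above; the object name PFSENSE_DMZ_1190 and the addresses 198.51.100.7 / 203.0.113.10 used in the packet-tracer lines are placeholders (the real outside address is whatever PPPoE assigned).

```cisco
! 1. Move the manual dynamic PAT from NAT section 1 to section 3 (after-auto),
!    so the object (auto) NAT rules in section 2 are evaluated first for
!    inbound connections to the interface IP.
no nat (dmz,outside) source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
!
! 2. The existing object NAT for tcp/443 stays as it is:
!      object network PFSENSE_DMZ
!       host 10.0.0.33
!       nat (dmz,outside) static interface service tcp https https
!    A network object carries only one nat statement, so tcp/1190 needs a
!    second object for the same host (PFSENSE_DMZ_1190 is an example name).
object network PFSENSE_DMZ_1190
 host 10.0.0.33
 nat (dmz,outside) static interface service tcp 1190 1190
!
! 3. Since ASA 8.3 inbound access rules match the real (untranslated)
!    address. The existing "permit tcp any any eq https" already covers 443;
!    tcp/1190 has no entry in acl_outside yet.
access-list acl_outside extended permit tcp any host 10.0.0.33 eq 1190
!
! 4. Verify the section order, then trace an inbound SYN to the current
!    outside address for each forwarded port.
show nat
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443 detailed
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 1190 detailed
```

In `show nat` the dynamic PAT should now appear under "Manual NAT Policies (Section 3)" below the two object rules in Section 2, and each packet-tracer run should end with `Action: allow`, showing the UN-NAT phase translating the interface address to 10.0.0.33 before the ACCESS-LIST phase. If a trace still drops in the NAT phase, the section-1 rule was not removed; if it drops in ACCESS-LIST, the acl_outside entry for that port is missing.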
11-24-2015 06:45 AM
Thanks! I will try it in a few days!