ASA5505 NAT issue

robin99
Level 1

I have an ASA5505 and am having an issue with port forwarding NAT, which I hope someone could enlighten me on. Thanks

Outside int = 213.12.137.13 (ADSL permanent IP)

Inside IP = 192.168.1.1 /24

I would like to have incoming traffic from internet to 213.12.137.13 at port 65500 to be forwarded to inside host 192.168.1.40 at port 22 (SSH)

I tried a few things but the forwarding still fails unfortunately (SSH to the mapped host 192.168.1.40 fails).

No issue with static NAT or internet access from inside so far.

My related config is:

================================================================

object network SSH-Forwarding

host 192.168.1.40

!

object network SSH-Forwarding

nat (inside,outside) static interface service tcp ssh 65500

!

access-list outside_access_in extended permit tcp any interface outside eq 65500

===============================================================

The packet tracer is shown below.

packet-tracer input outside tcp 123.243.148.75 ssh 213.12.137.13 65500 detail

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9ebcfd8, priority=1, domain=permit, deny=false

        hits=3357128, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=outside, output_ifc=any

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network SSH-Forwarding

nat (inside,outside) static interface service tcp ssh 65500

Additional Information:

NAT divert to egress interface inside

Untranslate 213.12.137.13/65500 to 192.168.1.40/22

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9f74998, priority=11, domain=permit, deny=true

        hits=16654, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule


11 Replies

cadet alain
VIP Alumni

Hi,

I think you forgot to attach the ACL to the outside interface: access-list outside_access_in in interface outside

Regards.

Alain

Don't forget to rate helpful posts.

julomban
Level 3

Robin,

Starting in version 8.3 the access list needs to configure using the private real IP instead of the mapped IP.

The ACL should be like this:

access-list outside_access_in extended permit tcp any host 192.168.1.40 eq 65500

Please try and let me know how it goes.

Regards,

Juan Lombana

Please rate helpful posts.

Hi,

good catch    

Regards.

Alain

Don't forget to rate helpful posts.

Hi Juan, thanks for your reply. Unfortunately it still did not work. The packet tracer shows the same thing.

I already have the ACL applied to outside interface anyway. Is there any other place I should check for? Thanks

Robin,

If you open "ip" does it work (just for troubleshooting purposes)?

access-list outside_access_in extended permit ip any host 192.168.1.40

Thanks,

Juan Lombana

Please rate helpful posts.

Hi Juan,

You are awesome. It worked after putting that ACL in, so I need to narrow down the ACL scope instead of using IP now. Do you have any idea how the ACL should be? Thanks

Robin,

You are right, having "ip" is not the best solution. Lately I have seen this problem with some other clients using port forwarding and port combination, can we try adding ssh on the ACL.

access-list outside_access_in extended permit tcp any host 192.168.1.40 eq 22

Let me know.

Juan Lombana

Please rate helpful posts.
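The reason the accepted ACL works and the original one does not is the order of operations shown in the packet-tracer output above: since ASA 8.3 the UN-NAT phase runs before the inbound ACL, so the ACL is evaluated against the real (untranslated) destination 192.168.1.40/22, not against the mapped interface address and port 65500. The following is an added example, not code from the thread or from Cisco: a small Python model of that order of operations that parses the thread's own NAT object and candidate ACL lines (reconstructed here) and reports which entries would permit the forwarded flow. The parser only understands the config forms used in this thread, and the interface addresses are taken from the original post.

```python
"""Model of the ASA 8.3+ inbound order of operations for a static
port-forward.  Added example, not code from the thread or from Cisco.

Since 8.3 the ASA untranslates the destination (UN-NAT) before it
evaluates the inbound interface ACL, so the ACL must match the real
address and real port (192.168.1.40/22 here), not the mapped interface
address and 65500.  Config lines below are reconstructed from the
thread; the parser covers only the forms used there.
"""
import re
from dataclasses import dataclass
from typing import Optional

NAMED_PORTS = {"ssh": 22, "www": 80, "http": 80, "https": 443}

def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]

@dataclass
class StaticNat:
    real_ip: str
    mapped_ip: str
    proto: Optional[str]        # None = whole-host static NAT
    real_port: Optional[int]
    mapped_port: Optional[int]

@dataclass
class AclEntry:
    raw: str
    action: str
    proto: str                  # ip | tcp | udp
    dst_ip: Optional[str]       # None = any
    dst_port: Optional[int]     # None = any port

NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")
ACL_RE = re.compile(r"access-list \S+ extended (permit|deny) (ip|tcp|udp) "
                    r"(?:any|host \S+) (any|host (\S+)|interface (\w+))(?: eq (\S+))?$")

def parse_nat(config: str, ifc_ips: dict) -> list:
    """Parse `object network` blocks; `host` and `nat` may sit in separate blocks."""
    hosts, nats, cur = {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object network "):
            cur = line.split()[2]
        elif line.startswith("host ") and cur:
            hosts[cur] = line.split()[1]
        elif (m := NAT_RE.match(line)) and cur:
            nats.append((cur, m.groups()))
    rules = []
    for name, (_real_ifc, mapped_ifc, mapped, proto, rport, mport) in nats:
        mapped_ip = ifc_ips[mapped_ifc] if mapped == "interface" else mapped
        rules.append(StaticNat(hosts[name], mapped_ip, proto,
                               port_num(rport) if rport else None,
                               port_num(mport) if mport else None))
    return rules

def parse_acl(config: str, ifc_ips: dict) -> list:
    entries = []
    for line in (l.strip() for l in config.splitlines()):
        m = ACL_RE.match(line)
        if not m:
            continue
        action, proto, _dst, host, ifc, port = m.groups()
        dst_ip = host if host else (ifc_ips[ifc] if ifc else None)
        entries.append(AclEntry(line, action, proto, dst_ip, port_num(port) if port else None))
    return entries

def simulate_inbound(proto, dst_ip, dst_port, nat_rules, acl, acl_sees_real=True):
    """Return ((real_ip, real_port), verdict, matched_line) for one inbound flow.
    acl_sees_real=True models 8.3+ (ACL on the untranslated destination);
    False models the pre-8.3 order, where the ACL matched the mapped destination."""
    real_ip, real_port = dst_ip, dst_port
    for r in nat_rules:                                    # Phase: UN-NAT
        if r.mapped_ip != dst_ip:
            continue
        if r.proto is None or (r.proto == proto and r.mapped_port == dst_port):
            real_ip = r.real_ip
            real_port = r.real_port if r.real_port is not None else dst_port
            break
    chk_ip, chk_port = (real_ip, real_port) if acl_sees_real else (dst_ip, dst_port)
    for e in acl:                                          # Phase: ACCESS-LIST
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dst_ip is not None and e.dst_ip != chk_ip:
            continue
        if e.dst_port is not None and e.dst_port != chk_port:
            continue
        return (real_ip, real_port), e.action, e.raw
    return (real_ip, real_port), "deny", "implicit deny"

# Constructed from the thread: outside 213.12.137.13, host 192.168.1.40, 65500 -> 22
IFC_IPS = {"outside": "213.12.137.13", "inside": "192.168.1.1"}
NAT_CONFIG = """
object network SSH-Forwarding
 host 192.168.1.40
object network SSH-Forwarding
 nat (inside,outside) static interface service tcp ssh 65500
"""
CANDIDATE_ACLS = {
    "mapped ifc + mapped port": "access-list outside_access_in extended permit tcp any interface outside eq 65500",
    "real ip + mapped port":    "access-list outside_access_in extended permit tcp any host 192.168.1.40 eq 65500",
    "real ip, any proto":       "access-list outside_access_in extended permit ip any host 192.168.1.40",
    "real ip + real port":      "access-list outside_access_in extended permit tcp any host 192.168.1.40 eq 22",
}

def verdicts(acl_sees_real: bool = True) -> dict:
    """Verdict of each candidate ACL for a TCP flow to 213.12.137.13:65500."""
    rules = parse_nat(NAT_CONFIG, IFC_IPS)
    out = {}
    for label, line in CANDIDATE_ACLS.items():
        _, verdict, _ = simulate_inbound("tcp", "213.12.137.13", 65500, rules,
                                         parse_acl(line, IFC_IPS), acl_sees_real)
        out[label] = verdict
    return out

if __name__ == "__main__":
    for label, v in verdicts().items():
        print(f"{v:6}  {label}")
```

Running it prints `deny` for the two entries that name the mapped interface or port 65500 and `permit` for the two that name the real host; passing `acl_sees_real=False` flips the result for the original `interface outside eq 65500` entry, which is why a working pre-8.3 ACL stops permitting the flow after an upgrade. Note that every candidate uses `any` as the source, which exposes the SSH service to the whole internet; where the set of administrative hosts is known (the packet-tracer test used 123.243.148.75), restricting the source to those addresses is the smaller attack surface.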

Thanks Juan, now I understand this change from ASA 8.3

Robin,

Perfect. I saw this problem on the latest IOS version 9.0, most likely a bug will be created as the ACL needs to point to 65500 and not ssh, that's how the ACL should be configured.

Regards,

Juan Lombana

Please rate helpful posts.

Hi,

At least in my own ASA configurations everything is working with the same kind of NAT configuration.

When I test connections from some random source IP, the packet-tracer Phase 3 output for me is hitting the ACL rule on my outside interface.

In my own case I have opened the traffic with

access-list WAN-IN permit tcp any object eq

And everything is working fine. Do you have any other similar setups where someone connects to your servers/hosts from outside which are working? Since you have attached the ACL to your outside interface, are you sure it's the correct ACL (if you happen to have used many while testing something)? Is the ACL attached in the direction "in"?

Which in my case would be

access-group WAN-IN in interface WAN

- Jouni

Jouni,

My ACL has been applied correctly but the ACL statement was wrong.

The correct one should be

access-list outside_access_in extended permit tcp any interface outside eq 22

Thanks for your reply anyway.
