02-10-2015 02:18 AM - edited 03-11-2019 10:28 PM
Hey all,
I recently upgraded this firewall to 9.01. Last week I tried to setup a port forwarding for a customers server. Done this before, did not expect any problems, but they appeared regardless of my expectations.
The server is unable to access the internet and reaching it through the available ports does not work either.
Attached is the config I used and the output from the packet-tracer I used to troubleshoot the problem.
To my surprise, the ASA decides to NAT the outgoing traffic twice. Once to the public IP address I reserved for the server and a second time, using the IP address I reserved for the entire customers network.
I tried a differnet setup where I specified each port needed in turn, but the problem remained.
Searched the internet for any other occasions of this problem, but was unable to find anything similar.
Hope somebody is able to shed some lioght on this problem.
Solved! Go to Solution.
02-10-2015 05:33 AM
Hi,
Again the output seems correct.
Your output does seem to show CONN-SETTINGS and QOS Phases which to my understanding should refer to a configuration you have done regarding bandwidth. I have not used those setting on the ASA myself (we handle them on Routers) so I am not sure what kind of output to expect in a normal situation. I might be able to check this when I am at home with my ASA.
In your output we can see that your ASA can ping the TCP port but an external host can not see a SYN ACK reply to the SYN it sent. This would seem to point that the servers default gateway is configured wrong. This would explain that it replies from a directly connected subnet (ASA will use the interface IP address to my understanding if no actual source address is not defined in the "ping tcp" command) but not from an external network.
Can you check the server network interface cards configuration or have it checked that its using the ASA interface IP address as the default gateway.
- Jouni
02-10-2015 03:00 AM
Hi,
The "packet-tracer" output seems normal. If you mean the other Dynamic translation showing up in the output then that is normal. I am not sure why the ASA shows it even though its not applied.
I am not sure if the "packet-tracer" command is the one which output we are looking at. I mean that it mentions the port as TCP/8000 while that was not used in the actual "packet-tracer" command as the source.
In the Phase with the Static NAT you can see that its applied. In the Phase where it mentions the Dynamic PAT translation you should also see a message that clearly indicates if an actual translation is performed.
Static NAT Applied
Phase: 5 Type: NAT Subtype: Result: ALLOW Config: object network DOOGLE1 nat (DOOGLE,outside) static PUB-IP-2 Additional Information: Static translate 10.6.9.50/8000 to PUB-IP-2/8000
Dynamic PAT mentioned but not applied (no information after the "Additional Information" section)
Phase: 9 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (DOOGLE,outside) after-auto source dynamic DOOGLE WAN-IP-DOOGLE Additional Information:
So considering the above the traffic seems to be matching the correct NAT when going to the external network
I would however been interested in seeing the output of the "packet-tracer" from "outside" to "DOOGLE" also to confirm that that direction also matches this same Static NAT rule.
It would seem to me that the problem might be somewhere else. I would look at the following things.
If I have not missed something the configurations you posted seem fine so I am not sure if the problem is on the ASA itself. I am not sure where the object "WAN-IP-DOOGLE1" is used though.
Hope this helps :)
- Jouni
02-10-2015 05:00 AM
02-10-2015 05:03 AM
The 8000 port is probably a mix up. I must have performed an earlier packet-tracer with that port. Performing the same packet-tracer with the 9000 ports yields port 9000 in the results.
02-10-2015 05:06 AM
Another thing I'm missing in the output, the bandwidth limit I impose is not checked.
I checked another 1-on-1 port mapping on another 5510 using 8.6(1)2, I get significantly different order and items in the result of a comparable packet-tracer.
02-10-2015 05:33 AM
Hi,
Again the output seems correct.
Your output does seem to show CONN-SETTINGS and QOS Phases which to my understanding should refer to a configuration you have done regarding bandwidth. I have not used those setting on the ASA myself (we handle them on Routers) so I am not sure what kind of output to expect in a normal situation. I might be able to check this when I am at home with my ASA.
In your output we can see that your ASA can ping the TCP port but an external host can not see a SYN ACK reply to the SYN it sent. This would seem to point that the servers default gateway is configured wrong. This would explain that it replies from a directly connected subnet (ASA will use the interface IP address to my understanding if no actual source address is not defined in the "ping tcp" command) but not from an external network.
Can you check the server network interface cards configuration or have it checked that its using the ASA interface IP address as the default gateway.
- Jouni
02-10-2015 06:27 AM
Well, what can I say. Besides the excellent deduction on your part, I am once again baffled by the incompetance of the person managing the server.
And finally, I should really stop making assumptions...
Many thanks Jouni!!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide