12-17-2011 09:35 AM - edited 03-11-2019 03:03 PM
I'm trying to get a new 5505 installed in our network to replace the 1841 that died over the past few days (memory issues). One of the big pieces of functionality that the old router gave us was the ability to open certain ports to the outside world to let clients see web sites we were working on for them or let employees RDP in to their work machines. I'm having trouble getting that working properly with the new device.
After a lot of trial and error, I finally got some ports working, but only for some IP addresses. In theory, Comcast (our ISP) is routing 13 IP addresses to our device (a.b.c.177 through 189). For historical reasons, the external IP of the device is .178. Only those NAT entries for .177, .178 and .179 are currently working. I have no idea why. I've attached the configuration of the ASA, as well as the configuration of the old 1841. As far as I know, Comcast's equipment is doing its job, so I don't have a lot of reason to question that end of it. And it was working with the 1841 in place before its untimely demise.
Does anyone have any ideas what I'm missing?
One note - I am also having trouble getting the VPNs working, so they are a work in progress. That will account for some of the differences in the configs.
Thanks,
Matt James
12-17-2011 10:23 AM
Hello Mjames,
I will be more than glad to help on this,
Error number one:
nat (outside) 0 access-list outside_nat0_outbound
This is the no nat rule for the VPN, please change it to :
nat (inside) 0 access-list outside_nat0_outbound
Error number two:
Now regarding the port forwarding rules, for example check these:
static (inside,outside) tcp interface ftp-data 192.168.2.7 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.2.7 ftp netmask 255.255.255.255
The interface IP address is
ip address a.b.c.178
And now check the Access-list
access-list outside_access_in extended permit tcp any a.b.c.176 255.255.255.240 eq ftp-data
access-list outside_access_in extended permit tcp any a.b.c.176 255.255.255.240 eq ftp
Why are they pointing to a.b.c.176?? They should be pointing to a.b.c.178.
I do see all the access-list pointing to 176 they should be pointing to the global ip address on the static statement (please change that and that should do it)
Please rate helpful posts
Regards
Julio
12-18-2011 08:52 AM
Julio -
As seen in the other thread, the VPN answer took care of it - thanks!
On the NAT side, however, I don't think that's what I'm looking for. In the end, I want to be able to NAT any traffic sent to .177 through .189 - such as this:
static (inside,outside) tcp 173.167.162.188 www 192.168.2.42 www netmask 255.255.255.255
The access-list is set up as it is so that any traffic to those IPs will be allowed to be considered for NAT-ing. I've tried setting the access list rules up where I had one per IP per protocol, but didn't have any luck. Once I set it to "outside-network" (in ASDM), that at least got 3 of the IPs running. I would have expected either method to work (by IP with the mask at 255.255.255.255 or the whole outside network with the mask at 255.255.255.240), but neither is getting it all the way there.
Anything else that you can think of?
Thanks,
Matt
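To make the two points above concrete (Julio's "the access-list should point to the global IP on the static statement" and Matt's reply that a /28 entry should cover the whole range), here is an added example, not code from this thread or from Cisco: a small Python checker that parses pre-8.3 style `static (inside,outside)` and `access-list ... extended` lines and reports which port-forwarding statics are not permitted by the inbound outside ACL. It relies on the pre-8.3 behaviour that the ACL applied inbound on the outside interface is evaluated against the global (untranslated) destination, so a /28 entry containing the global IP is as valid as a host entry, and `interface` in a static is resolved to the outside interface address. The sample configuration embedded in the block is constructed; the 203.0.113.x addresses stand in for the a.b.c.x addresses in the thread, and the unmatched RDP static on .185 is there deliberately to show a miss.

```python
import ipaddress
import re

# Service names as the ASA prints them; only the ones used in this thread.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25,
              "www": 80, "http": 80, "https": 443}

# Constructed sample in pre-8.3 syntax (addresses are hypothetical).
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.178 255.255.255.240
static (inside,outside) tcp interface ftp 192.168.2.7 ftp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.188 www 192.168.2.42 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.183 www 192.168.2.115 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.185 3389 192.168.2.50 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any 203.0.113.176 255.255.255.240 eq ftp
access-list outside_access_in extended permit tcp any host 203.0.113.188 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.183 eq 80
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")


def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_addr(tokens, i):
    """Consume an ASA address spec (any | host X | X MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (outside_ip, statics, acl_entries) from a pre-8.3 ASA config."""
    outside_ip, statics, acls, in_outside = None, [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_outside = False
        elif line == "nameif outside":
            in_outside = True
        elif in_outside and line.startswith("ip address "):
            outside_ip = line.split()[2]
        m = STATIC_RE.match(line)
        if m:
            _, _, proto, gaddr, gport, laddr, lport, _ = m.groups()
            statics.append({"proto": proto, "global": gaddr, "gport": port_num(gport),
                            "local": f"{laddr}:{port_num(lport)}", "line": line})
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            toks = rest.split()
            _, i = parse_addr(toks, 0)          # source, not needed for this check
            dst, i = parse_addr(toks, i)
            port = port_num(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
            acls.append({"name": name, "action": action, "proto": proto,
                         "dst": dst, "port": port, "line": line})
    return outside_ip, statics, acls


def check_statics(config_text, acl_name="outside_access_in"):
    """For each static, find the first ACL entry that matches its global IP/port."""
    outside_ip, statics, acls = parse_config(config_text)
    results = []
    for s in statics:
        gip = ipaddress.ip_address(outside_ip if s["global"] == "interface" else s["global"])
        hit = None
        for a in acls:
            if a["name"] != acl_name or a["proto"] not in (s["proto"], "ip"):
                continue
            if gip in a["dst"] and a["port"] in (None, s["gport"]):
                hit = a          # first match wins, as the ASA evaluates top-down
                break
        results.append({"global": str(gip), "port": s["gport"], "proto": s["proto"],
                        "local": s["local"],
                        "permitted": hit is not None and hit["action"] == "permit",
                        "acl": hit["line"] if hit else None})
    return results


def unpermitted(config_text):
    """(global_ip, port) pairs that no outside ACL entry permits."""
    return [(r["global"], r["port"]) for r in check_statics(config_text) if not r["permitted"]]


if __name__ == "__main__":
    for r in check_statics(SAMPLE_CONFIG):
        status = "ok " if r["permitted"] else "MISSING ACL"
        print(f'{status} {r["proto"]} {r["global"]}:{r["port"]} -> {r["local"]}')
```

Running it against the sample prints the ftp static (resolved to the .178 interface address) as covered by the /28 entry, the two www statics as covered by host entries, and the 3389 static on .185 as having no matching ACL entry, which is exactly the kind of gap that makes "some IPs work and others don't" on an 8.2 box. Feed it a real `show run` and it will skip anything it does not recognise (the 8.3+ object NAT syntax is not handled).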
12-18-2011 06:55 PM
Hello Matt,
The nat configuration is the same for those that are working and the ones that are not working.
I would like to run a packet tracer to see the rules the ASA uses for these packets:
packet-tracer input outside tcp 4.2.2.2 1025 a.b.c.183 80
packet-tracer input outside tcp 4.2.2.2 1025 interface_ip_address 21
packet-tracer input outside tcp 4.2.2.2 1025 a.b.c.183 80
Please provide the output of those packet tracers.
Regards,
Julio
12-19-2011 05:01 AM
12-19-2011 11:12 AM
Hello,
So the ASA seems to be taking the right path regarding those packets; the next thing would be to do captures:
access-list capin permit tcp host xxxxx host 192.168.2.115 eq 80
access-list capin permit tcp host 192.168.2.115 eq 80 host xxxx
access-list capout permit tcp host a.b.c.183 80 host xxxxxx
access-list capout permit tcp host xxxxxx host a.b.c.183 80
capture capin access-list capin interface inside
capture capout access-list capout interface outside
The xxxx is the host trying to connect to the server on the inside.
So I will need you to start sending traffic from that host and then provide the following outputs:
-sh capture capin
-sh capture capout
Please rate helpful posts.
Regards,
Julio
12-22-2011 05:23 AM
After much investigation and a few long days, we've determined that this issue was caused by factors outside the ASA. The configuration is correct, and we are up and running.
Thanks to everyone for their help.
Matt
12-22-2011 09:33 AM
Hello,
Great to hear that, the captures were going to let us know that as well.
Please mark the question as answered for future references.
Regards,
Julio