03-19-2015 08:14 AM - edited 03-11-2019 10:39 PM
Hi all
I can't quite hit the nail on the head with this one. Any help would be very much appreciated please :)
Cisco ASA 5505
Running 8.4(1)
Example of what I am trying to do (I've basically run out of public IPs and need to direct access to certain hosts and services inside, but for complicated reasons I won't go into, as it won't help here and would just complicate it more for no reason, they can't be on the 'general usage' IP, so I need to share some of these other public IPs).
Public IP range: 12.34.56.1 - 12.34.56.5
Internal IP range: 192.168.1.1 - 192.168.1.254
12.34.56.5:
'General usage' IP. So by default everything goes in and out on this IP.
12.34.56.1:
Port 443 goes to 192.168.1.2
Port 80 goes to 192.168.1.3
Traffic from 192.168.1.2 and 192.168.1.3 to the internet comes from 12.34.56.1
12.34.56.2/.3/.4:
These are all dedicated to certain servers and work fine.
Bits of the config I think are relevant (please say if I've missed something):
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.5 255.255.255.248
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network NAT-IP-1
 host 12.34.56.1
object network server-2
 host 192.168.1.2
object network server-3
 host 192.168.1.3
object-group network SOURCE-ADDRESSES-2
 network-object host 192.168.1.2
 network-object host 192.168.1.3
access-list outside_access extended permit tcp any object server-2 eq https
access-list outside_access extended permit tcp any object server-3 eq www
nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
object network LAN
 nat (inside,outside) dynamic interface
object network server-2
 nat (inside,outside) static NAT-IP-1 service tcp https https
Traffic for server-2 and server-3 goes out on 12.34.56.1 instead of 12.34.56.5, that's fine. The port forwarding isn't happening though.
This results in this in the log:
4 Mar 19 2015 15:00:45 106023 5.6.7.8 53966 12.34.56.1 443 Deny tcp src outside:5.6.7.8/53966 dst outside:5.6.7.8/443 by access-group "outside_access" [0x0, 0x0]
If I do a packet trace it's just not showing the NAT entries expected (and the log above doesn't show the destination as the LAN IP either, as expected):
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 12.34.56.1 255.255.255.248 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
What am I messing up with the NATing/port forwarding please?
Thank you!
Edit: Sorry John. Typo - corrected!
03-20-2015 06:09 AM
Am I missing something that will have broken here?
As long as your specific port translations are higher up in the order you should be okay.
The only thing I would say, and it is just a suggestion, is that with your static statements for the whole IPs ie. the last two you are in effect opening up every port to server-2 (but not server-3 because of what I explained earlier).
Obviously you have an acl to control access but you could if you wanted remove the last two statements and replace it with your original dynamic NAT statement.
As long as it still came after the more specific static port translations in the same section then it should work fine.
That way you are not opening up any ports that may accidentally be allowed in your acl.
So it would basically be the first option I suggested in a previous post.
But it is entirely up to you.
Jon
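The ordering Jon describes, written out as an added example (this is not config from the thread): both port translations are placed in manual NAT (section 1) ahead of the shared dynamic PAT rule for the two servers, and the auto NAT static under server-2 is removed. The service object names HTTPS-443 and HTTP-80 are assumed; the network objects are the ones from the original post.

```cisco
! Added example, not from the thread. In manual (twice) NAT the service
! object's *source* port is the real port on the inside host.
object service HTTPS-443
 service tcp source eq 443
object service HTTP-80
 service tcp source eq 80
!
! Manual NAT rules are matched top-down, so remove the shared dynamic rule
! and re-add it only after the specific static port translations.
no nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
!
! Drop the auto NAT (section 2) static: the section 1 dynamic rule was
! matching the inbound traffic first, so this entry never got a hit.
object network server-2
 no nat (inside,outside) static NAT-IP-1 service tcp https https
!
! Section 1: specific static port translations first, shared PAT last.
nat (inside,outside) source static server-2 NAT-IP-1 service HTTPS-443 HTTPS-443
nat (inside,outside) source static server-3 NAT-IP-1 service HTTP-80 HTTP-80
nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
!
! The existing ACL already permits to the real (untranslated) addresses,
! which is what post-8.3 code expects, so it stays as it is:
! access-list outside_access extended permit tcp any object server-2 eq https
! access-list outside_access extended permit tcp any object server-3 eq www
```

To check the result, run "packet-tracer input outside tcp 5.6.7.8 53966 12.34.56.1 443" and confirm the NAT phase now untranslates to 192.168.1.2, and watch "show nat" for untranslate_hits on the two static rules rather than on the dynamic one.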
03-19-2015 09:44 AM
In the config you provided I do not see what NAT-IP-2 is referencing in the following line:
"object network server-2 nat (inside,outside) static NAT-IP-2 service tcp https https"
03-19-2015 09:58 AM
Corrected it, sorry.
I daftly changed the example IPs around after writing the post so they related better (well that was the aim) to what I'm actually dealing with but messed up :(
03-19-2015 09:55 AM
Can you post a "sh nat" ?
Jon
03-19-2015 09:55 AM
Jon:
Saw your original reply on the notification email. Was my typo sorry. Corrected it in the original post now. I believe that nat line is correct.
# sh nat
Manual NAT Policies (Section 1)
1 <vpn stuff>
2 <vpn stuff>
3 <port translation for general IP>
4 <another port translation for general IP>
5 <another>
6 (inside) to (outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
    translate_hits = 10828, untranslate_hits = 9773
(I'm not sure if this count is from when I got it working for just one server at one point.. not worked out again how I did that)
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static server-4 12.34.56.2
    translate_hits = 11406622, untranslate_hits = 576964
2 (inside) to (outside) source static server-2 NAT-IP-1 service tcp https https
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static server-5 12.34.56.3
    translate_hits = 97036, untranslate_hits = 1149482
4 (inside) to (outside) source static server-6 12.34.56.4
    translate_hits = 65, untranslate_hits = 174
5 <vpn stuff>
6 (inside) to (outside) source dynamic LAN interface
    translate_hits = 63479715, untranslate_hits = 53493227
03-19-2015 09:59 AM
This is your problem ie, you have in section 1 -
(inside) to (outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
and then in section 2
(inside) to (outside) source static server-2 NAT-IP-1 service tcp https https
the first rule is matching the inbound traffic so it never gets to your section 2 port mappings.
What do you actually want to do in terms of the outbound traffic from those servers ?
Jon
 
03-19-2015 10:27 AM
Everything except the specified stuff goes out and in on 12.34.56.5.
I need these 2 internal servers to share the public IP '12.34.56.1' both in and out basically.
Edit: And 12.34.56.2/.3/.4 are all dedicated to specific internal IPs. This works fine.
03-19-2015 10:43 AM
Can you post a full "sh nat" without editing anything out ?
Jon
03-19-2015 10:55 AM
Hello,
Please find your requirement restated below and confirm.
1. Servers 192.168.1.2 and 192.168.1.3 will use IP 12.34.65.1 for traffic on 443 and 80
2. The rest of the network will use 12.35.56.5 for communication
Jeevak,
03-19-2015 11:02 AM
Public IP     LAN IP
12.34.56.1    192.168.1.2 (port 443) and 192.168.1.3 (port 80)
12.34.56.2    192.168.1.4 (various ports)
12.34.56.3    192.168.1.10 (various ports)
12.34.56.4    192.168.1.50 (various ports)
12.34.56.5    Any 192.168.1.* IP not mentioned above
Thanks
03-19-2015 12:01 PM
You can try doing the following
no nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
nat (inside,outside) after-auto source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
03-19-2015 12:08 PM
I don't think it would ever get there because there is a general dynamic rule in section 2 for all LAN IPs.
Jon
03-19-2015 12:22 PM
Sorry Jon, I did not see your comment from earlier and yes you are correct.
03-19-2015 12:26 PM
No problem, we are all just trying to help and post 8.3 NAT isn't the easiest thing to work with.
I get confused by it all the time :-)
Jon
03-20-2015 04:34 AM
Thank you every one. Very much appreciated.
I've read the replies, and I'm going to go through them again, but to clarify what I am trying to do:
Public IP 12.34.56.1
192.168.1.2 and 192.168.1.3 should use (share) 12.34.56.1 for all their out going connections. I also need to map ports such as 443 to 192.168.1.2 and port 80 to 192.168.1.3 from the public IP 12.34.56.1.
With the config posted in my original post the outgoing IP bit works fine but not the incoming port forwarding.
Public IP 12.34.56.2
192.168.1.4 only should use 12.34.56.2 for all of the out going traffic. Various ports are mapped to it also from 12.34.56.2. This all works fine.
Public IP 12.34.56.3
192.168.1.10 only should use 12.34.56.3 for all of the out going traffic. Various ports are mapped to it also from 12.34.56.3. This all works fine.
Public IP 12.34.56.4
192.168.1.50 only should use 12.34.56.4 for all of the out going traffic. Various ports are mapped to it also from 12.34.56.4. This all works fine.
Public IP 12.34.56.5
Any other internal hosts (so anything 192.168.1.* that is not 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.10, or 192.168.1.50) should use 12.34.56.5 for their out going IP. Works fine.