Solved: Re: NATing issue on CIsco ASA 5505 running 9.2

LovejitSingh1313 · ‎09-14-2020

Hello Guys @balaji.bandi @Rob Ingram @Richard Burts @Marvin Rhoads

Internal web server (WIIFI interface): 192.168.2.200

Public IP (Also WAN interface on ASA) : 99.250.21.105

I want to map port 443 of internal server to WAN IP of ASA and tried following commands.

object network HTTPS_IN
host 192.168.2.200

object network HTTPS_IN
nat (WIFI,outside) static interface service tcp https https

Its not working and got following infio

5505# sh nat

Auto NAT Policies (Section 2)
1 (WIFI) to (outside) source static HTTPS_IN interface service tcp https https
translate_hits = 0, untranslate_hits = 40
2 (WIFI) to (outside) source dynamic obj_any interface
translate_hits = 6057, untranslate_hits = 198

5505# packet-tracer input outside tcp 8.8.8.8 https 192.168.2.200 https

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 WIFI

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: WIFI
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

5505# packet-tracer input outside tcp 8.8.8.8 https 99.250.21.105 https

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network HTTPS_IN
nat (WIFI,outside) static interface service tcp https https
Additional Information:
NAT divert to egress interface WIFI
Untranslate 99.250.21.105/443 to 192.168.2.200/443

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: WIFI
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

5505#

Please let me know if you need anything else?

Thanks

balaji.bandi · ‎09-15-2020

it should be the same way as another post of yours :

The difference is you need to have an ACL Rule also to allow that traffic to Wifi, where is this Wifi device connected in the network.

you need a static route back to the wifi device from ASA,, you may have an outgoing default route.

the suggestion made based on the requirements, your topology, and full config we do not have visibility.

https://community.cisco.com/t5/network-security/cisco-asa-opening-port-80-443-but-limit-it-to-specific-public-ip/m-p/4148079#M1073700

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Rob Ingram · ‎09-15-2020

Hi @LovejitSingh1313

Is that the full configuration? I don't see the "access-group OUT2in in interface outside" command defined anywhere, therefore that ACL is not in use.

View solution in original post

balaji.bandi · ‎09-15-2020

it should be the same way as another post of yours :

The difference is you need to have an ACL Rule also to allow that traffic to Wifi, where is this Wifi device connected in the network.

you need a static route back to the wifi device from ASA,, you may have an outgoing default route.

the suggestion made based on the requirements, your topology, and full config we do not have visibility.

https://community.cisco.com/t5/network-security/cisco-asa-opening-port-80-443-but-limit-it-to-specific-public-ip/m-p/4148079#M1073700

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

LovejitSingh1313 · ‎09-15-2020

Hello @balaji.bandi

Access-list was already there.

access-list OUT2in extended permit tcp any host 192.168.2.200 eq https

C 99.250.20.0 255.255.254.0 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, WIFI
d* 0.0.0.0 0.0.0.0 [1/0] via 99.250.20.1, outside

Thanks

LovejitSingh1313 · ‎09-15-2020

@balaji.bandi @Rob Ingram

Here is the config

5505(config)# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname 5505
enable password pmUE.Vrp.6w6gHcX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
switchport access vlan 5
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
switchport access vlan 50
!
interface Ethernet0/4
switchport access vlan 50
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan5
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan50
nameif WIFI
security-level 100
ip address 192.168.2.1 255.255.255.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network HTTPS_IN
host 192.168.2.200
object network WEB-SERVER
host 192.168.2.200
object network WEB-SERVER_PUBLIC
host 99.250.21.105
object service TCP25
service tcp source eq smtp
access-list OUT2in extended permit tcp any host 192.168.2.200 eq https
access-list OUT2in extended permit tcp any host 192.168.2.200 eq smtp
access-list out2in1 extended permit tcp any host 192.168.2.200 eq https
pager lines 24
mtu WIFI 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WIFI
icmp permit any outside
asdm image disk0:/asdm-7141-48.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (WIFI,outside) source static WEB-SERVER interface service TCP25 TCP25
!
object network obj_any
nat (WIFI,outside) dynamic interface
object network HTTPS_IN
nat (WIFI,outside) static interface service tcp https https
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 WIFI
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 WIFI
ssh 192.168.2.0 255.255.255.0 WIFI
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8
dhcpd lease 28800
dhcpd domain en
!
dhcpd address 192.168.2.100-192.168.2.130 WIFI
dhcpd enable WIFI
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username lsingh password SvQK35AQbGEfqr.k encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e7cf15f33559d9acaee969c1dc2eeb85
: end
5505(config)#

Rob Ingram · ‎09-15-2020

Hi @LovejitSingh1313

Is that the full configuration? I don't see the "access-group OUT2in in interface outside" command defined anywhere, therefore that ACL is not in use.

LovejitSingh1313 · ‎09-15-2020

@Rob Ingram @balaji.bandi

OH **bleep** I cant beleive that I forget to apply access-list after defining it. Thanks alot guys.

balaji.bandi · ‎09-15-2020

Glad all working as expected, sure some time big config we miss some lines, but always to verify in our environment is good practice.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help