Novice problem with static NAT rule

Dr.Debate
Level 1

I have a very basic configuration...


ASA 5505 running 9.2(3)

Firewall mode:  Routed

Inside network is 192.168.253.0/24 (ASA is 192.168.253.1)

Outside network is 1.1.1.32/29 (ASA is 1.1.1.34)

Web server is 192.168.253.70 and I want that NAT'd to 1.1.1.35 with only port 80 open

Proxy ARP is disabled on inside but enabled on outside


This isn't working and even the debugging log doesn't show a reason. I've got very minimal experience configuring ASA devices and I'm thinking I must have missed something very simple. Any ideas out there? Below are the relevant parts of my configuration:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.253.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.34 255.255.255.248
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Cable-02
 host 1.1.1.35
object network Cable-Network
 subnet 1.1.1.32 255.255.255.248
object network Svr-HTTP
 host 192.168.253.70
object-group service wwwServiceGroup
 service-object tcp destination eq www
access-list outside_access_in extended permit object-group wwwServiceGroup any object Cable-02
no arp permit-nonconnected
object network obj_any
 nat (inside,outside) dynamic interface
object network Svr-HTTP
 nat (inside,outside) static Cable-02
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.33 1
sysopt noproxyarp inside

6 Replies

Jon Marshall
Hall of Fame

The main issue is you are referencing the public IP in your acl, but with 8.3 onwards you use the private IP in your acl, i.e. replace Cable-02 with Svr-HTTP.

That should fix the problem.

In addition, your NAT statements could be modified, but you don't need to for it to work, i.e. you have used a static NAT statement where you could have used a static PAT for just port 80, as this is the only one you want to allow, and you have two NAT entries to translate your internal user IPs.

Like I say, the main problem is the acl, so don't worry too much about the rest, but here is a link to a really helpful document which covers all this and gives some recommendations as to what to use and where -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Jon
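The post-8.3 rule Jon describes (the interface ACL must name the real, pre-NAT address, never the mapped public one) is easy to lint for. The script below is an added example, not code from the thread or from Cisco: it parses the object NAT and access-list lines from a constructed copy of the poster's config, flags any ACL entry whose destination is a mapped object (or that object's literal host IP), and prints the corrected entry.

```python
import re

# Constructed sample: the lines from the ASA 9.2 config posted in the thread
# that matter for the static NAT / ACL interaction (addresses kept as posted).
SAMPLE_CONFIG = """\
object network Cable-02
 host 1.1.1.35
object network Svr-HTTP
 host 192.168.253.70
object-group service wwwServiceGroup
 service-object tcp destination eq www
access-list outside_access_in extended permit object-group wwwServiceGroup any object Cable-02
object network Svr-HTTP
 nat (inside,outside) static Cable-02
access-group outside_access_in in interface outside
"""


def parse_objects(config):
    """Return (hosts, mapped_to_real): 'object network' host addresses, and for
    every object NAT 'static' line the mapped object/IP -> real object name."""
    hosts, mapped_to_real, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+host (\S+)$", line)
        if m and current:
            hosts[current] = m.group(1)
        m = re.match(r"\s+nat \(\S+\) static (\S+)", line)
        if m and current:
            mapped_to_real[m.group(1)] = current
    return hosts, mapped_to_real


def find_mapped_refs(config):
    """Flag access-list entries whose destination is the *mapped* (post-NAT)
    address. On ASA 8.3+ interface ACLs see the real (untranslated) address,
    so such entries never match and the inbound connection is dropped."""
    hosts, mapped_to_real = parse_objects(config)
    # Accept either the mapped object name or its literal IP ('host 1.1.1.35').
    mapped_ips = {hosts[o]: r for o, r in mapped_to_real.items() if o in hosts}
    findings = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        for obj in re.findall(r"\bobject (\S+)", line):
            if obj in mapped_to_real:
                findings.append((line, obj, mapped_to_real[obj]))
        for ip in re.findall(r"\bhost (\S+)", line):
            if ip in mapped_ips:
                findings.append((line, ip, mapped_ips[ip]))
    return findings


def suggested_fix(line, mapped, real):
    """Rewrite the ACL entry to reference the real object, as the reply advises."""
    return re.sub(r"\b(object|host) " + re.escape(mapped) + r"\b", f"object {real}", line)


if __name__ == "__main__":
    for line, mapped, real in find_mapped_refs(SAMPLE_CONFIG):
        print(f"ACL references mapped object {mapped}; use real object {real}:")
        print("  " + suggested_fix(line, mapped, real))
```

Run against the sample it reports the single offending line and prints it rewritten with `object Svr-HTTP`, which is exactly the change Jon recommends.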

Thank you for the quick response and the helpful information. Unfortunately, this did not solve my problem. Does this syntax look correct?

access-list outside_access_in extended permit object-group wwwServiceGroup any object Svr-HTTP

Is it possible I need to change the interface to inside? That doesn't make sense to me, but, again, novice.

You just caught me before logging off.

I must admit I never use that syntax, i.e. I usually do -

access-list outside_access_in permit tcp any object Svr-HTTP eq <port number>

although I'm not saying your syntax won't work.

You need the acl applied to the outside interface so you have it correctly applied.

Like I say, I have to go now, but if the above makes no difference can you run this on the ASA and then post the results, and someone else may be able to help or I'll check in tomorrow -

"packet-tracer input outside tcp 8.8.8.8 12345 1.1.1.35 http"

Jon

Again, thank you. I changed the ACL syntax to what you're familiar with and it still doesn't work. Is it possible my site-to-site IPSec VPN is getting in the way? Here's the output from the command you requested:

# packet-tracer input outside tcp 8.8.8.8 12345 1.1.1.35 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Svr-HTTP
 nat (inside,outside) static Cable-02
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.35/80 to 192.168.253.70/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Svr-HTTP eq www
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect waas
service-policy global_policy global
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Svr-HTTP
 nat (inside,outside) static Cable-02
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1214, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


The packet tracer output shows that your configuration is working.

Can't comment on the VPN because you haven't included that.

Does the web server have its default gateway set to the ASA?

Can you connect to the web server successfully from inside?

Jon

Sorry for the delayed response. Yes, the ASA is the one and only gateway on all inside hosts. No inside hosts have a problem getting to the internet. There are actually three servers with NAT rules: an Exchange server, an FTP server and this web server. All have the same problem.

Would it be possible for me to privately send you a copy of my entire configuration and see if something jumps out at you?
