Beginner

PAT issue on ASA 5520 with 1 public IPA

Hello,

I have never set up an ASA in an environment with a single public IPA. So when I needed to NAT different ports to different internal hosts, I had to do some research. Found plenty of good examples, but I am still having some bad luck making it work. Before I switched from the Comcast modem/router, the port forwarding worked fine, so it is something I am missing.

I am trying to forward tcp/8082 to server object server01 (hosting webserver). It works internally fine still.

object network server01
host 192.168.1.25

!

object service map-server01
service tcp source eq 8082

!

access-list outside_access_in extended permit tcp any object server01 eq 8082

!

nat (inside,outside) source static server01 interface service map-server01 map-server01

This is not the entire config but the parts I have in place. For starters, does that appear right? Oh, one more piece of info: I am able to port forward 443 and 9987 just fine, both tcp, but they both go to the same server, not server01.

Full NATs:

nat (inside,outside) source static nas01 interface service teamspeak teamspeak
nat (inside,outside) source static nas01 interface service plex plex
nat (inside,outside) source static nas01 interface service HTTPS HTTPS
nat (inside,outside) source static server01 interface service map-server01 map-server01

ACL:

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object server01 eq 8082
access-list outside_access_in extended permit tcp any object nas01 eq https
access-list outside_access_in remark PLEX Media Server
access-list outside_access_in extended permit tcp any object nas01 eq 32400
access-list outside_access_in remark 7dtd Map
access-list outside_access_in extended permit tcp any object game02 object-group DM_INLINE_TCP_2
access-list outside_access_in remark TeamSpeak
access-list outside_access_in extended permit udp any object nas01 eq 9987
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any interface outside log

Any clues? Thanks in advance!

11 REPLIES

Hall of Fame Guru

It looks fine as far as I can see.

Have you tried to run a packet tracer to test an outside connection to the server?

Only other thing is, does the server use the ASA as its default gateway?

Jon

Beginner

Thanks Jon,

Server does use the ASA as its GW.

Packet tracer shows (on the working setups with udp 9987 and tcp 443) that the packet is dropped, but I assure you it works. So I am less confident in that. It shows dropped in the NAT area.

When I test on the tcp/8082, it shows the same thing but doesn't work.

Beginner

I just noticed my packet tracer to the server with issues had the wrong IP. I ran it again: no NAT failure, but the failure is in the ACL, an implicit one??

Hall of Fame Guru

Jeff

Sorry, don't use ASDM but on the CLI the command should be -

"packet-tracer input outside tcp x.x.x.x 12345 <public IP of server> 8082"

where x.x.x.x can be any public IP.

Jon

Beginner

Better:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:
NAT divert to egress interface inside
Untranslate externalIP/8082 to 192.168.1.26/8082

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object server01 eq 8082
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:
Static translate 55.44.33.43/12345 to 55.44.33.43/12345

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 815269, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Now, with the GUI packet tracer, I noticed (in screenshot) it was dropped by implicit deny... the only one I have, well, the Global ACL has only a deny. I added a quick "ip any any" and it works now. Why is it reading global first before the Outside ACL? Never used Global in the years of ASA fiddling. Should I just use Global and not the Outside rules?

Hall of Fame Guru

As far as I am aware global acls are applied after interface acls so it should have worked.

Jon

Beginner

I'll confirm that if I copy the exact acl from the outside interface ACL, and move to Global, it works as I'd expect, for all my services. So I could do that as a fix, but now I'm stumped as to why it is not reading the outside ACL at all, well it is for some but not all.

Hall of Fame Guru

Can you just use the outside interface acl without a global, or don't permit in the global, and then run a packet tracer to a server that is working and a packet tracer to this one that isn't, and we'll see if we can spot the difference.

Jon

Beginner

Without the Global allows (still allowed in OUTSIDE), non-working then working entries:

asa# packet-tracer input outside tcp 55.44.33.43 12345 ExternalIP 8082

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:
NAT divert to egress interface inside
Untranslate ExternalIP/8082 to 192.168.1.26/8082

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object server01 eq 8082
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:
Static translate 55.44.33.43/12345 to 55.44.33.43/12345

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 820631, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

asa#
asa#
asa#
asa#
asa#
asa#
asa#
asa#
asa# packet-tracer input outside tcp 55.44.33.43 12345 ExternalIP 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static nas01 interface service HTTPS HTTPS
Additional Information:
NAT divert to egress interface inside
Untranslate ExternalIP/443 to 192.168.1.15/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object nas01 eq https
access-list outside_access_in remark PLEX Media Server
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static nas01 interface service HTTPS HTTPS
Additional Information:
Static translate 55.44.33.43/12345 to 55.44.33.43/12345

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static nas01 interface service HTTPS HTTPS
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 820656, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
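
Comparing two traces phase by phase, as suggested earlier in the thread, can be scripted. This is an added example, not part of any post here: it parses packet-tracer text in the format shown above and reports the first phase where a working and a failing trace diverge, and which rule decided it. The two traces are constructed and shortened; the function names are hypothetical.

```python
import re

# Constructed, shortened traces in the packet-tracer format shown above.
TEMPLATE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype: {sub}
Result: {res}
Config:
{cfg}
Additional Information:

Result:
Action: {act}
"""
ALLOWED = TEMPLATE.format(sub="log", res="ALLOW", act="allow",
                          cfg="access-group outside_access_in in interface outside\n"
                              "access-list outside_access_in extended permit tcp any object server01 eq 8082")
DROPPED = TEMPLATE.format(sub="", res="DROP", act="drop", cfg="Implicit Rule")

PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\nSubtype:[ ]*([^\n]*)\nResult: (\S+)\n"
                      r"Config:\n(.*?)Additional Information:", re.S)

def parse_trace(text):
    """Return the phases (number, type, result, config lines) and the final action."""
    phases = [{"phase": int(n), "type": t, "subtype": s, "result": r,
               "config": c.splitlines()} for n, t, s, r, c in PHASE_RE.findall(text)]
    action = re.search(r"^Action: (\w+)", text, re.M)
    return {"phases": phases, "action": action.group(1) if action else None}

def first_divergence(good, bad):
    """First pair of phases that differ in type, result or config, else None."""
    for g, b in zip(good["phases"], bad["phases"]):
        if (g["type"], g["result"], g["config"]) != (b["type"], b["result"], b["config"]):
            return g, b
    return None

def deciding_rule(phase):
    """The access-group line that decided an ACCESS-LIST phase, else its first config line."""
    groups = [l for l in phase["config"] if l.startswith("access-group ")]
    return (groups or phase["config"] or ["(none)"])[0]
```
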

Hall of Fame Guru

Sorry about delay in responding.

They are both working according to your outputs, i.e. the ASA is allowing them both.

Not entirely sure what is happening here.

Can you post output of "sh nat" ?

Jon

Beginner

NP!

Here is the show nat:

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static nas01 interface service teamspeak teamspeak
translate_hits = 5, untranslate_hits = 14
2 (inside) to (outside) source static nas01 interface service plex plex
translate_hits = 91, untranslate_hits = 109
3 (inside) to (outside) source static nas01 interface service HTTPS HTTPS
translate_hits = 470, untranslate_hits = 533
4 (inside) to (outside) source static server01 interface service map-server01 map-server01
translate_hits = 19, untranslate_hits = 19

Auto NAT Policies (Section 2)
1 (outside) to (inside) source static google-dns interface service udp domain domain
translate_hits = 0, untranslate_hits = 294
2 (any) to (outside) source dynamic DynamicNAT interface
translate_hits = 820690, untranslate_hits = 379504

Here is the show access-list output with the global only using the implicit deny:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inside_access_in; 2 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit ip any any (hitcnt=901619) 0xa925365e
access-list inside_access_in line 2 extended permit icmp any any (hitcnt=0) 0xd6183fb5
access-list outside_access_in; 9 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any object server01 eq 8082 (hitcnt=0) 0xbc5416d5
access-list outside_access_in line 1 extended permit tcp any host 192.168.1.26 eq 8082 (hitcnt=14) 0xbc5416d5
access-list outside_access_in line 2 extended permit tcp any object nas01 eq https (hitcnt=0) 0x321e9a6e
access-list outside_access_in line 2 extended permit tcp any host 192.168.1.15 eq https (hitcnt=536) 0x321e9a6e
access-list outside_access_in line 3 remark PLEX Media Server
access-list outside_access_in line 4 extended permit tcp any object nas01 eq 32400 (hitcnt=0) 0x3fcc3cbb
access-list outside_access_in line 4 extended permit tcp any host 192.168.1.15 eq 32400 (hitcnt=109) 0x3fcc3cbb
access-list outside_access_in line 5 remark 7dtd Map
access-list outside_access_in line 6 extended permit tcp any object game02 object-group DM_INLINE_TCP_2 (hitcnt=0) 0x5daed978
access-list outside_access_in line 6 extended permit tcp any host 192.168.1.136 eq 9081 (hitcnt=0) 0x6e5306f6
access-list outside_access_in line 6 extended permit tcp any host 192.168.1.136 eq 9082 (hitcnt=0) 0x6f5a69d6
access-list outside_access_in line 6 extended permit tcp any host 192.168.1.136 eq 28900 (hitcnt=0) 0x440f518f
access-list outside_access_in line 7 remark TeamSpeak
access-list outside_access_in line 8 extended permit udp any object nas01 eq 9987 (hitcnt=0) 0xfd02c985
access-list outside_access_in line 8 extended permit udp any host 192.168.1.15 eq 9987 (hitcnt=7) 0xfd02c985
access-list outside_access_in line 9 extended permit icmp any any (hitcnt=25580) 0x71af81e1
access-list outside_access_in line 10 extended deny ip any interface outside log informational interval 300 (hitcnt=0) 0x5908dec3
access-list global_access; 2 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit tcp any object server01 eq 8082 inactive (hitcnt=0) (inactive) 0xfcd59970
access-list global_access line 1 extended permit tcp any host 192.168.1.26 eq 8082 inactive (hitcnt=0) (inactive) 0xfcd59970
access-list global_access line 2 extended permit tcp any object nas01 eq 32400 inactive (hitcnt=0) (inactive) 0xebf9585d
access-list global_access line 2 extended permit tcp any host 192.168.1.15 eq 32400 inactive (hitcnt=0) (inactive) 0xebf9585d

I did some more testing just now. I was going to output the show access-list when it is working and when it is not (not in global), however it is working as intended now. Global back to only the implicit deny, and my other rules in OUTSIDE are working.

No idea what happened. I banged my head on the wall since Sunday on this. The only thing I did different today was add the allow rule to the global (which worked), then remove them, and now it works like expected. I'm at a loss. But it is working at the least!

Thank you for all the assistance and looking this over with me.
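
The hit counters in the "show access-list" output above show which ACL is actually matching traffic. In that output the object-based line reads hitcnt=0 while its expanded host line carries the count. This is an added example, not part of any post in the thread: it totals hits per configured rule from the expanded entries and lists active rules that never matched. The sample lines are copied from the output above; the function names are hypothetical.

```python
import re

# Lines copied from the "show access-list" output posted in the thread above.
SHOW_ACL = """\
access-list outside_access_in line 1 extended permit tcp any object server01 eq 8082 (hitcnt=0) 0xbc5416d5
access-list outside_access_in line 1 extended permit tcp any host 192.168.1.26 eq 8082 (hitcnt=14) 0xbc5416d5
access-list outside_access_in line 5 remark 7dtd Map
access-list outside_access_in line 6 extended permit tcp any object game02 object-group DM_INLINE_TCP_2 (hitcnt=0) 0x5daed978
access-list outside_access_in line 6 extended permit tcp any host 192.168.1.136 eq 9081 (hitcnt=0) 0x6e5306f6
access-list outside_access_in line 6 extended permit tcp any host 192.168.1.136 eq 9082 (hitcnt=0) 0x6f5a69d6
access-list global_access line 1 extended permit tcp any object server01 eq 8082 inactive (hitcnt=0) (inactive) 0xfcd59970
access-list global_access line 1 extended permit tcp any host 192.168.1.26 eq 8082 inactive (hitcnt=0) (inactive) 0xfcd59970
"""

LINE_RE = re.compile(
    r"access-list (\S+) line (\d+) extended (.+?) \(hitcnt=(\d+)\)( \(inactive\))? 0x[0-9a-f]+")

def rule_hits(show_output):
    """Map (acl, line) to the configured rule, its hit total and its inactive flag."""
    rules = {}
    for acl, line, text, hits, inactive in LINE_RE.findall(show_output):
        key = (acl, int(line))
        if key not in rules:  # first occurrence: the rule as configured
            rules[key] = {"rule": text, "own": int(hits), "expanded": [],
                          "inactive": bool(inactive)}
        else:                 # later occurrences: its expanded entries
            rules[key]["expanded"].append(int(hits))
    for r in rules.values():
        # Use expanded entries when present so a parent counter is never added twice.
        r["hits"] = sum(r["expanded"]) if r["expanded"] else r["own"]
    return rules

def acl_totals(rules):
    """Total hits per ACL name, counting active rules only."""
    totals = {}
    for (acl, _), r in rules.items():
        totals[acl] = totals.get(acl, 0) + (0 if r["inactive"] else r["hits"])
    return totals

def unused_active(rules):
    """Active rules that have never matched a packet."""
    return sorted(k for k, r in rules.items() if not r["inactive"] and r["hits"] == 0)
```
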