05-20-2011 06:42 AM - edited 03-11-2019 01:36 PM
There is a new office which is going to be on a separate internal subnet (192.168.254.x), and I need this to be port address translated to one public address (212.23.51.108). I've given it a go on the ASA5510, but I'm not sure if I'm doing this right; any help would be appreciated.
3 of the internal addresses need port redirection:
192.168.254.10 - public port 33510 - private port 3389
192.168.254.11 - public port 9940 - private port 443
192.168.254.173 - public port 3390 - private port 3389
Ports 80 and 443 opened for 192.168.254.10
I have a test PC set up and connected to the internal 192.168.254.0 network (gave it a static of 192.168.254.10). It is reaching the internet, and its public IP is seen as 212.23.51.108; however, how the hell do I test to see if port 80 or 443 is open for this IP?
Tried using the CLI but gave up and looked at doing it in ASDM; however, I can't see the option in ASDM for NAT overload, so I've tried configuring this with Dynamic NAT, which looks about right, but I have no idea really, it's a bit confusing...
This is the relevant config so far, as far as I can see.
global (outside) 2 212.23.51.108
nat (inside) 2 192.168.254.0 255.255.255.0
nat (inside) 2 access-list inside_nat_outbound
access-list in_inside extended permit tcp any host 192.168.254.10 eq https
access-list in_inside extended permit tcp any host 192.168.254.10 eq www
access-list inside_nat_outbound extended permit ip 192.168.254.0 255.255.255.0 any
05-20-2011 06:52 AM
Hi Leo,
If you just wanted to test whether you have the translations created for the internal server with the public IP on the port, you can use the following commands from the CLI:
show xlate | in 192.168.254.10
This will give you all the translations.
also you can run a packet tracer and check the output:
packet-tracer input outside tcp 1.1.1.1 2345
it would give you sort of a virtual packet traversal through the firewall for port 80, similarly try for port 443 as well.
I am not sure if you have done this already, but to access the servers from outside you would need the following statics:
static (inside,outside) tcp
static (inside,outside) tcp
Similarly for the other servers as well.
I'll give you a doc for the port translation as well.
Hope this helps.
Thanks,
Varun
05-20-2011 06:54 AM
Here is the doc:
The nat statements that you have are only for internet access; for users to access these servers from the internet you would require the static statements.
Regards,
Varun
05-20-2011 07:14 AM
Hey, thanks a lot for the fast response.
Yeah, I had already added these statics (forgot to mention in the first post):
static (inside,outside) tcp 212.23.51.108 9940 192.168.254.11 443 netmask 255.255.255.255
static (inside,outside) tcp 212.23.51.108 3390 192.168.254.173 3389 netmask 255.255.255.255
static (inside,outside) tcp 212.23.51.108 33510 192.168.254.10 3389 netmask 255.255.255.255
However I didn't have these: (thanks!)
static (inside,outside) tcp 212.23.51.108 www 192.168.254.10 www netmask 255.255.255.255
static (inside,outside) tcp 212.23.51.108 https 192.168.254.10 https netmask 255.255.255.255
I did a "show xlate | in 192.168.254.10" and it came up with:
PAT Global 212.23.51.108(33510) Local 192.168.254.10(3389)
PAT Global 212.23.51.108(80) Local 192.168.254.10(80)
PAT Global 212.23.51.108(443) Local 192.168.254.10(443)
PAT Global 212.23.51.108(20862) Local 192.168.254.10(1239)
PAT Global 212.23.51.108(3520) Local 192.168.254.10(1238)
PAT Global 212.23.51.108(45500) Local 192.168.254.10(1235)
PAT Global 212.23.51.108(26706) Local 192.168.254.10(1234)
PAT Global 212.23.51.108(27802) Local 192.168.254.10(1233)
PAT Global 212.23.51.108(29864) Local 192.168.254.10(1232)
PAT Global 212.23.51.108(26799) Local 192.168.254.10(1231)
PAT Global 212.23.51.108(47213) Local 192.168.254.10(1230)
PAT Global 212.23.51.108(57643) Local 192.168.254.10(1229)
PAT Global 212.23.51.108(12169) Local 192.168.254.10(1228)
PAT Global 212.23.51.108(52118) Local 192.168.254.10(1227)
PAT Global 212.23.51.108(60605) Local 192.168.254.10(1226)
PAT Global 212.23.51.108(9772) Local 192.168.254.10(1225)
PAT Global 212.23.51.108(51956) Local 192.168.254.10(1224)
PAT Global 212.23.51.108(26863) Local 192.168.254.10(1215)
PAT Global 212.23.51.108(6389) Local 192.168.254.10(1213)
PAT Global 212.23.51.108(13144) Local 192.168.254.10(1212)
PAT Global 212.23.51.108(47275) Local 192.168.254.10(1209)
PAT Global 212.23.51.108(53397) Local 192.168.254.10(1198)
05-20-2011 07:37 AM
Hi Leo,
Yup, this looks good to me... this is all you'll need to verify the setup. You can also run the packet tracer if you want. Glad it worked out for you.
Thanks,
Varun
05-20-2011 07:46 AM
Hey, I tried the packet tracer, and it dropped the packet ??
ATN-TELE-ASA5510-01# packet-tracer input outside tcp 1.1.1.1 2345 212.23.51.108 80 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 212.23.51.108 www 192.168.254.10 www netmask 255.255.255.255
match tcp inside host 192.168.254.10 eq 80 outside any
static translation to 212.23.51.108/80
translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface inside
Untranslate 212.23.51.108/80 to 192.168.254.10/80 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7f8bec8, priority=11, domain=permit, deny=true
hits=9765153, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-20-2011 07:49 AM
Check in the config if you have this ACL:
access-list IN extended permit tcp any host 212.23.51.108 eq www
access-group IN in interface outside
This could be the cause; it is definitely an ACL issue.
Thanks,
Varun
05-20-2011 08:19 AM
Hey,
Yeah, the access-group was already set up:
access-group in_outside in interface outside
and I added:
access-list in_outside extended permit tcp any host 212.23.51.108 eq www
(would this rule not just allow any host that gets PAT to 212.23.51.108 though? the idea was to limit it to just the 192.168.254.10?)
And packet tracer shows it appears to be open now:
ATN-TELE-ASA5510-01# packet-tracer input outside tcp 1.1.1.1 2345 212.23.51.108 80 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 212.23.51.108 www 192.168.254.10 www netmask 255.255.255.255
match tcp inside host 192.168.254.10 eq 80 outside any
static translation to 212.23.51.108/80
translate_hits = 0, untranslate_hits = 20
Additional Information:
NAT divert to egress interface inside
Untranslate 212.23.51.108/80 to 192.168.254.10/80 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in_outside in interface outside
access-list in_outside extended permit tcp any host 212.23.51.108 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7f23fe0, priority=12, domain=permit, deny=false
hits=7, user_data=0xd68d2cc0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=212.23.51.108, mask=255.255.255.255, port=80, dscp=0x0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7cc2a70, priority=0, domain=inspect-ip-options, deny=true
hits=72025047, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd853bbf8, priority=70, domain=inspect-http, deny=false
hits=365392, user_data=0xd853b9f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd84efd48, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=23704077, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 212.23.51.108 www 192.168.254.10 www netmask 255.255.255.255
match tcp inside host 192.168.254.10 eq 80 outside any
static translation to 212.23.51.108/80
translate_hits = 0, untranslate_hits = 20
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd8c40f68, priority=5, domain=nat-reverse, deny=false
hits=8, user_data=0xd8a81778, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.254.10, mask=255.255.255.255, port=80, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 212.23.51.108 33520 192.168.254.10 3389 netmask 255.255.255.255
match tcp inside host 192.168.254.10 eq 3389 outside any
static translation to 212.23.51.108/33520
translate_hits = 0, untranslate_hits = 1
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd883c030, priority=5, domain=host, deny=false
hits=123, user_data=0xd7f325d0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.254.10, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd7d11080, priority=0, domain=inspect-ip-options, deny=true
hits=67868757, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 80362622, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
05-20-2011 02:21 PM
Hi Leo,
Whenever a packet falls on the firewall's outside interface, the destination of that packet would be your public IP, hence we need to allow access to that public IP. Moreover, you are not allowing access to the whole public IP but only to port 80 on that particular public IP:
access-list in_outside extended permit tcp any host 212.23.51.108 eq www
So this is exactly the correct ACL that you would need, don't worry about it.
I am glad it worked for you. Let me know if you have any other concerns.
Regards,
Varun
05-23-2011 02:56 AM
Hi Varun,
Thanks, I understood that part of it. However, I am uncertain about this... If every host in the 192.168.254.0 network is seen from the public side as 212.23.51.108 (with a unique port number to identify specific hosts), and if we were to just allow any public host WWW access to 212.23.51.108 with:
access-list in_outside extended permit tcp any host 212.23.51.108 eq www
Does that not mean that WWW is open to every host within our network that uses 212.23.51.108 as its global address? Or is this somehow just limited to 192.168.254.10 because of this:
static (inside,outside) tcp 212.23.51.108 www 192.168.254.10 www netmask 255.255.255.255
??
Thanks
05-23-2011 03:13 AM
Hi Leo,
Let me explain to you the purpose of these statements:
access-list in_outside extended permit tcp any host 212.23.51.108 eq www
All requests from outside would only be permitted for port 80.
Although you can open other ports as well, like:
access-list in_outside extended permit tcp any host 212.23.51.108 eq 3389
Requests for only this IP and port would be accepted; the rest rejected.
Now:
static (inside,outside) tcp 212.23.51.108 www 192.168.254.10 www netmask 255.255.255.255
What this means is: if a request for 212.23.51.108 comes in on port 80, translate it to 192.168.254.10 on port 80 itself.
Now you also had this requirement:
192.168.254.173 - public port 3390 - private port 3389
To make it more clear, here is how you would configure for it:
access-list in_outside extended permit tcp any host 212.23.51.108 eq 3390
static (inside,outside) tcp 212.23.51.108 3390 192.168.254.173 3389 netmask 255.255.255.255
Hope this clears things up for you.
Regards,
Varun
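As an added illustration (not from the thread or from Cisco): a small Python model of the inbound order of operations the packet-tracer output above shows, UN-NAT from the static PAT table followed by the outside ACL evaluated against the public address, using the thread's addresses. It assumes the ACL holds the www line Leo added plus the 3390 line suggested above; the dynamic PAT xlates from "show xlate" are deliberately absent because they only carry return traffic for connections the inside hosts opened.

```python
# Added example, not from the thread: a simplified model of how a pre-8.3 ASA
# handles a packet arriving on the outside interface. It shows why
# "permit tcp any host 212.23.51.108 eq www" reaches only 192.168.254.10:80.
# Assumed config: the static PATs posted in the thread plus an ACL holding the
# www line and the 3390 line. No state table or inspection is modelled.

# static (inside,outside) tcp <public> <pport> <real> <rport>
STATICS = {
    ("212.23.51.108", 80): ("192.168.254.10", 80),
    ("212.23.51.108", 443): ("192.168.254.10", 443),
    ("212.23.51.108", 33510): ("192.168.254.10", 3389),
    ("212.23.51.108", 9940): ("192.168.254.11", 443),
    ("212.23.51.108", 3390): ("192.168.254.173", 3389),
}

# access-list in_outside extended permit tcp any host 212.23.51.108 eq <port>
# Pre-8.3 ASAs evaluate the inbound ACL against the public (untranslated) address.
ACL_IN_OUTSIDE = {
    ("212.23.51.108", 80),
    ("212.23.51.108", 3390),
}


def inbound(dst_ip, dst_port):
    """Return the real (ip, port) a new inbound TCP flow is delivered to,
    or a string naming the packet-tracer phase that drops it."""
    # Phase 1, UN-NAT: only static translations can be matched by a packet
    # that starts a new connection from outside. The dynamic PAT xlates
    # (e.g. 212.23.51.108(20862) -> 192.168.254.10(1239)) exist for return
    # traffic of connections the inside host opened, so they are not here.
    real = STATICS.get((dst_ip, dst_port))
    if real is None:
        return "drop: no static translation (UN-NAT)"
    # Phase 2, ACCESS-LIST: without a matching permit the implicit deny
    # fires, which is the "acl-drop" Leo saw in his first trace.
    if (dst_ip, dst_port) not in ACL_IN_OUTSIDE:
        return "drop: acl-drop"
    return real


def exposed_surface():
    """Every (real_ip, real_port) the internet can open a connection to:
    the intersection of what is permitted and what is statically translated."""
    return sorted(STATICS[k] for k in ACL_IN_OUTSIDE if k in STATICS)
```

In this model an ACL permit with no matching static (the 3389 example above) delivers nothing, and a static with no ACL permit (9940, 33510 and 443 here) is dropped at phase 2, so exposed_surface() is the list worth reviewing after every change.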
05-23-2011 03:19 AM
OK, this is what I was suspecting. Thanks for explaining!