06-24-2013 03:45 AM - edited 03-11-2019 07:02 PM
Hi,
I am using an ASA5505 with version 8.3(2) and having a problem with the NAT configuration.
inside ip - 192.168.1.1/255.255.255.0
outside ip - 10.127.225.10/255.255.255.0
We have TCP 10042 as the service port through which we are passing data from the inside network to the outside network.
We have Client_server as 10.127.226.21/24
our DataServer as 192.168.1.3/24
We want to send the data from DataServer to Client_server through port no. 10042.
We did the following settings in the ASA through ASDM but are facing the problem that no NATing actually takes place.
object network Client_Server
host 10.127.226.21
object network DataServer
host 192.168.1.3
object service TCP_10042
service tcp source range 1 65535 destination eq 10042
object network Firewall_Outside
host 10.127.225.10
object network DataServer (192.168.1.3)
nat (inside,outside) static interface service tcp 10042 10042
object network Firewall_Outside (10.127.225.10)
nat (outside,inside) static DataServer (192.168.1.3) service tcp 10042 10042
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group global_access global
But still we are getting a problem with the NAT rules.
Also, when we tried the Packet Transfer check, we found "Access List - denied due to 'Implicit rule'".
Please help with how we have to transfer data through the firewall.
06-24-2013 04:30 AM
Hi,
Can you post your interface configurations using "show run interface" command.
If I understood you correctly then there is a server on the "inside" that is initiating a connection to a server on "outside" with the destination port TCP/10042? Is this correct?
If this is true, then we don't really need all the NAT configurations you have done. A Dynamic PAT configuration might be all that is needed.
Naturally, if you want to give its own address to the server on the "inside", then you would configure Static NAT.
If the server on the "outside" needed to access the server on the "inside", then you might need Static NAT or Static PAT (Port Forward).
Is this firewall located inside some LAN network or is it at the edge of LAN and WAN?
Let's clear up these few things and then we can look at what is required to correct the situation.
- Jouni
06-24-2013 05:30 AM
Hi Jouni,
Thank you for the prompt reply.
Please find the complete details of the configuration below.
: Saved
: Written by enable_15 at 12:54:21.049 IST Mon Jun 24 2013
!
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.127.225.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone IST 5 30
object network IP21_Server
host 10.127.226.21
description IP21_Server
object network Tank_OPC_Server
host 192.168.1.2
description Tank_OPC_Server
object network CIMIO_TestPC
host 10.127.230.35
description CIMIO_TestPC
object service TCP_10041
service tcp source range 1 65535 destination eq 10041
description TCP-10041
object service TCP_10042
service tcp source range 1 65535 destination eq 10042
description TCP-10042
object service TCP_135
service tcp source range 1 65535 destination eq 135
description TCP_135
object service TCP_47625
service tcp source range 1 65535 destination eq 47625
description TCP-47625
object service TCP_7777
service tcp source range 1 65535 destination eq 7777
description TCP_7777
object service tcp_all
service tcp source range 1 65535 destination range 1024 65535
description tcp-all
object network Firewall_Outside
host 10.127.225.10
object service Ping
service icmp echo-reply
description Ping
object network Rule_2
subnet 10.127.0.0 255.255.255.0
description Web Access
object network OPCIP
host 10.0.0.0
object-group network Firewall_Inside_Sys
description Firewall_Inside_Sys
network-object object Tank_OPC_Server
object-group network Firewall_Outside_OPC_Sys
description Firewall_Outside_OPC_Sys
network-object object CIMIO_TestPC
network-object object IP21_Server
object-group service DM_INLINE_TCP_1 tcp
port-object eq 49153
port-object eq 49154
port-object eq 49155
port-object eq 49156
port-object eq 49157
port-object eq 49158
port-object eq 49160
port-object eq 49161
port-object eq 49162
port-object eq 49163
port-object eq 49164
port-object eq 49165
object-group service DM_INLINE_TCP_2 tcp
port-object eq 135
port-object eq 1433
port-object eq 3389
port-object eq 445
port-object eq 49152
port-object eq 49153
port-object eq 49154
port-object eq 49155
port-object eq 49156
port-object eq 49157
port-object eq 49158
port-object eq 49159
port-object eq 49160
port-object eq 49161
port-object eq 49162
port-object eq 5357
object-group service DM_INLINE_TCP_3 tcp
port-object eq 135
port-object eq 3389
port-object eq www
port-object eq lpd
port-object eq netbios-ssn
object-group service DM_INLINE_TCP_4 tcp
port-object eq 135
port-object eq 1433
port-object eq 445
port-object eq 49152
port-object eq 49153
port-object eq 49154
port-object eq 49155
port-object eq 49156
port-object eq 49157
port-object eq 49158
port-object eq 49159
port-object eq 49160
port-object eq 49161
port-object eq 49162
port-object eq 5357
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq lpd
port-object eq netbios-ssn
object-group service OPC tcp
port-object eq 445
object-group service OPCM tcp
port-object eq 1433
object-group service OPCMS tcp
port-object eq 3389
object-group service OPCTCP tcp
port-object eq 135
object-group service OPCTCPU tcp
port-object eq 5357
object-group service TEST tcp
port-object eq 49152
port-object eq 49153
port-object eq 49154
port-object eq 49155
port-object eq 49156
port-object eq 49157
port-object eq 49158
port-object eq 49159
port-object eq 49160
port-object eq 49161
port-object eq 49162
port-object eq 49163
port-object eq 49164
port-object eq 49165
port-object eq 49166
port-object eq 49167
port-object eq 49168
port-object eq 49169
port-object eq 49170
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq 135
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq netbios-ssn
access-list inside_access_in extended permit ip object OPCIP object OPCIP
access-list inside_access_in extended permit tcp any any eq 445
access-list inside_access_in extended permit tcp any any eq lpd
access-list inside_access_in extended permit tcp any any eq 1433
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit tcp any any eq 5357
access-list inside_access_in extended permit tcp any any eq 49152
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list inside_access_out extended permit icmp any any
access-list inside_access_out remark IP21 Server to PTD DeltaV OPC Inside
access-list inside_access_out extended permit tcp object IP21_Server range 1 65535 object Tank_OPC_Server eq 10042
access-list inside_access_out remark Test PC to Tank OPC Server
access-list inside_access_out extended permit tcp object CIMIO_TestPC range 1 65535 object Tank_OPC_Server eq 10042
access-list inside_access_out remark Any Intranet to TFMS Web Server
access-list inside_access_out extended permit tcp any object Tank_OPC_Server eq www
access-list inside_access_out remark Report Access
access-list inside_access_out extended permit udp any eq netbios-ns object Tank_OPC_Server eq netbios-ns
access-list inside_access_out remark Report Access
access-list inside_access_out extended permit tcp any eq netbios-ssn object Tank_OPC_Server eq netbios-ssn
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp object IP21_Server range 1 65535 object Firewall_Outside eq 10042
access-list outside_access_in remark Test PC to TFMS OPC Server
access-list outside_access_in extended permit tcp object CIMIO_TestPC range 1 65535 object Firewall_Outside eq 10042
access-list outside_access_in remark Any-Intranet to TFMS Web Server
access-list outside_access_in extended permit tcp any object Firewall_Outside eq www
access-list outside_access_in remark Report Access
access-list outside_access_in extended permit udp any eq netbios-ns object Firewall_Outside eq netbios-ns
access-list outside_access_in remark Report Access
access-list outside_access_in extended permit tcp any eq netbios-ssn object Firewall_Outside eq netbios-ssn
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_3
access-list global_access extended permit ip object OPCIP object OPCIP
access-list global_access extended permit tcp any any object-group DM_INLINE_TCP_4
access-list global_access extended permit tcp any any object-group DM_INLINE_TCP_5
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network Tank_OPC_Server
nat (inside,outside) static interface service tcp 10042 10042
object network Firewall_Outside
nat (outside,inside) static Tank_OPC_Server service tcp 10042 10042
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.127.225.1 1
route outside 10.127.226.0 255.255.255.0 10.127.229.1 1
route outside 10.127.230.0 255.255.255.0 10.127.229.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username krish password ZDpDPiLx3Glgwqc. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:83aa589d0b77930b72fb3d2faffb127b
You are correct that the server is inside the network and it is initiating the connection to the outside network. This firewall is located inside the LAN network.
06-24-2013 05:51 AM
Hi,
I would suggest simplifying the configuration a bit.
For example, I would suggest that you only configure ACLs / access-lists in the "in" direction on the "inside" or "outside" interfaces. You don't generally need to use the "out" direction in typical firewall scenarios.
So I would remove the following first (I presume that this is just in the implementation phase and won't cause any problems with anything in production).
no access-group inside_access_out out interface inside
no access-group outside_access_in in interface outside
no access-group global_access global
You should then use the "inside_access_in" ACL to allow the traffic you need from the "inside" server to the "outside" server.
Add this configuration line to that ACL:
access-list inside_access_in permit tcp host 192.168.1.3 host 10.127.226.21 eq 10042
Also, you could REMOVE the NAT configuration you have currently (shown below):
object network Tank_OPC_Server
host 192.168.1.2
description Tank_OPC_Server
nat (inside,outside) static interface service tcp 10042 10042
object network Firewall_Outside
host 10.127.225.10
nat (outside,inside) static Tank_OPC_Server service tcp 10042 10042
Instead, you could configure basic Dynamic PAT, which should enable the "inside" server to connect to the "outside" server:
object-group network INSIDE-PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
nat (inside,outside) after-auto source dynamic INSIDE-PAT-SOURCE interface
What we have to notice with the above Dynamic PAT configuration is that it only enables the hosts and servers behind "inside" to connect to hosts/servers behind "outside". If the "outside" server needs to open/initiate connections towards the "inside" server, THEN we need a Static NAT configuration. Let me know if this is needed.
Also, it seems that these "route" commands are incorrect. Remove them and leave the default route:
no route outside 10.127.226.0 255.255.255.0 10.127.229.1 1
no route outside 10.127.230.0 255.255.255.0 10.127.229.1 1
interface Vlan2
nameif outside
security-level 0
ip address 10.127.225.10 255.255.255.0
This is because the gateway IP address of 10.127.229.1 IS NOT part of the "outside" interface's connected network of 10.127.225.0/24, so the routes cannot be correct.
After you have made the required configuration changes, test the firewall rules with the "packet-tracer" command.
Use this command on the CLI of the ASA:
packet-tracer input inside tcp 192.168.1.3 12345 10.127.226.21 10042
This will print output showing what would happen to the connection you are attempting. Share the output with us here on the forums so we can have a look at what is causing the problems (if any remain after this).
Hope this helps
- Jouni
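The route problem Jouni describes (a next hop that is not on the connected subnet of the interface the route names) is easy to miss when reading a long config, so here is an added example, not from the thread or from Cisco, that checks every static route against the interface subnets. The sample config is constructed from the interface and route lines quoted above; nothing else is assumed.

```python
import ipaddress
import re

# Constructed sample built from the interface and route lines quoted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 10.127.225.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.127.225.1 1
route outside 10.127.226.0 255.255.255.0 10.127.229.1 1
route outside 10.127.230.0 255.255.255.0 10.127.229.1 1
"""

def connected_networks(config):
    """Map each nameif to the IPv4 network of its 'ip address' line."""
    nets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None          # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()   # tolerates a trailing 'standby <ip>'
            ip, mask = parts[2], parts[3]
            nets[nameif] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return nets

def check_routes(config):
    """Return (route_line, problem) for every static route whose next hop
    does not sit on the connected subnet of the interface it names."""
    nets = connected_networks(config)
    problems = []
    for line in config.splitlines():
        m = re.match(r"\s*route (\S+) (\S+) (\S+) (\S+)", line)
        if not m:
            continue
        ifname, _dst, _mask, nexthop = m.groups()
        net = nets.get(ifname)
        if net is None:
            problems.append((line.strip(), f"unknown interface {ifname}"))
        elif ipaddress.ip_address(nexthop) not in net:
            problems.append((line.strip(), f"next hop {nexthop} not in {net}"))
    return problems
```

Run against the sample, the default route via 10.127.225.1 passes and the two routes via 10.127.229.1 are reported, which is exactly the pair Jouni asks to remove.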
06-30-2013 08:08 PM
Hi Jouni,
Thank you for the support.
We have not connected any host on the outside network and tried the below command.
Result of the command: "packet-tracer input inside tcp 192.168.1.3 12345 10.127.226.21 10042"
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Then we connected a host with IP address 10.127.225.21/24 and ran the below commands.
Result of the command: "packet-tracer input inside tcp 192.168.1.3 12345 10.127.225.21 10042"
access-list inside_access_in permit tcp host 192.168.1.3 host 10.127.225.21 eq 10042
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.127.225.0 255.255.255.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: mgmt-deny-all
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Please suggest the way forward.
07-01-2013 12:30 AM
Hi,
Can you share the current configuration?
- Jouni