01-28-2011 01:23 AM - edited 03-11-2019 12:41 PM
Hello
I want to publish servers on the outside interface of an ASA 5510 with 8.3(2). It does not work for me! I can put them on an IP of their own but not on the interface. The logs say "Denied by ACL" but no ACLs are incremented and show nat does not show any hits.
Working code (lab-code) with servers not on the interface IP:
/////////////////////////////////////////////////////////////////////////////////////////////////
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.3.99 255.255.255.0
no shut
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.10.1.254 255.255.255.0
no shut
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 1.1.1.92 255.255.255.192
no shut
!
object network mySSL
host 10.10.1.1
nat (dmz,outside) static 1.1.1.93 service tcp 443 443
object network myWeb
host 10.10.1.1
nat (dmz,outside) static 1.1.1.93 service tcp 80 80
access-list outside-access extended permit tcp any object mySSL eq 443 log
access-list outside-access extended permit tcp any object myWeb eq 80 log
access-group outside-access in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.126 1
object-group network my-inside-net
network 192.168.3.0 255.255.255.0
nat (inside,outside) source dynamic my-inside-net interface
/////////////////////////////////////////////////////////////////////////////////////////////////
When I want to put the servers on the outside interface the only differences are:
object network mySSL
host 10.10.1.1
nat (dmz,outside) static interface service tcp 443 443
object network myWeb
host 10.10.1.1
nat (dmz,outside) static interface service tcp 80 80
/////////////////////////////////////////////////////////////////////////////////////////////////
Can somebody please explain what I have missed!!!
Regards, //Kling
01-29-2011 08:32 PM
Hello,
Seems like an overlapping translation. To confirm that, would you please send us the output from packet tracer? What we need to do is to play with the translations that you have. If you like, please try to put the dynamic NAT as after auto, to rule out any problems with overlapping.
The packet tracer would be like
packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.x 80
Paste the output, Ill help you out.
Cheers
Mike
02-01-2011 12:53 AM
Thank you!
I will test it as soon as I get access to the lab.
Regards, Kling
02-05-2011 12:18 PM
Hello
Packet-tracer of server on the outside interface
ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025 1.1.1.92 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.1.92 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
-----------------------------------------------------------------------------------
Packet-tracer of server on a separate IP
ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025 1.1.1.93 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network myWeb
nat (dmz,outside) static 1.1.1.93 service tcp www www
Additional Information:
NAT divert to egress interface dmz
Untranslate 1.1.1.93/80 to 10.10.1.1/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-access in interface outside
access-list outside-access extended permit tcp any object myWeb eq www log
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network myWeb
nat (dmz,outside) static 1.1.1.93 service tcp www www
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 0, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)#
Can someone see why it becomes this way?
Thank you in advance //Kling
02-05-2011 12:25 PM
Hi,
Are you using the dynamic PAT for regular internet access to the outside IP as after auto as suggested? Would you please send the output of show run nat?
Cheers
Mike
02-05-2011 12:51 PM
Hello
ciscoasa(config)# sh run nat
nat (inside,outside) source dynamic my-inside-net interface
!
object network mySSL
nat (dmz,outside) static interface service tcp https https
object network myWeb
nat (dmz,outside) static interface service tcp www www
Regards, //kling
02-05-2011 12:59 PM
Hi,
This is the one that I wanted you to put as after auto:
nat (inside,outside) source dynamic my-inside-net interface
Please do the following
no nat (inside,outside) source dynamic my-inside-net interface
nat (inside,outside) after source dynamic my-inside-net interface
Let me know how it goes.
Thanks.
Mike
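A constructed model of the rule ordering behind the fix above, added here as an example; it is not part of the thread and not Cisco code. It assumes the addresses from Kling's lab config (outside interface 1.1.1.92, server 10.10.1.1, spare mapped address 1.1.1.93) and deliberately simplifies the ASA lookup to the one behaviour the packet-tracer outputs show: the three NAT sections are searched in order (manual NAT, then object NAT, then manual NAT after-auto), and a dynamic PAT rule whose mapped address is the outside interface, if reached first, cannot untranslate a new inbound connection, so the packet stays addressed to the ASA itself and hits the implicit deny. The rule set names (ORIGINAL, FIXED, SEPARATE_IP) and helper functions are this example's own.

```python
"""Simplified model of ASA 8.3 NAT rule ordering (added example, not ASA code).

Reproduces the thread's symptom: a manual (section 1) dynamic PAT rule mapped to
the outside interface is matched before the object (section 2) static
port-forward rules, so a new inbound connection to the interface address is
never untranslated and is dropped by the implicit rule. Moving the PAT rule to
section 3 with the 'after' keyword lets the static rules win. The matching
below is a deliberate simplification of the real ASA lookup.
"""
from dataclasses import dataclass
from typing import Optional

# Addresses from the thread's lab config (constructed inputs for this model).
OUTSIDE_IP = "1.1.1.92"
SERVER = "10.10.1.1"


@dataclass
class NatRule:
    section: int            # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    real_ifc: str
    mapped_ifc: str
    kind: str               # "static" or "dynamic"
    real_ip: str
    mapped_ip: str          # "interface" resolves to the mapped interface's address
    proto: Optional[str] = None
    port: Optional[int] = None
    line: str = ""          # config text, for the trace output


def ordered(rules):
    """ASA precedence: section 1, then 2, then 3; config order within a section."""
    return sorted(rules, key=lambda r: r.section)   # sorted() is stable


def mapped_addr(rule):
    if rule.mapped_ip == "interface" and rule.mapped_ifc == "outside":
        return OUTSIDE_IP
    return rule.mapped_ip


def untranslate(rules, in_ifc, proto, dst_ip, dst_port):
    """First rule whose mapped side matches an inbound packet -> (rule, real_ip, how)."""
    for r in ordered(rules):
        if r.mapped_ifc != in_ifc or mapped_addr(r) != dst_ip:
            continue
        if r.kind == "static":
            if r.proto is not None and (r.proto, r.port) != (proto, dst_port):
                continue
            return r, r.real_ip, "UN-NAT"
        # Dynamic PAT matched first: a new inbound connection has no xlate to
        # reverse, so the packet keeps the interface address (identity) and the
        # static rules further down are never consulted in this model.
        return r, None, "no xlate"
    return None, None, "no match"


def trace(rules, acl_permits, in_ifc, proto, dst_ip, dst_port):
    """Coarse packet-tracer: returns (phases, action)."""
    rule, real_ip, how = untranslate(rules, in_ifc, proto, dst_ip, dst_port)
    phases = []
    if how == "UN-NAT":
        phases.append(f"UN-NAT {dst_ip}/{dst_port} -> {real_ip}/{dst_port} ({rule.line})")
        # In 8.3+ the interface ACL is checked against the real (untranslated) address.
        if acl_permits(proto, real_ip, dst_port):
            phases.append("ACCESS-LIST outside-access permit")
            return phases, "allow"
        phases.append("ACCESS-LIST implicit deny")
        return phases, "drop"
    phases.append("ROUTE-LOOKUP identity (NP Identity Ifc)")
    phases.append("ACCESS-LIST implicit rule deny (acl-drop)")
    return phases, "drop"


def outside_access(proto, real_ip, port):
    """The thread's outside-access ACL: tcp any -> 10.10.1.1 eq 80 or 443."""
    return proto == "tcp" and real_ip == SERVER and port in (80, 443)


def static_rule(port, mapped="interface"):
    return NatRule(2, "dmz", "outside", "static", SERVER, mapped, "tcp", port,
                   f"nat (dmz,outside) static {mapped} service tcp {port} {port}")


def pat_rule(section):
    kw = "after " if section == 3 else ""
    return NatRule(section, "inside", "outside", "dynamic", "192.168.3.0/24", "interface",
                   line=f"nat (inside,outside) {kw}source dynamic my-inside-net interface")


# Three rule sets from the thread: separate mapped IP (worked), interface IP with the
# PAT rule in section 1 (failed), interface IP with the PAT rule after-auto (fixed).
SEPARATE_IP = [pat_rule(1), static_rule(443, "1.1.1.93"), static_rule(80, "1.1.1.93")]
ORIGINAL = [pat_rule(1), static_rule(443), static_rule(80)]
FIXED = [pat_rule(3), static_rule(443), static_rule(80)]

if __name__ == "__main__":
    for name, rules, dst in (("separate IP", SEPARATE_IP, "1.1.1.93"),
                             ("original", ORIGINAL, OUTSIDE_IP),
                             ("after-auto", FIXED, OUTSIDE_IP)):
        phases, action = trace(rules, outside_access, "outside", "tcp", dst, 80)
        print(f"{name}: {action}")
        for p in phases:
            print("  ", p)
```

Running the script prints a trace for each rule set: the separate-IP and after-auto sets reach UN-NAT and the ACL permit, while the original set stops at the identity route lookup and the implicit deny, matching the two packet-tracer outputs posted earlier. The same model also shows the residual exposure worth checking after the fix: a port with no static rule (for example tcp/22 to the interface address) still falls through to the PAT rule and is dropped, which is the behaviour you want.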
02-05-2011 01:20 PM
Works Great!!!
Thank you
Regards //Kling
02-05-2011 05:06 PM
Hi,
No problem.
Cheers
Mike