STATIC NAT ON ASA 5510

roppong77
Level 1

Hi Guys

I urgently need help.

I have the configuration below, but no HTTP traffic is coming in to my server on the internal interface.

Please someone help

ZEPASA(config)# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ZEPASA
domain-name zep-re.com
enable password UF9SYkZdBRjBresV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address xx.xx.49.36 255.255.255.248
!
interface Ethernet0/1
description LAN
nameif Inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EAT 3
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name zep-re.com
same-security-traffic permit inter-interface
access-list OUTSIDE_IN extended permit tcp any eq https host 41.206.49.38 eq https
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any echo-reply Outside
icmp permit any echo Outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 xx.xx.49.37 netmask 255.255.255.255
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xx.49.38 https 192.168.0.250 https netmask 255.255.255.255
access-group OUTSIDE_IN in interface Outside
route Outside 0.0.0.0 0.0.0.0 xx.xx.49.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 192.168.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 3
telnet 0.0.0.0 0.0.0.0 Outside
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xxxx password gbRIHmn1dUfWvHUp encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:1007d7779cf0da2cacb755be21f5dc54
: end
ZEPASA(config)#

packet tracer output

ZEPASA(config)# packet-tracer input outside tcp 4.2.2.2 https xx.xx.49.38 https

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside) tcp 41.206.49.38 https 192.168.0.250 https netmask 255.255.255.255
  match tcp Inside host 192.168.0.250 eq 443 Outside any
    static translation to 41.206.49.38/443
    translate_hits = 0, untranslate_hits = 126
Additional Information:
NAT divert to egress interface Inside
Untranslate 41.206.49.38/443 to 192.168.0.250/443 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_IN in interface Outside
access-list OUTSIDE_IN extended permit tcp any eq https host 41.206.49.38 eq https
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Outside) tcp 41.206.49.38 https 192.168.0.250 https netmask 255.255.255.255
  match tcp Inside host 192.168.0.250 eq 443 Outside any
    static translation to 41.206.49.38/443
    translate_hits = 0, untranslate_hits = 126
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,Outside) tcp 41.206.49.38 https 192.168.0.250 https netmask 255.255.255.255
  match tcp Inside host 192.168.0.250 eq 443 Outside any
    static translation to 41.206.49.38/443
    translate_hits = 0, untranslate_hits = 126
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8135, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.250 using egress ifc Inside
adjacency Active
next-hop mac address 0015.5d0a.0409 hits 0

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

7 Replies

manish arora
Level 6

Your NAT & access list is for HTTPS, that is why no HTTP traffic is allowed.

For HTTPS not working, check whether your web server is listening on port 443 or not.

Manish
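As an added illustration of Manish's point (this is not code from the thread, and the ASA is modelled only as far as the two quoted lines need), a small Python checker applies the post's `static` and `OUTSIDE_IN` lines to constructed inbound packets in the same order as the packet-tracer phases above, UN-NAT first and then the ACL on the mapped address. It also shows that `eq https` placed right after `any` in the quoted ACE is a source-port match, so a client arriving from an ephemeral source port is dropped even on 443, something the packet-tracer run (which used source port https) does not reveal.

```python
import re

# Config lines copied from the post; the keyword table covers only what they need.
CONFIG = """
static (Inside,Outside) tcp 41.206.49.38 https 192.168.0.250 https netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any eq https host 41.206.49.38 eq https
"""
PORT_NAMES = {"http": 80, "www": 80, "https": 443}

def port(tok):
    """Resolve an ASA port keyword or number to an integer."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse(config):
    """Return (statics, acl): static PAT entries and extended TCP ACEs."""
    statics, acl = [], []
    for line in config.strip().splitlines():
        m = re.match(r"static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)", line)
        if m:  # (global ip, global port, local ip, local port)
            statics.append((m[3], port(m[4]), m[5], port(m[6])))
            continue
        # Pre-8.3 ACE: tcp <src> [eq <sport>] <dst> [eq <dport>]. A port operator
        # placed right after the source matches the client's SOURCE port.
        m = re.match(r"access-list \S+ extended (permit|deny) tcp (any|host \S+)"
                     r"(?: eq (\S+))? (any|host \S+)(?: eq (\S+))?$", line)
        if m:
            acl.append((m[1], m[2], m[3] and port(m[3]), m[4], m[5] and port(m[5])))
    return statics, acl

def host_matches(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def inbound_verdict(statics, acl, src_ip, src_port, dst_ip, dst_port):
    """Mirror the packet-tracer phases: UN-NAT, then the inbound ACL evaluated on
    the mapped (public) address. Returns (allowed, reason, translated_dest)."""
    xlate = next(((lip, lport) for gip, gport, lip, lport in statics
                  if gip == dst_ip and gport == dst_port), None)
    if xlate is None:
        return False, "no static translation for this port", None
    for action, src, sport, dst, dport in acl:
        if (host_matches(src, src_ip) and (sport is None or sport == src_port)
                and host_matches(dst, dst_ip) and (dport is None or dport == dst_port)):
            return action == "permit", f"ACL {action}", xlate
    return False, "ACL implicit deny", xlate

if __name__ == "__main__":
    statics, acl = parse(CONFIG)
    # Constructed packets: the packet-tracer's (source port 443), a browser on 443
    # from an ephemeral source port, and plain HTTP on port 80.
    for sport, dport in ((443, 443), (51515, 443), (51515, 80)):
        print(sport, "->", dport, inbound_verdict(statics, acl, "4.2.2.2", sport,
                                                  "41.206.49.38", dport))
```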

I meant https port 443

Are you able to connect to 192.168.0.250 at port 443 internally?

Manish

Manish,

Yes, I am able to telnet to port 443 internally.

I have tried an access-list with 3389 (RDP) and 80 without success.

try :-

access-list inside_out extended permit ip any any

access-group inside_out in interface Inside

Manish

Did that work, buddy?

manish

Manish,

It's working, but I haven't made any changes.

Anyway, thanks for your help, but I just can't figure out what the issue was.
