Static NAT problem ASA 5525

szczyrk80
Level 1

Hi All,

I have a problem setting up a static mapping on a 5525 with the latest software.

Configuration attached.

Briefly, this has been implemented on the ASA5525:

object network sqldr
 host 192.168.10.205
access-list acl_out extended permit tcp any object sqldr eq 1433
object network sqldr
 nat (inside,outside) static 158.69.20.23
access-group acl_out in interface outside

When checking access-list acl_out I can see some hits when trying to telnet to that server from outside:

access-list acl_out line 4 extended permit tcp any object sqldr eq 1433 (hitcnt=3) 0x6b735618
access-list acl_out line 4 extended permit tcp any host 192.168.10.205 eq 1433 (hitcnt=3) 0x6b735618


Checking "what's my IP" from server .10.205 still shows the global outside address 158.69.20.20 instead of 158.69.20.23.

Also, I cannot telnet to that server from any external IP on port 1433.

Any advice is much appreciated.

Thank you,

Kind regards,

Sebastian


7 Replies

The main problem is that your NAT order is wrong. The dynamic PAT always has to go to the end. You can correct it the following way:

no nat (inside,outside) source dynamic Generic_All interface
nat (inside,outside) after-auto source dynamic Generic_All interface
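Why the original order translated .205 to the interface address, as an added example (this is my code, not from the thread or from Cisco): a small Python model of the three NAT sections the ASA walks for a new connection (section 1 manual NAT, section 2 object NAT, section 3 manual NAT with after-auto, first match wins), applied to the rules quoted above. The real range behind Generic_All is not shown on the page, so the model assumes 192.168.0.0/16; the outside interface address 158.69.20.20 is the one reported in the question.

```python
"""ASA NAT section-order model (added example, not from the thread).

Shows why a dynamic PAT placed in section 1 shadows a static object NAT
for the same host, and why moving it to section 3 (after-auto) fixes the
outbound translation while inbound un-NAT is unaffected either way.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IF_IP = "158.69.20.20"   # outside interface address from the question
GENERIC_ALL = "192.168.0.0/16"   # ASSUMPTION: real range behind Generic_All


@dataclass(frozen=True)
class NatRule:
    kind: str          # "manual" (twice NAT) or "auto" (object NAT)
    mode: str          # "static" or "dynamic"
    real: str          # real source addresses (CIDR)
    mapped: str        # mapped address, or "interface"
    after_auto: bool   # only meaningful for manual NAT
    name: str          # object name (auto) or source object (manual)
    line: int          # position in the running config


def section(rule: NatRule) -> int:
    if rule.kind == "auto":
        return 2
    return 3 if rule.after_auto else 1


def sort_key(rule: NatRule):
    """Order the ASA applies: sections 1 and 3 in config order; section 2
    static before dynamic, fewer real addresses first, then object name."""
    if section(rule) == 2:
        size = ipaddress.ip_network(rule.real, strict=False).num_addresses
        return (2, 0 if rule.mode == "static" else 1, size, rule.name)
    return (section(rule), rule.line)


def outbound_lookup(rules, real_ip):
    """Return (matching rule, mapped source address) for a packet from real_ip."""
    ip = ipaddress.ip_address(real_ip)
    for rule in sorted(rules, key=sort_key):
        if ip in ipaddress.ip_network(rule.real, strict=False):
            mapped = OUTSIDE_IF_IP if rule.mapped == "interface" else rule.mapped
            return rule, mapped
    return None, real_ip   # no rule matched: no translation


def inbound_unnat(rules, mapped_ip):
    """Real host an inbound packet to mapped_ip is untranslated to.
    Only host-to-host static rules are modelled."""
    for rule in sorted(rules, key=sort_key):
        if rule.mode == "static" and rule.mapped == mapped_ip:
            net = ipaddress.ip_network(rule.real, strict=False)
            return str(net.network_address)
    return None


def original_config():
    # Dynamic PAT in section 1 (manual NAT without after-auto), as first posted.
    return [
        NatRule("manual", "dynamic", GENERIC_ALL, "interface", False, "Generic_All", 1),
        NatRule("auto", "static", "192.168.10.205/32", "158.69.20.23", False, "sqldr", 2),
    ]


def corrected_config():
    # Same rules after 'nat (inside,outside) after-auto source dynamic ...'.
    return [
        NatRule("auto", "static", "192.168.10.205/32", "158.69.20.23", False, "sqldr", 1),
        NatRule("manual", "dynamic", GENERIC_ALL, "interface", True, "Generic_All", 2),
    ]


if __name__ == "__main__":
    for label, cfg in (("original", original_config()), ("after-auto", corrected_config())):
        rule, mapped = outbound_lookup(cfg, "192.168.10.205")
        print(f"{label}: 192.168.10.205 -> {mapped} via section {section(rule)} ({rule.name})")
        print(f"{label}: inbound 158.69.20.23 -> {inbound_unnat(cfg, '158.69.20.23')}")
```

With the original order the host matches the section 1 PAT and leaves as 158.69.20.20, which is exactly what the "what's my IP" check in the question reported; after the after-auto change it matches the static object NAT in section 2 and leaves as 158.69.20.23. Inbound un-NAT of 158.69.20.23 resolves to 192.168.10.205 in both layouts, which is why the interface ACL (which matches the real address since 8.3) showed hits even before the fix. The practical check on a real box is `show nat` (rules are printed in evaluation order, with their section) rather than `show running-config nat`.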

Hi Karsten,

That works like a charm.

The server now gets the public IP as wanted.

However, the telnet connection from outside on port 1433 is still failing.

As before, I can see hits in the access-list:

access-list acl_out extended permit tcp any object sqldr eq 1433

object network sqldr
nat (inside,outside) static 158.69.20.23

nat (inside,outside) after-auto source dynamic Generic_All interface
access-group acl_out in interface outside

I have checked that port externally and internally and it is still blocked despite having the access-list in place.

Obviously, the firewall on that server etc. is all disabled.

Is there anything to do with the access list?

Thank you,

You can use packet-tracer to find the reason:

packet-tracer input outside tcp 1.2.3.4 1234 158.69.20.23 1433

And test the port from the firewall:

ping tcp 192.168.10.205 1433

Hi Karsten,

Thank you for that, my results below:

I used my external IP: 119.158.174.195 (laptop at home)

FW-DR# packet-tracer input outside tcp 119.158.174.195 1433 158.69.20.23 1433

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network sqldr
nat (inside,outside) static 158.69.20.23
Additional Information:
NAT divert to egress interface inside
Untranslate 158.69.20.23/1433 to 192.168.10.205/1433

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_out in interface outside
access-list acl_out extended permit tcp any object sqldr eq 1433
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network sqldr
nat (inside,outside) static 158.69.20.23
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 737, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Do you think this can be the problem:

NAT divert to egress interface inside
Untranslate 158.69.20.23/1433 to 192.168.10.205/1433

For the internal server IP 192.168.10.205, results below:

FW-DR# packet-tracer input outside tcp 192.168.10.205 1433 158.69.20.23 1433

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network sqldr
nat (inside,outside) static 158.69.20.23
Additional Information:
NAT divert to egress interface inside
Untranslate 158.69.20.23/1433 to 192.168.10.205/1433

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_out in interface outside
access-list acl_out extended permit tcp any object sqldr eq 1433
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network sqldr
nat (inside,outside) static 158.69.20.23
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

Thank you

That's what is expected. The ASA would handle the connection as needed. You need to continue troubleshooting on the server.

Great, thank you

All working as expected; there is no response on port 1433 because nothing is using it.

Creating an allow access-list for RDP 3389 works like a charm.

Thank you for your help !!!

Latest results from the ASDM packet tracer
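The thread ends with "no response on port 1433 because nothing is using it", which is the one outcome that is hard to tell apart from a firewall drop with plain telnet. The following is an added example of mine (not from the thread or from Cisco) that makes the distinction explicit: a TCP probe that reports "refused" when a RST comes back (the SYN was un-NATed, passed the ACL, reached the host and the host answered, so the ASA path is fine and the service is simply not listening) versus "filtered" when the SYN just times out (dropped by the ASA, a host firewall, or something in between). The local self-check at the bottom is constructed with a loopback listener so it runs offline.

```python
"""TCP reachability probe (added example): separates "nothing listening"
from "something is dropping the SYN".
"""
import errno
import socket


def probe(host, port, timeout=3.0):
    """Return one of "open", "refused", "filtered", "unreachable"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # handshake completed: service is listening
    except socket.timeout:
        return "filtered"        # no SYN/ACK and no RST: SYN was dropped
    except ConnectionRefusedError:
        return "refused"         # RST came back: host reached, port closed
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # routing problem before any firewall
        raise
    finally:
        s.close()


def demo_local():
    """Constructed offline check: probe a loopback port while a listener is
    up, then again after it is closed. Returns the two verdicts."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_up = probe("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_up, after_close


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # e.g. python probe.py 158.69.20.23 1433  (from an outside host)
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo_local())
```

Run from an outside host against 158.69.20.23 1433, "refused" is the result the thread arrived at (NAT and ACL correct, no SQL listener yet), and "open" is what appeared once RDP 3389 was permitted. A "filtered" verdict on its own does not say where the drop happened, because a host firewall that silently drops looks the same as an ASA deny; pair it with `packet-tracer input outside ...` on the ASA and `ping tcp <real-ip> <port>` from the ASA to the server to bracket the drop to one side of the firewall.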
