10-12-2011 06:14 AM - edited 03-11-2019 02:36 PM
Hi!
I'm trying to make a traditional port forward (HTTP to HTTP) on our new ASA 5510. Previous releases on the 5505 and software prior to 8.3 were no problem. Could someone tell me how to do it in the new 8.4 version? I am a rookie on the new ASA series!
My setup is as this (config not in full info):
interface Ethernet0/0
nameif outside
security-level 0
ip address 87.96.xxx.75 255.255.255.128
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.200.2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside-entry extended permit tcp any host 87.96.xxx.75 eq www
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit tcp any any eq www
nat (inside,sll) source dynamic obj_any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network SRV02
nat (outside,inside) static interface service tcp www www
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
access-group sll_access_in in interface sll
route outside 0.0.0.0 0.0.0.0 87.96.xxx.1 1
If nothing makes sense in this configuration, please give an example of how to do it correctly. The object on the inside is SRV02, which is running a webserver on port 80. So I want to open up for HTTP on the outside interface and forward that traffic to SRV02 (the inside webserver).
I also tried to use the Public Server Wizard, but I fail even there. See attached image.
10-12-2011 06:19 AM
The interface line is the other way round:
object network SRV02
nat (outside,inside) static interface service tcp www www
should be:
object network SRV02
nat (inside,outside) static interface service tcp www www
10-12-2011 06:46 AM
Hi!
In all my tries I reversed it....sorry. This does not help. Could it be that I cannot use my outside interface IP address for my purpose? Do I need another IP address "attached" to my outside interface to make rules like NAT? I wonder why even the Public Server Wizard doesn't work? Is there a known bug that the wizard doesn't work? Thanks for your quick and good reply!
10-12-2011 07:14 AM
Hi,
access-list outside_access_in extended permit tcp any interface outside eq www
In the newest code you must use the private address, not the public NATted address, so you must change your ACL like this:
access-list outside_access_in extended permit tcp any
Regards.
Alain.
10-13-2011 12:11 AM
I tried your suggestion access-list outside_access_in extended permit tcp any
but it didn't work. Just for information, I had to specify the mask after
10-13-2011 12:40 AM
It looks like the traffic flow and rules are correct, but it still doesn't work.
10-13-2011 07:03 AM
Hi,
object network SRV02
nat (outside,inside) static interface service tcp www www
Isn't there something missing here, like the IP address of SRV02?
object network SRV02
host x.x.x.x   (where x.x.x.x is the private address of SRV02)
nat (inside,outside) static interface service tcp www www
Alain.
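Pulling the replies above together, here is the complete minimal 8.4 object-NAT port forward next to the pre-8.3 syntax the original poster is used to. This is an added example, not a config from the thread: it assumes SRV02 is 192.168.200.51 (the address in the later factory-default paste), keeps the poster's masked public address 87.96.xxx.75 as a placeholder, and uses the documentation address 203.0.113.10 as a made-up client for the packet-tracer check.

```cisco
! --- Pre-8.3 syntax (what worked on the 5505): NAT and ACL both reference the PUBLIC address
static (inside,outside) tcp interface www 192.168.200.51 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq www
access-group outside_access_in in interface outside

! --- 8.3+/8.4 syntax: object NAT, and the ACL references the REAL (inside) address
! The network object needs its "host" line; a "nat" statement under an object that has no
! address (as in the first post) does not translate anything.
object network SRV02
 host 192.168.200.51
 nat (inside,outside) static interface service tcp www www

! From 8.3 on, the interface ACL is evaluated against the untranslated (real) destination,
! so "permit tcp any interface outside eq www" never matches inbound HTTP. Match the inside host.
access-list outside_access_in extended permit tcp any host 192.168.200.51 eq www
access-group outside_access_in in interface outside

! Verify the whole path on the box before blaming the server: every phase (NAT, ACCESS-LIST,
! ...) should show ALLOW and the trace should end with "Action: allow" and an output interface
! of inside. A DROP in the ACCESS-LIST phase usually means the ACL still uses the public IP.
packet-tracer input outside tcp 203.0.113.10 12345 87.96.xxx.75 80

! Confirm the static PAT entry exists and is in the correct section (object NAT is section 2)
show nat detail
show xlate
```

Note that the factory-default paste later in the thread already has the object with its host line and the ACL on the real address; the remaining piece to verify with packet-tracer is the return path, which is where the thread ends up.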
10-13-2011 06:55 AM
I did a factory default reset and tried some more. Please have a look and see if I missed something. I changed to forwarding the SMTP service instead of HTTP.
ASA Version 8.4(1)
!
hostname ciscoasa
enable password 2IDkypgMdFNeCGP1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 87.96.xxx.75 255.255.255.128
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.200.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 87.96.222.1
host 87.96.222.1
object network srv02
host 192.168.200.51
access-list outside_access_in extended permit tcp any host 192.168.200.51 eq smtp
access-list outside_access_in_1 extended permit tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network srv02
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 87.96.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 management
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpn-addr-assign local reuse-delay 5
dhcpd address 192.168.0.2-192.168.0.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e36b774ee17e4905da70de245a3dea85
: end
ciscoasa(config)#
10-13-2011 07:07 AM
Hi Fredrick,
Can you use this particular NAT instead:
object service tcp_25
service tcp destination eq 25
nat (outside,inside) source static any any destination static interface srv02 service tcp_25 tcp_25
If it still does not work, take captures and paste them here:
access-list cap permit tcp any host 87.96.xxx.75 eq 25
access-list cap permit tcp host 87.96.xxx.75 any eq 25
access-list cap permit tcp host 192.168.200.51 any eq 25
access-list cap permit tcp any host 192.168.200.51 eq 25
cap capin access-list cap interface inside
cap capo access-list cap interface outside
Initiate some traffic after that and check "show cap capin" and "show cap capo".
Thanks,
Varun
10-13-2011 11:48 PM
Here is the capture:
1: 06:43:02.344876 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192
2: 06:43:05.327802 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192
3: 06:43:11.327787 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192
4: 06:43:27.957454 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192
5: 06:43:30.953472 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192
6: 06:43:36.953930 77.53.145.76.63020 > 192.168.200.51.25: S 3468433346:3468433346(0) win 8192
6 packets shown
6 packets captured
1: 06:43:02.344617 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192
2: 06:43:05.327726 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192
3: 06:43:11.327726 77.53.145.76.63019 > 87.96.xxx.75.25: S 1367597125:1367597125(0) win 8192
4: 06:43:27.957195 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192
5: 06:43:30.953411 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192
6: 06:43:36.953869 77.53.145.76.63020 > 87.96.xxx.75.25: S 3341476113:3341476113(0) win 8192
6 packets shown
Thanks!
10-13-2011 11:56 PM
Hi Fredrik,
I guess we now have the picture a bit clearer:
If you look at the captures, there are no replies from the server to the request. Just as for a ping you get a request timeout, for TCP you get a SYN timeout, and that's what is happening.
The client is sending a request to the server but not getting any reply back:
1: 06:43:02.344876 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192
2: 06:43:05.327802 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192
3: 06:43:11.327787 77.53.145.76.63019 > 192.168.200.51.25: S 2068699776:2068699776(0) win 8192
The next step would be to troubleshoot on the server end: check if any firewall on the server is blocking the connection, or why it is not responding to the requests.
Hope that helps,
Thanks,
Varun
10-14-2011 12:12 AM
Thanks for your quick reply! As far as I can check there is no trouble accessing the SMTP service from the inside network. I tried creating the rule in our production Astaro FW and that works perfectly. Could there be a bug? I think I should try either downgrading or reinstalling the running firmware. Any other suggestion I could try?
10-14-2011 12:51 AM
Can you try this NATting:
nat (outside,inside) 1 source dynamic any interface destination static interface srv02 service tcp_25 tcp_25
I don't see this as an issue with the firewall, because the firewall is forwarding the packets but not receiving any replies.
Can you test this and let me know?
Varun
10-14-2011 01:09 AM
This is working! Can you explain why?
10-14-2011 01:17 AM
Fantastic.... Check the route and default gateway on the server; it is responding correctly to its own subnet but not sending packets for internet IPs back to the ASA inside interface. Check what the gateway on the server is.
Hope that helps,
Varun
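Why the second NAT worked, as an added explanation and config example that is not part of the thread: with the object NAT in the factory-default paste, the inside capture shows the server receiving SYNs from the real client address (77.53.145.76 > 192.168.200.51.25), so the server sends its SYN-ACK towards its own default gateway. If that gateway is not the ASA inside interface 192.168.200.2, the reply never comes back through the ASA and the client sees exactly the SYN retransmits in the capture. Varun's twice-NAT line adds a dynamic source PAT to the inside interface, so the server sees every client as 192.168.200.2 and answers on its own subnet, which works regardless of the server's routing. The two variants side by side (addresses as in the thread; the object and service names are the thread's own):

```cisco
! Variant 1: object NAT (preferred). Works only if the server's default gateway is
! 192.168.200.2, or it has a route for internet destinations via the ASA.
object network srv02
 host 192.168.200.51
 nat (inside,outside) static interface service tcp smtp smtp
access-list outside_access_in extended permit tcp any host 192.168.200.51 eq smtp
access-group outside_access_in in interface outside

! Variant 2: twice NAT with source PAT, the workaround that made it work. The client
! source is rewritten to the ASA inside IP, so the server replies to its local subnet.
! Cost: the mail server logs 192.168.200.2 for every client, which breaks sender-IP based
! spam scoring, per-client rate limiting and any later forensics on the server. Fix the
! server's gateway and go back to variant 1 once the cause is confirmed.
object service tcp_25
 service tcp destination eq 25
nat (outside,inside) 1 source dynamic any interface destination static interface srv02 service tcp_25 tcp_25

! Telling the two apart on the ASA: with variant 2, "show xlate" lists a PAT entry mapping
! the client to 192.168.200.2; with variant 1 the inside capture must show a SYN-ACK
! ("S." flag) from 192.168.200.51. Only SYNs on inside means the server is not routing back,
! not that the ASA is dropping.
show xlate
show conn port 25
show capture capin
```

The quickest confirmation of the routing diagnosis is on the server itself: from 192.168.200.51, a traceroute to any internet address should leave via 192.168.200.2; if it leaves via the Astaro or another gateway, that is the asymmetric return path that variant 2 masked.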