Cisco Community
English
Register
Welcome Cisco Designated VIP 2021 Class in the 10th Year Anniversary of the Program -- CHECK THE LIST
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1552
Views
5
Helpful
22
Replies
Highlighted
s.be00001
Beginner
Beginner
‎07-26-2016 09:12 AM
‎07-26-2016 09:12 AM

Strange NAT behavior ASA 5505

Hi,

We have one ASA 5505 version 9.1(5) and we need to open the 55055 TCP port on firewall that redirect to port TCP 80 on QNAP Viostor ip 192.168.11.254

I have added one object network in this way:

Object network Viostor

   host 192.168.11.54

   description QNAP_Viostor

nat rule:

    nat (inside,outside) static interface service tcp 80 55055

Firewall rule:

   access-list outside_access_in line 8 remark Viostor

   access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055

When i try to connect with the Android app Vmobile i see this notify on ASA log:

TCP request discarded from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055

The ASA does not have UDP server that services the UDP request

I don't understand why UDP instead of TCP.

Please help me!

Thanks

Labels:
0 Helpful
Reply
22 REPLIES 22
Highlighted
s.be00001
Beginner
Beginner
In response to Sergio Ceron Ramirez
‎08-05-2016 08:59 AM
‎08-05-2016 08:59 AM

The traffic is TCP.

I need to connect to my QNAP Viostor with the android/iOS app.

So the traffic is only TCP.

That's why i'm a little confused about the message The ASA does not have UDP server that services the UDP request

0 Helpful
Reply
Highlighted
Sergio Ceron Ramirez
Cisco Employee
Cisco Employee
In response to s.be00001
‎08-05-2016 09:05 AM
‎08-05-2016 09:05 AM

Please share the complete syslog message.

0 Helpful
Reply
Highlighted
s.be00001
Beginner
Beginner
In response to Sergio Ceron Ramirez
‎08-07-2016 11:56 PM
‎08-07-2016 11:56 PM

Can you give me the correct way to do this?

0 Helpful
Reply
Highlighted
Sergio Ceron Ramirez
Cisco Employee
Cisco Employee
In response to s.be00001
‎08-09-2016 09:43 AM
‎08-09-2016 09:43 AM

Hello,

Before proceeding to a different step, I have a catch again. Checking on the first messages of this thread, you confirmed that the host is 192.168.11.254 not 192.168.11.54, and the packet-tracer results shows (in phase 2 and phase 9) it is translating to the IP 192.168.11.54 instead; so please make sure the host value for that object is correct. Once corrected, please go ahead and try your connection again and let me know the results.

Reply
Highlighted
s.be00001
Beginner
Beginner
In response to Sergio Ceron Ramirez
‎08-10-2016 03:47 AM
‎08-10-2016 03:47 AM

Man you are the greatest supermaxihero of the universe!

My mistake, the network-object was wrong..

Fixed with the correct IP and everything works!

Thank you!!

0 Helpful
Reply
Highlighted
Sergio Ceron Ramirez
Cisco Employee
Cisco Employee
In response to s.be00001
‎08-10-2016 10:21 AM
‎08-10-2016 10:21 AM

Hey! I am so glad it is now working as you expect! Anytime you need assistance, feel free to open a thread here :)

Please rate and endorse the answers :)

Thanks and enjoy!

0 Helpful
Reply
Highlighted
Sergio Ceron Ramirez
Cisco Employee
Cisco Employee
In response to ahmedshoaib
‎08-02-2016 10:46 AM
‎08-02-2016 10:46 AM

Ahmed,

The packet-flow on versions 8.2 and earlier does check the ACL first and then the NAT statement. ASA version 8.3 and later, NAT is checked first, then the ACL; this is the reason why on the 8.3 and later versions, we use now the real IP and Port on the ACLs.

Take a look at this post to review this, it is very helpful: https://supportforums.cisco.com/document/48646/asa-83-upgrade-what-you-need-know

0 Helpful
Reply
Highlighted
s.be00001
Beginner
Beginner
‎08-10-2016 03:46 AM
‎08-10-2016 03:46 AM

semi-cleaned conf

0 Helpful
Reply
Latest Contents
AMP for Endpoints: Get started with SecureX Orchestration!
Created by deaguo on 01-23-2021 11:27 PM
0
10
0
10
What is SecureX? Cisco SecureX is included with all Secure Endpoint (formerly AMP for Endpoints) subscriptions. SecureX is a cloud-native platform that aggregates capabilities across your security environment. It’s designed to simplify your environment, ... view more
ISE Secure Wired Access Prescriptive Deployment Guide
Created by hariholla on 01-21-2021 12:41 PM
13
155
13
155
  Cisco ISE Secure Wired Access Prescriptive Deployment Guide   Authors: Hariprasad Holla (until June 2018), Mahesh Nagireddy (until Dec 2018)   For an offline or printed copy of this document, simply choose ⋮ Options > Printer ... view more
SecureX and the Evolution of Security Orchestration Automati...
Created by ciscomoderator on 01-20-2021 02:50 PM
0
0
0
0
Meet the Authors Slides- SecureX and the Evolution of Security Orchestration Automation and Response (Live event – Wednesday, 20th, 2021 at 10:00 a.m. Pacific / 1:00 p.m. Eastern / 6:00 p.m. Paris) This event had place on Wednesday 20th, January 202... view more
Cisco Endpoint Security Analytics (CESA) dashboard overview ...
Created by Jason Kunst on 01-19-2021 12:35 PM
0
0
0
0
The following guide goes over the in and out of the Cisco Endpoints Security Analytics Dashboard as an overview and faq page For more information on the product offering, licensing, support, and how to solution (TAC) guide links and more please visit the... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:48 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
Content for Community-Ad