Strange NAT behavior ASA 5505

Hi,

We have one ASA 5505 version 9.1(5) and we need to open TCP port 55055 on the firewall, which redirects to TCP port 80 on the QNAP Viostor, IP 192.168.11.254.

I have added one object network in this way:

Object network Viostor

   host 192.168.11.54

   description QNAP_Viostor

nat rule:

    nat (inside,outside) static interface service tcp 80 55055

Firewall rule:

   access-list outside_access_in line 8 remark Viostor

   access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055

When I try to connect with the Android app Vmobile, I see this notification in the ASA log:

TCP request discarded from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055

The ASA does not have UDP server that services the UDP request

I don't understand why UDP instead of TCP.

Please help me!

Thanks

Highlighted

The traffic is TCP.

I need to connect to my QNAP Viostor with the android/iOS app.

So the traffic is only TCP.

That's why I'm a little confused about the message "The ASA does not have UDP server that services the UDP request".

Highlighted

Please share the complete syslog message.

Highlighted

Can you give me the correct way to do this?

Highlighted

Hello,

Before proceeding to a different step, I have a catch again. Checking the first messages of this thread, you confirmed that the host is 192.168.11.254, not 192.168.11.54, and the packet-tracer results show (in phase 2 and phase 9) that it is translating to the IP 192.168.11.54 instead; so please make sure the host value for that object is correct. Once corrected, please go ahead and try your connection again and let me know the results.

Highlighted

Man you are the greatest supermaxihero of the universe!

My mistake, the network-object was wrong.

Fixed with the correct IP and everything works!

Thank you!!

Highlighted

Hey! I am so glad it is now working as you expect! Anytime you need assistance, feel free to open a thread here :)

Please rate and endorse the answers :)

Thanks and enjoy!

Highlighted

Ahmed,

The packet flow on versions 8.2 and earlier checks the ACL first and then the NAT statement. On ASA version 8.3 and later, NAT is checked first, then the ACL; this is the reason why, on 8.3 and later versions, we now use the real IP and port in the ACLs.

Take a look at this post to review this, it is very helpful: https://supportforums.cisco.com/document/48646/asa-83-upgrade-what-you-need-know
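Added example, not part of any post in this thread: a small Python check that compares a static port-forward in an ASA config against the intended real host, and applies the 8.3-and-later rule from the reply above that the outside ACL must reference the real port. The helper names and the sample config layout are constructed for illustration; the sample values are the ones posted in the thread.

```python
import re

# Constructed sample: the configuration as posted in the thread.
POSTED_CONFIG = """\
object network Viostor
 host 192.168.11.54
 description QNAP_Viostor
 nat (inside,outside) static interface service tcp 80 55055
access-list outside_access_in extended permit tcp any object Viostor eq 55055
"""

def parse_objects(config):
    """Return {object name: {'host', 'real_port', 'mapped_port'}}."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line, re.I):
            # setdefault: the same object may appear in two stanzas (host, then nat)
            current = objects.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"\s+host (\S+)", line)):
            current["host"] = m.group(1)
        elif current is not None and (m := re.match(
                r"\s+nat \(\S+\) static interface service tcp (\d+) (\d+)", line)):
            current["real_port"] = int(m.group(1))
            current["mapped_port"] = int(m.group(2))
        elif not line.startswith(" "):
            current = None  # left the object stanza
    return objects

def check_forward(config, name, intended_host):
    """List problems with one static port-forward (hypothetical helper)."""
    obj = parse_objects(config).get(name)
    if obj is None:
        return [f"object {name} not found"]
    problems = []
    if obj.get("host") != intended_host:
        problems.append(
            f"object host is {obj.get('host')}, intended {intended_host}")
    acl_ports = [int(p) for p in re.findall(
        rf"^access-list \S+ extended permit tcp any object {re.escape(name)}"
        r" eq (\d+)", config, re.M)]
    # 8.3 and later: NAT is checked before the ACL, so the ACL sees the real port.
    if obj.get("real_port") not in acl_ports:
        problems.append(
            f"ACL permits {acl_ports}, real port is {obj.get('real_port')}")
    return problems

if __name__ == "__main__":
    for problem in check_forward(POSTED_CONFIG, "Viostor", "192.168.11.254"):
        print(problem)
```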

Highlighted

semi-cleaned conf
