Strange NAT behavior ASA 5505

s.be00001
Level 1

Hi,

We have one ASA 5505, version 9.1(5), and we need to open TCP port 55055 on the firewall and redirect it to TCP port 80 on the QNAP Viostor, IP 192.168.11.254.

I have added one object network in this way:

Object network Viostor
   host 192.168.11.54
   description QNAP_Viostor

NAT rule:

    nat (inside,outside) static interface service tcp 80 55055

Firewall rule:

   access-list outside_access_in line 8 remark Viostor
   access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055

When I try to connect with the Android app Vmobile, I see this notification in the ASA log:

TCP request discarded from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055

The ASA does not have UDP server that services the UDP request

I don't understand why UDP instead of TCP.

Please help me!

Thanks

22 Replies

The traffic is TCP.

I need to connect to my QNAP Viostor with the android/iOS app.

So the traffic is only TCP.

That's why I'm a little confused about the message "The ASA does not have UDP server that services the UDP request".

Please share the complete syslog message.

Can you give me the correct way to do this?

Hello,

Before proceeding to a different step, I have a catch again. Checking the first messages of this thread, you confirmed that the host is 192.168.11.254, not 192.168.11.54, and the packet-tracer results show (in phase 2 and phase 9) that it is translating to the IP 192.168.11.54 instead, so please make sure the host value for that object is correct. Once corrected, please go ahead and try your connection again and let me know the results.

Man you are the greatest supermaxihero of the universe!

My mistake, the network object was wrong.

Fixed with the correct IP and everything works!

Thank you!!

Hey! I am so glad it is now working as you expect! Anytime you need assistance, feel free to open a thread here :)

Please rate and endorse the answers :)

Thanks and enjoy!

Ahmed,

The packet flow on versions 8.2 and earlier checks the ACL first and then the NAT statement. On ASA version 8.3 and later, NAT is checked first, then the ACL; this is the reason why, on 8.3 and later versions, we now use the real IP and port in the ACLs.

Take a look at this post to review this, it is very helpful: https://supportforums.cisco.com/document/48646/asa-83-upgrade-what-you-need-know
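An added example, not part of any post in this thread: a small Python check for the two points the replies raise, namely that the object's host must be the server you actually intend, and that on 8.3 and later the ACL should name the real port rather than the mapped one. The sample is assembled from the lines quoted in the question; `expected_hosts` and the function names are hypothetical, and only numeric ports are handled.

```python
import re

# Constructed sample, assembled from the configuration lines in the question.
SAMPLE = """\
object network Viostor
 host 192.168.11.54
 description QNAP_Viostor
 nat (inside,outside) static interface service tcp 80 55055
access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055
"""

def parse_objects(config):
    """Return {name: {"host": ip, "real": port, "mapped": port}} for object NAT."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line, re.I)
        if m:
            current = objects.setdefault(m.group(1), {})
        elif raw[:1].isspace() and current is not None:  # sub-command of the object
            if m := re.match(r"host (\S+)$", line):
                current["host"] = m.group(1)
            elif m := re.match(
                    r"nat \(\S+\) static \S+ service (?:tcp|udp) (\d+) (\d+)$", line):
                # service <proto> <real_port> <mapped_port>
                current["real"], current["mapped"] = m.group(1), m.group(2)
        else:
            current = None  # back at global configuration level
    return objects

def lint(config, expected_hosts):
    """expected_hosts: {object name: IP the operator intends} (hypothetical input)."""
    objects, findings = parse_objects(config), []
    for name, obj in objects.items():
        want = expected_hosts.get(name)
        if want and obj.get("host") != want:
            findings.append(f"{name}: host {obj.get('host')} != intended {want}")
    acl = re.compile(r"access-list \S+ (?:line \d+ )?extended permit (?:tcp|udp) "
                     r"\S+ object (\S+) eq (\d+)")
    for m in acl.finditer(config):
        obj = objects.get(m.group(1), {})
        # 8.3 and later: NAT is evaluated before the ACL, so the ACL sees the real port.
        if "real" in obj and m.group(2) != obj["real"]:
            findings.append(
                f"{m.group(1)}: ACL port {m.group(2)} is not the real port {obj['real']}")
    return findings
```

Running `lint(SAMPLE, {"Viostor": "192.168.11.254"})` reports the host mismatch found with packet-tracer in this thread, plus the ACL entry that names the mapped port.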

s.be00001
Level 1

semi-cleaned conf
