01-16-2013 06:09 PM - edited 03-11-2019 05:48 PM
Hello everyone!
What I thought would be a pretty simple setup has been giving me a lot of problems. I am hopeful that I can get some help here and learn a couple of things in the process about where I went wrong.
Here is my environment:
DSL Modem - ASA 5505 - switch
Inside network (192.168.2.0/24)
What I have successfully done:
- Modem online and passing on DHCP requests from the ASA to my ISP (ASA does get an internet address on the outside interface)
- ASA assigning DHCP to internal network
- All internal clients can access the internet
What I am getting stuck on is getting NAT rules set up for simple port forwarding. What I would like:
ANY internet address should be able to access a server on the inside network (192.168.2.x) over tcp/22.
I set up what I believe to be the correct NAT rule and Access Rule, but the packet tracer fails.
Here is my config. Any help would be much appreciated!
ASA Version 9.1(1)
!
hostname xxxxxx
domain-name ugh
enable password xxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.99 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Internet
ip address dhcp setroute
!
boot system disk0:/asa911-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ugh
object network inside-network
subnet 192.168.2.0 255.255.255.0
description 192.168.2.0/24
object network ftp-server
host 192.168.2.98
description kobane-backup ftp server
object network sftp-server
host 192.168.2.98
object network test1
host 192.168.2.98
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any object sftp-server eq ssh log
access-list outside_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1454
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-network
nat (inside,outside) dynamic interface
object network sftp-server
nat (inside,outside) static interface service tcp ssh ssh
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.202.244.1 1
route outside 192.168.1.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group Internet request dialout pppoe
vpdn group Internet localname xxxxxx
vpdn group Internet ppp authentication pap
vpdn username xxxxxx password ***** store-local
dhcp-client client-id interface outside
dhcpd address 192.168.2.100-192.168.2.150 inside
dhcpd dns 8.8.8.8 8.8.8.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password xxxxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect http
inspect icmp
!
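As an added example (not from the thread and not Cisco code), here is a small Python audit of the NAT and ACL lines above: it pairs each static port forward with the permits on the ACL bound inbound on outside, reports who can reach the published service, and prints the packet-tracer command that tests it the way an internet client would, with the ASA's outside address as destination. The config excerpt, the source address 203.0.113.7 and the "<ASA outside IP>" placeholder are constructed; the packet-tracer syntax is the standard ASA one.

```python
import re

# Constructed excerpt of the configuration posted above (objects, static NAT, outside ACL).
ASA_CONFIG = """
object network sftp-server
 host 192.168.2.98
access-list outside_access_in extended permit tcp any object sftp-server eq ssh log
access-list outside_access_in extended permit icmp any4 any4
object network sftp-server
 nat (inside,outside) static interface service tcp ssh ssh
access-group outside_access_in in interface outside
"""

def parse_forwards(config):
    """Map object name -> (real host, proto, real port, mapped port) for every
    static NAT that publishes a service on the outside interface address."""
    hosts, forwards, obj = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            obj = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            hosts[obj] = m.group(1)
        elif m := re.match(r"nat \(\w+,outside\) static interface service (tcp|udp) (\S+) (\S+)$", line):
            forwards[obj] = (hosts.get(obj), m.group(1), m.group(2), m.group(3))
    return forwards

def parse_outside_permits(config):
    """Set of (proto, source, object, real port) entries permitted by the ACL bound
    inbound on outside (ACLs reference real, untranslated addresses and ports on 8.3+)."""
    bound = re.search(r"access-group (\S+) in interface outside", config)
    if not bound:
        return set()
    pat = re.compile(r"access-list %s extended permit (tcp|udp) (\S+) object (\S+) eq (\S+)" % re.escape(bound.group(1)))
    return {p.groups() for p in (pat.match(raw.strip()) for raw in config.splitlines()) if p}

def audit(config, outside_ip="<ASA outside IP>", test_src="203.0.113.7"):
    """For each published service, report who the ACL lets in and the packet-tracer
    command that tests it as an internet client reaches it: mapped IP, mapped port."""
    permits = parse_outside_permits(config)
    report = []
    for obj, (real, proto, real_port, mapped_port) in parse_forwards(config).items():
        srcs = [src for (pr, src, o, port) in permits if (pr, o, port) == (proto, obj, real_port)]
        status = "EXPOSED to " + ",".join(srcs) if srcs else "NAT only: no ACL permit, inbound packets dropped"
        tracer = f"packet-tracer input outside {proto} {test_src} 12345 {outside_ip} {mapped_port} detailed"
        report.append((obj, real, f"{proto}/{mapped_port}", status, tracer))
    return report

if __name__ == "__main__":
    print(*audit(ASA_CONFIG), sep="\n")
```

A source of "any" on an SSH forward is exactly the exposure the thread asks for; narrowing that source object is the first hardening step once the forward works.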
01-16-2013 07:46 PM
The configuration seems to be correct.
Can you please share the output of the packet tracer, and also what you have input for source and destination?
Destination should be the public IP of the ASA outside interface.
01-16-2013 08:09 PM
Here is the packet tracer from the ASDM.
Could it be because I have a double NAT? The DSL modem in front of the ASA has no way to go into true "bridge" mode. However it does have a "DMZ Plus" mode where it forwards the ISP DHCP to a MAC address (in this case the MAC of my ASA) and allows all ports to forward to it. I know this is a bit out of the realm of this forum, but my Cisco/Linksys router worked fine in this configuration when it came to forwarding ports from the outside to inside addresses.
01-17-2013 12:31 AM
As advised earlier, the packet tracer destination IP should be the public IP address of the ASA outside interface, since that is what the user will be connecting to.
Your test is using the private IP address as the destination, which is incorrect.
01-17-2013 06:43 AM
Okay, I will test that this evening and report back. Thank you for your help so far!
01-17-2013 08:22 PM
Success! Turns out the Packet Tracer in the ASDM was returning some sort of false positive. When I ran it from the CLI it returned successful and I was then able to connect. Thanks again for your help!
01-17-2013 11:25 PM
Excellent, great to hear it's all good now.