Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4923
Views
0
Helpful
6
Replies

Trouble with NAT rules on ASA 5505 9.1x

Go to solution
kohlerjn81
Level 1
Level 1

‎01-16-2013 06:09 PM - edited ‎03-11-2019 05:48 PM

Hello everyone!

What I thought would be a pretty simple setup has been giving me a lot of problems. I am hopeful that I can get some help here and learn a couple things in the process where I went wrong.

Here is my environment:

DSL Modem - ASA 5505 - switch

Inside network (192.168.2.0/24)

What I have sucessfully done:

- Modem online and passing on DHCP requests from the ASA to my ISP (ASA does get an internet address on the outside interface)

- ASA assigning DHCP to internal network

- All internal clients can access the internet

What I am getting stuck on is getting NAT rules set up for simple port forwarding. What I would like:

ANY internet address be able to access a server on the inside network address (192.168.2.x) over tcp/22

I set up what I believe to be the correct NAT rule and Access Rule, but the packet tracer fails.

Here is my config. Any help would be much appreciated!

ASA Version 9.1(1)

!

hostname xxxxxx

domain-name ugh

enable password xxxxx encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd xxxxxxxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.99 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group Internet

ip address dhcp setroute

!

boot system disk0:/asa911-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name ugh

object network inside-network

subnet 192.168.2.0 255.255.255.0

description 192.168.2.0/24

object network ftp-server

host 192.168.2.98

description kobane-backup ftp server

object network sftp-server

host 192.168.2.98

object network test1

host 192.168.2.98

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list inside_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 any

access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 any

access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any

access-list outside_access_in extended permit tcp any object sftp-server eq ssh log

access-list outside_access_in extended permit icmp any4 any4

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1454

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network inside-network

nat (inside,outside) dynamic interface

object network sftp-server

nat (inside,outside) static interface service tcp ssh ssh

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 173.202.244.1 1

route outside 192.168.1.0 255.255.255.0 192.168.1.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 192.168.2.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

vpdn group Internet request dialout pppoe

vpdn group Internet localname xxxxxx

vpdn group Internet ppp authentication pap

vpdn username xxxxxx password ***** store-local

dhcp-client client-id interface outside

dhcpd address 192.168.2.100-192.168.2.150 inside

dhcpd dns 8.8.8.8 8.8.8.4 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username admin password xxxxx encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect ip-options

  inspect http

  inspect icmp

!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎01-16-2013 07:46 PM

The configuration seems to be correct.

Can you pls share the output of the packet tracer, and also what you have input for source and destination?

Destination should be the public ip of the ASA outside interface.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎01-16-2013 07:46 PM

The configuration seems to be correct.

Can you pls share the output of the packet tracer, and also what you have input for source and destination?

Destination should be the public ip of the ASA outside interface.

0 Helpful

Go to solution
kohlerjn81
Level 1
Level 1
In response to Jennifer Halim

‎01-16-2013 08:09 PM

Here is the packet tracer from the ASDM.

Could it be because I have a double NAT? The DSL modem in front of the ASA has no way to go into true "bridge" mode. However it does have a "DMZ Plus" mode where it forwards the ISP DHCP to a MAC address (in this case the MAC of my ASA) and allows all ports to forward to it. I know this is a bit out of the realm of this forum, but my Cisco/Linksys router worked fine in this configuration when it came to forwarding ports from the outside to inside addresses.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kohlerjn81

‎01-17-2013 12:31 AM

As advised earlier, the packet tracer destination IP should be the public ip address of the ASA outside interface since that is how the user should be connecting with.

Your test is using the private ip address as the destination which is incorrect.

0 Helpful

Go to solution
kohlerjn81
Level 1
Level 1
In response to Jennifer Halim

‎01-17-2013 06:43 AM

Okay, I will test that this evening and report back. Thank you for your help so far!

0 Helpful

Go to solution
kohlerjn81
Level 1
Level 1
In response to kohlerjn81

‎01-17-2013 08:22 PM

Success! Turns out the Packet Tracer in the ASDM was returning some sort of false positive. When I ran it from the CLI it returned successful and I was then able to connect. Thanks again for your help!

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kohlerjn81

‎01-17-2013 11:25 PM

Excellent, great to hear it's all good now.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card