
TWICE NAT CONFIGURATION

ciscolunero
Level 1

Hi,

I have an issue with my Cisco ASA. I need to publish some ports to one server in my DMZ subnet (80, 555 and two port ranges: TCP 20100-21999 and UDP 20100-21999). I don't know what I'm doing wrong with the port ranges, but NAT is not working. For ports 80 and 555 I have used Network Object NAT and it works perfectly. However, I can't do the same with the port ranges, so I have to use 'standard NAT' rules, and it's not working. I have even tried to remove the network object NAT rules and use 'standard NAT' for TCP ports 80 and 555 as well. But if I do this, 80 and 555 stop working.

Any clues?

Many, many thanks in advance.

: Serial Number: JAD19220344

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

:

ASA Version 9.4(1)

!

hostname ciscoasa

enable password WmlxhdtfAnw9XbcA encrypted

passwd ta.qizy4R//ChqQH encrypted

names

ip local pool Pool_139 139.16.1.50-139.16.1.80 mask 255.255.255.0

ip local pool Pool_172 172.16.1.100-172.16.1.130 mask 255.255.255.0

!

interface GigabitEthernet1/1

nameif outside

security-level 0

ip address 192.168.1.100 255.255.255.0

!

interface GigabitEthernet1/2

nameif inside

security-level 100

ip address 139.16.1.1 255.255.255.0

!

interface GigabitEthernet1/3

nameif DMZ

security-level 50

ip address 172.16.1.1 255.255.255.0

!

interface GigabitEthernet1/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/7

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/8

shutdown

no nameif

no security-level

no ip address

!

interface Management1/1

management-only

nameif management

security-level 100

ip address 11.11.11.11 255.255.255.0

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network inside-subnet

subnet 139.16.1.0 255.255.255.0

object network dmz-subnet

subnet 172.16.1.0 255.255.255.0

object network wialon-server-external-ip

host 192.168.1.132

object network wialon-server

host 172.16.1.69

object service Wialon-services-TCP

service tcp source range 20100 21999 destination range 20100 21999

object service Wialon-services-UDP

service udp source range 20100 21999 destination range 20100 21999

object network NETWORK_OBJ_139.16.1.0_25

subnet 139.16.1.0 255.255.255.128

object network wialon-server-ssl

host 172.16.1.69

object service wialon-ssl

service tcp source range 1 65535 destination eq 555

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq www

service-object udp destination eq domain

service-object tcp destination eq https

access-list outside_acl extended permit tcp any object wialon-server eq www

access-list outside_acl extended permit object Wialon-services-TCP any object wialon-server

access-list outside_acl extended permit object Wialon-services-UDP any object wialon-server

access-list outside_acl extended permit object wialon-ssl any object wialon-server

access-list DMZ_access_in extended permit ip object wialon-server 139.16.1.0 255.255.255.0

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (DMZ,outside) source static any any destination static NETWORK_OBJ_139.16.1.0_25 NETWORK_OBJ_139.16.1.0_25 route-lookup

nat (DMZ,outside) source static wialon-server wialon-server-external-ip service Wialon-services-TCP Wialon-services-TCP

!

object network obj_any

nat (any,outside) dynamic interface

object network inside-subnet

nat (inside,outside) dynamic interface

object network wialon-server

nat (DMZ,outside) static wialon-server-external-ip service tcp www www

object network wialon-server-ssl

nat (DMZ,outside) static wialon-server-external-ip service tcp 555 555

access-group outside_acl in interface outside

access-group DMZ_access_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

http server enable

http 11.11.11.0 255.255.255.0 management

http 139.16.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn ciscoasa.xxxxxx.null

email xxxx@gmail.com

subject-name CN=xxxxxx

serial-number

proxy-ldc-issuer

crl configure

crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0

enrollment self

fqdn none

subject-name CN=139.16.1.1,CN=ciscoasa

keypair ASDM_LAUNCHER

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0

certificate 09836256

30820381 30820269 a0030201 02020409 83625630 0d06092a 864886f7 0d010105

05003050 31123010 06035504 03130973 72646f6e 6761746f 313a3012 06035504

05130b4a 41443139 32323033 34343024 06092a86 4886f70d 01090216 17636973

636f6173 612e7372 646f6e67 61746f2e 6e756c6c 301e170d 31353132 30353036

33333535 5a170d32 35313230 32303633 3335355a 30503112 30100603 55040313

09737264 6f6e6761 746f313a 30120603 55040513 0b4a4144 31393232 30333434

30240609 2a864886 f70d0109 02161763 6973636f 6173612e 7372646f 6e676174

6f2e6e75 6c6c3082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082

010a0282 010100d2 295e679c 153e8b6a d3f6131d 8ea646e3 aa0a5fa9 20e49259

ca895563 7e818047 033a4e8f 57f619e9 fa93bfd5 6c44141f b0abf2c0 8b86334e

bac63f41 99e6d676 c689dcf7 080f2715 038a8e1b 694a00de 7124565e a1948f09

8dbeffab c7c8a028 741c5b10 d0ede5e9 599f38fe 5b88f678 4decdc4b 353b6708

cfa2fbce f58be06e 18feba56 4b2b04a1 77773ec6 5c58d2ed d7ca4f17 980f0353

138bfe65 1b1165e6 7b6f94bb ab4d4286 e900178c 147a6dba 2427f38e e225030f

0a66d1eb 5075c57e 6d77e5bb 247f5bc3 8d3530f0 49dedf2d 21a24b5f daa08d98

690183cf e82a6b8d 5e489956 c5eecdbc 7fc2365c b629a52b 126b51e2 18590ed5

c9da8503 a639f102 03010001 a3633061 300f0603 551d1301 01ff0405 30030101

ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 80143468

dec79103 0a91b530 1ada7e47 7e27b16d 4186301d 0603551d 0e041604 143468de

c791030a 91b5301a da7e477e 27b16d41 86300d06 092a8648 86f70d01 01050500

03820101 003cdb04 8ef5ed31 c05c684b ad2b0062 96bfd39a ecb0a3fe 547aebe5

14b753e7 89f55827 3d4e0aa8 b8674e45 80d4c023 8e99a7b4 0907d347 060a2fe4

fa6e0c2f 3b9cd708 a539c09f 7022d2ee fb6e2cf6 82b0e861 a2839a71 1512b3ec

e28664e9 732270c9 d1c679d9 1eaf2ad5 007b5699 31c3ff97 09aae869 88677a3d

ecb3032e 2dd0f74f 81f9a8fb 79f30809 723bbdbf dfef4154 5ad6b012 a8f37093

481fa678 23390036 b44b0290 042828f3 5eefdc43 78934455 ebe52d26 9b4234a9

bfeebc43 731c4146 166e5adc b431f12f 8d0fbf16 46306228 34d76984 d2e6ebbc

96838694 88ca120a d4f32884 963e7385 987ec6b0 dfa28d49 05ba5fa8 641bcfc7

ff92ac3c 52

quit

crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0

certificate 0a836256

308202cc 308201b4 a0030201 0202040a 83625630 0d06092a 864886f7 0d010105

05003028 3111300f 06035504 03130863 6973636f 61736131 13301106 03550403

130a3133 392e3136 2e312e31 301e170d 31353132 30353036 35363236 5a170d32

35313230 32303635 3632365a 30283111 300f0603 55040313 08636973 636f6173

61311330 11060355 0403130a 3133392e 31362e31 2e313082 0122300d 06092a86

4886f70d 01010105 00038201 0f003082 010a0282 010100e7 a5c16e86 16c15a10

e018b868 bac7271a 30f1a3f8 ecb9c6b8 3ed4b1ad c9468f5e 287f2a7a 644f1496

c43a061e da927d09 a755b53e ed7c6a66 f2f1fb1e f944345c 86e08ce0 891c99b3

13101ab3 04963fad f91f987f 99f22a89 cd1e8c5a 5e4c026d 2cadd7b7 6620bbd1

b4a5135b 24ec886f fa061a06 dd536e96 1e483730 756c4101 23f83a8d 944a7fbe

93c51d56 32ac0d17 ceb75f63 0ae24f07 f2c54e83 5b84ff00 16b0b899 c925c737

1765b066 23b54645 bc419684 d09dd130 c1479949 68b0a779 df39b078 6fb0deb9

758b14c3 f0801faf f0ad60e1 a018ffba d769f867 3fe8e5fc 88ccc5b2 2319f5d4

617a78c4 74e7a64b 5c68276c 06ea57c1 d0ffce4b 358c4d02 03010001 300d0609

2a864886 f70d0101 05050003 82010100 dff97c9f 4256fd47 8eb661fd d22ecea4

589eff09 958e01f1 a435a20e 5ed1cf19 af42e54d d61fc0ab cb2ee7ac 7fcb4513

1a44cc86 1e020d72 3a3f78d2 4d225177 857093d9 f5fcf3c7 6e656d2b 54a0c522

f636b8cf 33c5ae34 ea340f32 85dff4c1 50165e7a e94de10b ced15752 0b3a76c1

20291106 2a50777b a1a8a214 8a003716 680c15d4 ac3f7cc7 378f8f5f 38e3403f

f958c095 e549c8ed 4baf8cc5 bdcd230e 260754ea 953c3a4c eb01fef5 62b97e01

9f82ce6b f479dbdd 000c45af 8758b35f b4a958ee 32c4db3f 2ddc7385 dc05b0e3

78b609ba a9280841 2433ae87 5dd7a7c2 d5691068 1dc0eddc c23f99c5 3df8b1a5

aadbd82a 423f4ba8 563142bf 742771c3

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet 139.16.1.0 255.255.255.0 inside

telnet 11.11.11.0 255.255.255.0 management

telnet timeout 5

no ssh stricthostkeycheck

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 172.16.1.69-172.16.1.69 DMZ

dhcpd dns 87.216.1.65 87.216.1.66 interface DMZ

dhcpd option 3 ip 172.16.1.1 interface DMZ

dhcpd enable DMZ

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip

webvpn

enable outside

enable inside

enable DMZ

anyconnect image disk0:/anyconnect-win-3.1.12020-k9.pkg 1

anyconnect profiles Wialon_client_profile disk0:/Wialon_client_profile.xml

anyconnect enable

tunnel-group-list enable

error-recovery disable

group-policy GroupPolicy_Wialon internal

group-policy GroupPolicy_Wialon attributes

wins-server none

dns-server value 192.168.1.1

vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

default-domain none

webvpn

anyconnect profiles value Wialon_client_profile type user

dynamic-access-policy-record DfltAccessPolicy

username wialon_1 password Wy2aFpAQTXQavfJD encrypted

 

service-type remote-access

tunnel-group Wialon type remote-access

tunnel-group Wialon general-attributes

address-pool Pool_139

default-group-policy GroupPolicy_Wialon

tunnel-group Wialon webvpn-attributes

group-alias Wialon enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0cc4df99103b3939601f2604ddda8585

: end

Accepted Solution

Philip D'Ath
VIP Alumni

Could you not just do a 1:1 NAT and use the access-list to control what ports are allowed in?

Something more like:

object network wialon-server
  nat (DMZ,outside) static wialon-server-external-ip

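The 1:1 static NAT approach from the accepted answer, written out end to end as an added example; this is not code from the thread or from the poster's ASA. It reuses the object names and addresses from the posted configuration (wialon-server, wialon-server-external-ip, 172.16.1.69, 192.168.1.132, ports 80, 555 and 20100-21999). The object-group names wialon-tcp-ports and wialon-udp-ports are new, and the client address 203.0.113.10 and source port 51234 in the packet-tracer checks are made-up test values.

```cisco
! Added example: single 1:1 static NAT for the DMZ server, with the exposed
! ports controlled by the outside ACL instead of one NAT rule per port.

! 1. Remove the per-port rules so they neither shadow nor duplicate the 1:1 rule.
!    The manual (twice) NAT line in section 1 is matched before object NAT, so it goes first.
no nat (DMZ,outside) source static wialon-server wialon-server-external-ip service Wialon-services-TCP Wialon-services-TCP
object network wialon-server-ssl
 no nat (DMZ,outside) static wialon-server-external-ip service tcp 555 555
object network wialon-server
 no nat (DMZ,outside) static wialon-server-external-ip service tcp www www

! 2. One static 1:1 NAT: every port of 172.16.1.69 is reachable at 192.168.1.132.
!    From here on the ACL alone decides which ports the Internet can reach.
object network wialon-server
 host 172.16.1.69
 nat (DMZ,outside) static wialon-server-external-ip

! 3. Port lists that carry only a DESTINATION port. Do not reuse objects with
!    "source range 20100 21999": a source range is also a match condition on the
!    remote client's port, and a client connecting from an ephemeral port (e.g. 51234)
!    never matches such an ACE or NAT service.
object-group service wialon-tcp-ports tcp
 port-object eq www
 port-object eq 555
 port-object range 20100 21999
object-group service wialon-udp-ports udp
 port-object range 20100 21999

! 4. Inbound ACL on the outside interface, written against the REAL (DMZ) address
!    as ASA 8.3 and later require. Clearing the old ACL also drops its access-group
!    binding, so the access-group is re-applied afterwards.
clear configure access-list outside_acl
access-list outside_acl extended permit tcp any object wialon-server object-group wialon-tcp-ports
access-list outside_acl extended permit udp any object wialon-server object-group wialon-udp-ports
access-group outside_acl in interface outside

! 5. Verification. An Internet client on an ephemeral source port hitting the tracker
!    port range should show the untranslate to 172.16.1.69 and "Action: allow":
packet-tracer input outside tcp 203.0.113.10 51234 192.168.1.132 20150 detailed
packet-tracer input outside udp 203.0.113.10 51234 192.168.1.132 20150
!    A port that is not on the list must be dropped in the ACCESS-LIST phase:
packet-tracer input outside tcp 203.0.113.10 51234 192.168.1.132 22
!    Confirm there is exactly one static translation for the server and watch it being used:
show nat detail
show xlate
```

With the NAT widened to all ports, the outside ACL is the only thing between the Internet and the server, so it should list exactly the ports the application needs and nothing else. The posted configuration also contains `access-list DMZ_access_in extended permit ip object wialon-server 139.16.1.0 255.255.255.0`, which lets this Internet-facing host open any connection into the inside LAN; once the server is exposed on a range of ports, that DMZ-to-inside rule is the next thing worth tightening to the specific hosts and ports it really needs.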

3 Replies


Hi,

Thanks for your answer! It could be a good solution, let me try it and come back with feedback.

It works! Many thanks!!
