Cisco ASA - Can't get through NAT

raresz (Level 1)

Hi. I have a Cisco ASA with 4 VLANs (DMZ, inside, outside, WiFi - unused). I also have a NextCloud server in my DMZ VLAN which I want to be accessible from outside. I managed that on a Cisco router but I'm fresh with the Cisco ASA. I tried to do it the way the official Cisco documentation says:

Cisco documentation 

and I checked a lot of other pages. And it just doesn't work.
NextCloud is 192.168.2.3

First I tried with the command:

Czernobyl(config)# object network nextcloud_public
Czernobyl(config-network-object)# host A.B.C.D(my hidden public IP)
Czernobyl(config-network-object)# exit

Czernobyl(config)# object network nextcloud_private
Czernobyl(config-network-object)# host 192.168.2.3
Czernobyl(config-network-object)# nat (DMZ,outside) static nextcloud_public service tcp 443 443
ERROR: Address A.B.C.D overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

So I used the "interface" keyword to work around that - it accepted the command, I applied some ACL and it still doesn't work. Here are my outputs:

#show version


Device Manager Version 7.9(2)152

Compiled on Wed 13-Mar-13 07:45 by builders
System image file is "disk0:/asa911-4-k8.bin"
Config file at boot was "startup-config"

Czernobyl up 42 mins 53 secs

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB

# show nat


Czernobyl# show nat
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic obj_any interface
translate_hits = 24, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static nextcloud interface service tcp https https
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 811, untranslate_hits = 3

#show running-config

ASA Version 9.1(1)4
!
hostname Czernobyl
domain-name raresz.local
enable password qguZBuP5aUM4/9xH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk allowed vlan 1,20
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
switchport access vlan 4
!
interface Ethernet0/7
switchport access vlan 4
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan4
nameif WiFi
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Vlan12
nameif DMZ
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name raresz.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network nextcloud_public
host A.B.C.D
object network nextcloud_private
host 192.168.2.3
object network nextcloud
host 192.168.2.3
access-list outside_acl extended permit tcp any object nextcloud eq https
access-list outside_acl2 extended permit tcp any host A.B.C.D eq https
pager lines 24
logging enable
logging timestamp
logging buffer-size 16762
logging monitor warnings
logging trap notifications
logging asdm errors
logging facility 23
logging host DMZ 192.168.2.4 6/1470
logging flash-bufferwrap
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu WiFi 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DMZ,outside) source dynamic obj_any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network nextcloud
nat (DMZ,outside) static interface service tcp https https
access-group outside_acl2 in interface outside
router ospf 1
network 192.168.1.0 255.255.255.0 area 0
network 192.168.2.0 255.255.255.0 area 0
network 192.168.4.0 255.255.255.0 area 0
area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8443
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd option 43 ip 10.20.0.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 95.216.71.38 source outside prefer
ssl encryption 3des-sha1 aes128-sha1
webvpn
anyconnect-essentials
@@@@@@@@@@@@@@@@@@@@@@@@@@
!
class-map inspection_default
match default-inspection-traffic

Does anybody have any ideas?


7 Replies

Hello
Try making the following changes:

No nat (inside,outside) dynamic interface object network nextcloud
nat (inside,outside) dynamic interface


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

raresz (Level 1)

I don't get it. There is no mention of DMZ anywhere. I mean "inside" is my local VLAN where I keep private devices. Nextcloud is in the DMZ VLAN.

Hello

lol, apologies, I posted the wrong NAT statement; it was meant to state:
no nat (DMZ,outside) source dynamic obj_any interface

object network nextcloud
nat (DMZ,outside) static interface service tcp https https (already applied)



Kind Regards
Paul

Ok, it works. But... does that mean the rest of the clients in the DMZ will have no internet access now? Can I get something that would make both work?

I don't know why I always have problems with NAT... On the c2800 I also had a problem with that: either only static PAT was working or only overload. It took me about 3 days to manage it and in the end I have no idea what was wrong, because it fixed itself after some hours of doing nothing (please don't ask, I really don't know how it happened :D)

If I now apply a dynamic NAT statement there, will it somehow combine so that both overload and static PAT work?

 

Hello
You can be more specific:

object network web-public
host <public ip address>

object network nextcloud
nat (DMZ,outside) static web-public service tcp https https 

object network dmz-lan
range 192.168.2.4 192.168.2.254 (note: static DMZ host not included)
nat (DMZ,outside) dynamic interface



Kind Regards
Paul

Asemmoqbel (Level 1)

Dear Raresz,

Allow me to explain a little about NAT rule priorities on the ASA.

There are three NAT types:

1- Manual NAT

It is prioritized first and preferred over other NAT rules. It is displayed under Section 1 in "show nat".

2- Auto NAT

It is second in priority, preferred after Manual NAT. These NAT rules are created within objects and are displayed under Section 2 in "show nat".

3- Manual NAT with the "after-auto" keyword

It is prioritized last. It is displayed under Section 3 in "show nat".

Also, within Auto NAT rules the prioritization is as follows:

- Static is prioritized and preferred over Dynamic.

- More specific real IP first.

In your configuration, you can apply two auto NAT rules:

1- Auto NAT for static PAT for the nextcloud server

object network Nextcloud-PAT
host 192.168.2.3
nat (DMZ,outside) static interface service tcp https https

2- Auto NAT for dynamic PAT for the DMZ subnet

object network DMZ-Pat
subnet 192.168.2.0 255.255.255.0
nat (DMZ,outside) dynamic interface

With the above rules, the static rule will be prioritized first and then the dynamic one will take effect. You can confirm this by issuing "show nat": you will see the static rule placed before the dynamic one.

Best Regards

Asem ..
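As an added illustration (not code from the thread, from Cisco, or from any poster), here is a small Python model of the ordering Asem describes and of the symptom in the original "show nat" output: the section-1 manual dynamic rule claims the (DMZ,outside) pair first, so the section-2 static PAT never untranslates. The rule names, the rule-set constants and the "a dynamic rule drops a fresh inbound flow" behaviour are a constructed simplification, not the ASA's actual lookup code.

```python
"""Simplified model of Cisco ASA NAT rule ordering (constructed for illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    section: int              # 1 = manual NAT, 2 = auto NAT, 3 = manual NAT "after-auto"
    kind: str                 # "static" or "dynamic"
    real: str                 # real (DMZ-side) host or subnet in CIDR form
    mapped_port: Optional[int] = None   # static PAT port on the outside interface address

def ordered(rules: List[Rule]) -> List[Rule]:
    """Section first; within a section static before dynamic, then the most specific real object."""
    return sorted(rules, key=lambda r: (r.section, r.kind != "static", -ip_network(r.real).prefixlen))

def outbound(rules: List[Rule], src_ip: str) -> Optional[Rule]:
    """Translation of a new outbound flow: first rule whose real object contains the source wins."""
    for r in ordered(rules):
        if ip_address(src_ip) in ip_network(r.real):
            return r
    return None

def inbound(rules: List[Rule], dst_port: int) -> Optional[Rule]:
    """Untranslation of a new inbound flow to <interface IP>:dst_port. Every rule here maps to
    the interface address, so the first rule in order claims the packet; a dynamic PAT rule has
    no xlate for a fresh inbound connection, so the packet is dropped (the thread's symptom:
    translate_hits on the manual rule, untranslate_hits = 0 on the static rule)."""
    for r in ordered(rules):
        if r.kind == "dynamic":
            return None
        if r.mapped_port == dst_port:
            return r
    return None

NEXTCLOUD = Rule("nextcloud", 2, "static", "192.168.2.3/32", 443)
# Original running-config: manual dynamic PAT for obj_any (section 1) plus the auto static PAT
ORIGINAL = [Rule("manual obj_any", 1, "dynamic", "0.0.0.0/0"), NEXTCLOUD]
# Paul's fix: manual rule removed, only the static PAT is left (DMZ clients lose dynamic PAT)
PAUL_FIX = [NEXTCLOUD]
# Asem's variant: dynamic PAT for the DMZ subnet added as a second auto NAT rule
ASEM_FIX = [NEXTCLOUD, Rule("DMZ-Pat", 2, "dynamic", "192.168.2.0/24")]

def hit(rule: Optional[Rule]) -> Optional[str]:
    """Name of the matching rule, or None when the flow gets no translation (dropped)."""
    return rule.name if rule else None

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("paul", PAUL_FIX), ("asem", ASEM_FIX)):
        print(label, hit(inbound(cfg, 443)), hit(outbound(cfg, "192.168.2.50")))
```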

Ok, thanks guys for the proper answers. I will be fighting with that soon. I only wish the Cisco ASA had the same CLI as IOS on routers... The thing is, I don't really want to learn the ASA logic too much because I'm preparing for the CCNA exam, so that would really mess with my mind. I just want to focus on router/switch IOS for now. Anyway, thanks a lot!
