Help diagnosing ASA 5512 static nat problem. 8.6 config inside.

paperwise
Level 1

I need to NAT several internal IPs to external IPs we have from the ISP. To test this I have a machine on the inside of a CISCO ASA 5512 that I want to be able to contact using an external IP address. The machine is at 192.168.70.6 internally and I want it to use the external IP of 77.119.29.139. I have entered:

object network obj-192.168.70.6
 host 192.168.70.6
 nat (inside,outside) static 77.119.29.139
access-list outside_access_in permit tcp any host 77.119.29.139
object network obj-192.168.70.6
 host 192.168.70.6
 nat (inside,outside) static 77.119.29.139 service tcp www www
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

However I'm still unable to reach this machine through http or ping. When I try by http I get entries in the ASDM syslog that say:

"Built inbount TCP connection 20088 for Outside: 77.119.11.206/64991) to Inside: 192.168.70.6/80 (77.119.29.139/80)"

"Teardown TCP connection for Outside:77.119.11.206/64989 to Inside: 192.168.70.6/80 duration 0:00:30 bytes 0 SYN Timeout"

When I try by ping the syslog shows "Deny icmp src Outside:77.119.1.206 dst Outside 77.119.29.139 (type 8, code 0) by access-group "Outside_access_in""

Running a traceroute packet trace from 80 to 80 within ASDM came back all green checks. I can't figure out where the problem is. I have attached a copy of my config. The public IPs in this example and in my config have all been changed to protect the innocent.

4 Replies

Abzal
Level 7

Hi,

You need to fix this one:

no access-list Outside_access_in extended permit tcp any object 192.168.70.6 eq www
access-list Outside_access_in extended permit tcp any object 77.119.29.139 eq www
access-list Outside_access_in extended permit icmp any object 77.119.29.139 echo
static (inside,outside) 77.119.29.139 192.168.70.6 netmask 255.255.255.255
access-group Outside_access_in in interface Outside

And add this to config, because I didn't see it:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

Hope it will help.

Best regards,
Abzal


Unfortunately making the suggested changes didn't help. I am still unable to contact the machine. When I try to ping it or hit its IIS http page I can see the access rule counter hits increase but I still get no reply and the same entries in the syslog as before.

Try adding these lines and see if they help...

policy-map global_policy
 class inspection_default
  inspect http
  inspect icmp

HTH,
John

*** Please rate all useful posts ***


Jouni Forss
VIP Alumni

Hi,

Configuring a Static NAT should usually be a pretty simple configuration and you seem to have the correct configuration but some odd ones too.

Basically you would want the following configuration:

object network STATIC
 host 192.168.70.6
 nat (inside,outside) static 77.119.29.139
access-list Outside_access_in permit tcp any object STATIC eq www
access-list Outside_access_in permit icmp any object STATIC

You don't need any Port Forward configurations since you already have the above Static NAT configuration.

Some other things I noticed

  • What is this route command: route Outside 77.119.29.128 255.255.255.240 77.119.29.142 1
    • It's for a network that contains your used Static NAT IP address
  • In the log messages you posted we can see that the connection from "outside" comes correctly through the firewall but there is no response to the TCP SYN from the LAN server. Are you sure your server has been configured with the correct gateway IP address (192.168.70.2)? Is there an http service enabled there?

- Jouni
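As an added example (not code from anyone in this thread), here is a small Python triage script that classifies the three kinds of ASA syslog lines quoted in the question and separates an ACL problem ("Deny ... by access-group") from the case Jouni describes, where the connection is built through the NAT but the inside host never answers the SYN ("bytes 0 SYN Timeout"). The sample lines are constructed to mirror the quoted ones, and the verdict names are my own.

```python
import re

# Constructed sample lines modelled on the syslog excerpts in the question
# (not real captures from the poster's ASA).
SAMPLE_LOGS = [
    "Built inbound TCP connection 20088 for Outside:77.119.11.206/64991 "
    "(77.119.11.206/64991) to Inside:192.168.70.6/80 (77.119.29.139/80)",
    "Teardown TCP connection 20088 for Outside:77.119.11.206/64991 to "
    "Inside:192.168.70.6/80 duration 0:00:30 bytes 0 SYN Timeout",
    'Deny icmp src Outside:77.119.1.206 dst Outside:77.119.29.139 '
    '(type 8, code 0) by access-group "Outside_access_in"',
]

# Built: real (untranslated) destination, then the mapped address in parentheses.
BUILT_RE = re.compile(r"Built inbound TCP connection (\d+) for \S+:(\S+)/(\d+) .*?to "
                      r"\S+:(\S+)/(\d+) \((\S+)/(\d+)\)")
TEARDOWN_RE = re.compile(r"Teardown TCP connection (\d+) for .*? to \S+:(\S+)/(\d+) "
                         r"duration (\S+) bytes (\d+)(?: (.*))?$")
DENY_RE = re.compile(r'Deny (\w+) src \S+:(\S+) dst \S+:(\S+) .*by access-group "([^"]+)"')

def classify(line):
    """Return a dict with the connection id, a verdict and a human-readable detail."""
    m = BUILT_RE.search(line)
    if m:
        conn, _src, _sport, real, rport, mapped, mport = m.groups()
        # A Built message means the ACL permitted it and NAT translated it.
        return {"conn": conn, "verdict": "nat-ok",
                "detail": f"{mapped}:{mport} translated to {real}:{rport}; ACL permitted"}
    m = TEARDOWN_RE.search(line)
    if m:
        conn, real, rport, _duration, nbytes, reason = m.groups()
        if reason and "SYN Timeout" in reason and int(nbytes) == 0:
            # Zero bytes and a SYN timeout: the inside host never replied.
            return {"conn": conn, "verdict": "no-reply-from-host",
                    "detail": f"{real}:{rport} never answered the SYN; "
                              "check the host's default gateway and the service"}
        return {"conn": conn, "verdict": "closed", "detail": reason or "normal"}
    m = DENY_RE.search(line)
    if m:
        proto, src, dst, acl = m.groups()
        return {"conn": None, "verdict": "acl-deny",
                "detail": f"{proto} {src}->{dst} dropped by {acl}; fix the permit/object"}
    return {"conn": None, "verdict": "unknown", "detail": line}

def triage(lines):
    """Classify each line; the verdict list shows whether the ACL or the host is the problem."""
    return [classify(line) for line in lines]
```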
