NAT/PAT Question

michealcard
Level 1

I have an ASA 5510 running version 8.3 and am having trouble with NAT. Our ISP has given us a block of 5 IP addresses, 24.182.13.144/29. Two weeks ago everything was working fine, then for no reason one of our NAT rules to IP address 24.182.13.147 stopped working. If I change my NAT rule from

nat (inside,outside) static 24.182.13.147 service tcp https https

to

nat (inside,outside) static interface service tcp https 9997

I am able to connect to my device using https on the specified port. Would someone please look at my config and tell me what I am missing here.

I appreciate your time to even look at this.

ASA Version 8.3(1)
!
hostname CiscoASA
enable password V2weNZuR0xPieBxK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 24.182.13.146 255.255.255.248
 no pim
 no igmp
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 100.100.100.136 255.255.252.0
 no pim
 no igmp
 ospf network point-to-point non-broadcast
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group BVCH
 name-server 100.100.100.98
dns server-group DefaultDNS
 name-server 68.190.192.35
 name-server 71.9.127.107
 name-server 4.2.2.3
dns-group BVCH
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object service PharmServerRD
 service tcp destination eq 6257
object network obj-inside
 subnet 100.100.100.0 255.255.252.0
object network obj-avreo
 host 100.100.100.4
object network obj-avreord
 host 100.100.100.4
object network obj-sqlrd
 host 100.100.100.98
object network obj-adp
 host 100.100.102.14
object network obj-Avreossl
 host 100.100.100.4
object network NETWORK_OBJ_10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_100.100.100.0_22
 subnet 100.100.100.0 255.255.252.0
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_100.100.100.0_24
 subnet 100.100.100.0 255.255.255.0
object network 100.100.5.0
 subnet 100.100.5.0 255.255.255.0
 description Voice
object network 100.100.5.4
 host 100.100.5.4
 description Message Manager
object network obj-Webserver
 host 100.100.100.6
object network obj-barracuda
 host 100.100.100.97
 description SSLVPN
object-group service RD tcp
 description RD
 port-object eq 6250
 port-object eq 6251
 port-object eq 6252
 port-object eq 6257
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_in remark Permit Traffic to 100.100.100.6 - HTTP
access-list outside_in extended permit tcp any host 100.100.100.6 eq www
access-list outside_in remark Permit Traffic to 100.100.102.14 - RD
access-list outside_in extended permit tcp any host 100.100.102.14 eq 3389
access-list outside_in remark Permit Traffic to 100.100.100.98 - RD
access-list outside_in extended permit tcp any host 100.100.100.98 eq 6252
access-list outside_in remark Permit Traffic to 100.100.100.4 - HTTPS
access-list outside_in extended permit tcp any host 100.100.100.4 eq https
access-list outside_in remark Permit Traffic to 100.100.100.4 - RD
access-list outside_in extended permit tcp any host 100.100.100.4
access-list outside_in remark Permit Traffic to 100.100.100.20 - RD
access-list outside_in extended permit tcp any host 100.100.100.20
access-list outside_in extended permit tcp any host 100.100.100.97 eq https
access-list to100.5.4 extended permit ip any host 100.100.5.4
access-list rhccomp extended permit ip any 10.10.10.0 255.255.255.224
access-list rhcphone extended permit ip any 10.10.5.0 255.255.255.224
access-list outside_cryptomap extended permit ip 100.100.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CAP extended permit icmp any any
access-list CAP extended permit icmp any 24.182.13.144 255.255.255.248
access-list CAP extended permit tcp any host 24.182.13.147 eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (Inside,outside) source static any any destination static obj-10.1.1.0 obj-10.1.1.0
nat (Inside,outside) source static NETWORK_OBJ_100.100.100.0_24 NETWORK_OBJ_100.100.100.0_24 destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24
!
object network obj-inside
 nat (Inside,outside) dynamic interface
object network obj-avreo
 nat (Inside,outside) static interface service tcp www www
object network obj-avreord
 nat (Inside,outside) static interface service tcp 6256 6256
object network obj-sqlrd
 nat (Inside,outside) static interface service tcp 6252 6252
object network obj-adp
 nat (Inside,outside) static interface service tcp 3389 9999
object network obj-Avreossl
 nat (Inside,outside) static interface service tcp https https
object network obj-barracuda
 nat (Inside,outside) static 24.182.13.147 service tcp https https
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.182.13.145 1
route Inside 10.5.4.0 255.255.255.0 100.100.100.156 1
route Inside 10.5.5.0 255.255.255.0 100.100.100.156 1
route Inside 10.10.5.0 255.255.255.224 100.100.100.159 1
route Inside 10.10.10.0 255.255.255.224 100.100.100.159 1
route Inside 100.100.5.0 255.255.255.0 100.100.100.159 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 100.100.100.0 255.255.252.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
sysopt noproxyarp Inside
sysopt noproxyarp management
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer 65.115.125.41
crypto map outside_map1 1 set transform-set ESP-3DES-MD5
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet 100.100.100.0 255.255.252.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
username srogers password zI5NKeqdTq25lLxy encrypted privilege 15
username thagerman password PT28vZviqpU4QZ8k encrypted privilege 15
username mcard password l2OErQyeYqC72NG8 encrypted privilege 15
tunnel-group 65.115.125.41 type ipsec-l2l
tunnel-group 65.115.125.41 ipsec-attributes
 pre-shared-key *****
!
class-map rhcphone
 match access-list rhcphone
class-map test
 match access-list to100.5.4
class-map inspection_default
 match default-inspection-traffic
class-map rhc
 match access-list rhccomp
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class test
  set connection advanced-options tcp-state-bypass
 class rhc
  set connection advanced-options tcp-state-bypass
 class rhcphone
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8920b9b09e9bd3cf874a84368a66911f
: end
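An added check for a config like the one above, written for this page and not part of the thread or of any Cisco tooling. It reads an ASA 8.3-style config and, for every static object NAT whose real side is a single host, reports two things. First, whether the ACL bound to the mapped interface permits the real (inside) address and real port, which is what 8.3 and later evaluate; an ACE written against the mapped address, as pre-8.3 configs did, permits nothing now and is flagged separately. Second, whether the mapped address is an address in the outside subnet other than the interface address while `sysopt noproxyarp` is set on that interface. That combination is the caveat worth knowing here: the ASA only attracts traffic for such an address if it answers ARP for it on the outside segment, and `sysopt noproxyarp outside` (present in the config above) turns that off, so reachability of an address like .147 then depends on the upstream gateway's ARP cache or on a route the ISP installs. The thread never pins down a root cause, so treat this as a check to run, not a diagnosis. The config excerpt in the block is constructed from the posted config, with the RD ACE rewritten in the old mapped-address form so the negative case is visible; `PORT_NAMES`, `NAT_RE`, `lint` and the finding keys are this example's own names.

```python
"""ASA 8.3 object-NAT lint (added example, not Cisco tooling and not from the thread)."""
import ipaddress
import re

# Constructed excerpt of the config posted above.  The RD ACE for 100.100.102.14 is
# deliberately rewritten in pre-8.3 style (mapped address/port) to show the negative case.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 24.182.13.146 255.255.255.248
object network obj-barracuda
 host 100.100.100.97
 nat (Inside,outside) static 24.182.13.147 service tcp https https
object network obj-adp
 host 100.100.102.14
 nat (Inside,outside) static interface service tcp 3389 9999
access-list outside_in extended permit tcp any host 100.100.100.97 eq https
access-list outside_in extended permit tcp any host 24.182.13.146 eq 9999
access-group outside_in in interface outside
sysopt noproxyarp outside
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}  # example's own subset
# nat (real_ifc,mapped_ifc) static <mapped-ip|object|interface> [service proto real_port mapped_port]
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?")


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_config(text):
    """Collect interface addresses, object hosts, object NATs, ACLs, access-groups, noproxyarp."""
    ifaces, hosts, nats, acls, groups, noproxy = {}, {}, [], {}, {}, set()
    cur_if = cur_obj = None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "interface":
            cur_if, cur_obj = {"addr": None}, None
        elif t[0] in ("object", "object-group"):   # only 'object network' bodies are tracked
            cur_if, cur_obj = None, (t[2] if t[:2] == ["object", "network"] else None)
        elif cur_if is not None and t[0] == "nameif":
            ifaces[t[1]] = cur_if
        elif cur_if is not None and t[:2] == ["ip", "address"]:
            cur_if["addr"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif cur_obj and t[0] == "host":
            hosts[cur_obj] = t[1]
        elif cur_obj and t[0] == "nat":
            nats.append((cur_obj, " ".join(t)))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t)
        elif t[0] == "access-group":               # access-group NAME in interface IFC
            groups[t[4]] = t[1]
        elif t[:2] == ["sysopt", "noproxyarp"]:
            noproxy.add(t[2])
    return ifaces, hosts, nats, acls, groups, noproxy


def parse_ace(t):
    """(action, proto, dst_network, dst_port) for a simple extended ACE, else None."""
    def take(tok):                                 # address spec: any | host A | A MASK
        if tok[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
        if tok[0] == "host":
            return ipaddress.ip_network(tok[1]), tok[2:]
        return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
    try:
        if t[2] != "extended":
            return None                            # remark lines, standard ACLs
        _src, rest = take(t[5:])
        dst, rest = take(rest)
        port = port_num(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    except (ValueError, IndexError):
        return None                                # operators/object-groups not modelled here
    return t[3], t[4], dst, port


def acl_matches(aces, ip, proto, port, host_only=False):
    """True if some permit ACE covers ip/proto/port; host_only restricts it to /32 entries."""
    ip = ipaddress.ip_address(ip)
    return any(action == "permit" and aproto in (proto, "ip") and ip in dst
               and aport in (None, port) and (not host_only or dst.prefixlen == 32)
               for action, aproto, dst, aport in filter(None, map(parse_ace, aces)))


def lint(text):
    """One finding per static object NAT whose real side is a single host."""
    ifaces, hosts, nats, acls, groups, noproxy = parse_config(text)
    findings = []
    for obj, line in nats:
        m = NAT_RE.search(line)
        if not m or obj not in hosts:
            continue                               # dynamic NAT / subnet objects: out of scope
        _real_ifc, mapped_ifc, target, proto, rport, mport = m.groups()
        outside = ifaces[mapped_ifc]["addr"]
        mapped = outside.ip if target == "interface" else ipaddress.ip_address(hosts.get(target, target))
        proto, aces = proto or "ip", acls.get(groups.get(mapped_ifc, ""), [])
        # 8.3+: the inbound ACL is evaluated against the REAL address and real port
        acl_ok = acl_matches(aces, hosts[obj], proto, port_num(rport) if rport else None)
        findings.append({
            "object": obj, "real": hosts[obj], "mapped": str(mapped), "acl_ok": acl_ok,
            # a /32 ACE on the mapped address/port is a pre-8.3 leftover that permits nothing now
            "stale_mapped_ref": not acl_ok and acl_matches(
                aces, str(mapped), proto, port_num(mport) if mport else None, host_only=True),
            # a mapped address in the outside subnet other than the interface address is reachable
            # only if the ASA answers ARP for it; 'sysopt noproxyarp' on that interface stops that
            "proxy_arp_risk": target != "interface" and mapped in outside.network and mapped_ifc in noproxy,
        })
    return findings


if __name__ == "__main__":
    print(*lint(SAMPLE_CONFIG), sep="\n")
```

Run against the sample, `obj-barracuda` comes back with the ACL correct but `proxy_arp_risk` set, and `obj-adp` comes back with no matching ACE plus `stale_mapped_ref`, because the only ACE for it names the interface address and the mapped port 9999. The parser handles the plain `any`/`host`/`net mask` address forms and `eq` ports only; ACEs that use object-groups or other operators are skipped rather than guessed at.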

15 Replies

manish arora
Level 6

nat (inside,outside) static 24.182.13.147 service tcp https https to
nat (inside,outside) static interface service tcp https 9997

Can you try:

nat (inside,outside) static 24.182.13.147 service tcp https 9997

It seems like your internal server is listening on 9997 (mapped port).

Manish

The internal server is listening on 443. I have tried changing my NAT command to use PAT and still no luck. Using that command I tried to access it via https://24.182.13.147:9997 and still no luck. It seems like the device is dropping the packet when it tries to come in from that IP address. I was thinking an incorrect ACL, or possibly a missing one. Any thoughts?

Please paste the output of:

packet-tracer input outside tcp x.x.x.x 2000 {your server's external ip} 443 detailed

Manish

I will post it first thing in the morning. Thank You

I got some time tonight to run the command. Here is the output and the command I ran:

CiscoASA# packet-tracer input outside tcp 4.2.2.2 2000 24.182.13.147 443 deta$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacb2a200, priority=1, domain=permit, deny=false
hits=470160, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-barracuda
 nat (Inside,outside) static 24.182.13.147 service tcp https https
Additional Information:
NAT divert to egress interface Inside
Untranslate 24.182.13.147/443 to 100.100.100.97/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any host 100.100.100.97 eq https
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacc47918, priority=13, domain=permit, deny=false
hits=0, user_data=0xa8fec180, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=100.100.100.97, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacb7cb60, priority=0, domain=inspect-ip-options, deny=true
hits=13360, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad1f19c8, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=4119, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-barracuda
 nat (Inside,outside) static 24.182.13.147 service tcp https https
Additional Information:
Forward Flow based lookup yields rule:
out id=0xa7f7c2e8, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xa7f7b818, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=100.100.100.97, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=Inside

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xacbd61a0, priority=0, domain=inspect-ip-options, deny=true
hits=26202, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20576, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

Also, I ran "sh access-list outside_in"; this is what I got:

CiscoASA# sh access-l outside_in
access-list outside_in; 7 elements; name hash: 0xc5896c24
access-list outside_in line 1 remark Permit Traffic to 100.100.100.6 - HTTP
access-list outside_in line 2 extended permit tcp any host 100.100.100.6 eq www (hitcnt=0) 0x30d62f56
access-list outside_in line 3 remark Permit Traffic to 100.100.102.14 - RD
access-list outside_in line 4 extended permit tcp any host 100.100.102.14 eq 3389 (hitcnt=0) 0x826052c6
access-list outside_in line 5 remark Permit Traffic to 100.100.100.98 - RD
access-list outside_in line 6 extended permit tcp any host 100.100.100.98 eq 6252 (hitcnt=0) 0x47913749
access-list outside_in line 7 remark Permit Traffic to 100.100.100.4 - HTTPS
access-list outside_in line 8 extended permit tcp any host 100.100.100.4 eq https (hitcnt=2647) 0xa62cda93
access-list outside_in line 9 remark Permit Traffic to 100.100.100.4 - RD
access-list outside_in line 10 extended permit tcp any host 100.100.100.4 (hitcnt=184) 0x6e896bcd
access-list outside_in line 11 remark Permit Traffic to 100.100.100.20 - RD
access-list outside_in line 12 extended permit tcp any host 100.100.100.20 (hitcnt=0) 0x2405c7ce
access-list outside_in line 13 extended permit tcp any host 100.100.100.97 eq https (hitcnt=1) 0xbd6d6ed6

Look at the hitcnt on line 13. Even though I get an "unable to connect to server" error, that still increases from time to time. What I really am unable to understand is that it was working, and nothing was changed on the ASA 5510, but it still does not work. I have checked connectivity from my IP addresses going out to the internet, but am unable to have anything come in on .147, .148 and .149. I have also tried other servers and services on each of these addresses, like remote desktop with and without port translation, etc. The only one that still works is the outside interface address of .146.

If you get a chance please post sh run nat.

Also, since the hit count is going up for packet-tracer input outside, try packet-tracer input inside tcp 100.x.x.x 443 4.2.2.2 2000 to see what reverse NAT path it is taking, because if secure traffic is sent to 24.182.13.147 but the return NAT is using 24.182.13.146 then the requesting machine will drop packets.

Also, you can try doing a static NAT without port forwarding using the following to close in on the problem:

object network ext-1
 host 24.x.13.147
object network ssl-baracuda
 host 100.x.x.x
 nat (inside,outside) static ext-1

hth

Manish

I tried switching to a static NAT like you suggested.

CiscoASA(config)# object network ext-1
CiscoASA(config-network-object)# host 24.182.13.147
CiscoASA(config-network-object)# object network ssl-baracuda
CiscoASA(config-network-object)# host 100.100.100.97
CiscoASA(config-network-object)# nat (inside,outside) static ext-1

It is still not allowing connections. Below are a sh run nat and the packet-tracer output:

CiscoASA# sh run nat
nat (Inside,outside) source static any any destination static obj-10.1.1.0 obj-10.1.1.0
nat (Inside,outside) source static NETWORK_OBJ_100.100.100.0_24 NETWORK_OBJ_100.100.100.0_24 destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24
!
object network obj-inside
 nat (Inside,outside) dynamic interface
object network obj-avreo
 nat (Inside,outside) static interface service tcp www www
object network obj-avreord
 nat (Inside,outside) static interface service tcp 6256 6256
object network obj-sqlrd
 nat (Inside,outside) static interface service tcp 6252 6252
object network obj-adp
 nat (Inside,outside) static interface service tcp 3389 9999
object network obj-Avreossl
 nat (Inside,outside) static interface service tcp https https
object network ssl-baracuda
 nat (Inside,outside) static ext-1

CiscoASA# packet-tracer input inside tcp 100.100.100.97 443 4.2.2.2 2000 detai$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xacbd61a0, priority=0, domain=inspect-ip-options, deny=true
hits=60078, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 3
Type: INSPECT
Subtype: inspect-skinny
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect skinny 
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad253638, priority=70, domain=inspect-skinny, deny=false
hits=3, user_data=0xad2531d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=2000, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network ssl-baracuda
nat (Inside,outside) static ext-1
Additional Information:
Static translate 100.100.100.97/443 to 24.182.13.147/443
Forward Flow based lookup yields rule:
in  id=0xac9d4f10, priority=6, domain=nat, deny=false
hits=1, user_data=0xad4186e8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=100.100.100.97, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Inside, output_ifc=outside
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xacb7cb60, priority=0, domain=inspect-ip-options, deny=true
hits=28802, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 45936, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat 
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
CiscoASA#

Hi Micheal,

The packet-tracer output both ways is showing allow, which is very interesting because it still doesn't work. I would really like you to set up a capture and see if the packets are even making it to the firewall when initiated from outside, and also have captures on the inside interface to see if the replies are going out.

Also, does your ISP do firewalling? I am having difficulty even tracing you to your gateway, which means there is filtering somewhere before it even reaches your firewall.

On another note, what is the purpose of this statement:

nat (Inside,outside) source static any any destination static obj-10.1.1.0 obj-10.1.1.0

I do see that you have "no nat" in place for the VPN traffic to the same subnets, so this is not required (not sure, since I am unaware of your topology).

Manish

I am unfamiliar with setting up captures. I do not know if they have any filtering in place. I can tell you the GW is 24.182.13.145, which does give an ICMP echo reply. I know the tracing is interesting; everything I have looked at and tried in the configuration I know is right, which is why I thought maybe I was missing something. I am unable to find any reason why this is not working, especially with it working with this same config less than two weeks ago. There are other people here who have access to this firewall and do not know what they are doing, so I was thinking they got in there and did something to it. The NAT you are referring to was not put in place by me. I hate to admit it, but I am not fluent with the VPN commands on an ASA so had to use the wizard in ASDM. If it is not needed, then there is no reason to keep it in there.

1> clear logging buffer

2> Here's how you can set up a capture:

Set up the NAT for 24.182.13.147, then:

asa#
asa(config)#access-list test-nat extended permit tcp any host 24.182.13.147 eq 443
asa(config)#capture test-out access-list test-nat interface outside
asa(config)#access-list test-nat2 extended permit tcp host 100.x.x.x eq 443 any
asa(config)#capture test-in access-list test-nat2 interface inside

Initiate traffic from a neutral location.

sh capture test-out
sh capture test-in

3> sh logging buffer

Manish

After doing the capture, it showed that there were no packets coming in or going out. I called my ISP to have them come replace the modem. After they did that it still did not work. I wanted to test the IP address, so I changed my outside interface to the .147 address and verified the internet was working. I tested another NAT with

nat (inside,outside) static interface service tcp https https

and it worked. I changed my outside interface back to the .146 address and reconfigured my NAT for my device:

object network ssl-vpn
 host x.x.x.97
 nat (inside,outside) static 24.x.x.147 service tcp https https
exit
access-list outside_in extended permit tcp any host x.x.x.97
write mem

Tested it and it all works. I do not know exactly why it stopped or why it is working now. The configuration I entered was the same that I had, and had also rebuilt in the course of troubleshooting. The only change was the ssl-vpn. I named it differently numerous times and it still didn't work. I want to thank you for all of your help. If I ever can figure out what happened I will make sure to post it.

Thank You Again,

Micheal Card

So, the Capture tool did help and made you call the ISP. I am happy that the issue is resolved.

Also, you should set up a little script (bash) for daily config backups of your firewall and set up some diff so that you know when changes are made, etc.

Let me know if you need help or example of the script.

Manish

It did help. I called the ISP because of the results. I am quite happy that it is working. What exactly do you mean by "set up some diff so you know when changes are made"? I would love some help with a script. Are you referring to a bash script on the ASA? I didn't know the shell on an ASA was bash.

No, I was saying set up an Expect script on Linux (CentOS) and put it in cron; it will back up your config and match it with the last day's backup, and if there are any changes it will let you know.

Here's the script:

http://nixcraft.com/26913-post6.html

Set up directories accordingly.

Please Mark this thread answered if possible.

Manish
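The backup-and-diff job Manish describes has two halves: pulling the config off the ASA, which the linked Expect script does over SSH, and comparing copies. As an added example that is not that script and not part of the thread, the Python below shows the comparison half, including the part a naive `diff` gets wrong: it drops the lines that change on every `write mem` (the `Cryptochecksum:` line and the `: Written by ...` timestamp) so that a saved config does not count as drift when nothing was actually changed, diffs the rest in order (order matters for ACLs), and separately pulls out the changed lines a reviewer wants to see first: remote-management, credential, NAT, ACL and route lines. The two config texts are constructed for the example (the second one has the NAT for 100.100.100.97 changed to interface PAT and SSH opened from anywhere on outside); `VOLATILE`, `WATCH`, `normalize`, `config_diff` and `risky` are this example's own names. Fetching the copies, whether by Expect over SSH or `copy running-config tftp:` from the ASA, is out of scope here.

```python
"""Config-drift check for saved ASA configs (added example; not the Expect script linked above)."""
import difflib
import re

# Lines that change on every 'write mem' / 'show run' and must not count as drift.
VOLATILE = re.compile(r"^(Cryptochecksum:|: (Saved|Written by|Hardware:|Serial Number:))")
# Lines a reviewer wants to see first when they change (example's own list).
WATCH = re.compile(r"^\s*(ssh |telnet |http |username |enable password|aaa |crypto |"
                   r"access-list |access-group |nat |route |sysopt )")

# Constructed copies of a config as a daily job would have stored them.
YESTERDAY = """\
: Saved
: Written by enable_15 at 22:10:03.123 PST Tue Mar 1 2011
ASA Version 8.3(1)
hostname CiscoASA
object network obj-barracuda
 host 100.100.100.97
 nat (Inside,outside) static 24.182.13.147 service tcp https https
access-list outside_in extended permit tcp any host 100.100.100.97 eq https
telnet 100.100.100.0 255.255.252.0 Inside
Cryptochecksum:8920b9b09e9bd3cf874a84368a66911f
: end
"""
# Same config one save later: new timestamp and checksum (no drift), NAT changed to
# interface PAT and SSH opened from anywhere on outside (drift, and worth a look).
TODAY = (YESTERDAY
         .replace("22:10:03.123 PST Tue Mar 1 2011", "08:41:55.004 PST Wed Mar 2 2011")
         .replace(" nat (Inside,outside) static 24.182.13.147 service tcp https https",
                  " nat (Inside,outside) static interface service tcp https 9997")
         .replace("telnet 100.100.100.0 255.255.252.0 Inside\n",
                  "telnet 100.100.100.0 255.255.252.0 Inside\nssh 0.0.0.0 0.0.0.0 outside\n")
         .replace("8920b9b09e9bd3cf874a84368a66911f", "0000000000000000000000000000abcd"))


def normalize(text):
    """Drop volatile lines, trailing whitespace and blank lines; keep order (ACL order matters)."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip() and not VOLATILE.match(ln)]


def config_diff(old, new):
    """Return (removed, added) config lines between two saved copies; ([], []) means no drift."""
    removed, added = [], []
    for ln in difflib.unified_diff(normalize(old), normalize(new), lineterm="", n=0):
        if ln.startswith(("---", "+++", "@@")):
            continue                                   # unified-diff headers, not config
        (removed if ln[0] == "-" else added).append(ln[1:])
    return removed, added


def risky(lines):
    """Subset of changed lines that touch remote access, credentials, NAT, ACLs or routing."""
    return [ln for ln in lines if WATCH.match(ln)]


if __name__ == "__main__":
    removed, added = config_diff(YESTERDAY, TODAY)
    for tag, lines in (("-", removed), ("+", added)):
        for ln in lines:
            print(tag, ln, "<-- review" if risky([ln]) else "")
```

Run as-is it reports one removed line (the old static NAT) and two added lines (the interface PAT and the new `ssh` line), all three flagged for review, while the checksum and timestamp changes are ignored. In a cron job, a non-empty result is the signal to send the diff to whoever owns the firewall; the `WATCH` list is deliberately narrow and should be extended with whatever else is sensitive in a given deployment.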
