01-06-2011 04:03 PM - edited 03-04-2019 10:58 AM
I have an ASA 5510 running version 8.3 and am having trouble with NAT. Our ISP has given us a block of 5 IP addresses, 24.182.13.144/29. Two weeks ago everything was working fine, then for no reason one of our NAT rules to IP address 24.182.13.147 stopped working. If I change my NAT rule from
nat (inside,outside) static 24.182.13.147 service tcp https https to
nat (inside,outside) static interface service tcp https 9997
I am able to connect to my device using https on the specified port. Would someone please look at my config and tell me what I am missing here.
I appreciate your time to even look at this.
ASA Version 8.3(1)
!
hostname CiscoASA
enable password V2weNZuR0xPieBxK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 24.182.13.146 255.255.255.248
no pim
no igmp
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 100.100.100.136 255.255.252.0
no pim
no igmp
ospf network point-to-point non-broadcast
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group BVCH
name-server 100.100.100.98
dns server-group DefaultDNS
name-server 68.190.192.35
name-server 71.9.127.107
name-server 4.2.2.3
dns-group BVCH
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object service PharmServerRD
service tcp destination eq 6257
object network obj-inside
subnet 100.100.100.0 255.255.252.0
object network obj-avreo
host 100.100.100.4
object network obj-avreord
host 100.100.100.4
object network obj-sqlrd
host 100.100.100.98
object network obj-adp
host 100.100.102.14
object network obj-Avreossl
host 100.100.100.4
object network NETWORK_OBJ_10.1.1.0_24
subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_100.100.100.0_22
subnet 100.100.100.0 255.255.252.0
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_100.100.100.0_24
subnet 100.100.100.0 255.255.255.0
object network 100.100.5.0
subnet 100.100.5.0 255.255.255.0
description Voice
object network 100.100.5.4
host 100.100.5.4
description Message Manager
object network obj-Webserver
host 100.100.100.6
object network obj-barracuda
host 100.100.100.97
description SSLVPN
object-group service RD tcp
description RD
port-object eq 6250
port-object eq 6251
port-object eq 6252
port-object eq 6257
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_in remark Permit Traffic to 100.100.100.6 - HTTP
access-list outside_in extended permit tcp any host 100.100.100.6 eq www
access-list outside_in remark Permit Traffic to 100.100.102.14 - RD
access-list outside_in extended permit tcp any host 100.100.102.14 eq 3389
access-list outside_in remark Permit Traffic to 100.100.100.98 - RD
access-list outside_in extended permit tcp any host 100.100.100.98 eq 6252
access-list outside_in remark Permit Traffic to 100.100.100.4 - HTTPS
access-list outside_in extended permit tcp any host 100.100.100.4 eq https
access-list outside_in remark Permit Traffic to 100.100.100.4 - RD
access-list outside_in extended permit tcp any host 100.100.100.4
access-list outside_in remark Permit Traffic to 100.100.100.20 - RD
access-list outside_in extended permit tcp any host 100.100.100.20
access-list outside_in extended permit tcp any host 100.100.100.97 eq https
access-list to100.5.4 extended permit ip any host 100.100.5.4
access-list rhccomp extended permit ip any 10.10.10.0 255.255.255.224
access-list rhcphone extended permit ip any 10.10.5.0 255.255.255.224
access-list outside_cryptomap extended permit ip 100.100.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CAP extended permit icmp any any
access-list CAP extended permit icmp any 24.182.13.144 255.255.255.248
access-list CAP extended permit tcp any host 24.182.13.147 eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (Inside,outside) source static any any destination static obj-10.1.1.0 obj-10.1.1.0
nat (Inside,outside) source static NETWORK_OBJ_100.100.100.0_24 NETWORK_OBJ_100.100.100.0_24 destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24
!
object network obj-inside
nat (Inside,outside) dynamic interface
object network obj-avreo
nat (Inside,outside) static interface service tcp www www
object network obj-avreord
nat (Inside,outside) static interface service tcp 6256 6256
object network obj-sqlrd
nat (Inside,outside) static interface service tcp 6252 6252
object network obj-adp
nat (Inside,outside) static interface service tcp 3389 9999
object network obj-Avreossl
nat (Inside,outside) static interface service tcp https https
object network obj-barracuda
nat (Inside,outside) static 24.182.13.147 service tcp https https
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.182.13.145 1
route Inside 10.5.4.0 255.255.255.0 100.100.100.156 1
route Inside 10.5.5.0 255.255.255.0 100.100.100.156 1
route Inside 10.10.5.0 255.255.255.224 100.100.100.159 1
route Inside 10.10.10.0 255.255.255.224 100.100.100.159 1
route Inside 100.100.5.0 255.255.255.0 100.100.100.159 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 100.100.100.0 255.255.252.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
sysopt noproxyarp Inside
sysopt noproxyarp management
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer 65.115.125.41
crypto map outside_map1 1 set transform-set ESP-3DES-MD5
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet 100.100.100.0 255.255.252.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
username srogers password zI5NKeqdTq25lLxy encrypted privilege 15
username thagerman password PT28vZviqpU4QZ8k encrypted privilege 15
username mcard password l2OErQyeYqC72NG8 encrypted privilege 15
tunnel-group 65.115.125.41 type ipsec-l2l
tunnel-group 65.115.125.41 ipsec-attributes
pre-shared-key *****
!
class-map rhcphone
match access-list rhcphone
class-map test
match access-list to100.5.4
class-map inspection_default
match default-inspection-traffic
class-map rhc
match access-list rhccomp
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class test
set connection advanced-options tcp-state-bypass
class rhc
set connection advanced-options tcp-state-bypass
class rhcphone
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8920b9b09e9bd3cf874a84368a66911f
: end
01-06-2011 05:35 PM
nat (inside,outside) static 24.182.13.147 service tcp https https to
nat (inside,outside) static interface service tcp https 9997
Can you try :-
nat (inside,outside) static 24.182.13.147 service tcp https 9997
Seems like your internal server is listening on 9997 ( mapped port ).
Manish
01-06-2011 06:23 PM
The internal server is listening on 443. I have tried changing my NAT command to use PAT and still no luck. Using that command I tried to access it via https://24.182.13.147:9997 and still no luck. It seems like the device is dropping the packet when it tries to come in from that IP address. I was thinking an incorrect ACL, or possibly a missing one. Any thoughts?
01-06-2011 06:36 PM
Please paste the output of :-
packet-tracer input outside tcp x.x.x.x 2000 {your server's external ip} 443 detailed
Manish
01-06-2011 07:04 PM
I will post it first thing in the morning. Thank You
01-06-2011 09:20 PM
I got some time tonight to run the command. Here is the output and the command run:
CiscoASA# packet-tracer input outside tcp 4.2.2.2 2000 24.182.13.147 443 deta$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacb2a200, priority=1, domain=permit, deny=false
hits=470160, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-barracuda
nat (Inside,outside) static 24.182.13.147 service tcp https https
Additional Information:
NAT divert to egress interface Inside
Untranslate 24.182.13.147/443 to 100.100.100.97/443
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any host 100.100.100.97 eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacc47918, priority=13, domain=permit, deny=false
hits=0, user_data=0xa8fec180, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=100.100.100.97, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacb7cb60, priority=0, domain=inspect-ip-options, deny=true
hits=13360, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad1f19c8, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=4119, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-barracuda
nat (Inside,outside) static 24.182.13.147 service tcp https https
Additional Information:
Forward Flow based lookup yields rule:
out id=0xa7f7c2e8, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xa7f7b818, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=100.100.100.97, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=Inside
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xacbd61a0, priority=0, domain=inspect-ip-options, deny=true
hits=26202, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20576, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
Also, I ran "sh access-list outside_in"; this is what I got:
CiscoASA# sh access-l outside_in
access-list outside_in; 7 elements; name hash: 0xc5896c24
access-list outside_in line 1 remark Permit Traffic to 100.100.100.6 - HTTP
access-list outside_in line 2 extended permit tcp any host 100.100.100.6 eq www (hitcnt=0) 0x30d62f56
access-list outside_in line 3 remark Permit Traffic to 100.100.102.14 - RD
access-list outside_in line 4 extended permit tcp any host 100.100.102.14 eq 3389 (hitcnt=0) 0x826052c6
access-list outside_in line 5 remark Permit Traffic to 100.100.100.98 - RD
access-list outside_in line 6 extended permit tcp any host 100.100.100.98 eq 6252 (hitcnt=0) 0x47913749
access-list outside_in line 7 remark Permit Traffic to 100.100.100.4 - HTTPS
access-list outside_in line 8 extended permit tcp any host 100.100.100.4 eq https (hitcnt=2647) 0xa62cda93
access-list outside_in line 9 remark Permit Traffic to 100.100.100.4 - RD
access-list outside_in line 10 extended permit tcp any host 100.100.100.4 (hitcnt=184) 0x6e896bcd
access-list outside_in line 11 remark Permit Traffic to 100.100.100.20 - RD
access-list outside_in line 12 extended permit tcp any host 100.100.100.20 (hitcnt=0) 0x2405c7ce
access-list outside_in line 13 extended permit tcp any host 100.100.100.97 eq https (hitcnt=1) 0xbd6d6ed6
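Added example, not code from the thread or from Cisco: a small Python check of the 8.3 behaviour the packet-tracer above shows, where UN-NAT (Phase 2) runs before the ACCESS-LIST phase (Phase 3), so the inbound ACL must permit the real (pre-NAT) address and the real port, not the mapped ones. It parses host objects, object NAT statements and simple `permit ... any host X [eq port]` ACEs from a constructed subset of the thread's config in which the permit for obj-adp is deliberately left out.

```python
"""ASA 8.3+ object NAT vs. inbound ACL check (added example, not thread code).
Since 8.3 the inbound ACL is matched on the REAL address after UN-NAT, so a
static whose real host/port has no permit is dropped without any NAT error.
SAMPLE_CONFIG is a constructed subset of the thread's config, permit for
obj-adp (real port 3389, mapped 9999) deliberately omitted."""
import re

PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22}
OBJ_RE = re.compile(r"^object network (\S+)$")
# Object NAT only: twice NAT ("nat (a,b) source static ...") does not match.
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static \S+(?: service (tcp|udp) (\S+) \S+)?$")
# Single-token source (any / object name), host destination, optional eq port.
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) \S+ host (\S+)(?: eq (\S+))?$")
ACG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

SAMPLE_CONFIG = """\
object network obj-adp
 host 100.100.102.14
object network obj-barracuda
 host 100.100.100.97
access-list outside_in extended permit tcp any host 100.100.100.97 eq https
nat (Inside,outside) source static any any destination static obj-10.1.1.0 obj-10.1.1.0
object network obj-adp
 nat (Inside,outside) static interface service tcp 3389 9999
object network obj-barracuda
 nat (Inside,outside) static 24.182.13.147 service tcp https https
access-group outside_in in interface outside
"""

def port_num(token):
    """ASA port name or number -> int; None when the line had no port."""
    return None if token is None else (PORTS.get(token.lower()) or int(token))

def parse(config):
    hosts, nats, acls, bound, cur = {}, [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            cur = m.group(1)
        elif line.startswith("host ") and cur:
            hosts[cur] = line.split()[1]
        elif (m := NAT_RE.match(line)) and cur:
            nats.append((cur, m.group(2), m.group(3), port_num(m.group(4))))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), port_num(m.group(4))))
        elif m := ACG_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> inbound ACL name
    return hosts, nats, acls, bound

def permitted(aces, proto, real_ip, real_port):
    """True if some ACE permits proto/real_port to real_ip (no 'eq' = all ports)."""
    return any(dst == real_ip and (proto is None or ap in ("ip", proto))
               and (port is None or real_port is None or port == real_port)
               for ap, dst, port in aces)

def unreachable_statics(config):
    """(object, real_ip, proto, real_port) for host statics the inbound ACL blocks."""
    hosts, nats, acls, bound = parse(config)
    missing = []
    for obj, mapped_ifc, proto, real_port in nats:
        real_ip = hosts.get(obj)  # None for subnet objects: out of scope here
        aces = acls.get(bound.get(mapped_ifc, ""), [])  # no bound ACL: deny all
        if real_ip and not permitted(aces, proto, real_ip, real_port):
            missing.append((obj, real_ip, proto, real_port))
    return missing
```

Run it against a `show running-config` saved to a file and it prints the statics whose real host/port no ACE covers; against the full config in this thread it reports nothing, which matches the packet-tracer result above.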
01-06-2011 11:02 PM
If you get a chance please post sh run nat.
Also, since the hit count is going up for packet-tracer input outside, try packet-tracer input inside tcp 100.x.x.x 443 4.2.2.2 2000 to see what reverse NAT path it's taking, cuz if secure traffic is sent to 24.182.13.147 but the return NAT is using 24.182.13.146 then the requesting machine will drop packets.
Also, you can try doing a static NAT without port forwarding using the following to close in on the problem:-
object network ext-1
host 24.x.13.147
object network ssl-baracuda
host 100.x.x.x
nat (inside,outside) static ext-1
hth
Manish
01-07-2011 08:29 AM
I tried switching to a static NAT like you suggested.
CiscoASA(config)# object network ext-1
CiscoASA(config-network-object)# host 24.182.13.147
CiscoASA(config-network-object)# object network ssl-baracuda
CiscoASA(config-network-object)# host 100.100.100.97
CiscoASA(config-network-object)# nat (inside,outside) static ext-1
It is still not allowing connections. Below is a sh run nat and the packet-tracer
CiscoASA# sh run nat
nat (Inside,outside) source static any any destination static obj-10.1.1.0 obj-10.1.1.0
nat (Inside,outside) source static NETWORK_OBJ_100.100.100.0_24 NETWORK_OBJ_100.100.100.0_24 destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24
!
object network obj-inside
nat (Inside,outside) dynamic interface
object network obj-avreo
nat (Inside,outside) static interface service tcp www www
object network obj-avreord
nat (Inside,outside) static interface service tcp 6256 6256
object network obj-sqlrd
nat (Inside,outside) static interface service tcp 6252 6252
object network obj-adp
nat (Inside,outside) static interface service tcp 3389 9999
object network obj-Avreossl
nat (Inside,outside) static interface service tcp https https
object network ssl-baracuda
nat (Inside,outside) static ext-1
01-07-2011 09:41 AM
Hi Micheal,
The packet-tracer output both ways is showing allow, which is very interesting cuz it still doesn't work. I would really like you to set up a capture and see if the packets are even making it to the firewall when initiated from outside, and also have captures on the inside interface to see if the replies are going out.
Also, does your ISP do firewalling? I am having difficulty even tracing you to your gateway, which means there is filtering somewhere before it even reaches your firewall.
On another note, what is the purpose of this statement :-
nat (Inside,outside) source static any any destination static obj-10.1.1.0 obj-10.1.1.0
I do see that you have no nat in place for the VPN traffic to the same subnets, so this is not required ( not sure, since unaware of your topology ).
Manish
01-07-2011 09:46 AM
I am unfamiliar with setting up captures. I do not know if they have any filtering in place. I can tell you the GW is 24.182.13.145, which does give an ICMP echo reply. I know the tracing is interesting; everything I have looked at and tried in the configuration I know is right, which is why I thought maybe I was missing something. I am unable to find any reason why this is not working, especially with it working with this same config less than two weeks ago. There are other people here who have access to this firewall and do not know what they are doing, so I was thinking they got in there and did something to it. The NAT you are referring to was not put in place by me; I hate to admit it, but I am not fluent with the VPN commands on an ASA so I had to use the wizard in ASDM. If it is not needed, then there is no reason to keep it in there.
01-07-2011 10:12 AM
1> clear logging buffer
2> here's how you can set up Capture :-
set up the NAT for 24.182.13.147 then
asa#
asa(config)#access-list test-nat permit tcp any host 24.182.13.147 eq 443
asa(config)#capture test-out access-list test-nat interface outside
asa(config)#access-list test-nat2 permit tcp host 100.x.x.x eq 443 any
asa(config)#capture test-in access-list test-nat2 interface inside
Initiate traffic from a neutral location.
sh capture test-out
sh capture test-in
3> sh logging buffer
Manish
01-07-2011 04:18 PM
After doing the capture, it showed that there were no packets coming in or going out. I called my ISP to have them come replace the modem. After they did that it still did not work. I wanted to test the IP address, so I changed my outside interface to the .147 address and verified the internet was working. I tested another NAT with
nat (inside,outside) static interface service tcp https https
and it worked. I changed my outside interface back to the .146 address and reconfigured my NAT for my device:
object network ssl-vpn
host x.x.x.97
nat (inside,outside) static 24.x.x.147 service tcp https https
exit
access-list outside_in extended permit tcp any host x.x.x.97
write mem
Tested it and it all works. I do not know exactly why it stopped or why it is working now. The configuration I entered was the same that I had, and also had rebuilt in the course of troubleshooting. The only change was the ssl-vpn name. I named it differently numerous times and it still didn't work. I want to thank you for all of your help. If I ever can figure out what happened I will make sure to post it.
Thank You Again,
Micheal Card
01-07-2011 04:50 PM
So, the Capture tool did help and made you call the ISP. I am happy that the issue is resolved.
Also, you should set up a little script ( bash ) for daily config backup of your firewall and set up some diff so that you know when changes are made etc.
Let me know if you need help or example of the script.
Manish
01-07-2011 05:12 PM
It did help. I called the ISP because of the results. I am quite happy that it is working. What exactly do you mean "set up some diff so you know when changes are made"? I would love some help with a script. Are you referring to a bash script on the ASA? I didn't know the shell on an ASA was bash.
01-07-2011 05:30 PM
No, I was saying set up an Expect script on Linux (CentOS) and put it in cron; it will back up your config and match it against the previous day's backup, and if any changes were made it will let you know.
here's the script :-
http://nixcraft.com/26913-post6.html
Set up directories accordingly.
Please Mark this thread answered if possible.
Manish
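Added example, not the Expect script linked above: a Python version of the daily diff Manish describes, meant to run from cron against yesterday's and today's saved configs. It drops the lines the ASA rewrites on every save (the ": Written by" stamp and Cryptochecksum), so a mail is only warranted when an actual statement changed; both snapshots here are constructed, and fetching the config from the box is left to the existing backup job.

```python
"""Change detection between two saved ASA running-configs. Added example, not
the Expect script the thread links to. Volatile lines (': Saved', ': Written by'
stamp, Cryptochecksum, ': end') are dropped before diffing, so cron only mails
you when an actual statement changed. Both snapshots below are constructed."""
import difflib
import re

VOLATILE = re.compile(r"^(?::\s|Cryptochecksum:)")

YESTERDAY = """\
: Saved
: Written by enable_15 at 06:00:00.000 PST Wed Jan 5 2011
hostname CiscoASA
object network obj-barracuda
 nat (Inside,outside) static 24.182.13.147 service tcp https https
access-group outside_in in interface outside
Cryptochecksum:constructed-placeholder-1
: end
"""
# Same config one day later: someone changed the barracuda NAT to PAT on 9997.
TODAY = """\
: Saved
: Written by enable_15 at 06:00:00.000 PST Thu Jan 6 2011
hostname CiscoASA
object network obj-barracuda
 nat (Inside,outside) static interface service tcp https 9997
access-group outside_in in interface outside
Cryptochecksum:constructed-placeholder-2
: end
"""

def normalize(config):
    """Keep only real statements: drop blank and volatile lines, trailing space."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not VOLATILE.match(l)]

def config_changes(previous, current):
    """Return (removed, added) statement lists; both empty means no real change."""
    removed, added = [], []
    for line in difflib.unified_diff(normalize(previous), normalize(current),
                                     n=0, lineterm=""):
        if line.startswith(("---", "+++", "@@")) or line[0] not in "-+":
            continue
        (removed if line[0] == "-" else added).append(line[1:].strip())
    return removed, added

def report(previous, current):
    """Human-readable summary suitable for a cron mail."""
    removed, added = config_changes(previous, current)
    if not removed and not added:
        return "no configuration change"
    return "\n".join(["- " + l for l in removed] + ["+ " + l for l in added])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # cron usage: asa_diff.py yesterday.cfg today.cfg
        with open(sys.argv[1]) as prev, open(sys.argv[2]) as cur:
            print(report(prev.read(), cur.read()))
    else:
        print(report(YESTERDAY, TODAY))
```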