PAT problem

teymur azimov · ‎01-22-2012

Hi,

we have a problem. we have a router which performs NAT, and behind router we have ASA. in inside we have a server. we need requests which come to our outside interface with port number 9000 convert to server ip with port number 443. we do port address translation on router :

ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet0/0 9000

and on ASA we permit everything for test.

but our config doesnt work. what should we do?

cadet alain · ‎01-23-2012

Hi,

can you provide the config of the ASA.

Regards.

Alain.

Don't forget to rate helpful posts.

teymur azimov · ‎01-23-2012

Hi

ASA Version 8.2(1)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.0.0.2 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

access-list 111 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.25 5.255.0

access-list out_to_in extended permit tcp any host 192.168.10.10 eq smtp

access-list out_to_in extended permit tcp any host 192.168.10.10 eq www

access-list out_to_in extended permit tcp any host 192.168.10.10 eq https

pager lines 24

logging enable

logging timestamp

logging list my-list level debugging class vpn

logging trap my-list

logging host inside 192.168.1.10

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list 111

access-group out_to_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

route inside 192.168.1.0 255.255.255.0 172.16.100.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server CiscoAsa protocol radius

aaa-server CiscoAsa (inside) host 192.168.1.10

key 1q2w!1q2w

radius-common-pw 1q2w!1q2w

http server enable

http 10.0.0.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN_MAP 10 set transform-set RA-TS

crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP

crypto map VPN_MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no vpn-addr-assign local

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy RAVPN internal

group-policy RAVPN attributes

dns-server value 192.168.1.10

dhcp-network-scope 192.168.20.0

vpn-idle-timeout 45

username risk password WJjW/emCr.pCrXeq encrypted

tunnel-group vpnclient type remote-access

tunnel-group vpnclient general-attributes

authentication-server-group CiscoAsa

default-group-policy RAVPN

dhcp-server 192.168.1.10

tunnel-group vpnclient ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e49b92e97309f3e2767d8c8ad29f9c14

: end

Vivek Ganapathi · ‎01-23-2012

Hi,

Can you provide show ip nat translation output from your router as well? Most important to look at is, if the translation is happening. There could be a chance that the traffic is really not coming in with Port 9000 on the router. Hence translation doesnt happen.

teymur azimov · ‎01-23-2012

Router#show ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 172.16.10.2:9000 192.168.10.10:443 172.16.10.1:1902 172.16.10.1:1902

tcp 172.16.10.2:9000 192.168.10.10:443 --- ---

and asa access-list:

access-list out_to_in line 1 extended permit tcp any host 192.168.10.10 eq smtp (hitcnt=1) 0x8c8a5270

access-list out_to_in line 3 extended permit tcp any host 192.168.10.10 eq www (hitcnt=0) 0x66a8840a

access-list out_to_in line 4 extended permit tcp any host 192.168.10.10 eq https (hitcnt=5) 0x66546073