Problem with PAT ASA 5510 IOS 9.1.(3)

zero_cool83
Level 1

Hello guys.

I have a strange problem with ASA 5510 NAT settings.

We have one local network:

object network Local_Office_Network
subnet 172.16.0.0 255.255.248.0
description Local Network

and one ISP: 134.17.5.142

The main problem is when I try to set up PAT to a specific server inside the local network from outside:

object network RocketPAT
nat (inside,mts-out) static interface no-proxy-arp service tcp https 8443

It doesn't work; I always see this in the debug logging:

7  Nov 29 2019 19:45:33  710005  178.127.193.130  56795  134.17.5.142  8443  TCP request discarded from 178.127.193.130/56795 to mts-out:134.17.5.142/8443

I will give the main parts of the configuration below:

 

object network RocketPAT
host 172.16.0.100

...

access-list Beltelecom_access_in extended permit tcp any object Rocket_Server eq https log debugging

...

nat (Wifi,mts-out) source dynamic any interface
nat (any,any) source static VPN VPN destination static Local_Office_Network Local_Office_Network
nat (CORP,inside) source static any any dns no-proxy-arp route-lookup
nat (inside,mts-out) source dynamic any interface
!
object network RocketPAT
nat (inside,mts-out) static interface no-proxy-arp service tcp https 8443

 

Could you tell me what is wrong? Thanks in advance!

32 Replies

Good

Turn off any software firewall on your PC and test, just to make sure that it isn't denying anything.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

 

In your original configuration, did you have a NAT exemption for your VPN users?

 

nat (inside,mts-out) source static Local_Office_Network Local_Office_Network destination static VPN VPN

 

?

Solved!

Deleted the first NAT rule in section 1:

nat (CORP,inside) source static any any dns no-proxy-arp route-lookup

All old access lists were cleared:

clear configure access-list

and the correct NAT was configured for the network object:

object network server-rocket
access-list outside_acl extended permit tcp any object server-rocket eq 3000

nat (inside,mts-out) static interface service tcp 3000 3000  

 

access-list outside_acl extended permit tcp any object server-rocket eq 3000
access-group outside_acl in interface mts-out

 

Many thanks to everyone who helped and participated!!!

Most likely, the reason was the pile of old access lists, which the ASA is always guilty of... It was necessary to delete everything from the start.
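The symptom in this thread was the 710005 "TCP request discarded" message for a port that a static PAT should have forwarded. The following Python is an added example, not part of the thread or of any Cisco tool: it parses ASA syslog lines of that form and counts discards that land on a published PAT port, which is a quick way to confirm that a NAT rule is not being matched. The sample log lines are constructed; the addresses and ports are the thread's, and the interface and the published ports (8443 from the original rule, 3000 from the final one) are assumptions taken from the posted config.

```python
import re
from collections import Counter

# Constructed sample lines in standard ASA syslog format. The first two are
# modelled on the 710005 entry quoted in the post; addresses and ports are the
# thread's (178.127.193.130 -> 134.17.5.142/8443 on mts-out).
SAMPLE_LOGS = [
    "%ASA-7-710005: TCP request discarded from 178.127.193.130/56795 "
    "to mts-out:134.17.5.142/8443",
    "%ASA-7-710005: TCP request discarded from 178.127.193.130/56796 "
    "to mts-out:134.17.5.142/8443",
    "%ASA-7-710005: UDP request discarded from 203.0.113.9/40000 "
    "to mts-out:134.17.5.142/161",
    "%ASA-6-302013: Built inbound TCP connection 4711 for "
    "mts-out:178.127.193.130/56800 (178.127.193.130/56800) to "
    "inside:172.16.0.100/3000 (134.17.5.142/3000)",
]

# Services the ASA is supposed to forward with static PAT on the interface
# address: (interface, protocol, port). Assumed from the thread's two rules,
# "... static interface service tcp https 8443" and "... service tcp 3000 3000".
PUBLISHED = {("mts-out", "TCP", 8443), ("mts-out", "TCP", 3000)}

# %ASA-x-710005 is logged when the ASA itself receives a request on one of its
# interface addresses for a service it does not offer. For a port that a static
# PAT should hand to an inside host, this means no NAT rule matched the packet.
DISCARD_RE = re.compile(
    r"%ASA-\d-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_discard(line):
    """Return the fields of a 710005 message as a dict, or None for other lines."""
    m = DISCARD_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f

def published_discards(lines, published=PUBLISHED):
    """Count discards per (interface, protocol, port) that a PAT rule should have
    translated instead; a non-zero count means that publication is broken."""
    hits = Counter()
    for line in lines:
        f = parse_discard(line)
        if f and (f["ifc"], f["proto"], f["dport"]) in published:
            hits[(f["ifc"], f["proto"], f["dport"])] += 1
    return hits
```

Running `published_discards` over the sample lines reports two discards on mts-out TCP/8443 and nothing for TCP/3000, which mirrors the thread: the 8443 rule never matched, while the 3000 rule built an inbound connection (302013) instead of a discard.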
