1508 Views, 0 Helpful, 6 Replies

Cannot reach internal machine using NAT routed external IP

Michael Bradt
Level 1

I'm trying to configure external access to our spiceworks server as well as various other software we use.

I used this to configure my Cisco firewall: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml

I have tested the configuration with the packet tracer and everything is going through fine.

Is there something that I'm missing?

Are there any settings in IIS or the DNS server that I need to configure?

Here are the ACL/NAT entries on my Cisco for these machines.

access-list outside_acl extended permit tcp any object NBDC1 eq 1234
access-list outside_acl extended permit tcp any object Spiceworks eq 9675

object network NBDC1
nat (inside,outside) static NBDC1-external-ip service tcp 1234 www
object network inside-subnet
nat (inside,outside) dynamic interface
object network Spiceworks
nat (inside,outside) static spiceworks-external-ip service tcp 9675 www
access-group inside_access_in in interface inside
access-group outside_acl in interface outside

Another question, do I need to assign this external IP to the outside interface? Or will it just work being defined to a network object?

6 Replies

You should have asked this in the security forum.

I have suggested this question to two persons whom I know and I believe they are experts in this corner.

They may help you out..

Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

Thanks Thanveer.

Michael - if packet tracer shows OK, that means as per your testing, the traffic flow is OK via the ASA.

You don't need to assign the external IP to the outside interface, as long as the external IP is in the same subnet as the outside interface IP, or if the next hop route is routing this particular external IP to the ASA outside interface.

If the external IP is defined as above, all you need has already been configured (network object).

When you are testing it from the internet, check if you have a hit count on the access-list. If there is no hitcount, that means the traffic hasn't even hit the ASA yet.

If you are using an FQDN to connect, please ensure that the DNS name resolves to the external IP defined in the network object. You can first try to access it via IP and see if that works.

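The hit-count check suggested above can be scripted: the following is an added example, not from the thread, that parses `show access-list` output from an ASA and reports the ACEs in outside_acl that have never matched. The sample output, its counters and hashes are constructed; only the `(hitcnt=N)` format is the real one.

```python
import re

# Constructed sample of "show access-list" output. Object-based ACEs are
# followed by indented per-host expansion lines that repeat the same counter.
SAMPLE = """\
access-list outside_acl; 4 elements; name hash: 0x2c7e9d0a
access-list outside_acl line 1 extended permit tcp any object NBDC1 eq 1234 (hitcnt=12) 0x5a1b2c3d
  access-list outside_acl line 1 extended permit tcp any host 192.168.1.50 eq 1234 (hitcnt=12) 0x5a1b2c3d
access-list outside_acl line 2 extended permit tcp any object Spiceworks eq 9675 (hitcnt=0) 0x6e7f8091
  access-list outside_acl line 2 extended permit tcp any host 192.168.1.100 eq 9675 (hitcnt=0) 0x6e7f8091
"""

# One top-level ACE: name, line number, the rule text, and its hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_hit_counts(output):
    """Return [(acl, line, ace_text, hits)] for each top-level ACE.

    Indented expansion lines under an object ACE are skipped so that a rule
    is counted once rather than once per expanded host.
    """
    rows = []
    for raw in output.splitlines():
        if raw.startswith(" "):
            continue
        m = ACE_RE.match(raw)
        if m:
            rows.append((m["acl"], int(m["line"]), m["ace"], int(m["hits"])))
    return rows


def zero_hit_rules(output, acl_name):
    """ACEs in acl_name with hitcnt=0: traffic for them has not reached the
    ASA on that interface, or is being matched by an earlier rule."""
    return [(line, ace) for acl, line, ace, hits in parse_hit_counts(output)
            if acl == acl_name and hits == 0]


if __name__ == "__main__":
    for line, ace in zero_hit_rules(SAMPLE, "outside_acl"):
        print(f"outside_acl line {line} has no hits: {ace}")
```

Run it against the real output (`show access-list outside_acl`) after a test connection from the internet; a rule that stays at zero points upstream of the ASA rather than at the NAT.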

Now the packet trace is failing. This is weird.

It's failing at a different NAT translation - nat (any,outside) dynamic obj_any-01 service any any

These are old entries that were there before I joined the company. When I delete those I lose internet access.

Hello Michael Bradt,

I believe your config should look something like this...

object network Spiceworks-external-ip
host 198.51.100.101

object network Spiceworks
host 192.168.1.100
nat (inside,outside) static Spiceworks-external-ip service tcp www www

object network webserver-external-ip
host 198.51.100.101

Hello Jennifer Halim,

Can you please look into this? It has been a while since I did this in a firewall.

Please rate helpful posts...

Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

Can you please share all your NAT statements?

You can't remove the dynamic NAT, as those are used for outbound access. However, instead of having "any", I would recommend that you specify the actual internal LAN interface.

Here is my current NAT config.

nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-colo obj-colo
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-10.15.25.0 obj-10.15.25.0
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static NETWORK_OBJ_10.25.10.xx NETWORK_OBJ_10.25.10.xx
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-10.20.14.0 obj-10.20.14.0
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-10.20.16.0 obj-10.20.16.0
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static 10.20.13.0 10.20.13.0
nat (inside,outside) source static obj-inside-subnet obj-inside-subnet destination static 10.20.13.0 10.20.13.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.25.10.xx NETWORK_OBJ_10.25.10.xx
nat (inside,outside) source static NETWORK_OBJ_10.25.10.0_24 NETWORK_OBJ_10.25.10.0_24 destination static NETWORK_OBJ_10.20.15.0_24 NETWORK_OBJ_10.20.15.0_24
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-10.20.15.0 obj-10.20.15.0 description Falconer
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network spiceworks
nat (inside,outside) static spiceworks-external-ip service tcp 9675 www
!
nat (any,outside) after-auto source dynamic obj_any-04 interface
nat (any,outside) after-auto source dynamic obj_any-01 interface
nat (any,outside) after-auto source dynamic obj_any-03 interface
nat (any,outside) after-auto source dynamic obj_any-02 interface

As of right now the packet is dropping at the NAT, as you can see in this image.
