2129 Views | 3 Helpful | 11 Replies

Static or nat from outside to dmz?

AndreasJo
Level 1

Hi!

I'm trying to set up static translation from outside my network into the DMZ. I have tried both nat/global and static, but have failed with both. The problem is that the packets are getting through to the servers in the DMZ, but nothing is coming back to the sender. So when I try to access a web server in the DMZ I get a SYN timeout.

Traffic from my local LAN(inside) to DMZ is working as it should though.

---- Important conf ---->

access-list OUT extended permit ip any any

global (dmz) 12 interface

nat (outside) 12 access-list OUT outside

access-group OUT in interface outside

no nat-control

---- more info ---->

inside - security level 100, IP 10.0.13.1

dmz - security level 50, IP 172.16.13.1

outside - security level 0, IP 192.168.13.2

bastionhost = webserver

---- show nat ---->

NAT policies on Interface outside:

match ip outside any dmz any

dynamic translation to pool 12 (172.16.13.1 [Interface PAT])

translate_hits = 2, untranslate_hits = 0

// When I used static instead of nat, global I got same amount of untranslate_hits back as I sent to servers in DMZ.

---- debug ---->

Built dynamic TCP translation from outside:192.168.13.5/1316 to dmz(OUT):172.16.13.1/1028

Built inbound TCP connection 469 for outside:192.168.13.5/1316 (172.16.13.1/1028) to dmz:bastionhost/80 (bastionhost/80)

Teardown dynamic TCP translation from outside:192.168.13.5/1317 to dmz(OUT):172.16.13.1/1029 duration 0:00:39

Teardown TCP connection 473 for outside:192.168.13.5/1318 to dmz:bastionhost/80 duration 0:00:30 bytes 0 SYN Timeout

Thanks.
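As an added example (not part of the original post), here is a small Python script that reads ASA connection messages of the kind quoted in the debug section above and separates flows that the firewall accepted but that never got an answer from flows that completed. The sample log lines are constructed in the same format as the post's output; the interface and host names (outside, dmz, inside, bastionhost) are taken from the post.

```python
import re
from collections import Counter

# Constructed sample in the format of the ASA connection messages quoted in the post
# (Built/Teardown lines); not real captured output.
SAMPLE_LOG = """\
Built inbound TCP connection 469 for outside:192.168.13.5/1316 (172.16.13.1/1028) to dmz:bastionhost/80 (bastionhost/80)
Teardown TCP connection 469 for outside:192.168.13.5/1316 to dmz:bastionhost/80 duration 0:00:30 bytes 0 SYN Timeout
Built inbound TCP connection 470 for outside:192.168.13.5/1317 (172.16.13.1/1029) to dmz:bastionhost/80 (bastionhost/80)
Teardown TCP connection 470 for outside:192.168.13.5/1317 to dmz:bastionhost/80 duration 0:00:30 bytes 0 SYN Timeout
Built inbound TCP connection 471 for outside:192.168.13.5/1318 (172.16.13.1/1030) to dmz:bastionhost/80 (bastionhost/80)
Teardown TCP connection 471 for outside:192.168.13.5/1318 to dmz:bastionhost/80 duration 0:00:30 bytes 0 SYN Timeout
Built outbound TCP connection 472 for inside:10.0.13.7/40001 (10.0.13.7/40001) to dmz:bastionhost/80 (bastionhost/80)
Teardown TCP connection 472 for inside:10.0.13.7/40001 to dmz:bastionhost/80 duration 0:00:02 bytes 1834 TCP FINs
"""

# One regex for the Teardown line; Built and translation lines are simply skipped.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_teardowns(log_text):
    """Parse Teardown lines into dicts; any other message type is ignored."""
    out = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            out.append(d)
    return out


def half_open_flows(log_text, min_count=2):
    """Count (src_if, dst_if, dst, dport) flows torn down by 'SYN Timeout' with zero bytes.

    That pair means the ASA accepted the SYN (ACL and translation both matched), but no
    SYN-ACK ever came back, so the problem is beyond the firewall policy."""
    c = Counter(
        (t["src_if"], t["dst_if"], t["dst"], t["dport"])
        for t in parse_teardowns(log_text)
        if t["reason"] == "SYN Timeout" and t["bytes"] == 0
    )
    return {k: n for k, n in c.items() if n >= min_count}


def paths_that_work(log_text):
    """Interface pairs that carried completed connections (nonzero bytes), to contrast with the failing ones."""
    return sorted({(t["src_if"], t["dst_if"]) for t in parse_teardowns(log_text) if t["bytes"] > 0})


if __name__ == "__main__":
    print("half-open:", half_open_flows(SAMPLE_LOG))
    print("working paths:", paths_that_work(SAMPLE_LOG))
```

A Teardown with `bytes 0 SYN Timeout` on an inbound connection means the ASA built the connection, which is why translate_hits goes up, and then waited thirty seconds for a SYN-ACK that never arrived. When that signature appears only for outside to dmz while inside to dmz flows finish with `TCP FINs`, the return path (routing, the switch or VLAN between the ASA and the server, the server's gateway) is the first place to look rather than the NAT or ACL lines. The same zero-byte pattern against many ports or hosts is also what an unanswered port scan looks like, so the grouping key is worth keeping if these messages are fed into a monitoring pipeline.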


a.kiprawih
Level 7

Correct me if I understand it wrongly, but you said the access (via static translation) from outside to DMZ is failing. Packets can get through but no return traffic to sender.

I believe your route from the firewall to the internet (route outside 0.0.0.0 0.0.0.0) is correct.

I noticed that since you use the interface as PAT, try:

*assuming your bastionhost is running on the DMZ IP 172.16.13.10

1. Configure port redirection from the outside interface to the bastionhost, i.e.

static (dmz,outside) tcp interface 21 172.16.13.10 21 netmask 255.255.255.255

2. Add/create an access-list permitting incoming traffic to the bastionhost via the public IP, i.e. permitting ftp/21, to your existing ACL OUT:

access-list OUT permit tcp any host 192.168.13.2 eq 21

Test the access, and check for any hitcount on the specific acl OUT above.

HTH

AK

Yes, you have understood the problem. The static default route is correct and present.

I have already tried to static forward from the external IP to the bastionhost and it works. But I would like to avoid that at the moment and address the bastionhost with its real IP.

It will be the ideal case if you have sufficient Public IP to use.

Cheers!

AK

Yes it would. But as you have figured out by my subnets, this is just a test setup. But I fail when I try to map the entire network. I know it in theory, but in practice it just doesn't work. I haven't found any material from Cisco where they explain what I'm trying to do. They only explain mapping of single hosts.

As far as I know, the port redirection/address mapping (outside to inside) works from one (1) single public/interface IP to many internal hosts, with the condition that each of them needs to be mapped/redirected to a different/unique port number. If you intend to redirect to the entire internal subnet, I don't think it's possible, as the PIX will not know who (ip/host) will use what port.

HTH

AK

That makes sense if you are able to only use the external IP and map inside.

But what if you use the external IP only as a default route from the ISP, then have a pool of public IPs in the DMZ, and you don't address the external public IP but instead a public IP directly in the DMZ?

What do you think?

Your current DMZ is running on private IPs (172.16.13.0 network). If you intend to use/assign a public IP directly on the server, you might have issues with that, i.e. the server gateway.

Unless, of course, if you assigned the whole DMZ with public IP, then it should be fine. Any servers here can use allocated Public IP, and no address translation (nat 0) is required. Just make sure you have the ACL to control traffic in and out.

Otherwise, just proceed with static nat.

HTH

AK

Yes it would.

But I have tried the idea using static again, and it doesn't work either. I get the same error as I got the first time: SYN timeout and untranslate when trying to access the web server in the DMZ on outside IP 192.168.14.5.

This is the conf I'm currently trying. It would be nice if you could tell me what's wrong with it.

---------- Conf ----------

nat-control

global (outside) 2 192.168.14.20-192.168.14.254 netmask 255.255.255.0

global (dmz) 2 172.16.14.20-172.16.14.254 netmask 255.255.255.0

nat (inside) 2 10.0.14.0 255.255.255.0

! I think this only has to be included if I'd like traffic originating from DMZ to outside.

global (outside) 1 192.168.14.5

nat (dmz) 1 bastionhost 255.255.255.255

access-list WEB extended permit ip any host 192.168.14.5

static (dmz,outside) tcp 192.168.14.5 www bastionhost www netmask 255.255.255.255

access-group WEB in interface outside

---------- End conf ----------

[EDIT] I'm using ASA v7.2.2 [/EDIT]

/Regards

Andreas

Your following config is fine, as mapping your bastionhost here with a public IP will enable the server to access internet as well.

access-list WEB extended permit icmp any any --> add this to test bastionhost reachability from outside/internet, and remove later.

access-list WEB extended permit ip any host 192.168.14.5 -> or add 'eq www' to specify port.

static (dmz,outside) tcp 192.168.14.5 www bastionhost www netmask 255.255.255.255

access-group WEB in interface outside

You can omit the following part, as it is meant to allow the bastionhost to access the internet only, not to allow internet users to access it.

global (outside) 1 192.168.14.5

nat (dmz) 1 bastionhost 255.255.255.255

BTW, what does the route statement look like?
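As an added example, and not AK's code or anything from Cisco, the following Python models the pre-8.3 ASA lookup that decides whether a connection arriving on outside can reach a DMZ host: the interface ACL is evaluated against the mapped address, and only a `static` whose mapped side is the ingress interface can untranslate that address into the real one; `nat`/`global` pairs are recorded but never consulted for connections initiated from outside, which is AK's point about the two lines that can be omitted. The three configurations are constructed from the ones in this thread; `bastionhost` is kept as a name string as in the post, the interface addresses are the ones Andreas listed, the `interface` keyword resolves to the outside address 192.168.13.2, and netmask handling is simplified to host statics.

```python
import re

PORT_NAMES = {"www": 80, "ftp": 21, "https": 443}
# Interface addresses as listed in the original post.
IFACE_IPS = {"inside": "10.0.13.1", "dmz": "172.16.13.1", "outside": "192.168.13.2"}

# Constructed config A: dynamic nat/global only. Lets bastionhost go out, lets nobody in.
CONFIG_NAT_GLOBAL = """
global (outside) 1 192.168.14.5
nat (dmz) 1 bastionhost 255.255.255.255
access-list WEB extended permit ip any host 192.168.14.5
access-group WEB in interface outside
"""
# Constructed config B: static port translation, as in the accepted answer.
CONFIG_STATIC = """
access-list WEB extended permit ip any host 192.168.14.5
static (dmz,outside) tcp 192.168.14.5 www bastionhost www netmask 255.255.255.255
access-group WEB in interface outside
"""
# Constructed config C: port redirection on the outside interface address.
CONFIG_REDIRECT = """
access-list OUT extended permit tcp any host 192.168.13.2 eq 21
static (dmz,outside) tcp interface 21 172.16.13.10 21 netmask 255.255.255.255
access-group OUT in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?:(?P<proto>tcp|udp) (?P<mip>\S+) (?P<mport>\S+) (?P<rip>\S+) (?P<rport>\S+)"
    r"|(?P<mip2>\S+) (?P<rip2>\S+)) netmask (?P<mask>\S+)$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\w+)$")


def port(tok):
    """Resolve an ASA port keyword or number to an integer."""
    return PORT_NAMES.get(tok) or int(tok)


def parse_config(text, iface_ips=IFACE_IPS):
    """Pick out the statements that matter for an inbound connection; nat/global ids are only noted."""
    cfg = {"statics": [], "acls": {}, "groups": {}, "nat_ids": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            proto = m["proto"]
            mip = m["mip"] or m["mip2"]
            if mip == "interface":  # 'interface' keyword = the mapped interface's own address
                mip = iface_ips[m["mapped_if"]]
            cfg["statics"].append({
                "real_if": m["real_if"], "mapped_if": m["mapped_if"], "proto": proto,
                "mapped_ip": mip, "mapped_port": port(m["mport"]) if proto else None,
                "real_ip": m["rip"] or m["rip2"], "real_port": port(m["rport"]) if proto else None})
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m["name"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            cfg["groups"][m["ifc"]] = m["name"]
        elif line.startswith(("nat (", "global (")):
            cfg["nat_ids"].add(line.split()[2])  # dynamic rules never untranslate inbound-initiated flows
    return cfg


def acl_permits(cfg, in_if, proto, dst_ip, dst_port):
    """Inbound interface ACL, checked against the mapped address (pre-8.3). First match wins."""
    name = cfg["groups"].get(in_if)
    if name is None:
        return False  # no ACL bound inbound on a lower-security interface: implicit deny
    for e in cfg["acls"].get(name, []):
        if e["proto"] not in ("ip", proto):
            continue
        if e["dst"] != "any" and e["dst"] != f"host {dst_ip}":
            continue
        if e["port"] and port(e["port"]) != dst_port:
            continue
        return e["action"] == "permit"
    return False


def untranslate(cfg, in_if, out_if, proto, dst_ip, dst_port):
    """Only a static whose mapped side is the ingress interface maps the public address back."""
    for s in cfg["statics"]:
        if (s["mapped_if"], s["real_if"], s["mapped_ip"]) != (in_if, out_if, dst_ip):
            continue
        if s["proto"] is None:  # one-to-one static covers every port
            return s["real_ip"], dst_port
        if s["proto"] == proto and s["mapped_port"] == dst_port:
            return s["real_ip"], s["real_port"]
    return None


def inbound_decision(cfg, in_if, out_if, proto, dst_ip, dst_port):
    """Outcome for a connection initiated on in_if towards dst_ip/dst_port behind out_if."""
    if not acl_permits(cfg, in_if, proto, dst_ip, dst_port):
        return "dropped: ACL"
    real = untranslate(cfg, in_if, out_if, proto, dst_ip, dst_port)
    if real is None:
        return f"no untranslation for {dst_ip}/{dst_port}"
    return f"forwarded to {real[0]}/{real[1]}"


if __name__ == "__main__":
    for label, text in (("nat/global", CONFIG_NAT_GLOBAL), ("static", CONFIG_STATIC)):
        print(label, "->", inbound_decision(parse_config(text), "outside", "dmz", "tcp", "192.168.14.5", 80))
```

With config A the ACL permits the packet but nothing maps 192.168.14.5 back to the bastionhost, so an outside user never reaches it; config B forwards port 80 only, and a request to 192.168.14.5/443 has no untranslation because the static is port-specific; config C shows the one-public-IP case from earlier in the thread, where each redirected service needs its own mapped port. The model deliberately has no notion of the switch or VLAN between the ASA and the server, which is exactly why a correct policy can still end in the SYN timeouts described above.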

I found the problem. It was a faulty VLAN configuration on the switch between the DMZ and the ASA. I changed the switch and now it works. It took a while to figure it out though since the traffic was working from Inside to DMZ.

Thanks for all the help.

Regards

/Andreas

Can you post the changes you made to the switch between the DMZ and ASA, as I might be having the same problem. Thanks.
