12-07-2006 11:52 AM
Hi!
I'm trying to set up static translation from outside my network into the DMZ. I have tried both with nat, global and using static but have failed using both. The problem is that the packets are getting through to the servers in the DMZ but nothing is coming back to the sender. So when I try to access a webserver in the DMZ I get SYN timeout.
Traffic from my local LAN(inside) to DMZ is working as it should though.
---- Important conf ---->
access-list OUT extended permit ip any any
global (dmz) 12 interface
nat (outside) 12 access-list OUT outside
access-group OUT in interface outside
no nat-control
---- more info ---->
inside - security level 100, IP 10.0.13.1
dmz - security level 50, IP 172.16.13.1
outside - security level 0, IP 192.168.13.2
bastionhost = webserver
---- show nat ---->
NAT policies on Interface outside:
match ip outside any dmz any
dynamic translation to pool 12 (172.16.13.1 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
// When I used static instead of nat, global I got same amount of untranslate_hits back as I sent to servers in DMZ.
---- debug ---->
Built dynamic TCP translation from outside:192.168.13.5/1316 to dmz(OUT):172.16.13.1/1028
Built inbound TCP connection 469 for outside:192.168.13.5/1316 (172.16.13.1/1028) to dmz:bastionhost/80 (bastionhost/80)
Teardown dynamic TCP translation from outside:192.168.13.5/1317 to dmz(OUT):172.16.13.1/1029 duration 0:00:39
Teardown TCP connection 473 for outside:192.168.13.5/1318 to dmz:bastionhost/80 duration 0:00:30 bytes 0 SYN Timeout
Thanks.
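The symptom in the post is visible in two places: connection teardowns with "bytes 0 SYN Timeout" and a NAT policy whose translate_hits and untranslate_hits counters move in only one direction. The following script is an added example, not part of the thread; it parses the ASA 7.x "Teardown TCP connection" lines and "show nat" counters in the format quoted above and flags destinations that only ever see one-way traffic. The log lines inside the script are constructed (modelled on the ones in the post, plus an inside-to-DMZ line that completes normally for contrast); the function names are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ASA debug lines quoted in the post.
# The last line is a healthy connection added for contrast.
SAMPLE_LOG = """\
Built dynamic TCP translation from outside:192.168.13.5/1316 to dmz(OUT):172.16.13.1/1028
Built inbound TCP connection 469 for outside:192.168.13.5/1316 (172.16.13.1/1028) to dmz:bastionhost/80 (bastionhost/80)
Teardown dynamic TCP translation from outside:192.168.13.5/1317 to dmz(OUT):172.16.13.1/1029 duration 0:00:39
Teardown TCP connection 473 for outside:192.168.13.5/1318 to dmz:bastionhost/80 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 474 for outside:192.168.13.5/1319 to dmz:bastionhost/80 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 480 for inside:10.0.13.7/40211 to dmz:bastionhost/80 duration 0:00:02 bytes 5120 TCP FINs
"""

# Constructed "show nat" excerpt in the same shape as the one in the post.
SAMPLE_SHOW_NAT = """\
NAT policies on Interface outside:
match ip outside any dmz any
dynamic translation to pool 12 (172.16.13.1 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
"""

# Matches the ASA connection teardown line; other lines are ignored.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

NAT_HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


def parse_teardowns(text):
    """Return one dict per 'Teardown TCP connection' line found in the text."""
    rows = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            row = m.groupdict()
            row["bytes"] = int(row["bytes"])
            rows.append(row)
    return rows


def one_way_flows(rows, min_count=2):
    """Group zero-byte 'SYN Timeout' teardowns by ingress/egress interface and
    destination. Repeated hits on the same key mean the SYN reached the far side
    (the connection was built) but no SYN/ACK ever came back through the firewall,
    which points at the return path (routing, NAT or, as in this thread, the L2 path)."""
    counts = Counter()
    for r in rows:
        if r["reason"] == "SYN Timeout" and r["bytes"] == 0:
            counts[(r["src_if"], r["dst_if"], r["dst"], r["dport"])] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


def nat_counter_imbalance(show_nat_text):
    """Rough check over 'show nat' output: an xlate used by a two-way connection
    advances both translate_hits and untranslate_hits. A pair where one counter is
    non-zero and the other is zero is returned, since the translation was only ever
    used in one direction (exactly the '2 / 0' pair the original poster saw)."""
    imbalanced = []
    for m in NAT_HITS_RE.finditer(show_nat_text):
        translate, untranslate = int(m.group(1)), int(m.group(2))
        if (translate == 0) != (untranslate == 0):
            imbalanced.append((translate, untranslate))
    return imbalanced


if __name__ == "__main__":
    for key, n in one_way_flows(parse_teardowns(SAMPLE_LOG)).items():
        src_if, dst_if, dst, port = key
        print(f"{n} one-way connections {src_if}->{dst_if} to {dst}/{port}: check return path")
    for t, u in nat_counter_imbalance(SAMPLE_SHOW_NAT):
        print(f"NAT policy used in one direction only: translate_hits={t} untranslate_hits={u}")
```

Feed it the output of "show nat" and the connection syslogs (the ones the post captured with debug, or the equivalent %ASA-6-302014 teardown messages); a healthy flow such as the inside-to-DMZ line is ignored, which matches the poster's observation that inside-to-DMZ traffic was fine while outside-to-DMZ traffic never got a reply.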
12-07-2006 05:34 PM
Correct me if I understand it wrongly, but you said the access (via static translation) from outside to DMZ is failing. Packets can get through but no return traffic to sender.
I believed your route from firewall to internet/internet route (route outside 0.0.0.0 0.0.0.0
I noticed that since you use the interface as PAT, try:
*assuming your bastionhost is running on the DMZ IP 172.16.13.10
1. configure port redirection from outside interface to bastionhost, i.e
static (dmz,outside) tcp interface 21 172.16.13.10 netmask 255.255.255.255
2. Add/create access-list permitting incoming traffic to bastionhost via the public IP, i.e permitting ftp/21, to your existing acl OUT:
access-list OUT permit tcp any host 192.168.13.2 eq 21
Test the access, and check for any hitcount on the specific acl OUT above.
HTH
AK
12-07-2006 09:54 PM
Yes, you have understood the problem. The static default route is correct and present.
I have already tried to static forward from the external IP to the bastionhost and it works. But I would like to avoid that at the moment and address the bastionhost with its real IP.
12-08-2006 02:20 AM
It will be the ideal case if you have sufficient Public IP to use.
Cheers!
AK
12-08-2006 09:32 AM
Yes it would. But as you have figured out from my subnets, this is just a test setup. But I fail when I try to map the entire network. I know it in theory but in practice it just doesn't work. I haven't found any material from Cisco where they explain what I'm trying to do. They only explain mapping of single hosts.
12-10-2006 05:58 PM
As far as I know, the port redirection/address mapping (outside to inside) works from one (1) single Public/interface IP to many internal hosts with the condition that each of them needs to be mapped/redirected to a different/unique port number. If you intend to redirect to the entire internal subnet, I don't think it's possible as the PIX will not know who (ip/host) will use what port.
HTH
AK
12-11-2006 01:41 AM
That makes sense if you are able to only use the external IP and map inside.
But if you use the external IP only as a default route from the ISP, then have a pool of public IPs in the DMZ, and you don't address the external public IP but instead a public IP directly in the DMZ.
What do you think?
12-12-2006 05:57 PM
Your current DMZ is running on private IP (172.16.13.0 network). If you intend to use/assign Public IP directly on the server, you might have issue with that, i.e server gateway.
Unless, of course, if you assigned the whole DMZ with public IP, then it should be fine. Any servers here can use allocated Public IP, and no address translation (nat 0) is required. Just make sure you have the ACL to control traffic in and out.
Otherwise, just proceed with static nat.
HTH
AK
12-14-2006 12:54 PM
Yes it would.
But I have tried the idea using static again. And it doesn't work either. I get the same error as I got the first time. Syn timeout and untranslate when trying to access the web server in DMZ on outside ip 192.168.14.5
This is the conf I'm currently trying. It would be nice if you could tell me what's wrong with it.
---------- Conf ----------
nat-control
global (outside) 2 192.168.14.20-192.168.14.254 netmask 255.255.255.0
global (dmz) 2 172.16.14.20-172.16.14.254 netmask 255.255.255.0
nat (inside) 2 10.0.14.0 255.255.255.0
! I think this only has to be included if I'd like traffic originating from DMZ to outside.
global (outside) 1 192.168.14.5
nat (dmz) 1 bastionhost 255.255.255.255
access-list WEB extended permit ip any host 192.168.14.5
static (dmz,outside) tcp 192.168.14.5 www bastionhost www netmask 255.255.255.255
access-group WEB in interface outside
---------- End conf ----------
[EDIT] I'm using ASA v7.2.2 [/EDIT]
/Regards
Andreas
12-14-2006 03:43 PM
Your following config is fine, as mapping your bastionhost here with a public IP will enable the server to access internet as well.
access-list WEB extended permit icmp any any --> add this to test bastionhost reachability from outside/internet, and remove later.
access-list WEB extended permit ip any host 192.168.14.5 -> or add 'eq www' to specify port.
static (dmz,outside) tcp 192.168.14.5 www bastionhost www netmask 255.255.255.255
access-group WEB in interface outside
You can omit the following part as it meant to allow bastionhost to access internet only, not allowing internet user to access it.
global (outside) 1 192.168.14.5
nat (dmz) 1 bastionhost 255.255.255.255
BTW, what does the route statement look like?
12-19-2006 04:30 AM
I found the problem. It was a faulty VLAN configuration on the switch between the DMZ and the ASA. I changed the switch and now it works. It took a while to figure it out though since the traffic was working from Inside to DMZ.
Thanks for all the help.
Regards
/Andreas
01-17-2007 11:26 AM
Can you post the changes you made to the switch between the DMZ and ASA as I might be having the same problem. Thanks.