ASA5505 PAT problem

efarkhondeh
Level 1

Hi, I'm trying to set up PAT on an ASA5505 for a host on the inside but I'm not able to. Here's my config. Please help.

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
names
name 192.168.1.10 WebServer description Inside Web Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service NetMeeting tcp
 description NetMeeting Ports
 port-object eq 1503
 port-object eq 1731
 port-object eq 522
 port-object eq h323
 port-object eq ldap
access-list outside_access_in extended permit tcp any host WebServer eq ftp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp WebServer ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global

9 Replies

rleivaoc
Cisco Employee

I see that you already have PAT setup for the inside segment based on these lines:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Are you able to ping the gateway from the client having the issues? (Make sure to enable ICMP for the inside interface: "icmp permit any inside".) Are you able to ping 4.2.2.2 from the host? Can you reach yahoo.com using its IP in a browser? (The IP is 209.131.36.158.)

Please add:

interface Ethernet0/1
 switchport access vlan1

hth

Sushil

Oops, please make it

interface Ethernet0/1
 switchport access Vlan1

:)

No matter how many times I attempt to run Switchport access Vlan1, it just simply does not stick! However, this is the output of 'sh switch vlan':

VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.100.99.999 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!

What's up with that?

VLAN 1 is the native VLAN; by default all ports are on VLAN 1 unless they get assigned to other VLANs, and that's why when you assign a port to VLAN 1 it does not show in the config.

I configured the ICMP and it works. What I'm trying to do is connect to my FTP server from outside. I have a dynamic IP which I get from my ISP; I have used PAT to translate the outside interface to my FTP server, and when I try, this is what's logged by syslog:

Denied by access-group "outside_access_in" [0x0, 0x0]

robfos123
Level 1

You have to add icmp to your inspection rules for ping to work. Also, you have auto config on your DHCP scope without specifying a DNS server. Try:

dns domain-lookup outside
dns server-group group
 name-server 4.2.2.1

You cannot refer to WebServer in your ACL by its inside address (192.168.1.10).

access-list outside_access_in extended permit tcp any host WebServer eq ftp

should be...

access-list outside_access_in extended permit tcp any interface outside eq ftp

Please rate if it helped.
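The point robfos123 makes (on ASA 7.2, before the 8.3 NAT rewrite, an inbound ACL on the outside interface is checked against the mapped address, so an entry written with the static's real inside address never matches) as an added Python lint over the poster's config. This script is not from the thread or from Cisco; the config excerpt is constructed from the lines above, and the regexes only cover the `name`, `static`, `access-list ... host`, and `access-group` forms that appear in it.

```python
import re

# Constructed excerpt of the poster's ASA 7.2 config; the second ACL line is the
# corrected form robfos123 proposes, kept here to show it is not flagged.
CONFIG = """
name 192.168.1.10 WebServer description Inside Web Server
access-list outside_access_in extended permit tcp any host WebServer eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp WebServer ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def find_real_address_acl_hits(config):
    """Return (original, suggested) pairs for ACL entries applied inbound on a
    static's mapped interface that match the static's *real* (inside) address.
    Pre-8.3 ASA evaluates such ACLs against the mapped address, so they never hit."""
    names, statics, acls, groups = {}, [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)                # name -> IP
        elif m := STATIC_RE.match(line):
            _, mapped_if, mapped_addr, _, real_addr, _ = m.groups()
            statics.append((mapped_if, mapped_addr, real_addr))
        elif m := ACL_RE.match(line):
            acls.append((line, m.group(1), m.group(4)))   # line, ACL name, dst
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)                # ACL name -> interface
    findings = []
    for line, acl_name, dst in acls:
        for mapped_if, mapped_addr, real_addr in statics:
            same_if = groups.get(acl_name) == mapped_if
            if same_if and names.get(dst, dst) == names.get(real_addr, real_addr):
                fix = f"interface {mapped_if}" if mapped_addr == "interface" else f"host {mapped_addr}"
                findings.append((line, line.replace(f"host {dst}", fix)))
    return findings


if __name__ == "__main__":
    for original, suggested in find_real_address_acl_hits(CONFIG):
        print("ACL matches real address:   ", original)
        print("use mapped address instead: ", suggested)
```

Run against the full config, the only finding is the poster's `host WebServer` entry, and the suggested replacement is the `interface outside` line from the reply; a config already using the mapped address produces no findings.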

Do your clients not get assigned an IP address? Is the DHCP client service on? Is the firewall off? Any IPsec on the Windows clients?

What are sh xlate and sh conn showing?
