Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
692
Views
0
Helpful
9
Replies

Static NAT Problem - Help Me Understand This

spottedowl
Level 1
Level 1

‎06-22-2007 08:19 AM - edited ‎03-11-2019 03:34 AM

In my ASA 5510 config (posted below), I have an inside interface, two DMZ's, and an outside interface. I have a web server on the 1st DMZ at local address 10.1.2.2. I want this web server to be accessible from the Internet at global address xx.xx.150.80, which is the same address as the outside interface.

The relevant lines from the config are:

static (dmz1,outside) xx.xx.150.80 10.1.2.2 netmask 255.255.255.255

access-list outside_in extended permit tcp any host xx.xx.150.80 eq www

access-group outside_in in interface outside

This doesn't work. When I try to access the web server from the Internet, I get a message in the log saying "TCP connection blocked by ACL". When I change the static statement to:

static (dmz1,outside) interface 10.1.2.2 netmask 255.255.255.255

everything works. My question is: why does this work when I use "interface" in place of the actual IP address of the outside interface in the static statement?

asdm image disk0:/asdm506.bin

no asdm history enable

: Saved

:

ASA Version 7.0(6)

!

hostname asa

domain-name example.com

enable password xxxxxxxxxxx encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address xx.xx.150.80 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz1

security-level 50

ip address 10.1.2.1 255.255.255.0

!

interface Ethernet0/3

nameif dmz2

security-level 10

ip address 10.1.3.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxxxxx.xxxxxxxxx encrypted

ftp mode passive

access-list inside_dmz1 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list dmz1_in extended permit tcp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq ssh

access-list dmz1_in extended deny ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list dmz1_in extended permit ip any any

access-list outside_in extended permit tcp any host xx.xx.150.80 eq www

pager lines 77

logging enable

logging monitor informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz1 1500

mtu dmz2 1500

mtu management 1500

no failover

monitor-interface outside

monitor-interface inside

monitor-interface dmz1

monitor-interface dmz2

monitor-interface management

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_dmz1

nat (inside) 1 10.1.1.0 255.255.255.0

nat (dmz1) 1 10.1.2.0 255.255.255.0

static (dmz1,outside) xx.xx.150.80 10.1.2.2 netmask 255.255.255.255

access-group outside_in in interface outside

access-group dmz1_in in interface dmz1

route outside 0.0.0.0 0.0.0.0 xx.xx.150.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.1.1.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 10.1.1.0 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh 10.1.1.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

Cryptochecksum:xxx

: end

Labels:
0 Helpful
9 Replies 9

gurdsing
Level 1
Level 1

‎06-22-2007 04:27 PM

Thats the way static command works in 7.x code.

Read through the note in command reference, syntax description (interface):

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp1540284

Regards,

Guru.

0 Helpful

kcarjun2002
Level 1
Level 1

‎06-22-2007 06:22 PM

I got the exact sam eproblem as yours after I migrated to asa5510. I see all the NAT and access-list fine but the web server located at dmz is not accessible form outside. But I have not issued that command that you mentioned.

When you run the command this way which public ip gets mapped with your internal ip

10.1.2.2?

static (dmz1,outside) interface 10.1.2.2 netmask 255.255.255.255

0 Helpful

gurdsing
Level 1
Level 1
In response to kcarjun2002

‎06-22-2007 11:49 PM

The outside interface IP address will get mapped to the 10.1.2.2 address in your case.

Regards,

Guru.

0 Helpful

kcarjun2002
Level 1
Level 1
In response to gurdsing

‎06-23-2007 07:48 AM

Thanks Guru

I already have different public ip mapped with my new web server,located at dmz. When I compare the nat and access-list with the other web servers at the same location, I don't see anything different. Why is it not still accessible from outside? Can you explain me in little details how can I troubleshoot this.

Thanks in advance.

Thanks

0 Helpful

JBDanford2002
Level 1
Level 1
In response to kcarjun2002

‎06-23-2007 08:16 AM

The problem is that you were trying use the IP address assigned to the interface. When using the interface IP you must use the "interface" keyword.

"

INTERFACE:

Specifies the interface IP address for the global address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.

Note You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of a PIX Firewall interface in a static PAT entry. "

0 Helpful

kcarjun2002
Level 1
Level 1
In response to JBDanford2002

‎06-23-2007 12:58 PM

Actually, I am using the static NAT address not the one from the outside interface.

My outside interface is x.x.2.147

and the internal ip that I am using for web server is 172.16.1.6.

The following is the relevant config that I am using. But its still not accesible from outside. DO I have to do anything special for version 7.x

static (dmz,outside) X.X.2.125 172.16.1.6 netmask 255.255.255.255

access-list acl_allow_in permit tcp any host X.X.2.125 eq www

access-list acl_allow_in in interface outside

0 Helpful

JBDanford2002
Level 1
Level 1
In response to kcarjun2002

‎06-23-2007 02:54 PM

Kind of confused. Your config above shows the following for your DMZs and I didnt see any additional route so I am figuring you have conflicting subnets. Below you DMZ shows

10.1.3.1 but your server IP is 172.16.1.6. Has something changed? Post a full scrubbed config.

interface Ethernet0/2

nameif dmz1

security-level 50

ip address 10.1.2.1 255.255.255.0

!

interface Ethernet0/3

nameif dmz2

security-level 10

ip address 10.1.3.1 255.255.255.0

0 Helpful

kcarjun2002
Level 1
Level 1
In response to kcarjun2002

‎06-23-2007 03:42 PM

Sorry for confusion. May be I should have posted my problem separately.

0 Helpful

JBDanford2002
Level 1
Level 1
In response to kcarjun2002

‎06-23-2007 04:34 PM

My apologies. I didnt realize you werent the original poster.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card