Firewall/NAT issues on Cisco ASA 5520

leonardof
Level 1

Dear NetPro folks,

I've been working on a homologation process for the deployment of Cisco ASA 5520 appliances and I've been unable to successfully make use of static NAT/PAT in order to translate services from the outside pool of IP addresses to inside (real) IP addresses (there is no DMZ perimeter at this time; there are "outside" and "inside" interfaces only).

The scenario is as follows:

Cisco ASA:

- Inside: 10.1.4.16/24

- Outside: 200.200.10.41/26

The pool of registered IP addresses is as follows: 200.200.10.0/26.

The actual ASA configuration (or at least a small part of it that represents the scope of my issue) is as follows:

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.4.16 255.255.255.0
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 200.200.10.41 255.255.255.192
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 1374
 port-object eq 3389
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
access-list outside_access_in extended permit tcp any host 200.200.10.60 object-group DM_INLINE_TCP_1 log disable
access-group outside_access_in in interface outside
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
static (inside,outside) tcp 200.200.10.60 ftp-data 10.1.4.10 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 200.200.10.60 ftp 10.1.4.10 ftp netmask 255.255.255.255
static (inside,outside) tcp 200.200.10.60 www 10.1.4.10 www netmask 255.255.255.255
static (inside,outside) tcp 200.200.10.60 3389 10.1.4.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 200.200.10.60 1374 10.1.4.10 1374 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 200.200.10.1 1
route inside 10.1.0.0 255.255.0.0 10.1.4.254 1

There are, of course, several other Access Control Lists and Static NAT/PAT entries, and each one of them uses a separate IP address from the global pool (i.e. 200.200.10.35, 200.200.10.36... 200.200.10.60), and the objective here is to NAT these registered IP addresses to their respective private ones at some specific ports, from outside to inside (i.e. 200.200.10.39 TCP 22 --> 10.1.4.8 TCP 22). These translations are not working either.

I would really appreciate it if someone could possibly help me out. Please find enclosed a drawing and the actual ASA config (the full version of it).

I look forward to hearing from you soon. Thank you in advance!

Best regards.

Leonardo Furtado
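As an added example (not part of the thread or the poster's configuration), a small Python check for the one consistency rule this kind of pre-8.3 ASA setup depends on: every static PAT publishes a mapped address and port, and the ACL applied to the outside interface must permit that same mapped socket, because ASA code before 8.3 matches the interface ACL against the mapped (global) address. The sample config is constructed from the lines quoted above plus the 200.200.10.39 TCP 22 --> 10.1.4.8 translation the poster mentions, for which no ACL line appears in the post.

```python
import re

# Service names the ASA accepts in place of numbers (subset relevant to this thread).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "ssh": 22}

# Constructed sample in the poster's pre-8.3 syntax: the 200.200.10.60 entries from the
# thread plus the 200.200.10.39 -> 10.1.4.8 SSH static the poster mentions without an ACL.
SAMPLE = """\
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq ftp
 port-object eq www
access-list outside_access_in extended permit tcp any host 200.200.10.60 object-group DM_INLINE_TCP_1
access-group outside_access_in in interface outside
static (inside,outside) tcp 200.200.10.60 ftp 10.1.4.10 ftp netmask 255.255.255.255
static (inside,outside) tcp 200.200.10.60 www 10.1.4.10 www netmask 255.255.255.255
static (inside,outside) tcp 200.200.10.60 3389 10.1.4.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 200.200.10.39 22 10.1.4.8 22 netmask 255.255.255.255
"""

def port(tok):
    """Resolve an ASA port token (service name or number) to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def audit_static_pat(config):
    """Return (mapped_ip, mapped_port, real_ip, real_port) for every static PAT
    whose mapped socket is not permitted by an outside 'permit tcp any host' entry.
    Only the ACL/object-group forms used in the thread are parsed."""
    groups, permitted, statics, current = {}, {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object-group service (\S+) tcp$", line):
            current = groups.setdefault(m.group(1), set())
        elif (m := re.match(r"port-object eq (\S+)$", line)) and current is not None:
            current.add(port(m.group(1)))
        elif m := re.match(r"access-list \S+ extended permit tcp any host (\S+) "
                           r"(?:object-group (\S+)|eq (\S+))", line):
            ip, grp, single = m.groups()
            permitted.setdefault(ip, set()).update(groups.get(grp, set()) if grp else {port(single)})
        elif m := re.match(r"static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)", line):
            statics.append((m.group(1), port(m.group(2)), m.group(3), port(m.group(4))))
    return [s for s in statics if s[1] not in permitted.get(s[0], set())]

if __name__ == "__main__":
    for mapped_ip, mapped_port, real_ip, real_port in audit_static_pat(SAMPLE):
        print(f"no outside ACL permit for {mapped_ip}:{mapped_port} -> {real_ip}:{real_port}")
```

A clean result from this check means the ACL and static lines agree with each other, which is as far as a config review can go; it says nothing about the path outside the box, which is where this thread's problem turned out to be.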

5 Replies

Can you post the output of 'show run sysopt'?

Hello sundar.

Thanks for your help in this matter. I really appreciate it.

Please find enclosed my actual config file (full version). This is what my configuration looks like.

Unfortunately the box had to be decommissioned until we find out what has caused the static NAT issues. I am gonna request my team to issue a 'show run sysopt' and get it back to you shortly.

Thank you!!

Leonardo Furtado

Leonardo,

I don't see anything wrong with the configuration. The outside ACL and static are configured correctly for the server(s) to be accessed from outside.

I was suspecting that maybe proxy ARP was disabled on the outside interface, as that could present this problem, but the configuration appears to indicate that proxy ARP is enabled on the outside. Did you try the clear xlate after the configuration was changed?

HTH

Sundar

Hi Sundar,

Once again, thanks for your support!

Well... as a matter of fact, yes, I cleared out xlate after performing the configuration changes. I have also recycled the box a couple of times to see what would happen next, and still nothing at all. I am unable to get it done as it was supposed to.

I guess I should contact Cisco directly in order to determine what the heck is going on with this box! Actually I was just wondering if I had been doing something wrong, configuration-wise, but apparently I am doing the right thing.

I will surely reply to this topic once I find out what has caused these issues.

Thank you for your help, and have a good one!

Best regards,

Leonardo

leonardof
Level 1

After a troubleshooting session, we've identified that a Cisco switch was causing all the mess. Configuration-wise, everything looked perfect. After upgrading its software and rebooting the switch - while preserving all of its original configuration parameters - the issue was gone for good. Indeed, very weird.

I appreciate everybody's help in this matter.

Leo
