ASA 5505 static nat issues

Unanswered Question
Nov 9th, 2007

Hi there!

For the last two days I have been working on a very strange issue regarding 'static' or '1:1' mapping. Here is the scenario:


I have one firewall (ASA 5505) with two interfaces (vlan1, which is the 'inside', and vlan2, which is the outside). Vlan1 has the default security level 100 and vlan2 has security level 0. So, I have an IP address configured on vlan2 (10.0.0.2) with gateway 10.0.0.1. On the other interface I have configured IP address 192.168.0.1.


192.168.0.1(inside +ASA+ outside)10.0.0.2


Behind vlan1, I have a network station with IP address 192.168.0.2. The goal is to achieve two-way NAT (static) so that all packets going from 192.168.0.2 are translated into the public IPv4 address x.x.x.x. For this I'm using the static command with the following arguments:


static (inside,outside) x.x.x.x 192.168.0.2 netmask 255.255.255.255


And here is where my problems started. From inside to outside (I mean traffic initiated from 192.168.0.2) everything looks fine. The address is translated into x.x.x.x and it works fine. BUT when I try to reach the IP address x.x.x.x from an IP located behind the outside interface (let's say from 10.0.0.1), the traffic IS NOT redirected to address 192.168.0.2 (which the static command should do) but is processed by the ASA itself, as if the traffic were destined for 10.0.0.2 (which is the outside IP address of the firewall). I have configured an access-list which permits ip from any to any (for testing purposes), applied as an access-group for inbound traffic on the outside interface:


[snip]

access-list outside_access_in extended permit ip any any

access-group outside_access_in in interface outside

[/snip]


Can anyone give me a clue, because I'm getting desperate! What should I do to stop the ASA processing this traffic, which should be redirected/translated? One more thing: I did a network scan with the nmap software to check the open ports of the ASA (here is the result):


PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy


Which application is using the http-proxy port? Because my problems start here (traffic destined to x.x.x.x has dst port 8080, so I believe there must be a reason for the ASA to process it by itself).


Best Regards,

Danail Petrov
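An added example (not from the original post or from Cisco) that models what a `static (inside,outside)` entry like the one above should do in each direction, so the expected translation can be compared with what the ASA actually does on the wire. The sample config is constructed: 203.0.113.10 stands in for the post's x.x.x.x, and a second network static is included to show the netmask case the post does not use.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample config: the post's static line (203.0.113.10 in place of x.x.x.x)
# plus a network static to exercise the netmask case.
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.0.2 netmask 255.255.255.255
static (inside,outside) 203.0.113.64 192.168.0.64 netmask 255.255.255.192
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(
    r"static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$"
)

@dataclass(frozen=True)
class StaticNat:
    real_ifc: str      # interface where the real (inside) address lives
    mapped_ifc: str    # interface where the mapped (global) address is seen
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network

def parse_statics(config):
    """Extract 'static (real,mapped) mapped real netmask m' lines from an ASA config."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append(StaticNat(
                m["real_ifc"], m["mapped_ifc"],
                ipaddress.IPv4Network(f"{m['mapped']}/{m['mask']}"),
                ipaddress.IPv4Network(f"{m['real']}/{m['mask']}"),
            ))
    return entries

def _shift(addr, src_net, dst_net):
    # Swap the network part, keep the host part (exact for /32, offset for a network static).
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + offset)

def translate(entries, ingress_ifc, src, dst):
    """(src, dst) after static NAT: inside->outside rewrites src, outside->inside rewrites dst."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if ingress_ifc == e.real_ifc and src in e.real:
            return str(_shift(src, e.real, e.mapped)), str(dst)
        if ingress_ifc == e.mapped_ifc and dst in e.mapped:
            return str(src), str(_shift(dst, e.mapped, e.real))
    return str(src), str(dst)   # no static matched: packet passes untranslated
```

Comparing `translate(...)` for a packet from 10.0.0.1 to the mapped address against a capture on the inside interface shows whether the reverse translation the post expects is actually taking place.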

pszczola1 Sun, 11/11/2007 - 20:17

I guess you must have a router after the firewall. It's hard to advise without a picture of the whole architecture. I used an ASA 5505 with the following architecture:


Inside Network or vlan 1 > ASA > DSL Modem

How many public addresses do you have available?

Do you have any other translations (PAT?)

Why not give a public address to the outside interface of the ASA instead of 10.0.0.2?


The setting (private address on inside, public address on outside) should fix the problem.


