ASA port translation (PAT) Issue

Answered Question
Mar 29th, 2010

Hi,
I have a strange issue with PAT on a Cisco ASA 5540 running Version 8.0(5).

We have a web server (172.16.20.8) in the DMZ listening on port 90. If anyone accesses the website from outside on port 80, the ASA should translate the port to 90. So I executed the following command.

"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"

I also enabled the access-list on the outside interface

"access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www"

This time the website is not accessible from outside, showing the error "The IE cannot display the webpage".

When I ADD the following configuration to the ASA, it works.

"static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255" (A direct NAT applied. The ASA showed a warning that there is a conflict with the existing PAT, but I ignored the warning.)

I also added an access-list on the outside interface - "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90"

ASA5540# show xlate
PAT Global 125.145.215.185(80) Local 172.16.20.8(90)
Global 125.145.215.185 Local 172.16.20.8

Now the website can be accessed from outside, but the translated port can be seen in the address bar.

What I understand from the troubleshooting is that the packets are going to the web server without any translation.

How can I resolve this issue? Please advise.

Thanks
GK

Correct Answer by Jennifer Halim about 6 years 7 months ago

Don't use port 90 to test. Use port 8080.

Jennifer Halim Mon, 03/29/2010 - 01:12

1) Is 125.145.215.185 the ASA outside interface IP address, or a different IP address from the ASA outside IP?

2) Also, did you perform a "clear xlate local 172.16.20.8" or "clear xlate" in general after configuring the port address translation?

gopakumarmk Mon, 03/29/2010 - 01:47

Hi,

Thank you for the message.

Answer for,

Q1. The IP concerned, 125.145.215.185, is not an interface IP. It is a different IP address in our public IP address range and has never been used for any of our other translations.

Q2. The clear xlate command has been issued many times, whenever I make these configuration changes.

Thanks

GK

Jennifer Halim Mon, 03/29/2010 - 01:56

Thanks GK.

When the following translation is used:

"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"

Do you see any increase in the hit count on your ACL when you try to initiate the connection multiple times:

access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www

gopakumarmk Mon, 03/29/2010 - 02:26

Hi,

Thank you for the response.

Yes, I saw the hit count on the following access list BEFORE I made the configuration changes.

access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www

But now I can't see any hit count on the above access list; instead I can see the hit count on the following access list.

access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90 (hitcnt=15)

Thanks

GK

gopakumarmk Mon, 03/29/2010 - 05:41

Hi,

Sorry Halijenn,

I forgot to tell you that the public IP I posted in this discussion is not the real one, because for security reasons I can't expose the IP. It is a military web site and it is not yet published. So please excuse me.

I am sure that the web site is working from outside and getting the hit count on the access list which is equal to tcp 90.

Do you think any other issue still exists?

Please advise.

Thank you

GK

Kureli Sankar Mon, 03/29/2010 - 07:58

The warning that you ignored may be causing this to fail. Remove this line (port 80 to 90) and add it again, then copy and paste the message that you get when you do this.

Need the output of

sh run static | i 125.145.215.185

sh run global

-KS

gopakumarmk Mon, 03/29/2010 - 21:09

Hi,

Here is the warning message when I create the additional static NAT translation.

ASA5540(config)#static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255

WARNING: mapped-address conflict with existing static

  TCP dmz:172.16.20.8/90 to outside:125.145.215.185/80 netmask 255.255.255.255

WARNING: real-address conflict with existing static

  TCP dmz:172.16.20.8/90 to outside:125.145.215.185/80 netmask 255.255.255.255

Please note that there was already a PAT when I executed the above command.

"static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"

Output of show run static | in 125.145.215.185

static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255

static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255

Output of sh run global

global (outside) 1 interface

global (outside) 3 125.145.215.182

global (outside) 2 125.145.215.183

global (outside) 4 125.145.215.184

Thanks & Regards

GK

Lunzhicheng7 Tue, 03/30/2010 - 00:51

Are you really sure you've activated port 90 just for the service? I made a test on my rack configured as you described in the first half of your post, and it works well.

gopakumarmk Tue, 03/30/2010 - 02:21

Hi,

Thank you Mr. Lun,

The server is listening on port 90, and users can access it by typing http://<address>:90.

The port translation is NOT working on the ASA.

The strange thing is that I have another port translation and it is working fine.

"ASA(config)# static (inside,outside) tcp 125.145.215.182 9130 192.168.10.2 80 netmask 255.255.255.255

ASA(config)# global (outside) interface" (Note: interface IP)

The above config works properly. Users access the web server on port 9130 and the translation works.

Thanks & Regards

GK

Jennifer Halim Tue, 03/30/2010 - 03:02

When you configure just the following:

static (DMZ,outside) tcp  125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255

and test access to it, can you please gather the syslog messages to see why it's not allowing the connection.

Also, "clear asp drop", and test the connection again, and grab the output of "show asp drop"

Kureli Sankar Tue, 03/30/2010 - 05:55

Gopal,

static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255

static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255 --------------------------------> you already have this line

so, you cannot add the first line.  You have 1-1 NAT already configured.

You may want to remove static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255 line and then add

static PAT lines instead.

-KS

gopakumarmk Tue, 03/30/2010 - 20:50

Hi Sankar,

Thank you for the message.

The issue is that the port translation is not working when I do the PAT as I mentioned earlier. But when I add 1-1 NAT, it works!

Do I need to configure "inspect http" in global inspection?

Also I am preparing the syslog and will post it later.

Thanks

GK

Kureli Sankar Wed, 03/31/2010 - 06:02

So, you remove the 1-1 NAT and only leave the port 80 to port 90 static PAT, allowed permission via acl applied on the outside and you did a clear xlate x.x.x.x for this host and it does not work?

That is strange.  Need syslogs.

Are you sure this host 172.16.20.8 listens on port 90? Does it work internally when you try to load the page?

-KS

gopakumarmk Wed, 03/31/2010 - 20:54

Thank you KS.

The server is listening on port 90 and can be accessed from both inside and outside by typing the port number with the http address.

I will post the syslog later.

Thanks

GK

gopakumarmk Fri, 04/16/2010 - 23:41

Dears,

Sorry for the late reply. The developer was on leave.

My goal is to translate port 80 from outside to port 90 in the DMZ. Please find the syslog below.

Config:

ASA5540# access-list outside_access_in extended permit tcp any host 125.145.215.185  eq www
ASA5540# static (dmz,outside) tcp 125.145.215.185  www 172.16.20.8 90 netmask 255.255.255.255

Sys Log:

4/15/2010 10:44:11 Local4.Critical 192.9.1.100 Apr 15 2010 10:44:11: %ASA-2-106001: Inbound TCP connection denied from 213.101.111.189/2082 to 125.145.215.185/90 flags RST on interface outside

4/15/2010 10:44:03 Local4.Critical 192.9.1.100 Apr 15 2010 10:44:03: %ASA-2-106001: Inbound TCP connection denied from 213.101.111.189/2151 to 125.145.215.185/90 flags SYN on interface outside

When I permit tcp 90 on the outside interface and create a static NAT (config below), and the user tries to access http://125.145.215.185:90 from outside, it works fine.

New Config
ASA5540# access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90
ASA5540# static (dmz,outside) 125.145.215.185  172.16.20.8 netmask 255.255.255.255

New sys log when permit TCP 90

Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953415 for outside:213.100.118.100/13406 (213.100.118.100/13406) to dmz:172.16.20.8/90 (125.145.215.185/90)

Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953414 for outside:213.100.118.100/13404 (213.100.118.100/13404) to dmz:172.16.20.8/90 (125.145.215.185/90)

Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953413 for outside:213.100.118.100/13403 (213.100.118.100/13403) to dmz:172.16.20.8/90 (125.145.215.185/90)

Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953412 for outside:213.100.118.100/13400 (213.100.118.100/13400) to dmz:172.16.20.8/90 (125.145.215.185/90)

Please advise why the 1st config was not working.

Thanks

GK

Jennifer Halim Fri, 04/16/2010 - 23:56

You have tried the following 2 statements:

1) static (dmz,outside) tcp 125.145.215.185  www 172.16.20.8 90 netmask  255.255.255.255

2) static (web,outside) 125.145.215.185  172.16.20.8 netmask  255.255.255.255

You mentioned the second statement works, but not the first. But they are 2 different interfaces. First one is dmz, and the second one is web.

If you change your first line to the following:

static (web,outside) tcp 125.145.215.185  www 172.16.20.8 90 netmask  255.255.255.255

Does this work?

gopakumarmk Sat, 04/17/2010 - 02:08

Hi Halijenn,

Thank you for the reply.

Both are the same interface. When I customized the current config for posting, I forgot to edit the interface name.

Please read as following.

1) static (dmz,outside) tcp 125.145.215.185  www 172.16.20.8 90 netmask  255.255.255.255

2) static (dmz,outside) 125.145.215.185  172.16.20.8 netmask  255.255.255.255

Thanks

GK

Jennifer Halim Sat, 04/17/2010 - 02:24

OK, in that case, can you check/test the following:

1) Do you have "inspect http" configured on your global policy? if you do, can you please remove it.

2) Can you please test with using a different port than port 80, maybe try with 8080 as follows:

static (dmz,outside) tcp 125.145.215.185 8080 172.16.20.8 90 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 8080

gopakumarmk Sat, 04/17/2010 - 03:36

Thank you Halijenn,

We don't have 'inspect http' configured on the ASA.

I applied the same config as you requested, but no positive result.

config:

static (dmz,outside) tcp 125.145.215.185 8086 172.16.20.8 90 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 8086

Syslog:

04-17-2010 13:16:41 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:41: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:16:35 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:35: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:16:32 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:32: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN  on interface outside


04-17-2010 13:15:58 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:58: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:15:52 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:52: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:15:49 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:49: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN  on interface outside

Thanks

GK

Jennifer Halim Sat, 04/17/2010 - 03:44

Port 8080 you mean? Not 8086.

But your syslog is showing you are using port 90, hence it's being denied.

gopakumarmk Sat, 04/17/2010 - 03:46

OK. I will use port 8080 instead of 8086 and will update you with the syslog.

Thanks GK

gopakumarmk Sat, 04/17/2010 - 03:58

Hi Halijenn,

No hope!

Syslog:

04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:48:33 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:33: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:48:30 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:30: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN  on interface outside

Config:

static (web,outside) tcp 125.145.215.185 8080 172.16.20.8 90 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 8080

So I tried http://125.145.215.185:8080 from outside, but no way!

Thanks

GK

Jennifer Halim Sat, 04/17/2010 - 04:03

Have you done a "clear xlate" and also removed the static 1:1 that you had earlier:

static (web,outside) 125.145.215.185 172.16.20.8 netmask  255.255.255.255

gopakumarmk Sat, 04/17/2010 - 04:10

Yes Halijenn,

I did the clear xlate whenever I changed the NAT config; also, the 1:1 NAT was not there.

We are using an IPS sensor in front of the ASA. That means any outside request will first hit the IPS. The inspection engine was switched off and the issue was tested, but no hope.

Thanks

GK

Jennifer Halim Sat, 04/17/2010 - 05:02

The syslog does not match the configuration and your test.

You tested it on port 8080, but the syslog saw the connection towards port 90:

04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39:  %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058  to 125.145.215.185/90 flags SYN  on interface outside

gopakumarmk Sat, 04/17/2010 - 05:15

Hi Halijenn,

The server is listening on port 90 from inside, so the packet should go to port 90 after the port translation.

That means from outside (x.x.x.x/8080) to dmz: 172.16.20.8/90 (125.145.215.185/90)

That's why the syslog is showing port 90.

Thanks

GK

Jennifer Halim Sat, 04/17/2010 - 05:19

No, please look closely at the syslog again:

04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39:   %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058   to 125.145.215.185/90 flags SYN  on interface outside

The SYN packet is going towards the public IP address 125.145.215.185 on port 90.

Can you plug a PC directly to the outside interface VLAN, and try to connect?

Kureli Sankar Sat, 04/17/2010 - 06:04

GK,

Is this IP address 125.145.215.185 the outside interface IP address?

If so, on your static pls. replace the IP address with the keyword "interface".

Give it a shot.

-KS

Kureli Sankar Sat, 04/17/2010 - 06:17

Pls. paste the output of

sh xlate debug | i 172.16.20.8

sh run static | i 172.16.20.8

Certainly the xlate is not there, so the firewall denies these packets.

Make sure to try this from an outside computer browser: http://125.145.215.185:8080

Requests are coming to port 90 that is incorrect. Also from the client on the outside you can also try this "telnet 125.145.215.185 8080"

-KS

gopakumarmk Sat, 04/17/2010 - 06:41

Hi sankar,

Sorry, I have removed port 8080 from outside and replaced it with port 80. Here is the output.

sh xlate debug | i 172.16.20.8

TCP PAT from dmz:172.16.20.8/90 to outside:125.145.215.185/80 flags sr idle 0:01:14 timeout 0:00:00

sh run static | i 172.16.20.8

static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255

Thanks

GK

Kureli Sankar Sat, 04/17/2010 - 07:03

Make sure to try this from an outside computer browser: http://125.145.215.185

Requests are coming to port 90 that is incorrect. Also from the client on the outside you can also try this "telnet 125.145.215.185 80"

while someone is doing the test, get the syslog.

sh logg | i 125.145.215.185

-KS

gopakumarmk Sat, 04/17/2010 - 08:56

Sankar,

Tried http://125.145.215.185, no hope, and

telnet 125.145.215.185 80 (working, listening on port 80)

Thanks GK

Kureli Sankar Sat, 04/17/2010 - 09:27

Kumar,

You are making it very hard to help you.

1. Pls. do not keep changing the port in the statics. Just leave one port until you get it working.

2. Pls. finish all the steps that we ask you to do.  Where are the syslogs when it worked for the "telnet ip_address 80" ? You got a blank black screen with a blinking cursor?

-KS

gopakumarmk Sat, 04/17/2010 - 09:50

Hi sankar,

Here is the syslog when I telnet to the server.

04-17-2010 18:51:48 Local4.Info 192.9.1.100 Apr 17 2010 18:51:48: %ASA-6-302013: Built inbound TCP connection 7544564 for outside:78.101.224.135/52839 (78.101.224.135/52839) to dmz:172.16.20.8/90 (125.145.215.185/80)

Yes, I got a blank black screen with a cursor.

Thanks

GK

Kureli Sankar Sat, 04/17/2010 - 14:24

The config on the firewall is correct. The connection is built perfectly.

I think there is something wrong with the webserver.

Try to telnet to this http://172.16.20.8:90 from a computer in the 172.16.20.0/24 subnet and make sure the page loads.

-KS
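The two syslog readings that settle this thread (Jennifer's point that the denied SYNs were aimed at port 90 rather than the mapped port, and KS's conclusion that the 302013 "Built inbound" line with /80 mapped to /90 proves the static PAT is working) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses one `static (real,mapped) tcp ...` statement plus a handful of %ASA-2-106001 and %ASA-6-302013 lines, and labels each line as "the client hit a port the static does not map", "denied on the mapped port (so look at the ACL/xlate, not the client)", "translated as expected", or "built with mapped port equal to real port (a 1:1 static was in effect)". The sample lines are constructed after the ones posted above, and the small service-name table (`www` = 80, etc.) is an assumed subset of the names ASA accepts, not the full list.

```python
import re

# Constructed sample input, modelled on the static PAT and the syslog lines
# posted in the thread; not captured from a live device.
STATIC_PAT = ("static (dmz,outside) tcp 125.145.215.185 www "
              "172.16.20.8 90 netmask 255.255.255.255")

SAMPLE_SYSLOG = """\
Apr 17 2010 13:48:39: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN  on interface outside
Apr 17 2010 13:16:41: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/80 flags SYN  on interface outside
Apr 17 2010 18:51:48: %ASA-6-302013: Built inbound TCP connection 7544564 for outside:78.101.224.135/52839 (78.101.224.135/52839) to dmz:172.16.20.8/90 (125.145.215.185/80)
Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953415 for outside:213.100.118.100/13406 (213.100.118.100/13406) to dmz:172.16.20.8/90 (125.145.215.185/90)
"""

# Assumed subset of the service names ASA accepts in place of a port number.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21,
              "ssh": 22, "telnet": 23, "smtp": 25}

# static (real_if,mapped_if) tcp|udp mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(
    r"static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) netmask")
DENIED_RE = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)\s*/(?P<dst_port>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)")
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built inbound (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) to "
    r"(?P<real_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"\((?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)\)")


def port_number(token):
    """Resolve a port token from a static statement (a number or a service name)."""
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError("unknown service name: " + token)


def parse_static_pat(line):
    """Turn one static PAT statement into a dict with integer ports."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static PAT statement: " + line)
    d = m.groupdict()
    d["mapped_port"] = port_number(d["mapped_port"])
    d["real_port"] = port_number(d["real_port"])
    return d


def classify(line, pat):
    """Label one 106001/302013 line against the static PAT; returns (verdict, detail)."""
    m = DENIED_RE.search(line)
    if m:
        if m["dst_ip"] != pat["mapped_ip"]:
            return "unrelated", line
        dst_port = int(m["dst_port"])
        who = f"{m['src_ip']}/{m['src_port']} -> {m['dst_ip']}/{dst_port} {m['flags'].strip()}"
        if dst_port == pat["mapped_port"]:
            # Client did the right thing; the ACL or the xlate is the problem.
            return "denied-on-mapped-port", who
        # Client is not using the port the static maps (the thread's port-90 SYNs).
        return "client-hit-unmapped-port", who + f", static maps only /{pat['mapped_port']}"
    m = BUILT_RE.search(line)
    if m:
        if m["mapped_ip"] != pat["mapped_ip"] or m["real_ip"] != pat["real_ip"]:
            return "unrelated", line
        mapped_port, real_port = int(m["mapped_port"]), int(m["real_port"])
        detail = f"{m['mapped_ip']}/{mapped_port} -> {m['real_if']}:{m['real_ip']}/{real_port}"
        if mapped_port == pat["mapped_port"] and real_port == pat["real_port"]:
            return "translated", detail
        # Built, but no port rewrite took place: a 1:1 static was in effect.
        return "built-without-port-translation", detail
    return "unrelated", line


def analyze(syslog_text, static_line):
    """Classify every non-empty syslog line against the static PAT."""
    pat = parse_static_pat(static_line)
    return [classify(l, pat) for l in syslog_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for verdict, detail in analyze(SAMPLE_SYSLOG, STATIC_PAT):
        print(f"{verdict:32} {detail}")
```

Run it against `show logging | include <mapped-ip>` output pasted into `SAMPLE_SYSLOG`: a run of `client-hit-unmapped-port` verdicts means the tester's browser or proxy is not sending to the port the static maps, while `denied-on-mapped-port` means the SYN reached the right port and the ACL or the xlate is what to inspect next.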
