asa 5510 can't make PAT

Unanswered Question
Nov 28th, 2011

According to this document I do port translation through the CLI and I have the following config:

ciscoasa# show run access-list

access-list local standard permit any

access-list outside_access_in extended permit tcp any object http-155

ciscoasa# show run access-group

access-group outside_access_in in interface inet

ciscoasa# show run nat

!

object network http-155

nat (local,inet) static interface service tcp www 5010

!

nat (local,inet) after-auto source dynamic any interface

ciscoasa#

Host 192.168.100.155 has IIS running on it and it serves a plain HTML page.

When I try to run packet-tracer from my ASA 5510 I receive ALLOW on all stages, and on Phase: 2 UN-NAT I receive ALLOW and the "Untranslate A.B.C.D/5010 to 192.168.100.155/80" action (output in attachment).

Then I check the port with a port scanner and it shows "5010 is opened".

BUT in a browser I can't receive the HTML page from 192.168.100.155 when I try to reach http://A.B.C.D:5010

Where is my mistake?

dmpopoff1981 Mon, 11/28/2011 - 07:19

All traffic from interface local to interface inet passes without problems. The security level of inet is 0, and of local is 100. Because of that I haven't added an access rule in the direction from local to inet. Is it right?

Cadet Alain Mon, 11/28/2011 - 07:55

Hi,

For accessing a publicly NATted service from inside by its NATted IP address you have to do hairpinning; otherwise you can also do DNS doctoring by adding the dns keyword to your static PAT config. Then you access the service by FQDN from inside, and the ASA will intercept the DNS reply from the external DNS server and rewrite the public IP obtained to the private address from your static PAT entry.

Here are the links explaining the 2 concepts:

http://blogg.kvistofta.nu/cisco-asa-hairpinning/

http://iptechtalk.wordpress.com/2009/09/04/the-need-for-dns-doctoring-on-asa-methods-and-workarounds/

Don't forget to inspect dns for the dns doctoring solution.

Regards.

Alain

Cadet Alain Tue, 11/29/2011 - 00:57

Hi,

do this:

(config)#access-list cap_inside extended permit tcp any any

(config)#access-list cap_outside extended permit tcp any any

#capture capin interface inside access-list cap_inside

#capture capout interface outside access-list cap_outside

Try to access again from outside, then do this and post the results:

#show capture capin

#show capture capout

Regards.

Alain
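As an added example, not from this thread or from Cisco: a small Python helper that reads the two captures Alain asks for and reports at which hop the TCP handshake for the translated port stops. It assumes the one-packet-per-line format that ASA `show capture` prints (`n: time src.port > dst.port: flags ...`); the sample lines and the addresses 203.0.113.10 / 198.51.100.5 are constructed, and the function names are my own.

```python
import re

# One ASA capture line: "1: 07:58:01.100000 203.0.113.10.51234 > 198.51.100.5.5010: S 1:1(0) win 8192"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)(?P<rest>.*)$"
)

# Constructed sample output (not real captures): outside capture and inside capture.
SAMPLE_CAPOUT = """\
1: 07:58:01.100000 203.0.113.10.51234 > 198.51.100.5.5010: S 1:1(0) win 8192 <mss 1460>
2: 07:58:01.100900 198.51.100.5.5010 > 203.0.113.10.51234: S 9:9(0) ack 2 win 65535 <mss 1460>
"""
SAMPLE_CAPIN = """\
1: 07:58:01.100100 203.0.113.10.51234 > 192.168.100.155.80: S 1:1(0) win 8192 <mss 1460>
2: 07:58:01.100500 192.168.100.155.80 > 203.0.113.10.51234: S 9:9(0) ack 2 win 65535 <mss 1460>
"""


def parse_capture(text):
    """Return (src, sport, dst, dport, kind) per packet; kind is SYN, SYNACK or OTHER."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = "OTHER"
        if m.group("flags").startswith("S"):
            # A SYN/ACK is printed as "S ... ack N"; a bare SYN carries no ack.
            kind = "SYNACK" if " ack " in m.group("rest") else "SYN"
        pkts.append((m.group("src"), int(m.group("sport")),
                     m.group("dst"), int(m.group("dport")), kind))
    return pkts


def diagnose(capout, capin, public_ip, public_port, server_ip, server_port):
    """Walk the handshake from outside to the real server and back; report the first gap."""
    out, inn = parse_capture(capout), parse_capture(capin)
    syn_out = any(k == "SYN" and (d, dp) == (public_ip, public_port) for _, _, d, dp, k in out)
    syn_in = any(k == "SYN" and (d, dp) == (server_ip, server_port) for _, _, d, dp, k in inn)
    synack_in = any(k == "SYNACK" and (s, sp) == (server_ip, server_port) for s, sp, _, _, k in inn)
    synack_out = any(k == "SYNACK" and (s, sp) == (public_ip, public_port) for s, sp, _, _, k in out)
    if not syn_out:
        return "no SYN to the public port on the outside capture: the client never reached the ASA"
    if not syn_in:
        return "SYN seen outside but not inside: the un-NAT or the inbound ACL is dropping it"
    if not synack_in:
        return "SYN reached the server but no SYN/ACK came back: check the service and host firewall"
    if not synack_out:
        return "SYN/ACK seen inside but not outside: the return path or reply NAT is broken"
    return "TCP handshake completes on both sides: look above layer 4 (HTTP, host binding)"
```

If the handshake completes on both captures while the browser still shows nothing, the captures have ruled out the NAT and ACL, which is exactly what the thread needs to know before looking at IIS or at hairpinning for tests run from inside.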

Posted November 28, 2011 at 4:43 AM