Can't get past ASA to internal hosts

Answered Question
Feb 6th, 2014

Hello,


I have a strange issue on my home LAN.  I have a front end router connected to my ASA 5505, which in turn connects my internal LAN.  (I have attached a diagram since there are several components).  I recently upgraded my 1841 router to an RV-320.  Since that change, I can't reach inside hosts from outside.


I initially started a discussion in the Business Router forum, since the issue started as a problem with the router.  (Link to that thread is https://supportforums.cisco.com/thread/2264686 in case anybody wishes to read the entire history, and why I need to make changes on the ASA to make this work).  In the end the only change I believe I need is to add a static NAT translation for each port I want redirected to an internal host.  I am attaching my config; but here is the entry I added in an attempt to redirect an SSH session FROM port 22, TO port 20 on internal host 192.168.1.202:


     static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255


Even after adding that I am unable to get through to that host.  FYI I have port forwarding enabled on the RV router - forwarding all ports (except TCP 443) to the ASA.    So from outside I *am* able to connect to the RV router by establishing an HTTPS session to my public IP. Please let me know if I'm missing something obvious.


Thank you!

Brian

Julio Carvajal Thu, 02/06/2014 - 21:13

Hello Barry,


First of all, in this case the NO_NAT rule will take precedence, so you should be pointing to 192.168.1.202 when doing the SSH.  Are you doing it?



If you are trying to use the rule you created, remember that it will not take place because the NAT 0 is taking precedence, but


Why is the SSH session running over the FTP protocol? I mean Whyyyyyyy????? hahaha


That will cause a lot of issues as that port is reserved for the ASA FTP inspection which is turned on by default and in your case it is


If you want to SSH to an internal host then do something like


static (inside,outside) tcp interface 2222 x.x.x.x 22


But try to avoid using important and standard services for a custom defined rule


Note: Update the ACL to allow traffic on port 2222 and also: Use the public IP address on the ASA (In this case the outside interface)




Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Marius Gunnerud Fri, 02/07/2014 - 00:45
What really stands out to me is this:

access-list NoNAT extended permit ip any any

nat (inside) 0 access-list NoNAT


The NoNAT will take precedence over all other NAT statements.  I suggest removing the nat(inside) 0 statement first and then test before doing anything else...or at least make the NoNAT access list more specific (don't use any any).  Is there any reason you have this configured?


--
Please remember to rate and select a correct answer

BarryJoseph Mon, 02/10/2014 - 18:49

Hi Julio,


Believe it or not I do have a reason for using that well known port.  My company has our systems locked down very tightly.  Only a few ports are open for me to use.  FTP happens to not be locked down (yet).  So that's what I have been using.  And this was working great - until I "upgraded" to this new router.


I have another hole that was opened, which also doesn't work.  (I removed it from the ASA config until I figure out what's going on).  I was attempting to use TCP 1701 to reach my internal web server on port 80.


I want to point out that I can (and have) unplug the RV320 router, plug the 1841 back in, and everything works as I want it.  I just really hope to make this RV router work since I already spent the money, and it's much smaller (and quieter) than the 1841.


I only point to 192.168.1.202 when I want to SSH to that machine.  But from the external machine I point to the ISP address (I hope I understood your question correctly).


Right now I can connect to the router from outside using the ISP IP, and SSL.  I can also connect SSH to the ASA using the ISP IP address and port 22.  But not able to get past the ASA.


Thanks for your reply!

-Brian

Marius Gunnerud Tue, 02/11/2014 - 03:04

Are you doing any NAT on the RV router?




BarryJoseph Tue, 02/11/2014 - 13:29

Marius and Julio,


Yes the RV router is performing NAT.  My understanding is that NAT should be performed at the device closest to the ISP, which in this case is the RV.  Also Julio to further answer your question the RV is also Port Forwarding all traffic (except for port 443) to the ASA.


Should I still be running NAT at the ASA?  Marius in your previous post you questioned the NoNAT statements.  And honestly I could have sworn that I removed those a while back to make this setup work (with my previous router).  But obviously there they are in the config.  Should those be removed, since I'm not doing NAT at the ASA?


Or do I also need NAT (PAT) at the ASA?  Inside host 191.168.1.50 wants to get out to the internet.  It hits gateway 192.168.1.199, which is the internal interface on the ASA.  Doesn't the ASA need to NAT that conversation when it passes it to the next hop (192.168.0.1 - RV LAN IP)?


Sorry trying to grasp this, but getting sort of confused along the way.  Please let me know if you have any ideas


Thank you!

Brian

BarryJoseph Tue, 02/11/2014 - 20:46

Guys I notice the following in my "SHOW NAT" logs:


ASA5505# show nat

NAT policies on Interface inside:
  match tcp inside host 192.168.1.202 eq 22 outside any
    static translation to 192.168.0.2/20
    translate_hits = 0, untranslate_hits = 21
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.0.2 [Interface PAT])
    translate_hits = 7168, untranslate_hits = 49


Does this indicate that NAT is working properly?  I assume the first entry is from my STATIC entry.  It appears to be tracking something... or could that be from when it was working several weeks ago?


I don't know where the 2nd entry is coming from (concerning translation to pool 1).


Please let me know if this helps.


Thanks!
Brian

Marius Gunnerud Wed, 02/12/2014 - 02:48

You should remove all NAT from the ASA, unless you have a specific reason for having it there.  It is the RV router that needs NAT to allow connectivity to the internet.


Here are your NAT statements on the ASA:


global (outside) 1 interface

nat (inside) 0 access-list NoNAT

nat (inside) 1 access-list NAT-ACLs

static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255


access-list NoNAT extended permit ip any any


You have a dynamic NAT that translates everything on the inside to the outside ASA interface (which subsequently connects to the RV router).  Then you have a static PAT that translates the outside interface IP to 192.168.1.202 and allows port 22.  But all this is negated by your NAT 0 (NoNAT) statement, as NAT 0 supersedes all other NAT configuration.  So, technically, you have configured NAT to not use NAT.  I would suggest to take a backup of the NAT config and then remove it and see if anyone starts complaining...I doubt anyone will have issues.


Your NAT hit count that you posted are most likely from a while ago.


The pool 1 is the dynamic NAT:


global (outside) 1 interface

nat (inside) 1 access-list NAT-ACLs

access-list NAT-ACLs extended permit ip 192.168.1.0 255.255.255.0 any


This is actually a policy NAT by definition.  As mentioned earlier, remove all NAT from the ASA, you don't need them here.


It is the RV that should be doing all NAT in this setup, so make sure the NAT statements on the RV are correct in regards to using FTP for SSH...etc.



BarryJoseph Fri, 02/14/2014 - 19:13

Hey Marius,


I think we're really close.  Following your advice, I removed all NAT entries from the ASA.  Users can still connect to the internet.  I have a single static mapping on the ASA:


static (inside,outside) tcp interface 1701 192.168.1.202 www netmask 255.255.255.255


I also have the following access-list:


access-list outside-in permit tcp any host 192.168.1.202 eq 1701


I'm trying to reach an internal web server (at 192.168.1.202) from outside port 1701.


But I still can't access from outside.  I cleared all counters.  But after attempting a connection, when I SHOW NAT I get:


NAT policies on Interface inside:

  match tcp inside host 192.168.1.202 eq 80 outside any

    static translation to 192.168.0.2/1701

    translate_hits = 0, untranslate_hits = 12


But when I check the access-list, it shows 0 hits.  Any idea what I'm still missing?
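The `show nat` counters posted above (and in the earlier post) are the main evidence in this thread: a static whose untranslate_hits climbs after the counters were cleared proves the inbound untranslate happened, so whatever drops the connection sits after NAT. Below is a small parser for that pre-8.3 `show nat` format plus a before/after diff of the counters, added here as an illustration; it is not code from the thread or from Cisco. SHOW_NAT_AFTER is the output Brian posted earlier; SHOW_NAT_BEFORE is a constructed all-zero capture standing in for the state just after clearing the counters.

```python
"""
Parser for the pre-8.3 ASA `show nat` output format seen in this thread, plus a
before/after diff of the hit counters. Added example, not code from the thread
or from Cisco. SHOW_NAT_AFTER is the output posted in the thread; SHOW_NAT_BEFORE
is a constructed all-zero capture standing in for the state after the counters
were cleared.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SHOW_NAT_AFTER = """\
NAT policies on Interface inside:
  match tcp inside host 192.168.1.202 eq 22 outside any
    static translation to 192.168.0.2/20
    translate_hits = 0, untranslate_hits = 21
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.0.2 [Interface PAT])
    translate_hits = 7168, untranslate_hits = 49
"""

# Constructed: the same policies with every counter at zero.
SHOW_NAT_BEFORE = re.sub(r"hits = \d+", "hits = 0", SHOW_NAT_AFTER)

HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")
XLATE_RE = re.compile(r"^(static|dynamic) translation to (.+)$")


@dataclass
class NatPolicy:
    proto: str
    src_if: str
    src: str
    src_port: Optional[str]
    dst_if: str
    dst: str
    dst_port: Optional[str]
    kind: str = ""               # "static" or "dynamic"
    translation: str = ""        # e.g. "192.168.0.2/20" or "pool 1 (...)"
    translate_hits: int = 0      # inside -> outside (outbound) uses
    untranslate_hits: int = 0    # outside -> inside (inbound) uses

    def key(self) -> str:
        """Identity of the policy for diffing: the match line without counters."""
        sp = f" eq {self.src_port}" if self.src_port else ""
        dp = f" eq {self.dst_port}" if self.dst_port else ""
        return f"{self.proto} {self.src_if} {self.src}{sp} {self.dst_if} {self.dst}{dp}"


def _addr(t: List[str], i: int) -> Tuple[str, Optional[str], int]:
    """Consume `any` | `host A` | `A MASK`, then an optional `eq P` / `range A B`."""
    if t[i] == "any":
        addr, i = "any", i + 1
    elif t[i] == "host":
        addr, i = t[i + 1], i + 2
    else:
        addr, i = f"{t[i]} {t[i + 1]}", i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = t[i + 1], i + 2
    elif i < len(t) and t[i] == "range":
        port, i = f"{t[i + 1]}-{t[i + 2]}", i + 3
    return addr, port, i


def parse_show_nat(text: str) -> List[NatPolicy]:
    """Turn the three-line-per-policy output into NatPolicy records."""
    policies: List[NatPolicy] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("match "):
            t = line.split()                      # match <proto> <src_if> <src...> <dst_if> <dst...>
            src, sport, i = _addr(t, 3)
            dst, dport, _ = _addr(t, i + 1)
            policies.append(NatPolicy(t[1], t[2], src, sport, t[i], dst, dport))
            continue
        if not policies:
            continue
        m = XLATE_RE.match(line)
        if m:
            policies[-1].kind, policies[-1].translation = m.group(1), m.group(2)
            continue
        m = HITS_RE.search(line)
        if m:
            policies[-1].translate_hits = int(m.group(1))
            policies[-1].untranslate_hits = int(m.group(2))
    return policies


def diff_hits(before: List[NatPolicy], after: List[NatPolicy]) -> Dict[str, Tuple[int, int]]:
    """(translate, untranslate) deltas per policy; a policy absent from `before` counts from zero."""
    prev = {p.key(): p for p in before}
    out: Dict[str, Tuple[int, int]] = {}
    for p in after:
        b = prev.get(p.key())
        bt, bu = (b.translate_hits, b.untranslate_hits) if b else (0, 0)
        out[p.key()] = (p.translate_hits - bt, p.untranslate_hits - bu)
    return out


if __name__ == "__main__":
    after = parse_show_nat(SHOW_NAT_AFTER)
    for k, (t, u) in diff_hits(parse_show_nat(SHOW_NAT_BEFORE), after).items():
        print(f"{k}: +{t} outbound, +{u} inbound")
```

Capture `show nat` once after clearing the counters and once after the failed connection attempt, feed both captures to `diff_hits`, and read the untranslate column for the static you are testing: a non-zero delta there together with an outside-in ACL that never increments is exactly the symptom reported in this post.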

Marius Gunnerud Fri, 02/14/2014 - 23:34

static (inside,outside) tcp interface 1701 192.168.1.202 www netmask 255.255.255.255

This statement should be removed from the ASA and instead a similar configuration should be implemented on the RV router.  You are accessing the network via the interface on the RV router, not the interface on the ASA.


access-list outside-in permit tcp any host 192.168.1.202 eq 1701

This statement is incorrect.  You are accessing the server on port 1701 from the internet which is via the RV router.  The RV router should have a NAT statement translating port 1701 to 80, and on the ASA you should have an ACL permitting traffic to port 80

access-list outside-in permit tcp any host 192.168.1.202 eq 80


The reason you are seeing no translations on the ASA is because you are configuring the wrong device for access to your network.  Configure the RV router and you should start to see results. The only thing that should be configured on the ASA is access lists that permit the desired traffic into the network.



BarryJoseph Sat, 02/15/2014 - 12:41

Hi Marius,


I understand what you are saying.  However before I opened this support request I had a ticket opened with Cisco.  They told me this has to be done via a static translation on the ASA.  So right now at the RV router all traffic is being forwarded (via port forwarding) to the ASA interface at 192.168.0.2.  I had originally tried static translations at the RV instead of port forwarding, but traffic wasn't coming through.  (Please see the post I mentioned at the beginning of this thread for details).  I am very willing to try again though, if you have a suggestion how I can make it work.  If I understand so far this would entail:


- Disable Port Forwarding on the RV

- Remove both Static Translations, and Access List entries you mentioned above, at the ASA

- Create Static Port Translation entries on the RV, specifically forwarding traffic I wish to reach the inside host.


Question on that last item:  Should that traffic be forwarded directly to the host IP, or to the ASA external interface?


I already have port 80 opened on the ASA.


Please let me know if I have the right idea.


Thank you!

Brian

Correct Answer
Marius Gunnerud Sat, 02/15/2014 - 13:29

From the sounds of it you have configured port forwarding, and a static one to one NAT on the RV router.  This, I think, is where you may have gone wrong.  You should be configuring PAT in this case, which allows a many to one translation.  Now the way forward really depends on what you are more comfortable doing.


 Should that traffic be forwarded directly to the host IP, or to the ASA external interface?

If you continue with the port forwarding option, this should be forwarded directly to the host IP.  Of course there need to be access rules on the ASA permitting the traffic through.


If you go for my suggestion, this would mean to reconfigure the RV to use PAT instead of port forwarding and one to one NAT (actually disabling the one to one NAT would really depend what you have it configured for and how you have configured).


- Disable port forwarding on the RV

- Disable or possibly reconfigure static one to one NAT

- Remove all NAT from the ASA

- Ensure that access rules are in place to allow traffic on the ASA

- Configure Port Address Translation (PAT) on the RV router


Keep in mind that for the PAT configuration you have to create a rule for each port you want to allow out, and you are limited to configuring 30.  This is why I prefer the enterprise routers as they are much more flexible when manipulating traffic...in my opinion that is.


Now, reconfiguring the RV might be more time consuming and a hassle than it might be worth?  So it is up to you if you choose to do that.  I would suggest that you first amend the static port translation and see how that goes.



BarryJoseph Sat, 02/15/2014 - 13:57

Hi Marius,


Thank you for your quick response.  I am going to read it carefully and make sure I understand what you are suggesting before I proceed.  But I wanted to let you know that I am *not* using one-to-one NAT.  The router appears to come with PAT preconfigured; it worked right out of the box. 


Actually I think this router only allows 25 PAT Translation rules; but that's ok with me (for now).  I only need about 5.  If I can get those working!


From your suggestions:


- Disable port forwarding on the RV  ** That is easy **

- Disable or possibly reconfigure static one to one NAT  ** I can test this out with one static translation first, to see if it works.  Then add the others **

- Remove all NAT from the ASA  ** already done, except for the static translation I've been testing **

- Ensure that access rules are in place to allow traffic on the ASA  ** already done **

- Configure Port Address Translation (PAT) on the RV router  ** PAT is already working.  I only need to add the specific PAT Translation(s) mentioned above **


Please let me know if you have anything to add / or if anything I am not understanding properly.  Otherwise I'll give this a shot shortly, and let you know.


Thanks!
Brian

BarryJoseph Mon, 02/17/2014 - 14:46

Thanks Marius for all your assistance with this!  Finally got it working by following your advice, along with a few other tweaks.  (With more than a little assistance from Juan, also here on the forums).  In addition to totally removing NAT from the ASA:


- Removed Port Forwarding from the RV

- Added PAT Translation rules at the RV

- Added STATIC translations on the ASA.  These directed specific traffic from the ASA external interface, to the appropriate inside host.

- Corrected faulty access-list rules on the ASA.  For example I had this: 

---access-list outside-in extended permit tcp any host 192.168.1.202 eq www

Whereas I really needed this:

---access-list outside-in extended permit tcp any interface outside eq www


So thank you again for all your patience and assistance!


-Brian
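The thread closes on two points that are easy to get backwards on an ASA running the pre-8.3 `static (inside,outside)` syntax: a `nat (inside) 0 access-list` exemption is evaluated before any `static` (Marius's NoNAT point), and an ACL applied to the outside interface is matched against the global address, i.e. the outside interface and global port, not the real inside host (Brian's final ACL fix; Julio's `interface 2222 x.x.x.x 22` suggestion is the same mechanism with a different global port). What follows is an added Python model of both behaviours, not code from the thread or from Cisco. The rule order is Cisco's documented pre-8.3 precedence (NAT exemption, then static NAT/PAT, then dynamic NAT); the external client address 203.0.113.5 is constructed, and the assumption that Brian's final static maps outside-interface port 80 to 192.168.1.202:80 is mine, inferred from his final ACL.

```python
"""
Simplified model of how a pre-8.3 Cisco ASA picks a NAT rule for an
outside->inside packet and which destination address the outside-in ACL is
checked against. Added illustration for this thread, not Cisco code.
Assumptions (not from the thread): external client 203.0.113.5 (TEST-NET-3),
and a final static mapping outside-interface port 80 to 192.168.1.202:80.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One extended ACE: protocol, source net, destination net, optional destination port."""
    proto: str                  # "ip" or "tcp"
    src: str                    # CIDR; "0.0.0.0/0" stands for `any`
    dst: str
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass(frozen=True)
class StaticPat:
    """static (inside,outside) tcp <global_ip> <global_port> <real_ip> <real_port>"""
    global_ip: str
    global_port: int
    real_ip: str
    real_port: int


@dataclass
class AsaNat:
    exemption: List[Ace]        # nat (inside) 0 access-list NoNAT
    statics: List[StaticPat]    # static (inside,outside) tcp interface ...


def untranslate_inbound(cfg: AsaNat, proto: str, src: str, dst: str, dport: int) -> Tuple[str, str, int]:
    """Return (rule_kind, real_dst, real_port) for a packet arriving on outside.

    The exemption ACL is written inside->outside, so for an inbound packet its
    source field is compared with the packet's destination and vice versa.
    A `permit ip any any` exemption therefore claims every inbound packet
    before any static is consulted, which is the NoNAT problem in the thread.
    """
    for ace in cfg.exemption:
        if ace.proto == "ip" and ace.matches("ip", dst, src, 0):
            return ("exemption", dst, dport)          # passed through untranslated
    for s in cfg.statics:
        if proto == "tcp" and s.global_ip == dst and s.global_port == dport:
            return ("static", s.real_ip, s.real_port)
    return ("none", dst, dport)                        # nothing matched; dst unchanged


def acl_permits(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> bool:
    return any(a.matches(proto, src, dst, dport) for a in acl)


def inbound_decision(cfg: AsaNat, outside_in: List[Ace], pre_83: bool,
                     proto: str, src: str, dst: str, dport: int) -> Dict[str, object]:
    """NAT lookup plus outside-in ACL, the way the two ASA generations do it.

    Pre-8.3: the ACL on `outside` sees the global (pre-untranslate) address and
    port, so it must name the outside interface address (`interface outside`).
    8.3+: the ACL sees the real inside address after untranslate.
    """
    kind, real_ip, real_port = untranslate_inbound(cfg, proto, src, dst, dport)
    acl_ip, acl_port = (dst, dport) if pre_83 else (real_ip, real_port)
    return {"nat_rule": kind,
            "real_dst": f"{real_ip}:{real_port}",
            "permitted": acl_permits(outside_in, proto, src, acl_ip, acl_port)}


OUTSIDE_IF = "192.168.0.2"          # ASA outside interface, from the thread
CLIENT = "203.0.113.5"              # constructed external client (TEST-NET-3)

# Brian's first configuration: NoNAT any/any plus static PAT ftp-data -> ssh.
BRIAN_V1 = AsaNat(exemption=[Ace("ip", "0.0.0.0/0", "0.0.0.0/0")],
                  statics=[StaticPat(OUTSIDE_IF, 20, "192.168.1.202", 22)])
# After removing the exemption and dynamic NAT; the RV does 1701 -> 80 in front
# (assumed static: outside-interface port 80 to 192.168.1.202:80).
BRIAN_V2 = AsaNat(exemption=[], statics=[StaticPat(OUTSIDE_IF, 80, "192.168.1.202", 80)])
# The ACL Brian first had (real host) and the one that finally worked (outside interface).
ACL_REAL_HOST = [Ace("tcp", "0.0.0.0/0", "192.168.1.202/32", 80)]
ACL_OUTSIDE_IF = [Ace("tcp", "0.0.0.0/0", f"{OUTSIDE_IF}/32", 80)]

if __name__ == "__main__":
    print(untranslate_inbound(BRIAN_V1, "tcp", CLIENT, OUTSIDE_IF, 20))
    for name, acl in (("real-host ACL", ACL_REAL_HOST), ("outside-if ACL", ACL_OUTSIDE_IF)):
        print(name, inbound_decision(BRIAN_V2, acl, True, "tcp", CLIENT, OUTSIDE_IF, 80))
```

The same `real-host` ACL that fails on a pre-8.3 ASA is the correct form on 8.3 and later, which is why advice written for one generation quietly breaks on the other; when a static's untranslate counter moves but the ACL counter does not, check which address family the ACL is naming before touching NAT again.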
