ASA 5505 - Static NAT

jfendrody
Level 1

Hello,

I am stuck with a static NAT configuration problem on ASA 5505 equipment.

While there are already quite a few posts regarding NAT on this forum, I could not find anything solving my problem, so any help from the community would be most welcome.

The problem is quite simple: I would like external computers (coming through the outside interface) to access one internal HTTP server.

Here's my test configuration:

  • ASA outside address : 192.168.0.11
  • ASA inside address : 192.168.1.1
  • Internal server address : 192.168.1.6
  • External computer trying to access to the internal server : 192.168.0.10

ASA configuration:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in remark allow the internal network to access the internet
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in remark Allow the internal network to do external pings
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.6 www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:2e0ea6f12299faadcb90b77fbaea79cb
: end

Access Log:

Sev  Date         Time      Msg ID  Source IP     Source Port  Destination IP  Destination Port  Description
6    Nov 09 2010  10:26:07  302013  192.168.0.10  1649         192.168.1.6     80                Built inbound TCP connection 473 for outside:192.168.0.10/1649 (192.168.0.10/1649) to inside:192.168.1.6/80 (192.168.0.11/80)
6    Nov 09 2010  10:26:37  302014  192.168.0.10  1649         192.168.1.6     80                Teardown TCP connection 473 for outside:192.168.0.10/1649 to inside:192.168.1.6/80 duration 0:00:30 bytes 0 SYN Timeout

6 Replies

mirober2
Cisco Employee

Hi Jean-Francois,

The config looks okay and the logs indicate that the connection is allowed. However, the connection eventually closes due to a SYN timeout. This means that the ASA never saw a reply from your web server.

Can you verify that the server is listening on TCP/80 and that there is nothing else in the path that would filter this traffic? Also, double check to make sure the server doesn't have a host-based firewall or security software that would block this connection.

Are you able to connect to the server from inside your network? A packet capture on the server will help to verify if the request is being received by the server or if the server is not replying.

-Mike
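As an added illustration of the diagnosis above (this is not code from the thread or from Cisco), the following Python script pairs ASA 302013/302014 messages by connection id and flags the pattern described: a connection that the ASA built (so the ACL and the static PAT to the outside interface address were applied) and then tore down with "SYN Timeout" and 0 bytes, meaning the real server never answered. The sample lines are constructed in the same format as the log entries in the original post.

```python
import re
from dataclasses import dataclass

# Constructed sample log, same message format as the ASA 8.2 entries quoted in the post.
# Connection 473 mirrors the post (no reply from 192.168.1.6); 474 is a healthy session.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 473 for outside:192.168.0.10/1649 (192.168.0.10/1649) to inside:192.168.1.6/80 (192.168.0.11/80)
%ASA-6-302014: Teardown TCP connection 473 for outside:192.168.0.10/1649 to inside:192.168.1.6/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 474 for outside:192.168.0.10/1650 (192.168.0.10/1650) to inside:192.168.1.6/80 (192.168.0.11/80)
%ASA-6-302014: Teardown TCP connection 474 for outside:192.168.0.10/1650 to inside:192.168.1.6/80 duration 0:00:05 bytes 1832 TCP FINs
"""

# 302013: real addresses first, mapped (post-NAT) addresses in parentheses.
BUILT = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for\s+"
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)\s+\((?P<msrc>[\d.]+)/(?P<msport>\d+)\)\s+to\s+"
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)\s+\((?P<mdst>[\d.]+)/(?P<mdport>\d+)\)")
# 302014: the teardown carries duration, byte count and the close reason.
TEARDOWN = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for .*?duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")

@dataclass
class Conn:
    cid: str
    real_dst: str      # inside host the ASA forwarded to (e.g. 192.168.1.6)
    mapped_dst: str    # address the client connected to (e.g. ASA outside 192.168.0.11)
    dport: str
    reason: str = ""
    nbytes: int = 0
    duration: str = ""

    def verdict(self) -> str:
        # Built + SYN Timeout + 0 bytes: ACL and NAT passed, the server never replied.
        # Look at the server's gateway, its listener and any host firewall, not at the ASA.
        if self.reason == "SYN Timeout" and self.nbytes == 0:
            return "no-reply-from-server"
        if not self.reason:
            return "open"
        return "completed"

def analyze(log_text: str) -> dict:
    """Return {connection id: Conn} with teardown details merged into the build record."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = Conn(m["id"], m["dst"], m["mdst"], m["dport"])
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in conns:
            c = conns[m["id"]]
            c.reason, c.nbytes, c.duration = m["reason"], int(m["bytes"]), m["dur"]
    return conns

def suspect_hosts(log_text: str) -> set:
    """Real inside addresses whose connections were built but never answered."""
    return {c.real_dst for c in analyze(log_text).values() if c.verdict() == "no-reply-from-server"}
```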

Hi Mike,

Thanks for the super fast answer! Unfortunately it makes me even more confused...

For the test purposes, the "internal server" (192.168.1.6) was a SLM switch and I was trying to access its http admin server.

To reply to your post, I updated the test configuration and replaced the SLM with a PC running EasyPHP and WireShark.

This setup was supposed to allow me to see what was wrong with the reply.

To my surprise with this new configuration the setup works just fine ...

When I switch back to the SLM configuration, it just fails ...

Any idea why the switch would reject/not reply to the connection coming from the ASA ??

JF

Maykol Rojas
Cisco Employee
(Accepted Solution)

Hello,

Mike here, NAT is right, the problem is that the server is not responding (SYN timeout). You can check the following things.

Make sure that the server default gateway is the ASA

Put wireshark on the server and check if the server is receiving the packets.

If you need anything just let me know.

Cheers.

Mike

Mike,

Thanks for the reply, please see my reply to the other Mike.

I was setting up exactly what you were suggesting and the result was quite surprising...

Regarding the SLM configuration, it has the ASA as default gateway.

JF

Hey,

Yeah, I saw that Mike's answer first and we both thought the same. He is really good at what he does... In that switch do you have any type of ACL or restriction of any type? Are you able to access it from the inside?

Let us know.

Mike

Yes, I can access it from inside. I will try to find what's wrong with Wireshark.

I consider the issue solved and tag the thread as such.

Thank you guys for the support!

JF
