11-09-2010 09:51 AM - edited 03-11-2019 12:06 PM
Hello,
I am stuck with a static NAT configuration problem on ASA 5505 equipment.
While there are already quite a few posts regarding NAT on this forum, I could not find anything solving my problem, so any help from the community would be most welcome.
The problem is quite simple: I would like external computers (coming through the outside interface) to access one internal HTTP server.
Here's my test configuration:
ASA configuration:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in remark autorise le reseau interne a accéder à internet
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in remark Autorise le reseau interne a faire des pings externes
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.6 www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:2e0ea6f12299faadcb90b77fbaea79cb
: end
Access Log:
Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description
6 | Nov 09 2010 | 10:26:07 | 302013 | 192.168.0.10 | 1649 | 192.168.1.6 | 80 | Built inbound TCP connection 473 for outside:192.168.0.10/1649 (192.168.0.10/1649) to inside:192.168.1.6/80 (192.168.0.11/80)
6 | Nov 09 2010 | 10:26:37 | 302014 | 192.168.0.10 | 1649 | 192.168.1.6 | 80 | Teardown TCP connection 473 for outside:192.168.0.10/1649 to inside:192.168.1.6/80 duration 0:00:30 bytes 0 SYN Timeout
11-09-2010 09:58 AM
Hello,
Mike here. The NAT is right; the problem is that the server is not responding (SYN timeout). You can check the following things:
Make sure that the server's default gateway is the ASA.
Put Wireshark on the server and check whether the server is receiving the packets.
If you need anything just let me know.
Cheers.
Mike
11-09-2010 09:57 AM
Hi Jean-Francois,
The config looks okay and the logs indicate that the connection is allowed. However, the connection eventually closes due to a SYN timeout. This means that the ASA never saw a reply from your web server.
Can you verify that the server is listening on TCP/80 and that there is nothing else in the path that would filter this traffic? Also, double check to make sure the server doesn't have a host-based firewall or security software that would block this connection.
Are you able to connect to the server from inside your network? A packet capture on the server will help to verify if the request is being received by the server or if the server is not replying.
-Mike
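Mike's diagnosis rests on the 302013/302014 pair in the poster's log: the ASA built the connection (so the static PAT and the outside ACL both passed) but tore it down with bytes 0 and "SYN Timeout", meaning the inside host never answered. The following Python is an added example, not code from the thread or from Cisco: it parses lines in that format, pairs each build with its teardown by connection ID, and flags mapped services whose connections only ever end in SYN Timeout. The log lines are constructed; connections 473/474 mirror the poster's symptom, and the 192.168.0.11:8080 to 192.168.1.7:80 mapping is an assumed second static PAT used as a working control. Neither pattern anchors on the message-ID prefix, so the pipe-delimited ASDM export shown in the thread parses as well.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ASA 302013/302014 format the poster showed.
# 473/474 mirror the SYN-timeout symptom; 475 is an assumed second static PAT
# (192.168.0.11:8080 -> 192.168.1.7:80) used as a control that does answer.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 473 for outside:192.168.0.10/1649 (192.168.0.10/1649) to inside:192.168.1.6/80 (192.168.0.11/80)
%ASA-6-302014: Teardown TCP connection 473 for outside:192.168.0.10/1649 to inside:192.168.1.6/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 474 for outside:192.168.0.10/1650 (192.168.0.10/1650) to inside:192.168.1.6/80 (192.168.0.11/80)
%ASA-6-302014: Teardown TCP connection 474 for outside:192.168.0.10/1650 to inside:192.168.1.6/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 475 for outside:192.168.0.10/1651 (192.168.0.10/1651) to inside:192.168.1.7/80 (192.168.0.11/8080)
%ASA-6-302014: Teardown TCP connection 475 for outside:192.168.0.10/1651 to inside:192.168.1.7/80 duration 0:00:12 bytes 5310 TCP FINs
"""
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"\w+:[\d.]+/\d+ \([\d.]+/\d+\) to "
    r"\w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for .*? duration [\d:]+ "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def analyze(log_text):
    """Pair builds with teardowns by connection ID and count, per mapped service, answered connections vs. SYN Timeouts."""
    built, stats = {}, defaultdict(lambda: {"ok": 0, "syn_timeout": 0, "other": 0})
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m or m["id"] not in built:
            continue  # teardown for a build we never saw: skip it
        b = built.pop(m["id"])
        key = f"{b['mapped']}:{b['mport']} -> {b['dst']}:{b['dport']}"
        # rstrip(" |") tolerates the trailing cell delimiter of the ASDM export
        if m["reason"].rstrip(" |") == "SYN Timeout" and int(m["bytes"]) == 0:
            stats[key]["syn_timeout"] += 1
        elif int(m["bytes"]) > 0:
            stats[key]["ok"] += 1
        else:
            stats[key]["other"] += 1  # e.g. reset before any payload
    return dict(stats)

def unresponsive_targets(log_text):
    """Mapped services whose connections only ever end in SYN Timeout: NAT and ACL passed, so look at the inside host."""
    return sorted(k for k, s in analyze(log_text).items()
                  if s["syn_timeout"] and not s["ok"])
```

A service listed by unresponsive_targets points at the inside host (nothing listening on TCP/80, a host firewall, or a default gateway other than the ASA), which is exactly the checklist in the two answers above.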
11-09-2010 10:31 AM
Hi Mike,
Thanks for the super fast answer! Unfortunately it makes me even more confused ...
For the test purposes, the "internal server" (192.168.1.6) was a SLM switch and I was trying to access its http admin server.
To reply to your post, I updated the test configuration and replaced the SLM with a PC running EasyPHP and WireShark.
This setup was supposed to allow me to see what was wrong with the reply.
To my surprise with this new configuration the setup works just fine ...
When I switch back to the SLM configuration, it just fails ...
Any idea why the switch would reject/not reply to the connection coming from the ASA?
JF
11-09-2010 10:36 AM
Mike,
Thanks for the reply, please see my reply to the other Mike.
I was setting up exactly what you were suggesting and the result was quite surprising ...
Regarding the SLM configuration, it has the ASA as default gateway.
JF
11-09-2010 10:48 AM
Hey,
Yeah, I saw that Mike answered first and we both thought the same. He is really good at what he does. On that switch, do you have any type of ACL or restriction? Are you able to access it from the inside?
Let us know.
Mike
11-09-2010 02:06 PM
Yes, I can access it from inside. I will try to find what's wrong with Wireshark.
I consider the issue solved and have tagged the thread as such.
Thank you guys for the support!
JF