11-24-2010 02:33 AM - edited 03-11-2019 12:13 PM
Hello everyone,
I have a customer with an ASA running version 8.3. The customer wants to do PAT from the public ASA IP to several internal IP addresses on the inside interface (different ports).
Something like: everyone who telnets to port 50030 on the public ASA IP is sent to port 80 on a private IP address.
I configured the ASA this way:
«
object network Webserver
host 192.168.100.100
object network Webserver
nat (inside,outside) static interface service tcp 80 50030
access-list outside_access_in extended permit tcp any object Webserver eq 50030
access-group outside_access_in in interface outside
»
When I type the command «show xlate» I get this result:
«
show xlate | inc 192.168.100.100
»
11-24-2010 05:15 AM
Change your access-list to
access-list outside_access_in extended permit tcp any object Webserver eq 80
Your translated port is 50030 and the original port is 80, correct?
11-24-2010 06:12 AM
Many thanks jathaval,
I changed the configuration as you suggested:
«
access-list outside_access_in extended permit tcp any object Webserver eq www
»
But it is still not working, and when I telnet to the public IP on port 50030 it still does not hit the access-list:
«
access-list outside_access_in line 57 extended permit tcp any object Webserver eq www 0xdbbb2b68
access-list outside_access_in line 57 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0) 0xdbbb2b68
»
11-24-2010 07:58 AM
Can you please run packet-tracer and see if it is getting blocked anywhere?
Also, if it matches any of the rules above this rule in the access-list it will not show hit counts on this one, so please paste your access-list rules for outside_access_in if it is not too big.
11-25-2010 06:42 AM
Hello Jathaval,
You're right. But I still don't get it, because the packet is dropped due to an implicit rule (probably the last one that denies any any, right?):
«
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
»
So why doesn't the packet match the rule we created for these particular packets?
«
access-list outside_access_in line 57 extended permit tcp any object Webserver eq www 0xdbbb2b68
access-list outside_access_in line 57 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0) 0xdbbb2b68
»
The access-list applied to outside interface is this one:
«
access-list outside_access_in extended permit gre host 62.28.X.X any
access-list outside_access_in extended permit gre host 195.245.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 213.13.X.X any
access-list outside_access_in extended permit icmp any object-group SITES_LAN
access-list outside_access_in extended permit tcp any object Webserver eq www
»
11-25-2010 07:19 AM
Oh, the packet is getting dropped here because you are running packet-tracer to the interface IP, and your static also looks to be your outside interface IP.
If so, in the static NAT rules and interface rules use the keyword interface instead of the interface IP.
Regards,
Jitendriya
11-25-2010 08:22 AM
This is the config I have.
«
object network Webserver
host 192.168.100.100
access-list outside_access_in extended permit tcp any object Webserver eq www
object network Webserver
nat (inside,outside) static interface service tcp www 50030
access-group outside_access_in in interface outside
»
I am really missing something and I cannot understand what it is.
11-25-2010 05:00 PM
What test are you doing in packet-tracer and while doing real-world testing?
Please paste the command you use for packet-tracer.
Please move the access-list to line 1 in the access-group.
11-26-2010 01:47 AM
Thanks again for your patience,
I moved the access-list to line 1 but it is the same. Nothing hits.
In the "real world" I'm doing a telnet from another customer with an ADSL line.
When I telnet to port 50030 of the public IP, I don't see anything in the ASDM Real Time Log Viewer. But if I run the same command to port 80 (it should NOT work) I see the packet being denied in the ASDM Real Time Log Viewer.
The message that appears is (telnet to ASA outside interface at port 80):
«
TCP access denied by ACL from 213.58.X.X/17927 to outside:194.38.X.X/80
»
The same command but to port 50030: nothing appears. It seems like the packets don't reach the ASA. I ran this test from several locations and the result is the same.
Regarding the packet-tracer command, I'm doing this:
«
packet-tracer input outside tcp 213.58.X.X 17927 194.38.X.X 50030
»
The result is this:
«
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 194.38.X.X 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
»
11-26-2010 07:06 AM
Hi,
access-list outside_access_in extended permit tcp any object Webserver eq www
So you are permitting port 80, not port 50030, which is blocked by the implicit deny from outside to inside or DMZ.
If you want the telnet on port 80 to work then you must change your NAT command and leave port 80, and if you want port 50030 to work you must change your ACL to permit this port.
Does it work when doing so?
Regards.
11-26-2010 12:22 PM
If the server 192.168.100.100 listens on port 80 then what you have is correct. If you try the following URL from the browser
http://ip_address_of_interface:50030 it should work.
Try to add the access-list as line 1 and give it a shot.
conf t
access-list outside_access_in line 1 extended permit tcp any host 192.168.100.100 eq www
-KS
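To make the 8.3 behaviour KS describes concrete, here is an added example (not code from the thread or from Cisco) that models the order the ASA applies to an inbound connection: un-NAT the packet first, then evaluate the interface ACL against the real address and port. The outside interface address 198.51.100.1 and the client address 203.0.113.10 are assumptions standing in for the masked 194.38.X.X and 213.58.X.X; the host 192.168.100.100, the ports and the ACL entries are the ones posted in the thread.

```python
"""ASA 8.3+ inbound order of operations: UN-NAT, then the interface ACL.

Added example, not part of the thread and not Cisco code.  Addresses
198.51.100.1 (outside interface) and 203.0.113.10 (client) are assumptions
standing in for the masked 194.38.X.X and 213.58.X.X.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticPat:
    """object network X / nat (inside,outside) static interface service tcp <real> <mapped>"""
    real_ip: str
    real_port: int
    mapped_ip: str      # outside interface address when the 'interface' keyword is used
    mapped_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    """access-list <name> extended <action> <proto> any host <dst_ip> eq <dst_port>.
    Source is modelled as 'any'; dst_ip 'any' and dst_port None are wildcards."""
    action: str
    proto: str
    dst_ip: str
    dst_port: Optional[int]


OUTSIDE_IF = "198.51.100.1"     # assumed
CLIENT = "203.0.113.10"         # assumed

# The thread's NAT: real 192.168.100.100:80 is reachable as <outside IF>:50030.
NAT_RULES = [StaticPat("192.168.100.100", 80, OUTSIDE_IF, 50030)]

# 8.3 style: ACL written in terms of the real host and real port (what was posted).
ACL_REAL = [AclEntry("permit", "tcp", "192.168.100.100", 80)]
# pre-8.3 style: ACL written in terms of the mapped address and port (the entry
# the original poster also tried, which showed hitcnt=0).
ACL_MAPPED = [AclEntry("permit", "tcp", OUTSIDE_IF, 50030)]

INBOUND_50030 = Packet("tcp", CLIENT, 17927, OUTSIDE_IF, 50030)
INBOUND_80 = Packet("tcp", CLIENT, 17927, OUTSIDE_IF, 80)


def untranslate(pkt: Packet, rules: List[StaticPat]) -> Tuple[Packet, Optional[StaticPat]]:
    """UN-NAT phase: if the mapped destination matches a static rule, rewrite the
    destination to the real host/port.  Otherwise the packet is left untouched."""
    for r in rules:
        if pkt.proto == r.proto and pkt.dst_ip == r.mapped_ip and pkt.dst_port == r.mapped_port:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, r.real_ip, r.real_port), r
    return pkt, None


def first_match(pkt: Packet, acl: List[AclEntry]) -> Tuple[Optional[int], AclEntry]:
    """First-match ACL lookup; returns (line number, entry) or (None, implicit deny)."""
    for line, e in enumerate(acl, start=1):
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.dst_ip != "any" and e.dst_ip != pkt.dst_ip:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return line, e
    return None, AclEntry("deny", "ip", "any", None)


def evaluate(pkt: Packet, rules: List[StaticPat], acl: List[AclEntry]) -> dict:
    """Inbound evaluation in ASA 8.3+ order: UN-NAT first, ACL second."""
    real, rule = untranslate(pkt, rules)
    line, entry = first_match(real, acl)
    return {
        "real_dst": f"{real.dst_ip}:{real.dst_port}",
        "nat_rule_hit": rule is not None,
        "acl_line": line,
        "action": entry.action,
    }


if __name__ == "__main__":
    for name, acl in (("8.3-style ACL (real host/port)", ACL_REAL),
                      ("pre-8.3-style ACL (mapped host/port)", ACL_MAPPED)):
        print(name, evaluate(INBOUND_50030, NAT_RULES, acl))
    print("port 80 straight at the interface", evaluate(INBOUND_80, NAT_RULES, ACL_REAL))
```

Running it shows the same SYN to tcp/50030 is a permit on line 1 with the real-address ACL and an implicit deny with the mapped-address entry, and that a SYN to tcp/80 at the interface matches no NAT rule, keeps the interface address as its destination and is denied, which is the behaviour the ASDM log line for port 80 reports. The model ignores source addresses and NAT section ordering; it only shows which form of ACL entry the 8.3 packet path consults.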
11-30-2010 09:18 AM
Hello Poonguzhali,
I tried your suggestion but it still does not work.
Yes, the real port is 80 on IP 192.168.100.100 and the "outside" port is 50030 on the outside IP of the ASA.
I have:
access-list outside_access_in line 1 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0)
But it is strange, because I'm making a telnet to the outside interface on port 50030. So it should be something like this (also not hit):
access-list outside_access_in line 2 extended permit tcp any host 194.38.X.X eq 50030 (hitcnt=0)
11-30-2010 09:59 AM
Another thing that I really don't understand is why, when I telnet to the ASA public IP at port 80, it appears in the Real Time Log Viewer (ASDM), and if I do the same telnet but to port 50030 nothing appears. It seems like the packet does not reach the ASA.
11-30-2010 07:12 PM
It appears so. A quick capture will prove it.
cap capout int outside match tcp any any eq 50030
Test your telnet to the interface IP address on port 50030 and look at the capture to see if there are any packets.
sh cap capout
If you do not see any packets you need to check the upstream router to see if it is even sending these packets towards the ASA.
-KS
12-02-2010 07:30 AM
You're right Sankar,
I tested the command you suggested and the packets arrive at the ASA:
«
ASA-Customer-DatacenterC# show capture capout
4 packets captured
1: 08:18:14.857804 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
2: 08:18:17.856599 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
3: 08:18:23.857530 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
4: 08:18:35.860642 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
»
But it still does not hit the access-list.
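As an added example (not from the thread), here is a small parser for the `show capture` line format shown above that turns a capture into a verdict: whether SYNs reach the outside interface at all, how many are retransmissions, and whether anything is ever sent back. The sample captures are constructed: the first reproduces the thread's four SYN lines with the masked addresses replaced by 203.0.113.10 (client) and 198.51.100.1 (outside interface); the second is a made-up healthy handshake for contrast.

```python
"""Parse ASA 'show capture' output and classify the TCP handshake.

Added example, not code from the thread.  Sample captures are constructed;
203.0.113.10 and 198.51.100.1 stand in for the masked 213.58.X.X and 194.38.X.X.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed from the thread's four captured SYNs (addresses replaced).
CAPTURE_NO_REPLY = """\
4 packets captured
1: 08:18:14.857804 203.0.113.10.29703 > 198.51.100.1.50030: S 1410453446:1410453446(0) win 4128
2: 08:18:17.856599 203.0.113.10.29703 > 198.51.100.1.50030: S 1410453446:1410453446(0) win 4128
3: 08:18:23.857530 203.0.113.10.29703 > 198.51.100.1.50030: S 1410453446:1410453446(0) win 4128
4: 08:18:35.860642 203.0.113.10.29703 > 198.51.100.1.50030: S 1410453446:1410453446(0) win 4128
"""

# Constructed: what the capture looks like once the SYN is answered.
CAPTURE_WITH_REPLY = """\
3 packets captured
1: 09:00:00.000000 203.0.113.10.40001 > 198.51.100.1.50030: S 10:10(0) win 4128
2: 09:00:00.001000 198.51.100.1.50030 > 203.0.113.10.40001: S 900:900(0) ack 11 win 8192
3: 09:00:00.002000 203.0.113.10.40001 > 198.51.100.1.50030: . ack 901 win 4128
"""

# "<n>: <hh:mm:ss.usec> <src ip>.<sport> > <dst ip>.<dport>: <flags> <rest>"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)\s*(?P<rest>.*)$"
)
SEQ_RE = re.compile(r"(\d+):\d+\(\d+\)")   # "seq:seq+len(len)"


def parse_capture(text: str) -> List[Dict]:
    """Return one dict per packet line; header lines such as
    '4 packets captured' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags, rest = m["flags"], m["rest"]
        seq = SEQ_RE.search(rest)
        pkts.append({
            "num": int(m["num"]), "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "syn": "S" in flags,
            # ACK is shown either as '.' in the flag field or as 'ack <n>' in the tail
            "ack": "." in flags or " ack " in f" {rest} ",
            "seq": int(seq.group(1)) if seq else None,
        })
    return pkts


def handshake_summary(pkts: List[Dict], server_ip: str, server_port: int) -> Dict:
    """Classify the capture for one server socket: SYNs in, SYN-ACKs out,
    retransmissions, and a plain-language verdict on where to look next."""
    to_server = [p for p in pkts if p["dst"] == server_ip and p["dport"] == server_port]
    from_server = [p for p in pkts if p["src"] == server_ip and p["sport"] == server_port]
    syns = [p for p in to_server if p["syn"] and not p["ack"]]
    synacks = [p for p in from_server if p["syn"] and p["ack"]]
    # A retransmitted SYN repeats the same (client, client port, seq) tuple.
    dup = Counter((p["src"], p["sport"], p["seq"]) for p in syns)
    retrans = sum(n - 1 for n in dup.values())
    if not syns:
        verdict = "no SYNs seen: packets are not reaching this interface, check upstream"
    elif not synacks:
        verdict = "SYNs arrive but nothing comes back: the drop is on the ASA or behind it, not upstream"
    else:
        verdict = "handshake answered"
    return {"syn": len(syns), "syn_ack": len(synacks), "retransmitted": retrans, "verdict": verdict}


if __name__ == "__main__":
    for label, text in (("no reply", CAPTURE_NO_REPLY), ("healthy", CAPTURE_WITH_REPLY)):
        print(label, handshake_summary(parse_capture(text), "198.51.100.1", 50030))
```

Against the first sample the result is four SYNs, three of them retransmissions of the same sequence number, and zero SYN-ACKs, which is exactly the state the thread ends in: the packets do reach the outside interface, so the upstream router is cleared and the remaining suspects are on the ASA itself. The parser only understands the tcpdump-style TCP lines that `show capture` prints and treats everything else as a header.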