ASA 8.3 PAT problem

nelson.mendes
Level 1

Hello everyone,

I have a customer with an ASA running version 8.3. The customer wants to do PAT from the public ASA IP to several internal IP addresses on the inside interface (different ports).

Something like: everyone who telnets to port 50030 on the public ASA IP is sent to port 80 on a private IP address.

I configured the ASA this way:

«

object network Webserver
host 192.168.100.100

object network Webserver
nat (inside,outside) static interface service tcp 80 50030

access-list outside_access_in extended permit tcp any object Webserver eq 50030

access-group outside_access_in in interface outside

»

When I type the command «show xlate» I get this result:

«

show xlate | inc 192.168.100.100

TCP PAT from inside:192.168.100.100 80-80 to  outside:194.38.X.X 50030-50030
»

So I assume the NAT is correct. The problem is that, from the outside, when I telnet to 194.38.X.X port 50030, it doesn't hit the access-list.
Port 80 on the private IP is open and I can telnet to it from the inside.

Any help?

Nelson

25 Replies

Jitendriya Athavale
Cisco Employee

Change your access-list to

access-list outside_access_in extended permit tcp any object Webserver eq 80

Your translated port is 50030 and the original port is 80, correct?
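The point behind this reply is that since ASA 8.3 the interface ACL is evaluated after un-NAT, so it has to reference the real (untranslated) host and port, here 192.168.100.100 port 80, not the mapped port 50030 and not the outside interface address. The following Python model, added here as an illustration and not Cisco code or anything from this thread, reproduces that ordering for a packet arriving on the outside: it un-translates the destination through the static PAT object and only then walks the ACL with the implicit deny at the end. The public address 194.38.0.1 and the client 213.58.0.9 are constructed placeholders for the masked addresses in the thread; it also checks the "permit ... host 194.38.X.X eq 50030" variant that appears later in the thread, which never matches for the same reason.

```python
"""Model of ASA 8.3+ inbound processing: static PAT un-translation, then
interface ACL evaluation against the real destination.
Added example, not Cisco code. Addresses below are constructed placeholders."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """'object network X' + 'nat (inside,outside) static interface service tcp R M'."""
    real_ip: str
    real_port: int
    mapped_ip: str      # the outside interface address ('interface' keyword)
    mapped_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One extended ACE: action proto src dst [eq port]; 'any' matches every host."""
    action: str
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def untranslate(pkt: Packet, pats: list[StaticPat]) -> Packet:
    """Rewrite a mapped destination back to the real address/port.
    8.3+ does this before the inbound interface ACL is consulted."""
    for pat in pats:
        if (pkt.proto == pat.proto and pkt.dst_ip == pat.mapped_ip
                and pkt.dst_port == pat.mapped_port):
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, pat.real_ip, pat.real_port)
    return pkt  # no matching NAT rule: destination stays as received


def _host_match(spec: str, ip: str) -> bool:
    return spec == "any" or spec == ip


def acl_lookup(acl: list[Ace], pkt: Packet) -> tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, index of the matching ACE),
    or ('deny', None) for the implicit deny at the end of the list."""
    for i, ace in enumerate(acl):
        if (ace.proto == pkt.proto and _host_match(ace.src, pkt.src_ip)
                and _host_match(ace.dst, pkt.dst_ip)
                and (ace.dst_port is None or ace.dst_port == pkt.dst_port)):
            return ace.action, i
    return "deny", None


def inbound_decision(acl: list[Ace], pats: list[StaticPat], pkt: Packet):
    """Full inbound path for one packet: un-NAT first, then the ACL."""
    return acl_lookup(acl, untranslate(pkt, pats))


# Constructed sample matching the thread's topology (placeholders, not real hosts).
OUTSIDE_IP = "194.38.0.1"
WEBSERVER = "192.168.100.100"
PATS = [StaticPat(WEBSERVER, 80, OUTSIDE_IP, 50030)]
ACL_ORIGINAL = [Ace("permit", "tcp", "any", WEBSERVER, 50030)]   # mapped port on real host
ACL_MAPPED = [Ace("permit", "tcp", "any", OUTSIDE_IP, 50030)]    # mapped host and port
ACL_CORRECTED = [Ace("permit", "tcp", "any", WEBSERVER, 80)]     # real host and real port
PROBE = Packet("tcp", "213.58.0.9", 17927, OUTSIDE_IP, 50030)

if __name__ == "__main__":
    print(untranslate(PROBE, PATS))
    for name, acl in (("original", ACL_ORIGINAL), ("mapped", ACL_MAPPED), ("corrected", ACL_CORRECTED)):
        print(name, inbound_decision(acl, PATS, PROBE))
```

Only the corrected list permits the probe; the other two fall through to the implicit deny, which is what a zero hit count on those entries looks like on the box. The model covers the ACL/NAT ordering only; it does not explain the remaining symptom in the thread after the ACL was corrected.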

Many thanks jathaval,

I changed the configuration as you suggested:

«

access-list outside_access_in extended permit tcp any object Webserver eq www

»

but it is still not working, and when I telnet to the public IP on port 50030, it still does not hit the access-list:

«

access-list outside_access_in line 57 extended permit tcp any object Webserver eq www 0xdbbb2b68
  access-list outside_access_in line 57 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0) 0xdbbb2b68

»

Can you please run packet-tracer and see if it is getting blocked anywhere?

Also, if it matches any of the rules above this rule in the access-list it will not show hit counts on this one, so please paste your access-list rules for outside_access_in if it is not too big.

Hello Jathaval,

You're right. But I still don't get it, because the packet is dropped due to an implicit rule (probably the last one that denies any any, right?):

«

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

»

So, why doesn't the packet match the rule we created for these particular packets?

«

access-list outside_access_in line 57 extended permit tcp any object Webserver eq www 0xdbbb2b68
  access-list outside_access_in line 57 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0) 0xdbbb2b68

»

The access-list applied to outside interface is this one:

«

access-list outside_access_in extended permit gre host 62.28.X.X any
access-list outside_access_in extended permit gre host 195.245.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 213.13.X.X any
access-list outside_access_in extended permit icmp any object-group SITES_LAN
access-list outside_access_in extended permit tcp any object Webserver eq www

»

Oh, the packet is getting dropped here because you are running packet-tracer to the interface IP, and also your static looks to be your outside interface IP.

If so, in the static NAT rules and interface rules use the keyword interface instead of the interface IP.

Regards,

Jitendriya

This is the config I have.

«

object network Webserver
host 192.168.100.100

access-list outside_access_in extended permit tcp any object Webserver eq www

object network Webserver
nat (inside,outside) static interface service tcp www 50030

access-group outside_access_in in interface outside

»

I am really missing something and I cannot understand what it is.

What test are you doing in packet-tracer, and what are you doing for real-world testing?

Please paste the command you use for packet-tracer.

Please move the access-list entry to line 1 in the access-group.

Thanks again for your patience,

I moved the access-list entry to line 1 but it is the same. Nothing hits.

In the "real world" I'm doing a telnet from another customer with an ADSL line.

When I telnet to port 50030 of the public IP, I don't see anything in the ASDM Real Time Log Viewer. But if I run the same command to port 80 (it should NOT work) I see the packet being denied in the ASDM Real Time Log Viewer.

The message that appears is (telnet to the ASA outside interface at port 80):

«

TCP access denied by ACL from 213.58.X.X/17927 to outside:194.38.X.X/80

»

With the same command but to port 50030, nothing appears. It seems like the packets don't reach the ASA. I made this test from several locations and the result is the same.

Regarding the packet-tracer command, I'm doing this:

«

packet-tracer input outside tcp 213.58.X.X 17927 194.38.X.X 50030

»

The result is this:

«

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   194.38.X.X   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

»
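Reading packet-tracer output by eye is fine for one trace, but when the same test has to be repeated after every config change it helps to pull out the three things that matter: which phase dropped the packet, what config line it cites, and whether an UN-NAT phase appeared before the ACCESS-LIST phase (on 8.3+ a packet matched by a static NAT rule shows an UN-NAT phase before the ACL is evaluated; a trace whose output interface is "NP Identity Ifc" with no UN-NAT phase was handled as to-the-box traffic instead). The parser below is an added example, not Cisco code or a tool from this thread; its sample text is the trace posted above, with the addresses masked as the poster left them.

```python
"""Parser for ASA 'packet-tracer' output: per-phase records plus the final
Result block. Added example, not Cisco code. SAMPLE is the trace from the
thread above (addresses masked by the original poster)."""
import re

SAMPLE = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   194.38.X.X   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_FIELDS = ("Type", "Subtype", "Result")


def parse_packet_tracer(text):
    """Return (phases, final). Each phase is a dict with phase/type/subtype/result
    and two lists, 'config' and 'info', holding the free-form lines printed under
    'Config:' and 'Additional Information:'. 'final' is the trailing Result block."""
    phases, final = [], {}
    current, bucket = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "config": [], "info": []}
            phases.append(current)
            bucket = None
            continue
        if line == "Result:":          # bare 'Result:' starts the summary block
            current = None
            continue
        key, sep, val = line.partition(":")
        if current is None:            # summary block: simple key: value pairs
            if sep:
                final[key.strip()] = val.strip()
        elif key in PHASE_FIELDS and sep:
            current[key.lower()] = val.strip()
            bucket = None
        elif key == "Config" and sep:
            bucket = current["config"]
        elif key == "Additional Information" and sep:
            bucket = current["info"]
        elif bucket is not None:       # free-form line under Config/Additional Information
            bucket.append(line.strip())
    return phases, final


def first_drop(phases):
    """The first phase whose Result is DROP, or None if the packet was allowed."""
    return next((p for p in phases if p.get("result") == "DROP"), None)


def unnat_precedes_acl(phases):
    """True when an UN-NAT phase comes before the ACCESS-LIST phase, i.e. a NAT
    rule matched and the ACL saw the real destination. False if no ACL phase."""
    seen_unnat = False
    for p in phases:
        if p.get("type") == "UN-NAT":
            seen_unnat = True
        if p.get("type") == "ACCESS-LIST":
            return seen_unnat
    return False


def summarize(text):
    """Compact verdict for one trace: where it dropped, why, and the NAT/ACL order."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "phases": len(phases),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop.get("type") if drop else None,
        "drop_config": " ".join(drop["config"]) if drop else "",
        "drop_reason": final.get("Drop-reason"),
        "output_interface": final.get("output-interface"),
        "unnat_before_acl": unnat_precedes_acl(phases),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```

For the trace above the summary reports a drop in phase 2 (ACCESS-LIST, "Implicit Rule"), reason "(acl-drop) Flow is denied by configured rule", output interface "NP Identity Ifc" and no UN-NAT phase before the ACL, which is the combination the following replies are reacting to.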

Hi,

access-list outside_access_in extended permit tcp any object Webserver eq www

So you are permitting port 80, not port 5030, which is blocked by the implicit deny from outside to inside or DMZ.

If you want the telnet on port 80 to work then you must change your NAT command and leave port 80, and if you want port 5030 to work you must change your ACL to permit this port.

Does it work when doing so?

Regards.

Don't forget to rate helpful posts.

If the server 192.168.100.100 listens on port 80 then what you have is correct. If you try the following URL from the browser

http://ip_address_of_interface:50030 it should work.

Try to add the access-list as line 1 and give it a shot.

conf t

access-list outside_access_in line 1 extended permit tcp any host 192.168.100.100 eq www

-KS

Hello Poonguzhali,

I tried your suggestion but it still does not work.

Yes, the real port is 80 on IP 192.168.100.100 and the "outside" port is 50030 on the outside IP of the ASA.

I have:

access-list outside_access_in line 1 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0)

But it is strange, because I'm doing a telnet to the outside interface on port 50030. So it should be something like this (also not hit):

access-list outside_access_in line 2 extended permit tcp any host 194.38.X.X eq 50030 (hitcnt=0)

nelson.mendes
Level 1

Another thing that I really don't understand is why, when I telnet to the ASA public IP at port 80, it appears in the Real Time Log Viewer (ASDM), and if I do the same telnet but to port 50030 nothing appears. It seems like the packet does not reach the ASA.

It appears so. A quick capture will prove it.

cap capout int outside match tcp any any eq 50030

Test your telnet to the interface IP address on port 50030 and look at the capture to see if there are any packets.

sh cap capout

If you do not see any packets you need to check the upstream router to see if it is even sending these packets towards the ASA.

-KS

You're right, Sankar,

I tested the command you suggested and the packets arrive at the ASA:

«

ASA-Customer-DatacenterC# show capture capout

4 packets captured

   1: 08:18:14.857804 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   2: 08:18:17.856599 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   3: 08:18:23.857530 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   4: 08:18:35.860642 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128

»

But it still does not hit the access-list.
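The capture settles the "packets never reach the ASA" question and also shows something the hit counters cannot: four SYNs with the same sequence number at roughly 3, 6 and 12 second spacing are a single client retransmitting, and since the ASA capture match clause records both directions, the absence of any packet from 194.38.X.X.50030 back to the client means no SYN/ACK and no RST ever left the box. The following Python reads ASA "show capture" lines and reports that per flow. It is an added example, not Cisco code or a tool from this thread; the sample text is the capture posted above with the addresses masked as the poster left them.

```python
"""Parse ASA 'show capture' output and check whether each client's SYNs got
any reply. Added example, not Cisco code. SAMPLE is the capture from the
thread above (addresses masked by the original poster)."""
import re
from collections import defaultdict

SAMPLE = """4 packets captured

   1: 08:18:14.857804 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   2: 08:18:17.856599 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   3: 08:18:23.857530 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   4: 08:18:35.860642 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
"""

# index, timestamp, src.port > dst.port: FLAGS rest-of-line
LINE = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)\s*(?P<rest>.*)$")
SEQ = re.compile(r"(?P<seq>\d+):\d+\(\d+\)")   # 'seq:end(len)'
ACK = re.compile(r"\back (?P<ack>\d+)")         # present on SYN/ACK and later segments


def _seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """One dict per packet line; header and blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        seq, ack = SEQ.search(m["rest"]), ACK.search(m["rest"])
        pkts.append({
            "n": int(m["n"]),
            "t": _seconds(m["ts"]),
            "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])),
            "flags": m["flags"],
            "seq": int(seq["seq"]) if seq else None,
            "ack": int(ack["ack"]) if ack else None,
        })
    return pkts


def handshake_report(pkts):
    """Group client SYNs by (client, server) and count packets seen in the reverse
    direction. Same-sequence SYNs with zero replies mean the handshake never
    started: the SYNs arrived and were silently dropped."""
    flows = defaultdict(lambda: {"syns": [], "replies": 0})
    for p in pkts:
        if p["flags"] == "S" and p["ack"] is None:        # initial SYN, not SYN/ACK
            flows[(p["src"], p["dst"])]["syns"].append(p)
    for p in pkts:
        for (client, server), f in flows.items():
            if p["src"] == server and p["dst"] == client:
                f["replies"] += 1
    report = {}
    for key, f in flows.items():
        times = [s["t"] for s in f["syns"]]
        report[key] = {
            "syn_count": len(f["syns"]),
            "same_seq": len({s["seq"] for s in f["syns"]}) == 1,
            "retransmit_gaps": [round(b - a, 3) for a, b in zip(times, times[1:])],
            "replies": f["replies"],
            "unanswered": f["replies"] == 0,
        }
    return report


if __name__ == "__main__":
    for flow, r in handshake_report(parse_capture(SAMPLE)).items():
        print(flow, r)
```

An unanswered flow in this report, taken together with the zero hit count on the permit entry, narrows the problem to what the ASA does with the packet after it arrives; a flow with replies but no data would point at the server instead.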
