New Member

ASA 8.3 Pat problem

Hello everyone,

I have a customer with an ASA 8.3 version. The customer wants to make PAT from the public ASA IP to several internal IP addresses on the inside interface (different ports).

Something like: everyone who telnets to port 50030 on the public ASA IP is sent to port 80 on a private IP address.

I configured the ASA this way:

«

object network Webserver
host 192.168.100.100


object network Webserver
nat (inside,outside) static interface service tcp 80 50030


access-list outside_access_in extended permit tcp any object Webserver eq 50030


access-group outside_access_in in interface outside

»

When I type the command «show xlate» I have this result:

«

show xlate | inc 192.168.100.100

TCP PAT from inside:192.168.100.100 80-80 to  outside:194.38.X.X 50030-50030
»

So I assume the NAT is well done. The question is that, from the outside, when I telnet to 194.38.X.X port 50030, it doesn't hit the access-list.
Port 80 on the private IP is open and I can telnet to it from the inside.

Any help?

Nelson

25 REPLIES
Cisco Employee

Re: ASA 8.3 Pat problem

Change your access-list to

access-list outside_access_in extended permit tcp any object Webserver eq 80

Your translated port is 50030 and the original port is 80, correct?
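
As an added example (not from this thread or from Cisco), here is a small Python check for the mistake this reply points at: on ASA 8.3 and later the access rule must reference the real (pre-NAT) address and port, so an ACL entry written against the mapped port 50030 never matches the untranslated flow. The config lines are constructed from the thread, the port-name table is a small assumed subset, and only the object-NAT and ACL syntax shown here is parsed.

```python
import re

# Constructed sample: the object NAT and ACL from the original post (ACL written
# with the mapped port 50030) and the same config with the ACL on the real port.
CONFIG_MAPPED_PORT = """
object network Webserver
 host 192.168.100.100
object network Webserver
 nat (inside,outside) static interface service tcp 80 50030
access-list outside_access_in extended permit tcp any object Webserver eq 50030
"""
CONFIG_REAL_PORT = CONFIG_MAPPED_PORT.replace("eq 50030", "eq www")

OBJ_RE = re.compile(r"^\s*object network (\S+)\s*$")
NAT_RE = re.compile(r"^\s*nat \(\w+,\w+\) static \S+ service (tcp|udp) (\S+) (\S+)\s*$")
ACL_RE = re.compile(r"^\s*access-list \S+ extended permit (tcp|udp) \S+ object (\S+) eq (\S+)\s*$")

# A few of the port keywords the ASA CLI substitutes for numbers (assumed subset).
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "telnet": "23", "ssh": "22"}

def norm_port(port):
    return PORT_NAMES.get(port, port)

def find_mapped_port_acls(config):
    """Return (object, real_port, acl_port) for every ACL entry that matches a
    port-translated object on its mapped port; on 8.3+ the ACL must use the
    real port, so such an entry never sees the untranslated flow."""
    nats, acls, current = {}, [], None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            nats[current] = (m.group(1), norm_port(m.group(2)), norm_port(m.group(3)))
        elif m := ACL_RE.match(line):
            acls.append((m.group(2), m.group(1), norm_port(m.group(3))))
    findings = []
    for obj, proto, port in acls:
        if obj in nats and nats[obj][0] == proto:
            _, real, mapped = nats[obj]
            if port == mapped and port != real:
                findings.append((obj, real, port))
    return findings

if __name__ == "__main__":
    print(find_mapped_port_acls(CONFIG_MAPPED_PORT))  # [('Webserver', '80', '50030')]
    print(find_mapped_port_acls(CONFIG_REAL_PORT))    # []
```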

New Member

Re: ASA 8.3 Pat problem

Many thanks jathaval,

I changed the configuration as you suggested:

«

access-list outside_access_in extended permit tcp any object Webserver eq www

»

but it is still not working, and when I telnet to the public IP on port 50030 it still doesn't hit the access-list:

«

access-list outside_access_in line 57 extended permit tcp any object Webserver eq www 0xdbbb2b68
  access-list outside_access_in line 57 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0) 0xdbbb2b68

»

Cisco Employee

Re: ASA 8.3 Pat problem

Can you please run packet tracer and see if it is getting blocked anywhere?

Also, if it matches any of the rules above this rule in the access-list it will not show hit counts on this one, so please paste your access-list rules for outside_access_in if it is not too big.

New Member

Re: ASA 8.3 Pat problem

Hello Jathaval,

You're right. But I still don't get it, because the packet is dropped due to an implicit rule (probably the last one that denies any any, right?):

«

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

»

So, why doesn't the packet match the rule we created for these particular packets?

«

access-list outside_access_in line 57 extended permit tcp any object Webserver eq www 0xdbbb2b68
  access-list outside_access_in line 57 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0) 0xdbbb2b68

»

The access-list applied to outside interface is this one:

«

access-list outside_access_in extended permit gre host 62.28.X.X any
access-list outside_access_in extended permit gre host 195.245.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 213.13.X.X any
access-list outside_access_in extended permit icmp any object-group SITES_LAN
access-list outside_access_in extended permit tcp any object Webserver eq www

»

Cisco Employee

Re: ASA 8.3 Pat problem

Oh, the packet is getting dropped here because you are running packet tracer to the interface IP, and your static also looks to be your outside interface IP.

If so, in the static NAT rules and interface rules use the keyword interface instead of the interface IP.

Regards,

Jitendriya

New Member

Re: ASA 8.3 Pat problem

This is the config I have.

«

object network Webserver

host 192.168.100.100

access-list outside_access_in extended permit tcp any object Webserver eq www

object network Webserver

nat (inside,outside) static interface service tcp www 50030

access-group outside_access_in in interface outside

»

I am really missing something and I cannot understand what it is.

Cisco Employee

Re: ASA 8.3 Pat problem

What test are you doing in packet tracer and while doing real-world testing?

Please paste the command you use for packet tracer.

Please move the access-list applied to line 1 in the access-group.

New Member

Re: ASA 8.3 Pat problem

Thanks again for your patience,

I moved the access-list to line 1 but it is the same. Nothing hits.

In the "real world" I'm doing a telnet from another customer with an ADSL line.

When I telnet to port 50030 of the public IP, I don't see anything in the ASDM Real Time Log Viewer. But if I run the same command to port 80 (it should NOT work) I see the packet being denied in the ASDM Real Time Log Viewer.

The message that appears is (telnet to the ASA outside interface at port 80):

«

TCP access denied by ACL from 213.58.X.X/17927 to outside:194.38.X.X/80

»

The same command but to port 50030: nothing appears. It seems like the packets don't reach the ASA. I made this test from several locations and the result is the same.

Regarding the packet-tracer command, I'm doing this:

«

packet-tracer input outside tcp 213.58.X.X 17927 194.38.X.X 50030

»

The result is this:

«

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   194.38.X.X   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

»
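
As an added example (not from this thread or from Cisco), the following Python helper parses packet-tracer output like the one above into phases and a summary, reports the first DROP phase with its rule and drop reason, and flags an output interface of NP Identity Ifc, which the ASA uses for traffic addressed to the box itself rather than forwarded through a NAT rule. The trace text is a constructed, trimmed copy of the post's output.

```python
# Constructed sample, trimmed from the packet-tracer output in the post above.
TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """Return ([phase dicts], summary dict); colon-less lines such as
    "Implicit Rule" under "Config:" are folded into the preceding field."""
    phases, summary, cur = [], {}, None
    for line in trace.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1])}
            phases.append(cur)
        elif line.strip() == "Result:":      # bare header opens the summary block
            cur = summary
        elif ":" in line and cur is not None:
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
        elif line.strip() and cur is not None:
            last = list(cur)[-1]              # continuation of the previous field
            cur[last] = (cur[last] + " " + line.strip()).strip()
    return phases, summary

def triage(trace):
    """Where did the trace drop, and was the flow classified as to-the-box traffic?"""
    phases, summary = parse_trace(trace)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    return {
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop.get("type") if drop else None,
        "drop_config": drop.get("config") if drop else None,
        "drop_reason": summary.get("drop-reason"),
        "to_the_box": summary.get("output-interface") == "NP Identity Ifc",
    }

if __name__ == "__main__":
    print(triage(TRACE))
```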

Purple

Re: ASA 8.3 Pat problem

Hi,

access-list outside_access_in extended permit tcp any object Webserver eq www

So you are permitting port 80, not port 50030, which is blocked by the implicit deny from outside to inside or DMZ.

If you want the telnet on port 80 to work then you must change your NAT command and leave port 80, and if you want port 50030 to work you must change your ACL to permit this port.

Does it work when doing so?

Regards.

Don't forget to rate helpful posts.