ASA 8.3 PAT problem

nelson.mendes
Level 1

Hello everyone,

I have a customer with an ASA running version 8.3. The customer wants to do PAT from the public ASA IP to several internal IP addresses on the inside interface (different ports).

Something like: everyone who telnets to port 50030 on the public ASA IP is sent to port 80 on a private IP address.

I configured the ASA this way:

«

object network Webserver
host 192.168.100.100


object network Webserver
nat (inside,outside) static interface service tcp 80 50030


access-list outside_access_in extended permit tcp any object Webserver eq 50030


access-group outside_access_in in interface outside

»

When I type the command «show xlate» I get this result:

«

show xlate | inc 192.168.100.100

TCP PAT from inside:192.168.100.100 80-80 to  outside:194.38.X.X 50030-50030
»

So I assume the NAT is set up correctly. The question is that, from the outside, when I telnet to 194.38.X.X port 50030, it doesn't hit the access-list.
Port 80 on the private IP is open and I can telnet to it from the inside.

Any help ?

Nelson
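An added example (not Nelson's configuration or anything posted in this thread) of the same static PAT written the way ASA 8.3 expects it, together with the verification commands a practitioner would run. From 8.3 on, an interface access-list is evaluated against the real (untranslated) address and port, so the outside ACL must permit port 80 on the real host rather than the mapped port 50030. The outside address 203.0.113.1 and the test client 203.0.113.50 are placeholders (the post's 194.38.X.X is not shown); if the ACL still shows no hits, packet-tracer names the phase that drops the packet.

```text
! Added example, not from the thread. Addresses are placeholders:
! 203.0.113.1 = ASA outside interface, 203.0.113.50 = test client.

! Object NAT: real 192.168.100.100:80 is published as <outside-ip>:50030.
! The syntax is "service tcp <real_port> <mapped_port>".
object network Webserver
 host 192.168.100.100
 nat (inside,outside) static interface service tcp 80 50030

! From 8.3 on, interface ACLs see the packet after NAT un-translation,
! so the rule must match the REAL address and the REAL port (80),
! not the mapped port 50030.
access-list outside_access_in extended permit tcp any object Webserver eq 80
access-group outside_access_in in interface outside

! Verification: simulate a client connecting to the mapped port. The
! output lists each phase (UN-NAT, ACCESS-LIST, NAT, ...) and shows
! which phase drops the packet if it is not allowed.
packet-tracer input outside tcp 203.0.113.50 40000 203.0.113.1 50030 detailed

! Confirm the translation and the ACL hit count afterwards.
show nat detail
show xlate | include 192.168.100.100
show access-list outside_access_in

! Live traffic: capture with "trace" on the outside interface, then read
! the per-packet trace the same way as packet-tracer output.
capture capout interface outside trace match tcp any host 203.0.113.1 eq 50030
show capture capout trace
```

The packet-tracer and capture-with-trace output is the evidence to collect before opening a case: the phase marked as the drop (for example ACCESS-LIST with the ACL name) tells you whether the ACL or the NAT rule is at fault.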

25 Replies

This is the first entry of my access-list that is applied to the outside interface (access-group outside_access_in in interface outside):

«

access-list outside_access_in line 1 extended permit tcp any host 194.38.X.X eq 50030 (hitcnt=0)

»

The packets appear in show capture but don't hit the entry in the access-list. WHY??

Hi,

They don't hit your ACL entry because you are referencing the public IP, and you must reference the real IP.

Regards.

Don't forget to rate helpful posts.

Hello Cadetalain,

It's not that, because I have all these entries in the access-list:

«

access-list outside_access_in extended permit tcp any host 194.38.X.X eq 50030
access-list outside_access_in extended permit tcp host 213.58.X.X any eq www
access-list outside_access_in extended permit tcp host 213.58.X.X any eq 50030
access-list outside_access_in extended permit tcp any object Webserver eq 50030
access-list outside_access_in extended permit tcp any object Webserver eq www

(213.58.X.X is the IP of the router from which I'm testing telnet to the port.)

»

The packets don't hit any of these entries.

I put this entry in the access-list (with the real private IP address), but it is exactly the same (no hits):

«

access-list outside_access_in line 1 extended permit ip any host 192.168.100.100 (hitcnt=0)

»

OK. This is very interesting. Could you please quickly open a TAC case and provide the case number here?

I will take a look.

On the capture command that I gave you, you can include the word "trace" at the end and issue "sh cap capout trace" to see where we are dropping the packet.

-KS

Hi Nelson,

I have the same problem with ASA 8.3.2.

Do you have a resolution yet from CCO?

regards,

Herbert

Yeah, any answer for this problem yet?

Foo,

I am not sure whether Nelson opened a TAC case or whether this issue is resolved. We do need the output that I requested earlier in the thread: a capture with the trace option.

-KS

That's too bad... as I think I'm hitting a similar issue (not exact, just similar), and I will look into it further before submitting a TAC case.

Hello,

I have found a solution for my problem:

Since this NAT is a "source NAT" and the service object defaults to a destination service object, I changed the configuration of the service object like this:

object service obj-https-service
 service tcp source eq https

(in CSM this looks like tcp/443/Default Range)

Then the NAT is:

nat (inside,outside) 1 source static obj-real interface service obj-https-service obj-https-service

regards,

Herbert
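An added example (not Herbert's configuration or anything else posted in this thread) that carries his point over to the original question: the same 80-to-50030 publishing done with manual (twice) NAT and service objects, which is the form his fix uses. It goes beyond his case in that the real and mapped ports differ, so two service objects are needed. Object names are assumptions; the "wrong" object is shown commented out so the difference between the source and destination form is visible.

```text
! Added example, not from the thread. Object names are assumptions.
! Goal: inside 192.168.100.100:80 published on the outside interface IP,
! port 50030, using manual (twice) NAT instead of object NAT.

object network obj-real
 host 192.168.100.100

! In a "source static" rule the service objects describe the SOURCE port
! of the real host (the server answers from port 80). An object written
! with "destination" describes the client's side of the flow and is not
! what this rule translates, which is the trap Herbert ran into.
!
! Wrong form for this rule (destination port):
! object service obj-web-wrong
!  service tcp destination eq 80
!
! Correct form: real source port and mapped source port, one object each.
object service obj-web-real
 service tcp source eq 80
object service obj-web-mapped
 service tcp source eq 50030

! "service <real_src_obj> <mapped_src_obj>": 192.168.100.100:80 appears
! on the outside as <interface-ip>:50030. With "interface" as the mapped
! address the service keyword is required.
nat (inside,outside) 1 source static obj-real interface service obj-web-real obj-web-mapped

! The outside ACL still matches the real address and the real port.
access-list outside_access_in extended permit tcp any object obj-real eq 80
access-group outside_access_in in interface outside

! Check: the rule is listed under the manual NAT policies (Section 1),
! and packet-tracer should pass a client hitting the mapped port.
show nat detail
packet-tracer input outside tcp 203.0.113.50 40000 203.0.113.1 50030
```

When the real and mapped ports are the same, as in Herbert's HTTPS case, the same service object is given twice.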

Glad to hear that. That is a very good point to note. But in this thread I believe it fails when specifically specifying the port number without using a service object.

-KS
