02-11-2012 07:47 PM - edited 03-11-2019 03:28 PM
Hello,
I am moving all of my NAT/PAT from my 2800 series to my ASA. I have a few things working, including multiple outside IP addresses and dynamic NAT, as well as outside access for a few servers.
My two problems are as follows:
1).
For the life of me I cannot get PAT working when I want to access an internal web server using a different port on the outside interface.
For example I have added this:
object network test.obj
host 192.168.184.11
nat (inside,outside) static outside-ip-100.1.1.1 service tcp www 8080
This adds the NAT statements into the network object NAT list and it all makes sense. Then I add the ACL:
access-list outside_access_in extended permit tcp any object test.obj eq http-81
I see no hits on the acl when I try from an outside device, and the packet-tracer keeps telling me I have a nat problem with the reverse path forwarding check.
xlate shows this:
5520-fw# show xlate | i 100.1.1.1
TCP PAT from inside:192.168.184.11 80-80 to outside:100.1.1.1 81-81
NAT from inside:192.168.184.11 to outside:100.1.1.1
I have no idea why; I have followed many examples and I still get nothing. I also get no access to the internet on the computer running the web server unless I add another dynamic NAT statement pointing a different network object with the same host IP to the same outside IP address, e.g.:
object network test.obj-dynamic
host 192.168.184.11
nat (inside,outside) dynamic outside-ip-100.1.1.1
Still after that I get no connection from the outside to the web server
2).
Second problem.
I had moved our main web server over to the ASA and access from the outside worked for a few minutes, I think, as I had hits on the ACL. Then it stopped working and the logs showed a huge list of teardowns, and it looked like they were all DNS requests. I am assuming this is a problem with the virtual hosts on the web server and the DNS inspection that the ASA is doing. So I added the dns keyword at the end of the nat command and it did not solve my problem. So I am thinking the first problem with the RPF check is related to this problem.
I have a couple of other web servers going through the ASA with no problems, but they are not running on Apache and using virtual hosts; they are single stand-alone web servers.
Any idea what I am doing wrong?
Thanks,
Dan.
02-12-2012 07:01 AM
I think there is some kind of bug in the ASA. I set up a test web server (192.168.75.208), and I added two network objects:
object network dan-laptop-pat
host 192.168.75.208
nat (inside,outside) static interface service tcp www www
object network dan-laptop
host 192.168.75.208
nat (any,outside) dynamic interface
So the device can get out onto the internet because of the second statement and I can access it remotely because of the first statement. So everything works fine.....
But when I use packet-tracer and I run a test it says it doesn't work! Yet it actually works....
Proof from the log file that it works:
6|Feb 12 2012|08:59:11|302014|68.171.231.80|43273|192.168.75.208|80|Teardown TCP connection 28185054 for outside:68.171.231.80/43273 to inside:192.168.75.208/80 duration 0:00:01 bytes 5904 TCP FINs
6|Feb 12 2012|08:59:09|302013|68.171.231.80|43273|192.168.75.208|80|Built inbound TCP connection 28185054 for outside:68.171.231.80/43273 (68.171.231.80/43273) to inside:192.168.75.208/80 (217.77.77.77/80)
Any ideas on what is happening?
Dan.
02-12-2012 05:57 PM
Hello Dan,
Yep, you are doing the packet-tracer to the private IP address; you should do it to the public IP address of the server.
Do rate helpful posts
Julio
02-12-2012 06:08 PM
Thank you for the reply, I have been pulling my hair out on this one....
If I use the public ip as you stated it all looks like it works fine in the packet tracer but in reality it does not work.
For example:
object network dan-laptop
host 192.168.75.208
object network dan-laptop-pat
host 192.168.75.208
This WORKS:
object network dan-laptop-pat
nat (inside,outside) static interface service tcp www www
!
nat (inside,outside) after-auto source static dan-laptop internet-75
access-list outside_access_in extended permit object http any object dan-laptop-pat
This DOES NOT WORK:
object network dan-laptop-pat
nat (inside,outside) static interface service tcp www 81
!
nat (inside,outside) after-auto source static dan-laptop internet-75
access-list outside_access_in extended permit object http-81 any object dan-laptop-pat
Am I doing the wrong kind of nat to make this work?
Thanks
Dan.
02-13-2012 03:31 PM
Found out it was a problem with the web server not accepting the request like that. I tried a different web server and now the port translation works.
02-13-2012 03:36 PM
Hello Dan,
That is correct. As I told you before, the configuration is okay.
Please mark the question as answered, so future users can learn from this.
Regards,
Julio
02-13-2012 04:36 PM
Sorry, I spoke too soon; this is not solved and still not working. I cannot PAT anything on my ASA using 8.4. Looks like this may be a bug because no scenario works.
02-13-2012 04:43 PM
Hello Dan,
So you are saying your internal users cannot get PATed to the outside interface?
Please provide sh run nat, then we will start working on captures if I do not see something strange.
Regards,
Julio
02-13-2012 04:49 PM
My issue is with outside access in. Not inside access out, that seems to be fine.
For example if I do this:
object network web03
host 10.5.0.13
object network web03-p81
host 10.5.0.13
object service http-proxy
service tcp destination eq 8080
object network internet.77
host 77.77.77.77
object network web03-p81
nat (inside,outside) static internet.77 service tcp www 8080
!
nat (inside,outside) after-auto source static web03 internet.77
access-list outside_access_in extended permit object http-proxy any object web03-p81
When trying to access the web server using http://77.77.77.77:8080, the log shows that the device is trying to access it using port 80?
18:31:15 | 106023 | 68.121.131.81 | 20347 | 10.5.0.13 | 80 | Deny tcp src outside:68.121.131.81/20347 dst inside:10.5.0.13/80 by access-group "outside_access_in" [0x0, 0x0] |
If I add an access list that allows port 80 it all works, yet I am typing :8080 in the web address...
02-13-2012 05:00 PM
object service http-proxy
no service tcp destination eq 8080
service tcp source eq 8080
Then give it a try!!!
02-13-2012 05:14 PM
Still no go. It is still hitting the box using port 80 instead of 8080 according to the logs
4 | Feb 13 2012 | 19:04:43 | 106023 | 68.121.131.80 | 63464 | 10.5.0.13 | 80 | Deny tcp src outside:68.121.131.80/63464 dst inside:10.5.0.13/80 by access-group "outside_access_in" [0x0, 0x0] |
I also tried from a different external system and still same problem.
02-13-2012 05:21 PM
Hello Dan,
Okay so basically this is what you need: access the ASA using port 8080 And then be redirected to the internal host on port 80 right?
object network web03-p81
host 10.5.0.13
object service http-proxy
service tcp source eq 8080
object service http
service tcp source eq 80
object network internet.77
host 77.77.77.77
Outside ip is 77.77.77.77 and internal box is 10.5.0.13 right?
So lets do it like this:
nat (inside,outside) source static web03-p81 internet.77 service http http-proxy
access-list outside_access_in permit tcp any host 10.5.0.13 eq 80
access-group outside_access_in in interface outside
Regards,
Julio
02-13-2012 05:37 PM
OK, so this works, sort of... I can access the site using http://77.77.77.77:8080 now, but I can still access the site using http://77.77.77.77/, and I don't want to be able to do that.
02-13-2012 05:39 PM
Hello Dan,
So remove all you configured before related to that and leave what I sent you; that is the only one that should work from an outside user!
02-13-2012 05:43 PM
Yes, everything was removed and I entered what you sent, but I still can access it on port 80 and 8080 from the outside.
Dan.
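The two things that trip Dan up in the exchange above (the 106023 deny showing dst 10.5.0.13/80 when he typed :8080, and port 80 still being reachable after the static PAT was added) both follow from how an ASA on 8.3 and later processes an inbound packet: it un-NATs the destination first, and only then matches the interface ACL, against the real (inside) address and real port. The ACL therefore has to permit 10.5.0.13 port 80, exactly as Julio's answer does; an entry for 8080 can never match. A 1:1 static such as `nat (inside,outside) after-auto source static web03 internet.77` keeps every port, so if such a rule is still present, outside port 80 is carried straight through to inside port 80 and the ACL is the only thing limiting it. The model below is an added illustration written for this edit, not ASA code or anything from the thread; it uses the thread's addresses and ports, and it assumes (since Dan says he removed his earlier rules) that a leftover all-ports static is one mechanism that produces his final symptom, not the only one.

```python
"""Toy model of how an ASA running 8.3+ handles an inbound connection:
the packet is un-NATed first, then the interface ACL is matched against
the REAL (inside) address and port. Added illustration, not ASA code;
addresses, ports and rule names are taken from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    section: int            # 1 = manual (twice) NAT, 2 = object NAT, 3 = after-auto
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None    # both None => 1:1 static, every port
    mapped_port: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    dst_ip: str             # real (untranslated) destination, as on 8.3+
    dst_port: int
    action: str = "permit"


def un_nat(rules: List[NatRule], mapped_ip: str, mapped_port: int) -> Optional[Tuple[str, int]]:
    """Inbound xlate lookup: sections are searched in order, first match wins."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.mapped_ip != mapped_ip:
            continue
        if rule.mapped_port is None:                 # 1:1 static: port carried through
            return rule.real_ip, mapped_port
        if rule.mapped_port == mapped_port:          # static PAT: port rewritten
            return rule.real_ip, rule.real_port
    return None


def acl_lookup(acl: List[AclEntry], real_ip: str, real_port: int) -> str:
    for entry in acl:
        if entry.dst_ip == real_ip and entry.dst_port == real_port:
            return entry.action
    return "deny"                                    # implicit deny at the end


def inbound(rules, acl, mapped_ip, mapped_port):
    """Returns ('built', real_ip, real_port) like a 302013 message,
    or ('deny', reason) like the 106023 seen in the thread."""
    target = un_nat(rules, mapped_ip, mapped_port)
    if target is None:
        return ("deny", "no translation for %s/%d" % (mapped_ip, mapped_port))
    real_ip, real_port = target
    if acl_lookup(acl, real_ip, real_port) != "permit":
        return ("deny", "acl dst %s/%d" % (real_ip, real_port))
    return ("built", real_ip, real_port)


# Julio's rule: nat (inside,outside) source static web03-p81 internet.77 service http http-proxy
PAT_8080 = NatRule(section=1, real_ip="10.5.0.13", mapped_ip="77.77.77.77",
                   real_port=80, mapped_port=8080)
# Dan's earlier rule: nat (inside,outside) after-auto source static web03 internet.77
STATIC_ALL_PORTS = NatRule(section=3, real_ip="10.5.0.13", mapped_ip="77.77.77.77")

ACL_REAL_PORT = [AclEntry("10.5.0.13", 80)]      # permit tcp any host 10.5.0.13 eq 80
ACL_MAPPED_PORT = [AclEntry("10.5.0.13", 8080)]  # an entry on the mapped port: never matches


def scenarios():
    """Constructed cases mirroring the thread; keys are labels chosen for this example."""
    return {
        "acl_on_8080": inbound([PAT_8080], ACL_MAPPED_PORT, "77.77.77.77", 8080),
        "acl_on_80": inbound([PAT_8080], ACL_REAL_PORT, "77.77.77.77", 8080),
        "port80_pat_only": inbound([PAT_8080], ACL_REAL_PORT, "77.77.77.77", 80),
        "port80_with_static": inbound([PAT_8080, STATIC_ALL_PORTS], ACL_REAL_PORT, "77.77.77.77", 80),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> {result}")
```

The practical check on a real box is `show nat detail`, looking for any remaining all-ports static covering 10.5.0.13 or 77.77.77.77, and then `packet-tracer input outside tcp <src-ip> <src-port> 77.77.77.77 80` against the public address, as Julio advises; a "built" result on port 80 means a rule other than the service-limited static PAT is translating it. From a least-exposure standpoint the service-limited rule is the one to keep: a 1:1 static publishes every listening port on the host and leaves the ACL as the sole control.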