03-29-2010 12:56 AM - edited 03-11-2019 10:26 AM
Hi,
I have a strange issue with PAT in Cisco ASA 5540 running Version 8.0(5).
We have a web server (172.16.20.8) which is in the DMZ listening on port 90. If anyone accesses the website from outside on port 80, the ASA should translate the port to 90. So I executed the command as follows.
"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"
Also I enabled the access-list on the outside interface
"access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www"
This time the website is not accessible from outside, showing the error "The IE cannot display the webpage".
When I ADD the following configuration to the ASA, it is working.
"static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255" (A direct NAT applied. The ASA showed a warning that there is a conflict with the existing PAT, but I ignored the warning.)
Also I have added an access-list on the outside interface - "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90"
ASA5540# show xlate -
"PAT Global 125.145.215.185(80) Local 172.16.20.8(90)"
"Global 125.145.215.185 Local 172.16.20.8"
Now the website can be accessed from outside. But I can see the translated port in the address bar.
What I understand from the troubleshooting is that the packets are going to the web server without any translation.
How can I resolve this issue? Please advise.
Thanks
GK
03-31-2010 08:54 PM
Thank you KS.
The server is listening on port 90. It can be accessed from both inside and outside by typing the port number with the http address.
I will post the syslog later.
Thanks
GK
04-16-2010 11:41 PM
Dears,
Sorry for the late reply. The developer was on leave.
My goal is to translate port 80 from outside to port 90 in the DMZ. Please find the syslog below.
Config:
ASA5540# access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www
ASA5540# static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255
Syslog:
4/15/2010 10:44:11 Local4.Critical 192.9.1.100 Apr 15 2010 10:44:11: %ASA-2-106001: Inbound TCP connection denied from 213.101.111.189/2082 to 125.145.215.185/90 flags RST on interface outside
4/15/2010 10:44:03 Local4.Critical 192.9.1.100 Apr 15 2010 10:44:03: %ASA-2-106001: Inbound TCP connection denied from 213.101.111.189/2151 to 125.145.215.185 /90 flags SYN on interface outside
When I permit tcp 90 on the outside interface and create a static NAT (config below), and the user tries to access http://125.145.215.185:90 from outside, it is working fine.
New config:
ASA5540# access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90
ASA5540# static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255
New syslog when permitting TCP 90:
Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953415 for outside:213.100.118.100/13406 (213.100.118.100/13406) to dmz:172.16.20.8/90 (125.145.215.185/90)
Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953414 for outside:213.100.118.100/13404 (213.100.118.100/13404) to dmz:172.16.20.8/90 (125.145.215.185/90)
Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953413 for outside:213.100.118.100/13403 (213.100.118.100/13403) to dmz:172.16.20.8/90 (125.145.215.185/90)
Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953412 for outside:213.100.118.100/13400 (213.100.118.100/13400) to dmz:172.16.20.8/90 (125.145.215.185/90)
Please advise why the 1st config was not working.
Thanks
GK
04-16-2010 11:56 PM
You have tried the following 2 statements:
1) static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255
2) static (web,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255
You mentioned the second statement works, but not the first. But they are 2 different interfaces. The first one is dmz, and the second one is web.
If you change your first line to the following:
static (web,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255
Does this work?
04-17-2010 02:08 AM
Hi Halijenn,
Thank you for the reply.
Both are the same interface. When I customized the current config for posting, I forgot to edit the interface name.
Please read it as follows.
1) static (dmz,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255
2) static (dmz,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255
Thanks
GK
04-17-2010 02:24 AM
OK, in that case, can you check/test the following:
1) Do you have "inspect http" configured on your global policy? If you do, can you please remove it?
2) Can you please test using a different port than port 80, maybe 8080, as follows:
static (dmz,outside) tcp 125.145.215.185 8080 172.16.20.8 90 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 8080
04-17-2010 03:36 AM
Thank you Halijenn,
We don't have an 'inspect http' config in the ASA.
I have applied the same config as you requested, but no positive result.
config:
static (dmz,outside) tcp 125.145.215.185 8086 172.16.20.8 90 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 8086
Syslog:
04-17-2010 13:16:41 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:41: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN on interface outside
04-17-2010 13:16:35 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:35: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN on interface outside
04-17-2010 13:16:32 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:32: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN on interface outside
04-17-2010 13:15:58 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:58: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN on interface outside
04-17-2010 13:15:52 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:52: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN on interface outside
04-17-2010 13:15:49 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:49: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN on interface outside
Thanks
GK
04-17-2010 03:40 AM
Don't use port 90 to test. Use port 8080.
04-17-2010 03:42 AM
Yes Halijenn,
I Used port 8086 for test.
Thanks
GK
04-17-2010 03:44 AM
Port 8080 you mean? not 8086.
But your syslog is showing you are using port 90, hence it's being denied.
04-17-2010 03:46 AM
OK. I will use port 8080 instead of 8086, and will update you with the syslog.
Thanks GK
04-17-2010 03:58 AM
Hi Halijenn,
No hope!
Syslog:
04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN on interface outside
04-17-2010 13:48:33 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:33: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN on interface outside
04-17-2010 13:48:30 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:30: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN on interface outside
Config:
static (web,outside) tcp 125.145.215.185 8080 172.16.20.8 90 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 8080
So I tried http://125.145.215.185:8080 from outside, but no way!
Thanks
GK
04-17-2010 04:03 AM
Have you done a "clear xlate" and also removed the static 1:1 that you had earlier:
static (web,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255
04-17-2010 04:10 AM
Yes Halijenn,
I did a clear xlate whenever I changed the NAT config; also, the NAT 1:1 was not there.
We are using an IPS sensor in front of the ASA. That means any outside request will first hit the IPS. The inspection engine was switched off and the issue tested. But no hope.
Thanks
GK
04-17-2010 05:02 AM
The syslog does not match the configuration and your test.
You tested it on port 8080, but the syslog saw the connection towards port 90:
04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN on interface outside
04-17-2010 05:15 AM
Hi Halijenn,
The server is listening on port 90 from inside. So the packet should go to port 90 after the port translation.
That means from outside (x.x.x.x/8080) to dmz: 172.16.20.8/90 (125.145.215.185/90)
That's why the syslog is showing port 90.
Thanks
GK
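The disagreement in the last two posts comes down to how to read a %ASA-2-106001 line: the port it reports is the destination port as it arrived on the outside interface, before any translation, so a denial "to 125.145.215.185/90" means the client asked for port 90, not that the ASA translated 8080 to 90. The following script is an added example, not code from the thread or from Cisco; it parses the pre-8.3 `static (real,mapped) tcp ...` and `static (real,mapped) ...` forms and the 106001 syslog format exactly as they appear above, then reports for each denied connection whether any static entry would have translated that destination port. The well-known port-name table and the rule that a port-specific static is checked before a 1:1 static for the same mapped address are simplifying assumptions of this script (the thread shows the ASA warning about such an overlap). The sample config and syslog lines are copied from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed table of ASA port keywords; only "www" appears in the thread.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22}

# static (dmz,outside) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> netmask ...
STATIC_PAT_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>[\d.]+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>[\d.]+)\s+(?P<real_port>\S+)"
)
# static (dmz,outside) <mapped_ip> <real_ip> netmask ...   (1:1, all ports)
STATIC_1TO1_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<mapped_ip>[\d.]+)\s+(?P<real_ip>[\d.]+)\s+netmask"
)
# %ASA-2-106001 as posted; "\s*/" tolerates the stray space seen in one line of the thread.
DENY_RE = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)\s*/(?P<dport>\d+) flags (?P<flags>\S+) on interface (?P<iface>\w+)"
)

# Constructed sample input, copied from the thread's last failing test.
THREAD_CONFIG = [
    "ASA5540# static (dmz,outside) tcp 125.145.215.185 8080 172.16.20.8 90 netmask 255.255.255.255",
    "ASA5540# access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 8080",
]
THREAD_SYSLOG = [
    "04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN on interface outside",
    "04-17-2010 13:48:33 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:33: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN on interface outside",
    "04-17-2010 13:48:30 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:30: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185 /90 flags SYN on interface outside",
]


def port_number(token: str) -> int:
    """Resolve an ASA port keyword such as 'www' or a numeric port string."""
    return PORT_NAMES.get(token.lower()) or int(token)


def parse_statics(config_lines: List[str]) -> List[Dict]:
    """Extract static PAT (with ports) and 1:1 static (mapped_port None) entries."""
    statics = []
    for raw in config_lines:
        line = raw.split("#", 1)[-1].strip()  # drop an "ASA5540#" prompt if present
        m = STATIC_PAT_RE.search(line)
        if m:
            statics.append({"real_ip": m["real_ip"], "real_port": port_number(m["real_port"]),
                            "mapped_ip": m["mapped_ip"], "mapped_port": port_number(m["mapped_port"])})
            continue
        m = STATIC_1TO1_RE.search(line)
        if m:
            statics.append({"real_ip": m["real_ip"], "real_port": None,
                            "mapped_ip": m["mapped_ip"], "mapped_port": None})
    return statics


def translate_inbound(statics: List[Dict], mapped_ip: str, dport: int) -> Optional[Tuple[str, int]]:
    """Real host:port an inbound packet to mapped_ip:dport would be sent to, or None.
    Assumption: a port-specific static wins over a 1:1 static for the same mapped address."""
    for s in statics:
        if s["mapped_ip"] == mapped_ip and s["mapped_port"] == dport:
            return s["real_ip"], s["real_port"]
    for s in statics:
        if s["mapped_ip"] == mapped_ip and s["mapped_port"] is None:
            return s["real_ip"], dport
    return None


def analyze_denials(config_lines: List[str], syslog_lines: List[str]) -> List[Dict]:
    """For each 106001 denial, say whether the pre-translation destination port had a static entry."""
    statics = parse_statics(config_lines)
    findings = []
    for line in syslog_lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        pat_ports = sorted({s["mapped_port"] for s in statics
                            if s["mapped_ip"] == dst and s["mapped_port"] is not None})
        xlate = translate_inbound(statics, dst, dport)
        if xlate is None:
            verdict = (f"no static entry maps {dst}:{dport}; configured mapped port(s): "
                       f"{pat_ports or 'none'}. The client requested port {dport} itself, so no PAT applied.")
        else:
            verdict = f"would translate to {xlate[0]}:{xlate[1]}; check that the outside ACL permits port {dport}"
        findings.append({"src": f"{m['src']}/{m['sport']}", "dst_port": dport,
                         "translated_to": xlate, "configured_pat_ports": pat_ports, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze_denials(THREAD_CONFIG, THREAD_SYSLOG):
        print(f"{f['src']} -> :{f['dst_port']}  {f['verdict']}")
```

Run against the thread's own lines it reports that port 90 matched no static while 8080 was the only mapped port configured, which is the mismatch Halijenn pointed out: the 106001 line proves a request for port 90 reached the outside interface, so the test at :8080 never produced those entries. The same parser applied to the original `www` static confirms that a request to port 80 would translate to 172.16.20.8:90, while a request to port 90 has no translation unless the 1:1 static is present.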