cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8250
Views
0
Helpful
40
Replies

ASA port translation (PAT) Issue

gopakumarmk
Level 1
Level 1

Hi,
I have a strange issue with PAT in Cisco ASA 5540 running Version 8.0(5).

We have a web server (172.16.20.8) which is in DMZ listening port 90. If anyone access from outside to the website on port 80 the ASA should translate the port on 90. So I execute the command as follows.

"static (DMZ,outside) tcp 125.145.215.185 www 172.16.20.8 90 netmask 255.255.255.255"

Also I enabled the access-list in outside interface

"access-list outside_access_in extended permit tcp any host 125.145.215.185 eq www"

This time the website is not accessing from outside, showing error " The IE cannot display the webpage"

When I ADD the following configuration to ASA, it is working.

"static (DMZ,outside) 125.145.215.185 172.16.20.8 netmask 255.255.255.255" ( A direct nat applied. ASA showing a warning that there is conflict with existing PAT, but i ignored the warning)

Also I have added access-list in outside interface - "access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90"

ASA5540# show xlate -
"PAT Global 125.145.215.185(80) Local 172.16.20.8(90)"
"Global 125.145.215.185 Local 172.16.20.8"

Now the website can access from outside.But can see the translated port on the address bar.

What I understand from the troubleshooting is the packets are going to webserver without any translation.

How can I resolve this issue, Please advice.

Thanks
GK

40 Replies 40

Thank you KS.

The server is listening on port 90. can be access from both inside and outside, by typing the port number with http address.

I will post the syslog later.

Thanks

GK

Dears,

Sorry for the late reply. The developer was on leave.

My goal is to translate port 80 from outside to port 90 dmz. Please find the syslog below.

Config:

ASA5540# access-list outside_access_in extended permit tcp any host 125.145.215.185  eq www
ASA5540# static (dmz,outside) tcp 125.145.215.185  www 172.16.20.8 90 netmask 255.255.255.255

Sys Log:

4/15/2010 10:44:11 Local4.Critical              192.9.1.100         Apr 15 2010 10:44:11: %ASA-2-106001: Inbound TCP connection denied from 213.101.111.189/2082 to 125.145.215.185/90 flags RST  on interface outside

4/15/2010            10:44:03               Local4.Critical     192.9.1.100         Apr 15 2010 10:44:03: %ASA-2-106001: Inbound TCP connection denied from 213.101.111.189/2151 to 125.145.215.185 /90 flags SYN  on interface outside

When I permit tcp 90 on outside interface and created a static NAT (config Below) and the user is trying access from outside http://125.145.215.185:90 it is working fine.

New Config
ASA5540# access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 90
ASA5540# static (dmz,outside) 125.145.215.185  172.16.20.8 netmask 255.255.255.255

New sys log when permit TCP 90

Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953415 for outside:213.100.118.100/13406 (213.100.118.100/13406) to dmz:172.16.20.8/90 (125.145.215.185/90)

Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953414 for outside:213.100.118.100/13404 (213.100.118.100/13404) to dmz:172.16.20.8/90 (125.145.215.185/90)

Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953413 for outside:213.100.118.100/13403 (213.100.118.100/13403) to dmz:172.16.20.8/90 (125.145.215.185/90)

Apr 15 2010 12:13:16: %ASA-6-302013: Built inbound TCP connection 6953412 for outside:213.100.118.100/13400 (213.100.118.100/13400) to dmz:172.16.20.8/90 (125.145.215.185/90)

Please advice, why the 1st config was not working.

Thanks

GK

Jennifer Halim
Cisco Employee
Cisco Employee

You have tried the following 2 statements:

1) static (dmz,outside) tcp 125.145.215.185  www 172.16.20.8 90 netmask  255.255.255.255

2) static (web,outside) 125.145.215.185  172.16.20.8 netmask  255.255.255.255

You mentioned the second statement works, but not the first. But they are 2 different interfaces. First one is dmz, and the second one is web.

If you change your first line to the following:

static (web,outside) tcp 125.145.215.185  www 172.16.20.8 90 netmask  255.255.255.255

Does this work?

Hi Halijenn,

Thank you for the reply.

Both are same interface. when I customize the current config for posting, I forget to edit the interface name.

Please read as following.

1) static (dmz,outside) tcp 125.145.215.185  www 172.16.20.8 90 netmask  255.255.255.255

2) static (dmz,outside) 125.145.215.185  172.16.20.8 netmask  255.255.255.255

Thanks

GK

OK, in that case, can you check/test the following:

1) Do you have "inspect http" configured on your global policy? if you do, can you please remove it.

2) Can you please test with using a different port than port 80, maybe try with 8080 as follows:

static (dmz,outside) tcp 125.145.215.185 8080 172.16.20.8 90 netmask   255.255.255.255

access-list outside_access_in extended permit tcp any host  125.145.215.185  eq 8080

Thank you Halijenn,

We don't have 'inspect http' config in ASA

I have applied the same config as you requested.but no positive result.

config:

static (dmz,outside) tcp 125.145.215.185 8086 172.16.20.8 90 netmask   255.255.255.255

access-list outside_access_in extended permit tcp any host  125.145.215.185  eq 8086

Syslog:

04-17-2010 13:16:41 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:41: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:16:35 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:35: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:16:32 Local4.Critical 192.9.1.100 Apr 17 2010 13:16:32: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50002 to 125.145.215.185/90 flags SYN  on interface outside


04-17-2010 13:15:58 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:58: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:15:52 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:52: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:15:49 Local4.Critical 192.9.1.100 Apr 17 2010 13:15:49: %ASA-2-106001: Inbound TCP connection denied from 89.80.108.157/50001 to 125.145.215.185/90 flags SYN  on interface outside

Thanks

GK

Jennifer Halim
Cisco Employee
Cisco Employee

Don't use port 90 to test. Use port 8080.

Yes Halijenn,

I Used port 8086 for test.

Thanks

GK

Port 8080 you mean? not 8086.

But your syslog is showing you are using port 90, hence it's being denied.

ok. I will use port 8080 intead of 8086. and will update you the syslog.

Thanks GK

Hi Halijenn,

No hope!

Syslog:

04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:48:33 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:33: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN  on interface outside

04-17-2010 13:48:30 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:30: %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058 to 125.145.215.185/90 flags SYN  on interface outside

Config:

static (web,outside) tcp 125.145.215.185 8080 172.16.20.8 90 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 125.145.215.185 eq 8080

So I execute from outside http://125.145.215.185:8080 , but no way !

Thanks

GK

Have you "clear xlate" and also remove the static 1:1 that you have earlier:

static (web,outside) 125.145.215.185 172.16.20.8 netmask  255.255.255.255

Yes Halijenn,

I did the clear xlate whenever I change NAT config also NAT 1:1 was not there.

We are using IPS sensor infront of ASA. That means any outside request will first hit on IPS. Inspection engine was switched off and tested the issue. But no hope.

Thanks

GK

The syslog does not match the configuration and your test.

You tested it on port 8080, but the syslog saw the connection towards port 90:

04-17-2010 13:48:39 Local4.Critical 192.9.1.100 Apr 17 2010 13:48:39:  %ASA-2-106001: Inbound TCP connection denied from 89.211.108.157/50058  to 125.145.215.185/90 flags SYN  on interface outside

Hi Halijenn,

The server is listening on port 90 from inside.So the packet should go to port 90 after the port translation.

That means from outside (x.x.x.x/8080) to dmz : 172.16.20.8/90 (125.145.215.185/90)

That's why the syslog is showing port 90.

Thanks

GK

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: