02-28-2012 07:14 AM - edited 03-11-2019 03:36 PM
Hi, I'm not familiar with the ASA 5510 product. I've been having trouble for the last 24 hours and still can't find the root cause.
Here is my scenario. My network is:
WAN --- ASA5510 (FW) --- SERVER (192.168.1.0/24)
Now I face this problem: all the static 1-to-1 NAT is working OK. All my public IPs can be pinged from the outside internet. But the problem happens when I try to telnet to port 80 on each server. I tried telnet from my PC to public IP 124.xxx.179 port 80 and it works fine, but it failed on 124.xxx.180 80, and then on 124.xxx.181 80 it works fine.
Then I tried on my colleague's PC, on the same network as mine, and I got a different case: public IP 124.xxx.179 80 cannot be telnetted, but it's OK for 124.xxx.180, and then it failed on 124.xxx.181 80.
FYI, all our PCs can ping the public IPs with no packet loss.
The scenario is very weird; I can't find any other solution, as I have reviewed my configuration a few times.
Please help me check whether my configuration is working correctly or not.
Thanks. Any advice will do.
ASA Version 8.2(5)
!
hostname fw-asa
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
nameif untrust
security-level 0
ip address 124.xx.190 255.255.255.240
!
interface Ethernet0/1
nameif trust
security-level 100
ip address 192.168.1.1 255.255.255.128
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.11.203 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST 8
access-list untrust_access_in extended permit icmp any 124.xxx.176 255.255.255.240
access-list untrust_access_in extended permit tcp any 124.xxx.176 255.255.255.240 eq www
access-list untrust_access_in extended permit tcp any 124.xxx.176 255.255.255.240 eq 8080
access-list untrust_access_in extended permit tcp any 124.xxx.176 255.255.255.240 eq telnet
access-list trust_access_in extended permit ip any any
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu untrust 1500
mtu trust 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (trust,untrust) 124.xxx.182 192.168.1.122 netmask 255.255.255.255
static (trust,untrust) 124.xxx.178 192.168.1.15 netmask 255.255.255.255
static (trust,untrust) 124.xxx.180 192.168.1.17 netmask 255.255.255.255
static (trust,untrust) 124.xxx.181 192.168.1.18 netmask 255.255.255.255
static (trust,untrust) 124.xxx.186 192.168.1.116 netmask 255.255.255.255
static (trust,untrust) 124.xxx.187 192.168.1.117 netmask 255.255.255.255
static (trust,untrust) 124.xxx.188 192.168.1.118 netmask 255.255.255.255
static (trust,untrust) 124.xxx.189 192.168.1.119 netmask 255.255.255.255
static (trust,untrust) 124.xxx.179 192.168.1.16 netmask 255.255.255.255
access-group untrust_access_in in interface untrust
access-group trust_access_in in interface trust
route untrust 0.0.0.0 0.0.0.0 124.xxx.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.11.122 255.255.255.255 management
snmp-server host management 192.168.11.254 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxx
quit
telnet 192.168.11.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:xxx
: end
02-28-2012 10:24 AM
Hello,
Perhaps some captures would shed some light on the issue. Let's consider the case where you cannot telnet to .180 on port 80.
fw-asa(config)# access-list capout permit tcp any host 124.x.x.180 eq 80
fw-asa(config)# access-list capout permit tcp host 124.x.x.180 eq 80 any
fw-asa(config)# access-list capin permit tcp any host 192.168.1.17 eq 80
fw-asa(config)# access-list capin permit tcp host 192.168.1.17 eq 80 any
fw-asa(config)# end
fw-asa# cap capout access-list capout interface untrust
fw-asa# cap capin access-list capin interface trust
** Now try to telnet to .180 from your PC on the outside and post the following output: **
fw-asa# show cap capout
fw-asa# show cap capin
Note: You can replace the 'any' above with the IP of your PC. Also, remember to turn off the captures after grabbing the output. You can do this by doing a 'no cap capout' and 'no cap capin'. You can remove the access-lists by using the 'no' form of these as well.
I hope this makes sense to you.
Thanks!
Joey
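The capture procedure above produces two tcpdump-style listings, one per interface, and the diagnosis comes from comparing them: did the SYN reach the outside interface, was it forwarded inside with the destination untranslated to the private address, did the server answer, and was the answer translated back out. The following is an added example (not code from the thread or from Cisco) that parses such `show cap` output and reports the first stage at which the handshake stops. It assumes the usual ASA packet-line format (`N: HH:MM:SS.ffffff SRC.SPORT > DST.DPORT: FLAGS ...`); the sample captures are constructed for the example, with 198.51.100.x standing in for the masked 124.xxx.x public addresses and 203.0.113.25 as the outside PC.

```python
"""Correlate ASA 'show cap' output from the outside and inside interfaces to
find where a TCP handshake to a static-NAT host stalls.  Added example, not
the thread's own code; packet-line format and samples are assumptions."""
import re

# One packet line of 'show cap' (tcpdump style).  Flags are old tcpdump
# letters; a SYN-ACK is 'S' followed by '... ack N ...' in the rest of the line.
PKT_RE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SRPFU.]+)(?P<rest>.*)$"
)


def parse_capture(text):
    """Return one dict per packet line; headers like '3 packets captured' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        pkts.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "syn": "S" in m["flags"], "rst": "R" in m["flags"],
            "ack": re.search(r"\back\b", m["rest"]) is not None,
        })
    return pkts


def _seen(pkts, **want):
    return any(all(p[k] == v for k, v in want.items()) for p in pkts)


def diagnose(capout_text, capin_text, public_ip, private_ip, port=80):
    """Walk the handshake in order and return the first stage that is missing."""
    out, inn = parse_capture(capout_text), parse_capture(capin_text)
    if not _seen(out, dst=public_ip, dport=port, syn=True, ack=False):
        return "no-syn-outside"          # nothing arrived: client side or upstream
    if not _seen(inn, dst=private_ip, dport=port, syn=True, ack=False):
        return "dropped-by-asa"          # arrived outside, never forwarded: ACL/NAT
    if _seen(inn, src=private_ip, sport=port, rst=True):
        return "server-reset"            # forwarded, server refused (nothing listening)
    if not _seen(inn, src=private_ip, sport=port, syn=True, ack=True):
        return "no-server-reply"         # forwarded, silence: host firewall or route
    if not _seen(out, src=public_ip, sport=port, syn=True, ack=True):
        return "reply-not-untranslated"  # server answered, reply never left outside
    return "handshake-ok"


# Constructed sample output.  Working host (.179 -> 192.168.1.16):
CAPOUT_OK = """3 packets captured
   1: 10:21:33.148610 203.0.113.25.51512 > 198.51.100.179.80: S 1851200421:1851200421(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 10:21:33.149250 198.51.100.179.80 > 203.0.113.25.51512: S 3320021120:3320021120(0) ack 1851200422 win 8192 <mss 1380>
   3: 10:21:33.170003 203.0.113.25.51512 > 198.51.100.179.80: . ack 3320021121 win 256
3 packets shown"""
CAPIN_OK = """3 packets captured
   1: 10:21:33.148702 203.0.113.25.51512 > 192.168.1.16.80: S 1851200421:1851200421(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   2: 10:21:33.149201 192.168.1.16.80 > 203.0.113.25.51512: S 3320021120:3320021120(0) ack 1851200422 win 8192 <mss 1460>
   3: 10:21:33.170088 203.0.113.25.51512 > 192.168.1.16.80: . ack 3320021121 win 256
3 packets shown"""
# Broken host (.180 -> 192.168.1.17): SYN retransmits outside, nothing inside.
CAPOUT_BROKEN = """2 packets captured
   1: 10:25:01.004411 203.0.113.25.51530 > 198.51.100.180.80: S 902114430:902114430(0) win 8192 <mss 1460>
   2: 10:25:04.010902 203.0.113.25.51530 > 198.51.100.180.80: S 902114430:902114430(0) win 8192 <mss 1460>
2 packets shown"""
CAPIN_BROKEN = """0 packet captured
0 packet shown"""

if __name__ == "__main__":
    print(".179:", diagnose(CAPOUT_OK, CAPIN_OK, "198.51.100.179", "192.168.1.16"))
    print(".180:", diagnose(CAPOUT_BROKEN, CAPIN_BROKEN, "198.51.100.180", "192.168.1.17"))
```

A result of `dropped-by-asa` is the interesting one for this thread: the SYN is present on `untrust` but absent on `trust`, so the firewall itself (ACL or translation) is discarding it, and `show xlate` and `show log` on the ASA are where to look next rather than at the server.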
02-29-2012 11:49 PM
Hi,
try this:
policy-map global_policy
class inspection_default
inspect icmp
After you inspect icmp, you should get ping working.
Thanks!
02-29-2012 10:38 PM
Hi,
Sorry for the late reply.
I have successfully worked out the static NAT, which is working:
access-list untrust_access_in extended permit tcp any host 124.xxx.180 eq www
access-list untrust_access_in extended permit tcp any host 124.xxx.179 eq www
static (trust,untrust) tcp 124.xxx.180 www 192.168.1.17 www netmask 255.255.255.255
static (trust,untrust) tcp 124.xxx.179 www 192.168.1.16 www netmask 255.255.255.255
And it's working fine.
But in this way I could not solve the ping, as the NAT does not apply to ping.
Thanks
03-01-2012 12:01 AM
Hi,
I tried this command and it seems not to work. I can only ping the interface 124.xx.190.
I also tried the command
icmp permit any untrust
Still no luck. Ping does not work on 124.xxx.179 and the others.
03-01-2012 12:09 AM
Are the rest of the servers pingable? I mean ICMP could somehow be blocked by the Windows firewall. Did you try to ping these servers from the internal network?
Otherwise, try the below:
access-list untrust_access_in extended permit icmp any host 124.xxx.180
Thanks
03-01-2012 12:23 AM
The rest of the servers are not pingable from outside. If I ping the servers' inside IPs from the internal network, it works fine.
Yes, the access-list has been implemented as suggested, but it still fails.
I believe there is something missing in my static NAT, as what I set is
static (trust,untrust) tcp 124.xxx.180 www 192.168.1.17 www netmask 255.255.255.255
static (trust,untrust) tcp 124.xxx.179 www 192.168.1.16 www netmask 255.255.255.255
and not
static (trust,untrust) 124.xxx.180 192.168.1.17 netmask 255.255.255.255
static (trust,untrust) 124.xxx.179 192.168.1.16 netmask 255.255.255.255
I wonder whether there is a way to have a static NAT which allows ICMP to go through?
Thanks
03-01-2012 12:53 AM
Actually, you are not deploying real NAT, because you defined the protocol argument "TCP".
You are just using the static NAT form to handle a PAT translation.
Yes, if you remove "TCP", just like in the second CLI you presented, ICMP will work properly; that's real NAT.
Thanks
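The distinction in the reply above is the whole thread in one line: `static (trust,untrust) tcp MAPPED www REAL www` is a static PAT that only ever translates TCP/80, so an ICMP echo (and, for that matter, TCP/8080) to that public address has no translation even when the outside ACL permits it, whereas `static (trust,untrust) MAPPED REAL` translates every protocol. The following added example (not the thread's own code, nor Cisco's) audits an ASA 8.2-style config fragment for exactly that: for one public address it reports whether a translation exists for a given protocol/port and whether the ACL applied inbound on the outside interface permits it, matching ACLs against the mapped (public) address as the thread's 8.2 config does. The two config fragments are constructed from the thread's lines, with 198.51.100.x standing in for the masked 124.xxx.x addresses; interface names and the `trust`/`untrust` pair are taken from the posted config.

```python
"""Audit an ASA 8.2-style config: for one public (mapped) address, does a
static translation exist for a protocol/port, and does the inbound ACL on
the outside interface permit it?  Added example, not the thread's own code."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "https": 443, "ssh": 22}


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_addr(tokens, i):
    """Consume one ACL address spec ('any' | 'host A' | 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (statics, acls, access_groups) from the relevant config lines."""
    statics, acls, groups = [], [], {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "static" and "netmask" in t:
            # static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask M
            if t[2] in ("tcp", "udp"):      # static PAT: one protocol/port only
                statics.append({"proto": t[2], "mapped": t[3], "mport": _port(t[4]),
                                "real": t[5], "rport": _port(t[6])})
            else:                           # full 1-to-1 static NAT: every protocol
                statics.append({"proto": None, "mapped": t[2], "mport": None,
                                "real": t[3], "rport": None})
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            _, i = _take_addr(t, 5)          # source spec (not needed for this check)
            dst, i = _take_addr(t, i)        # destination spec
            port = _port(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
            acls.append({"name": t[1], "proto": t[4], "dst": dst, "port": port})
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            groups[t[4]] = t[1]              # interface -> ACL applied inbound
    return statics, acls, groups


def check(config_text, mapped_ip, proto, port=None, outside_if="untrust"):
    """Does traffic for proto[/port] to mapped_ip both translate and pass the ACL?"""
    statics, acls, groups = parse_config(config_text)
    xlate = next((s for s in statics if s["mapped"] == mapped_ip and
                  (s["proto"] is None or (s["proto"] == proto and s["mport"] == port))),
                 None)
    ip = ipaddress.ip_address(mapped_ip)
    acl_name = groups.get(outside_if)
    permitted = any(a["name"] == acl_name and a["proto"] in (proto, "ip")
                    and ip in a["dst"] and a["port"] in (None, port) for a in acls)
    return {"translated": xlate is not None, "real": xlate["real"] if xlate else None,
            "permitted": permitted, "reachable": xlate is not None and permitted}


# Constructed from the thread's lines; 198.51.100.x replaces the masked 124.xxx.x.
CONFIG_PAT = """
access-list untrust_access_in extended permit icmp any 198.51.100.176 255.255.255.240
access-list untrust_access_in extended permit tcp any 198.51.100.176 255.255.255.240 eq 8080
access-list untrust_access_in extended permit tcp any host 198.51.100.180 eq www
static (trust,untrust) tcp 198.51.100.180 www 192.168.1.17 www netmask 255.255.255.255
access-group untrust_access_in in interface untrust
"""
CONFIG_NAT = CONFIG_PAT.replace(
    "static (trust,untrust) tcp 198.51.100.180 www 192.168.1.17 www netmask 255.255.255.255",
    "static (trust,untrust) 198.51.100.180 192.168.1.17 netmask 255.255.255.255")

if __name__ == "__main__":
    for label, cfg in (("static PAT", CONFIG_PAT), ("static NAT", CONFIG_NAT)):
        for proto, port in (("icmp", None), ("tcp", 80), ("tcp", 8080)):
            r = check(cfg, "198.51.100.180", proto, port)
            print(f"{label:10} {proto}/{port}: translated={r['translated']} "
                  f"permitted={r['permitted']} reachable={r['reachable']}")
```

Running it shows the asymmetry the thread ran into: under the `tcp ... www` form ICMP and TCP/8080 are "permitted" by the ACL but have no translation, so they are dropped; under the plain 1-to-1 form all three are translated. The practical reading for a defender is the opposite one too: a static PAT narrows the exposed surface of the inside host to a single port, which is the reason to prefer it over a full 1-to-1 static whenever only one service needs to be reachable.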
03-04-2012 09:01 PM
Thanks for the explanation.
Looks like I can close this topic for the moment.
Thanks for all the contributions.