Cisco Support Community
New Member

Help with my first ASA config. (NAT/PAT)

I am trying to set up NAT/PAT for access to a webserver behind the ASA.  (Running 8.4)

I have a single Static IP on the outside interface (70.102.23.xxx) and I have a webserver with an IP of 192.168.0.1 and I need to make sure all http requests are sent to it.

I can do this in an IOS router pretty well, but in the ASA I seem to get turned around pretty easily.  I would like to do it via CLI but will accept help with doing it via ASDM as well.

I already have created an access list to allow the traffic to the webserver.

access-list outside_access_in extended permit udp any any eq www

access-list outside_access_in extended permit tcp any any eq www

Thanks in advance.

Jeffrey

35 REPLIES
Super Bronze

Re: Help with my first ASA config. (NAT/PAT)

Hi,

The configuration is probably something like this

object network WEB-SERVER

  host 192.168.0.1

  nat (inside,outside) static interface service tcp 80 80

access-list outside_access_in permit tcp any object WEB-SERVER eq 80

For the exact form we would need to see the current firewall configuration.

If this doesnt get it to work then you should provide us with the output of the command

packet-tracer input outside tcp 1.1.1.1 12345 <outside-interface-IP> 80

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

Here is what I got if this helps. (I will test out what you gave me soon)

*I feel there may be some stuff in there that is not needed, as all they really need is access to the webserver from the outside world, and shell access over port 39124*

Feel free to tell me if you see something that is not needed (I was trying out ASDM and it may have put a BUNCH of crap in there that is superfluous).

object network Server

host 192.168.0.1

description Created during name migration

object network LOCAL_LAN

subnet 192.168.0.0 255.255.255.0

object network SSLVPN_NETWORK

subnet 192.168.100.0 255.255.255.0

object network WEBSERVER

host 192.168.0.1

object network 70.102.23.162

host 70.102.23.162

object service http

service tcp source eq www destination eq www

object-group service HTTP

service-object tcp source eq www

object-group service SSH

description Remote server access

service-object tcp destination eq 39124

access-list inside_access_in remark Webserver

access-list inside_access_in extended permit udp any any eq www

access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in remark Webserver

access-list outside_access_in extended permit udp any object Server eq www

access-list outside_access_in extended permit tcp any any eq www

access-list outside_access_in remark Remote Server access

access-list outside_access_in extended permit tcp any object Server eq 39124

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK

nat (inside,outside) source static SSLVPN_NETWORK SSLVPN_NETWORK destination static LOCAL_LAN LOCAL_LAN

!

object network LOCAL_LAN

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

Seems to me that you have a basic Dynamic PAT for Internet access and NAT0 / NAT Exempt for VPN Client traffic.

Adding the Static PAT I suggested should forward the port you need. You seem to have allowed the needed traffic already

access-list outside_access_in remark Webserver

access-list outside_access_in extended permit udp any object Server eq www

access-list outside_access_in remark Remote Server access

access-list outside_access_in extended permit tcp any object Server eq 39124

Naturally you will need the Static PAT for the TCP/39124 also

object network WEB-SERVER-TCP39214

  host 192.168.0.1

  nat (inside,outside) static interface service tcp 39124 39124

I don't think you need the following configuration

no nat (inside,outside) source static SSLVPN_NETWORK SSLVPN_NETWORK destination static LOCAL_LAN LOCAL_LAN

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

So this is what I currently have in the config.

object network LOCAL_LAN

subnet 192.168.0.0 255.255.255.0

object network SSLVPN_NETWORK

subnet 192.168.100.0 255.255.255.0

object network 70.102.23.162

host 70.102.23.162

object service http

service tcp source eq www destination eq www

object network WEB-SERVER

host 192.168.0.1

object network WEB-SERVER-TCP39214

host 192.168.0.1

object-group service HTTP

service-object tcp source eq www

object-group service SSH

description Remote server access

service-object tcp destination eq 39124

access-list inside_access_in remark Webserver

access-list inside_access_in extended permit udp any any eq www

access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in remark Webserver

access-list outside_access_in extended permit tcp any any eq www

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list outside_access_in remark WEB-SERVER

access-list outside_access_in extended permit udp any object WEB-SERVER eq www

access-list outside_access_in remark WEB-SERVER access

access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124

access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK

nat (inside,outside) source static SSLVPN_NETWORK SSLVPN_NETWORK destination static LOCAL_LAN LOCAL_LAN

!

object network LOCAL_LAN

nat (inside,outside) dynamic interface

object network WEB-SERVER

nat (inside,outside) static interface service tcp www www

object network WEB-SERVER-TCP39214

nat (inside,outside) static interface service tcp 39124 39124

access-group outside_access_in in interface outside

You're saying I don't need the "no nat (inside,outside) source static SSLVPN_NETWORK SSLVPN_NETWORK destination static LOCAL_LAN LOCAL_LAN" statement?

I thought I needed to add it for both directions. Is this not true?

(I also cleaned up the network objects as you can see and got rid of the "Server" one and am just using the "WEB-SERVER" one.  Is this ok?  Also both packet-tracer tests passed with port 80 and 39124.)

CMNW# packet-tracer input outside tcp 1.1.1.1 12345 50.186.40.128 39124

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network WEB-SERVER-TCP39214

nat (inside,outside) static interface service tcp 39124 39124

Additional Information:

NAT divert to egress interface inside

Untranslate 50.186.40.128/39124 to Server/39124

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit ip any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network WEB-SERVER-TCP39214

nat (inside,outside) static interface service tcp 39124 39124

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1607, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

CMNW# packet-tracer input outside tcp 1.1.1.1 12345 50.186.40.128 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network WEB-SERVER

nat (inside,outside) static interface service tcp www www

Additional Information:

NAT divert to egress interface inside

Untranslate 50.186.40.128/80 to Server/80

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any eq www

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network WEB-SERVER

nat (inside,outside) static interface service tcp www www

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1609, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

Yes, you can use the single "object" created for the ACL rules.

With regards to the "nat" configuration I suggested you remove: it is not needed. The other "nat" configuration before it already contains everything needed. That rule is bidirectional, so only one configuration is needed for it.

Your "outside_access_in" ACL should be cleaned up a bit also

access-list outside_access_in remark Webserver

access-list outside_access_in extended permit tcp any any eq www

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list outside_access_in remark WEB-SERVER

access-list outside_access_in extended permit udp any object WEB-SERVER eq www

access-list outside_access_in remark WEB-SERVER access

access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124

Do these changes. They should remove some rules (like one permitting ALL traffic) and later insert one of the rules to the correct line in the ACL. Mostly to make the ACL be in better order with regards to the "remark" lines.

no access-list outside_access_in remark Webserver

no access-list outside_access_in extended permit tcp any any eq www

no access-list outside_access_in extended permit ip any any

no access-list outside_access_in extended permit tcp any object WEB-SERVER eq www

no access-list outside_access_in extended permit udp any object WEB-SERVER eq www

access-list outside_access_in line 4 extended permit tcp any object WEB-SERVER eq www

The "packet-tracer" seems fine

Hope this helps

- Jouni

Super Bronze

Re: Help with my first ASA config. (NAT/PAT)

Hi,

Let us know if you got the connections working.

They should work even without the above ACL changes but it would be good to make the above changes.

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

Ok, I get what you are saying now. And I was thinking of removing those ACLs as well (they were created when I did something with the ASDM).

Here is how it stands now:

name 192.168.0.1 Server description Server

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.2 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network LOCAL_LAN

subnet 192.168.0.0 255.255.255.0

object network SSLVPN_NETWORK

subnet 192.168.100.0 255.255.255.0

object network 70.102.23.162

host 70.102.23.162

object service http

service tcp source eq www destination eq www

object network WEB-SERVER

host 192.168.0.1

object network WEB-SERVER-TCP39214

host 192.168.0.1

object-group service HTTP

service-object tcp source eq www

object-group service SSH

description Remote server access

service-object tcp destination eq 39124

access-list inside_access_in remark Webserver

access-list inside_access_in extended permit udp any any eq www

access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in remark WEB-SERVER

access-list outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list outside_access_in remark WEB-SERVER access

access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124

access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK

!

object network LOCAL_LAN

nat (inside,outside) dynamic interface

object network WEB-SERVER

nat (inside,outside) static interface service tcp www www

object network WEB-SERVER-TCP39214

nat (inside,outside) static interface service tcp 39124 39124

access-group outside_access_in in interface outside

Look good?

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

Yes it looks good to me.

- Jouni

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

Answering here with regards to your PM.

The correct default route configuration format is

route outside 0.0.0.0 0.0.0.0

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

So the 1 at the end is not required?

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

It's the default value for a statically configured route. It will be added there automatically, so I don't usually enter it there. It will show up in the configuration after you have inserted the command though.

Check the output of  "show run route" after you have configured a static route and you should see it.

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

So I made the changes above and now I am testing everything again before heading out in an hour or so and the packet tracer is failing

CMNW(config)# packet-tracer input outside tcp 1.1.1.1 80 70.102.23.161 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   70.102.23.160   255.255.255.252 outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

CMNW(config)# packet-tracer input outside tcp 1.1.1.1 12345 70.102.23.161 39124

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   70.102.23.160   255.255.255.252 outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

CMNW(config)# packet-tracer input outside tcp 1.1.1.1 80 70.102.23.161 80

What changed??

Current config:

hostname CMNW

enable password RF6LqGyeeuDAGlOY encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.0.1 Server description Server

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.2 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 70.102.23.162 255.255.255.252

!

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network LOCAL_LAN

subnet 192.168.0.0 255.255.255.0

object network SSLVPN_NETWORK

subnet 192.168.100.0 255.255.255.0

object network 70.102.23.162

host 70.102.23.162

object service http

service tcp source eq www destination eq www

object network WEB-SERVER

host 192.168.0.1

object network WEB-SERVER-TCP39214

host 192.168.0.1

object-group service HTTP

service-object tcp source eq www

object-group service SSH

description Remote server access

service-object tcp destination eq 39124

access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in remark WEB-SERVER

access-list outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list outside_access_in remark WEB-SERVER access

access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124

access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK

!

object network LOCAL_LAN

nat (inside,outside) dynamic interface

object network WEB-SERVER

nat (inside,outside) static interface service tcp www www

object network WEB-SERVER-TCP39214

nat (inside,outside) static interface service tcp 39124 39124

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 70.102.23.161 1

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

The target IP address is wrong for the "packet-tracer" command.

Your commands IP address ends with .161 while your interface IP address ends with .162. And when you look at the NAT configurations you are using the "interface" IP address in the Static PAT (Port Forward) configurations.

So test the "packet-tracer" with the .162 target IP address

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

Yes thank you! I saw it and posted my reply and then saw yours.

New Member

Help with my first ASA config. (NAT/PAT)

So I am on site and I am testing the remote access on port 80 and ssh on 39124 and it is not working for some reason...

I am not sure why. Packet tracer looks fine when I run it.

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

Are you testing from the Internet or behind the ASA from the internal network?

The Static PAT (Port Forward) configurations that we did only work from the external network (behind the "outside" interface).

For you to be able to connect to the public IP address from the internal network you would have to configure some other NAT configurations.

But I am not sure from where you are trying to connect.

- Jouni
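The "other NAT configuration" needed for an internal host to reach the server through the public address is a hairpin (U-turn) twice-NAT rule. The following is an added example, not configuration posted in this thread; it assumes the LOCAL_LAN and WEB-SERVER objects from the posted config, that the outside address 70.102.23.162 is static (a new WEB-SERVER-PUBLIC object is defined for it here), and that "same-security-traffic permit intra-interface" is present (it is in the posted config):

```cisco
! Added example for ASA 8.4 hairpin NAT; assumed names: WEB-SERVER-PUBLIC,
! TCP-80, TCP-39124. LOCAL_LAN and WEB-SERVER are taken from the thread.
object network WEB-SERVER-PUBLIC
 host 70.102.23.162
object service TCP-80
 service tcp destination eq www
object service TCP-39124
 service tcp destination eq 39124
!
! Traffic entering and leaving the same interface needs this (already set in the thread).
same-security-traffic permit intra-interface
!
! Section-1 (twice NAT) rules for inside -> inside:
!  - destination 70.102.23.162:80 is untranslated to 192.168.0.1:80
!  - the source is PATed to the ASA inside interface address, so the server's
!    reply comes back through the ASA instead of going directly to the client
!    (which would bypass the state table and reset the connection).
nat (inside,inside) source dynamic LOCAL_LAN interface destination static WEB-SERVER-PUBLIC WEB-SERVER service TCP-80 TCP-80
nat (inside,inside) source dynamic LOCAL_LAN interface destination static WEB-SERVER-PUBLIC WEB-SERVER service TCP-39124 TCP-39124
!
! Verify from the CLI before testing from a client (192.168.0.50 is a constructed client address):
packet-tracer input inside tcp 192.168.0.50 12345 70.102.23.162 80
packet-tracer input inside tcp 192.168.0.50 12345 70.102.23.162 39124
```

The packet-tracer output should show an UN-NAT phase citing the hairpin rule and an output interface of inside. If the outside address is obtained by DHCP rather than fixed, the WEB-SERVER-PUBLIC host object has to be updated whenever the lease changes, which is why the thread's fixed .162 address is assumed here.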

New Member

Help with my first ASA config. (NAT/PAT)

At the time I was connecting out via my cell phone hotspot.

I am now back at my office and still cannot connect to the server at the internal IP of 192.168.0.1 via port 39124

Here is the config again.

name 192.168.0.1 Server description Server

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.2 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 70.102.23.162 255.255.255.252

!

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network LOCAL_LAN

subnet 192.168.0.0 255.255.255.0

object network SSLVPN_NETWORK

subnet 192.168.100.0 255.255.255.0

object network 70.102.23.162

host 70.102.23.162

object service http

service tcp source eq www destination eq www

object network WEB-SERVER

host 192.168.0.1

object network WEB-SERVER-TCP39214

host 192.168.0.1

object-group service HTTP

service-object tcp source eq www

object-group service SSH

description Remote server access

service-object tcp destination eq 39124

access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in remark WEB-SERVER

access-list outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list outside_access_in remark WEB-SERVER access

access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124

access-list outside_access_in extended permit udp any object WEB-SERVER-TCP39214 eq 39124

access-list outside_access_in extended permit udp any object WEB-SERVER eq 39124

access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0

access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK

!

object network LOCAL_LAN

nat (inside,outside) dynamic interface

object network WEB-SERVER

nat (inside,outside) static interface service tcp www www

object network WEB-SERVER-TCP39214

nat (inside,outside) static interface service tcp 39124 39124

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 70.102.23.161 1

Any help is appreciated.

Super Bronze

Re: Help with my first ASA config. (NAT/PAT)

Hi,

You could try TCP Ping from the ASA itself and see if those ports on the host reply to the ASA.

ping tcp 192.168.0.1 80

ping tcp 192.168.0.1 39124

The ASA will essentially send a TCP SYN to the host and you should see "!" if the TCP Ping is successful. Pretty much like with the normal ping command.

Have you confirmed that those ports answer from the internal network? Are the ACL rules getting hitcounts when you check with the command "show access-list" ? Notice that the "packet-tracer" command increases the hitcount each time so better to check the current hitcount and then try from the external network.

If we want complete confirmation about the situation we would need to configure a traffic capture but probably best to check the above 2 things.

Naturally if you can monitor ASA logs through ASDM for example when connecting to the server it would be easy to see if the connection is coming to the ASA and then what happens to it.

I can't see anything wrong with the ASA configuration at the moment. At least I haven't noticed anything yet.

- Jouni
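The "traffic capture" mentioned above, as an added example that is not part of the original replies. It assumes the addresses and ports from the posted config (outside 70.102.23.162, server 192.168.0.1, TCP/39124) and uses only the standard ASA capture and show commands; the capture names CAP-OUT, CAP-IN and CAP-DROP are arbitrary:

```cisco
! Added example: capture one port-forward on both sides of the ASA plus the
! ASA's own drops, then attempt the connection from the Internet.
capture CAP-OUT interface outside match tcp any host 70.102.23.162 eq 39124
capture CAP-IN interface inside match tcp any host 192.168.0.1 eq 39124
capture CAP-DROP type asp-drop all
!
! After the test connection:
show capture CAP-OUT
show capture CAP-IN
show capture CAP-DROP | include 39124
show conn address 192.168.0.1 port 39124
show xlate | include 39124
!
! Remove the captures when done; they keep consuming memory otherwise.
no capture CAP-OUT
no capture CAP-IN
no capture CAP-DROP
```

How to read it: a SYN in CAP-OUT that never appears in CAP-IN means the ASA dropped it (CAP-DROP shows the reason, usually an ACL or NAT mismatch). A SYN in CAP-IN with no SYN/ACK following it means the packet reached the LAN but the server either did not answer (host firewall) or answered via a different default gateway, which is the asymmetric-routing case; the TCP ping from the ASA succeeding while this fails is consistent with that second case. A SYN and SYN/ACK in CAP-IN but only the SYN in CAP-OUT points at the return NAT, and "show conn"/"show xlate" confirm whether the connection and translation were ever built.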

New Member

Help with my first ASA config. (NAT/PAT)

Yes both of those pings work. Also when I was on site and connected to the local LAN I was able to telnet on both those ports.

What kind of packet capture would you like set up for the ASDM?

New Member

Help with my first ASA config. (NAT/PAT)

As for the counters I am not seeing them go up at all:

access-list inside_access_in; 2 elements; name hash: 0x433a1af1

access-list inside_access_in line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0) 0x60dc925d

access-list inside_access_in line 2 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0x3a0c50b5

access-list outside_access_in; 6 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0x2a287810

access-list outside_access_in line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x54b872f3

access-list outside_access_in line 3 remark WEB-SERVER

access-list outside_access_in line 4 extended permit tcp any object WEB-SERVER eq www (hitcnt=0) 0x6d0acdc0

  access-list outside_access_in line 4 extended permit tcp any host 192.168.0.1 eq www (hitcnt=11) 0x6d0acdc0

access-list outside_access_in line 5 remark WEB-SERVER access

access-list outside_access_in line 6 extended permit tcp any object WEB-SERVER eq 39124 (hitcnt=0) 0x1125a6a4

  access-list outside_access_in line 6 extended permit tcp any host 192.168.0.1 eq 39124 (hitcnt=25) 0x1125a6a4

access-list outside_access_in line 7 extended permit udp any object WEB-SERVER-TCP39214 eq 39124 (hitcnt=0) 0x98c99e62

  access-list outside_access_in line 7 extended permit udp any host 192.168.0.1 eq 39124 (hitcnt=0) 0x98c99e62

access-list outside_access_in line 8 extended permit udp any object WEB-SERVER eq 39124 (hitcnt=0) 0x8b2db537

  access-list outside_access_in line 8 extended permit udp any host 192.168.0.1 eq 39124 (hitcnt=0) 0x8b2db537

access-list NAT-EXEMPT; 1 elements; name hash: 0x147e016b

access-list NAT-EXEMPT line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0xef022860

access-list SPLIT_TUNNEL; 2 elements; name hash: 0x63aa8f22

access-list SPLIT_TUNNEL line 1 standard permit 192.168.0.0 255.255.255.0 (hitcnt=0) 0x4f11a7a4

access-list SPLIT_TUNNEL line 2 standard permit 192.168.100.0 255.255.255.0 (hitcnt=0) 0x00fb5725

Super Bronze

Re: Help with my first ASA config. (NAT/PAT)

Hi,

Are you saying that all of the hitcounts in the following output are the result of the "packet-tracer" command?

access-list outside_access_in line 4 extended permit tcp any object WEB-SERVER eq www (hitcnt=0) 0x6d0acdc0

  access-list outside_access_in line 4 extended permit tcp any host 192.168.0.1 eq www (hitcnt=11) 0x6d0acdc0

access-list outside_access_in line 5 remark WEB-SERVER access

access-list outside_access_in line 6 extended permit tcp any object WEB-SERVER eq 39124 (hitcnt=0) 0x1125a6a4

  access-list outside_access_in line 6 extended permit tcp any host 192.168.0.1 eq 39124 (hitcnt=25)

If that is true then it doesn't really make sense.

This would mean the Internet connection through the ASA should not work either.

How are you managing the ASA? Are you doing it now remotely or locally at the site? Does the site perhaps have another external connection through which you connect to the ASA?

If there is another external connection then it would raise a possible question regarding the routing. Then it might be that the actual server was using some other networking device as its default gateway out of the network and therefore the external connections through the ASA would naturally not work.

TCP Ping reply could be explained by the fact that the ASA is directly connected to the same network which means the server can reply directly to ASA but nothing past it if the default gateway device is something else.

But all of this is just guessing.

If you can connect to the ASA through its external interface for management purposes then there should be no reason why the NAT configurations should not work.

If you cannot connect remotely to the ASA external interface then the problem would be its external connection.

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

When I attempt to SSH in on port 39124 this is the only counter that goes up:

  access-list outside_access_in line 6 extended permit tcp any host 192.168.0.1 eq 39124 (hitcnt=37) 0x1125a6a4

And it only goes up one at a time.

New Member

Help with my first ASA config. (NAT/PAT)

And I can connect to the ASA just fine remotely. I am currently in there via CLI and ASDM.

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

If the hitcount for the ACL rules that you have created are increasing when you attempt the connection and you are managing the ASA remotely then there should be no problem with the connection between ASA and the ISP.

That leads to the next question. Would this customer have any other external connection to the Internet other than the one through the ASA? Is the LAN server's default gateway pointing to the ASA or where?

If the server replies to the TCP Ping from the ASA I would imagine that the server should also reply from the remote network if the routing is fine. ASA rules seem to be fine at least.

If it's not a default gateway or routing problem then it seems weird.

Maybe you could save the configuration and reboot the firewall if that is possible.

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

The site only has one WAN access point and that is the outside interface of the ASA.

Should there be a reverse ACL like:

access-list inside_access_in extended permit tcp any object WEB-SERVER eq 39124   ?

I can not reboot it right now as they are up and working.

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

It won't require an ACL for the other direction. If the ASA has allowed the connection to form through it initially then the traffic related to that connection is allowed through the firewall as long as the connection doesn't time out or is not terminated by either side.

If you want to configure a capture on the ASA to confirm if the server is replying at all then you could try the following configuration

access-list SERVER-CAP permit ip host host 192.168.0.1

access-list SERVER-CAP permit ip host 192.168.0.1 host

capture SERVER-CAP type raw-data access-list SERVER-CAP interface inside buffer 5000000 circular-buffer

Then you can use the following command to confirm if anything has hit the capture after tests from the external network

show capture

You can view the capture on the CLI with the command

show capture SERVER-CAP

You can also copy the capture to your computer with TFTP with the command

copy /pcap capture:SERVER-CAP tftp://x.x.x.x/SERVER-CAP.pcap

You can remove the capture with

no capture SERVER-CAP

This should tell us if the server sends any traffic back to a connection attempt.

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

Is this my public host as in from my current location?

Super Bronze

Help with my first ASA config. (NAT/PAT)

Hi,

That would be the public IP address with which your host is visible to the ASA. For example the IP address which you see yourself logged into the ASA with.

- Jouni

New Member

Help with my first ASA config. (NAT/PAT)

This is what I see:

3 packets captured

   1: 08:15:33.824191 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192

   2: 08:15:36.532809 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192

   3: 08:15:42.536669 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
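An added example, not part of this thread or Cisco's tooling: a small Python parser for the `show capture` output format quoted above that groups packets by flow and flags client SYNs the server never answered, which is exactly what Jouni's capture was set up to reveal. It assumes the tcpdump-style line format shown in the thread; the "healthy" sample with a SYN-ACK is constructed for contrast.

```python
import re
from collections import defaultdict

# One line of ASA "show capture <name>" output (tcpdump-style), e.g.
#   1: 08:15:33.824191 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)\s*(?P<rest>.*)$"
)

def parse_capture(text):
    """Return a list of packet dicts; lines that are not packets (the header) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        d["syn"] = "S" in d["flags"]
        d["ack"] = " ack " in f" {d['rest']} "  # a SYN-ACK prints as 'S ... ack N'
        pkts.append(d)
    return pkts

def unanswered_syns(pkts, server_ip):
    """Map (client, cport, server, sport) -> SYN count for flows the server never replied to."""
    syns = defaultdict(int)
    seen_reply = set()
    for p in pkts:
        if p["dst"] == server_ip and p["syn"] and not p["ack"]:
            syns[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
        elif p["src"] == server_ip:  # any packet from the server closes the loop for that flow
            seen_reply.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {flow: n for flow, n in syns.items() if flow not in seen_reply}

# Constructed samples: the one-way exchange quoted in the thread, and a healthy handshake
STALLED = """3 packets captured
   1: 08:15:33.824191 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
   2: 08:15:36.532809 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
   3: 08:15:42.536669 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
"""
HEALTHY = """2 packets captured
   1: 08:20:01.000000 802.1Q vlan#1 P2 69.64.226.1.59300 > 192.168.0.1.39124: S 1000:1000(0) win 8192
   2: 08:20:01.000400 802.1Q vlan#1 P2 192.168.0.1.39124 > 69.64.226.1.59300: S 5000:5000(0) ack 1001 win 64240
"""

if __name__ == "__main__":
    for name, text in (("stalled", STALLED), ("healthy", HEALTHY)):
        print(name, unanswered_syns(parse_capture(text), "192.168.0.1"))
```

Three retransmitted SYNs with the same sequence number and nothing from 192.168.0.1 in the other direction means the ASA forwarded the connection and the server (or its default gateway path) did not answer, which is the routing question raised earlier in the thread.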
