cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
481
Views
0
Helpful
10
Replies

NAT Doesn't Seem to Work on ASA5505

Hi,

 

Referring to the topic, we have an ASA5505 (Unlimited-Base License) which was working fine for more than a year now. For WAN, we have a static IP configured on the ASA with default route pointing to the ISP router. For LAN portion, we have servers which are published to the Internet.

 

For this, we've configured static NAT with port forwarding to the server. Policies are also in place, allowing any source from the Internet to access to the server.

 

Network setup:

ISP Router <> ASA5505 WAN <> ASA5505 LAN <> Server

1.1.1.1               1.1.1.2                   10.10.10.1         10.10.10.10

 

## NATed 1.1.1.2 port 2048 to 10.10.10.10 port 2048

## On WAN incoming policy, allowed 'any' source to 'Server NATed' destination with service '2048'

 

During initial setup/testing, it was working fine or so it was claimed by the user, but if not mistaken we did perform simple testing and the server is reachable via that port. However, just today, we got a complaint from the user that the server is not reachable now. Checked on the configuration, nothing was changed. Perform test from our end, can't reach the server and no hit counts on the policy.

 

Then, we added an implicit permit rule for the WAN incoming policy and when we test again, server is still not reachable. But this time, there's a hit count on that implicit permit rule. Hence, thought of getting some advise on how to go about for this issue or if anyone had faced such issue before?

 

Thank you.

=====================================================================================

## Configuration ##

object network my-DB
 nat (inside,public) static interface service tcp 2048 2048
object network my-DB-FTP
 nat (inside,public) static interface service tcp ftp ftp
object network my-DB-8080
 nat (inside,public) static interface service tcp 8080 8080

access-list public_access_in extended permit tcp any object my-DB object-group TCP_2048
access-list public_access_in extended permit tcp any object my-DB-8080 object-group TCP_8080
access-list public_access_in extended permit tcp any object my-DB-FTP eq ftp
access-list public_access_in extended permit tcp any any

access-group inside_access_in in interface inside
access-group public_access_in in interface public

=====================================================================================

 

-----

Regards,

Danny

10 Replies 10

First thing when we enable access from outside to inside, we permit actual IP of the server not the NATed IP, not sure how it was working in past. Second thing since you have ASA 5505 you can use packet-tracer tool of ASA to check as where the traffic is being blocked. Also try to check with reverse NAT configuration on the firewall. (nat (public,inside) NATed IP Actual IP

 

Hi Rahul,
 
What do you mean by using actual IP? You mean the public IP or the private IP, to be added on the access rule? I do have other sites, where I add in the access rule using the private IP network object (which NAT to public IP) and it's working.

 

I mean private IP of server.

Yes, I'm using the private IP object, with NAT... And it's working on other site

Anyone got any ideas?

can you share object-group network configuration?

Here you go.

 

object network my-inside-net
 subnet 10.252.22.0 255.255.255.0
object network my-DB
 host 10.252.22.10
object network my-CCTV
 host 10.252.22.20
object network my-CCTV-3100
 host 10.252.22.20
object network my-DB-FTP
 host 10.252.22.10
object-group service TCP_2048 tcp
 port-object eq 2048
object-group service TCP_3100 tcp
 port-object eq 3100
object-group service DM_INLINE_TCP_1 tcp
 group-object TCP_3100
 port-object eq www

Could you do a packet tracer on the ASA

packet-tracer input outside tcp 4.2.2.2 1234 1.1.1.2 2048 detail

also this one for comparison

packet-tracer input outside tcp 4.2.2.2 2048 1.1.1.2 2048 detail

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Marius,

 

I can't login to the ASA now, maybe the end users bypass it now. Anyway, I did try the packet tracer via ASDM and it showed packet drop due to implicit deny.

For which packet tracer did the packet drop?  Did you use the public IP of the server or the private IP?

Was it denied at a ACL rule, NAT rule...etc.?

If possible take a screenshot of the ASDM packet tracer

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: