NAT ISSUE ASA 5505 VERSION 9.1

Hi guys,

I have an ASA 5505 firewall, and behind it in the DMZ zone I have a Windows Server 2012 machine that is a load balancer with the IP 172.168.200.10, and two web servers that respond to the requests: server1 172.168.200.2 and server2 172.168.200.3.

The problem I have is that I am able to access the public IP of my load balancer from any host on the internet and it works normally, but I am unable to get server1 and server2 to reach the internet.

I am sure this is a NAT problem, but I can't find the solution.

I am attaching the configuration and a drawing of the network 


Have you run a packet tracer on the ASA? If not, please run the following commands:

packet-tracer input DMZ tcp 172.168.200.10 12345 4.2.2.2 80 detail

and

packet-tracer input DMZ tcp 172.168.200.10 12345 4.2.2.2 443 detail

Could you also post the output of the object groups INTERNET-TCP and INTERNET-UDP?

Also, please check the logs when connecting to the internet from the servers. Do you see anything that might be out of place?

--
Please remember to select a correct answer and rate helpful posts

The load balancer with the IP 172.168.200.10 can access the internet since it has a static NAT; the other two servers, server1 172.168.200.2 and server2 172.168.200.3, don't have a NAT entry, and that's why they can't reach the internet. Basically, what I want is to add a NAT statement for those two servers as well. If I use NAT for the whole network 172.168.200.0/24, I am able to reach the internet from all servers, but I am unable to get my load balancer to work when I try to reach it using the public IP from outside.

You can see below the output for 172.168.200.10, which has a static NAT and works properly, and below it the output for server1 172.168.200.2, which has no NAT statement and justifiably can't reach the internet.

 

packet-tracer input dmz tcp 172.168.200.10 12345 4.2.2.2 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ-IN in interface DMZ
access-list DMZ-IN extended permit tcp 172.168.200.0 255.255.255.0 any object-group INTERNET-TCP
object-group service INTERNET-TCP tcp
 description: TCP standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq domain
 port-object eq smtp
 port-object eq 3389
 port-object eq 62306
 port-object eq 60502
 port-object eq 58545
 port-object eq 445
 port-object eq 88
 port-object eq ldap
 port-object eq 135
 port-object eq 49155
 port-object eq 49159
 port-object eq 1433
 port-object eq 1434
 port-object eq 55527
 port-object eq 2794
 port-object eq 5985
 port-object eq 22233
 port-object eq 309
 port-object eq 902
 port-object eq 32843
 port-object eq 32844
 port-object eq 808
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,outside) source static WEBSERVER-REALIP WEBSERVER-PUBLICIP
Additional Information:
Static translate 172.168.200.10/12345 to A.B.C.D/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,outside) source static WEBSERVER-REALIP WEBSERVER-PUBLICIP
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1697859, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

-----------------------------------------------------------------

asa# packet-tracer input dmz tcp 172.168.200.2 12345 4.2.2.2 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ-IN in interface DMZ
access-list DMZ-IN extended permit tcp 172.168.200.0 255.255.255.0 any object-group INTERNET-TCP
object-group service INTERNET-TCP tcp
 description: TCP standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq domain
 port-object eq smtp
 port-object eq 3389
 port-object eq 62306
 port-object eq 60502
 port-object eq 58545
 port-object eq 445
 port-object eq 88
 port-object eq ldap
 port-object eq 135
 port-object eq 49155
 port-object eq 49159
 port-object eq 1433
 port-object eq 1434
 port-object eq 55527
 port-object eq 2794
 port-object eq 5985
 port-object eq 22233
 port-object eq 309
 port-object eq 902
 port-object eq 32843
 port-object eq 32844
 port-object eq 808
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1697818, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Well, I would have thought that you would be able to send outgoing traffic through the load balancer also.
But you could add a dynamic NAT for the 172.168 network.


object network 172_168_200_0
  subnet 172.168.200.0 255.255.255.0
  nat (DMZ,outside) dynamic interface
--
Please remember to select a correct answer and rate helpful posts

Thanks for your help, MariusGunnerud. I am able to access the internet from those servers too.

The problem now is that they access the internet from the public IP assigned to the outside interface and not from the dedicated IP address assigned to the load balancer.

Isn't it possible to also add those two servers to the static NAT statement and have them receive the IP of the load balancer?


You could use an object-group to group those three servers together, so something like this:
object-group network WEBSERVERS-PRIVATEIP
  host 172.168.200.10
  host 172.168.200.2
  host 172.168.200.3
nat (DMZ,outside) source static WEBSERVERS-PRIVATEIP WEBSERVER-PUBLICIP

--
Please remember to select a correct answer and rate helpful posts
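The rule ordering that both of MariusGunnerud's suggestions depend on, written out as an added example; this is not code from the original thread or from Cisco. It models only the parts of ASA (8.3 and later) NAT selection that matter here: Section 1 twice NAT ("nat (DMZ,outside) source static ...") is consulted in configuration order before Section 2 object NAT, which is why the static for 172.168.200.10 keeps winning after the dynamic rule for the /24 is added; a source with no matching rule leaves untranslated, which is what the second packet-tracer above shows (Action: allow, but no NAT phase with a "Static translate" line, so 172.168.200.2 is never rewritten); and only a static rule admits a connection initiated from outside, which is why NAT for the whole network alone broke inbound access to the load balancer. The public addresses 203.0.113.10 (standing in for the masked A.B.C.D) and 203.0.113.1 (outside interface) are placeholders, and the dynamic object-NAT rule from the earlier reply is assumed to stay in place alongside the widened static; both are assumptions. It does not model destination matching, PAT port allocation, the after-auto section, or which real host a many-to-one static hands inbound traffic to.

```python
"""Toy model of how an ASA (8.3+) picks a NAT rule for a DMZ -> outside flow.

Added example for this thread, not code from the original posts or from
Cisco. It reproduces only the ordering that matters here:
  * Section 1 (twice/manual NAT) is checked in configuration order
    before Section 2 (object/auto NAT);
  * within Section 2, static rules precede dynamic ones, then fewer
    real addresses first, then lowest real address, then object name;
  * a flow with no matching rule leaves untranslated;
  * only a static rule lets a connection be initiated from outside.
Not modelled: destination matching, PAT port allocation, the after-auto
section, or which real host a many-to-one static hands inbound traffic to.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Placeholders (assumption): the thread masks the real public IP as A.B.C.D.
PUBLIC_LB_IP = "203.0.113.10"   # WEBSERVER-PUBLICIP
OUTSIDE_IF_IP = "203.0.113.1"   # address of the outside interface


@dataclass
class NatRule:
    name: str                  # object name as it appears in the config
    section: int               # 1 = twice NAT, 2 = object NAT
    real: List[IPv4Network]    # real (pre-translation) source addresses
    mapped: Optional[str]      # mapped address; None means "dynamic interface"
    static: bool

    def matches(self, src: IPv4Address) -> bool:
        return any(src in net for net in self.real)

    def real_count(self) -> int:
        return sum(net.num_addresses for net in self.real)


def order_rules(rules: List[NatRule]) -> List[NatRule]:
    """Return the rules in the order the ASA consults them."""
    section1 = [r for r in rules if r.section == 1]          # config order
    section2 = sorted(
        (r for r in rules if r.section == 2),
        key=lambda r: (not r.static, r.real_count(),
                       min(n.network_address for n in r.real), r.name),
    )
    return section1 + section2


def translate(rules: List[NatRule], src: str,
              outside_ip: str = OUTSIDE_IF_IP) -> Tuple[Optional[str], str]:
    """First matching rule and the source address the packet leaves with.

    (None, src) means no rule matched: packet-tracer still reports
    'Action: allow', but there is no NAT phase and the source is unchanged.
    """
    s = ip_address(src)
    for r in order_rules(rules):
        if r.matches(s):
            return r.name, (outside_ip if r.mapped is None else r.mapped)
    return None, src


def inbound_allowed(rules: List[NatRule], public_ip: str) -> bool:
    """Can a connection from outside be initiated to public_ip?
    Dynamic NAT/PAT never creates an inbound translation; static does."""
    return any(r.static and r.mapped == public_ip for r in rules)


def hosts(*addrs: str) -> List[IPv4Network]:
    return [ip_network(a + "/32") for a in addrs]


# The configurations discussed in the thread.
STATIC_LB = NatRule("WEBSERVER-REALIP", 1, hosts("172.168.200.10"),
                    PUBLIC_LB_IP, static=True)
DYN_SUBNET = NatRule("172_168_200_0", 2, [ip_network("172.168.200.0/24")],
                     None, static=False)
STATIC_GROUP = NatRule("WEBSERVERS-PRIVATEIP", 1,
                       hosts("172.168.200.10", "172.168.200.2", "172.168.200.3"),
                       PUBLIC_LB_IP, static=True)

ORIGINAL = [STATIC_LB]                  # OP's config: only the LB translates
DYNAMIC_ONLY = [DYN_SUBNET]             # "NAT for the whole network": LB unreachable from outside
WITH_DYNAMIC = [STATIC_LB, DYN_SUBNET]  # first reply: servers egress via interface IP
ACCEPTED = [STATIC_GROUP, DYN_SUBNET]   # accepted answer (dynamic rule assumed left in place)

DMZ_HOSTS = ("172.168.200.10", "172.168.200.2", "172.168.200.3")


def egress_table(rules: List[NatRule]) -> dict:
    """Map each DMZ host to (rule, mapped source) under a given config."""
    return {h: translate(rules, h) for h in DMZ_HOSTS}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("dynamic only", DYNAMIC_ONLY),
                       ("static + dynamic", WITH_DYNAMIC), ("accepted", ACCEPTED)):
        print(f"{label}: {egress_table(cfg)}  "
              f"inbound to LB: {inbound_allowed(cfg, PUBLIC_LB_IP)}")
```

Running it prints one line per configuration. The useful check when reading a real packet-tracer is the same one the model makes explicit: an "Action: allow" result without a NAT phase means the packet leaves with its original source, so for the DMZ hosts here look for the "Static translate" line (or its absence) rather than the final action.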

Thank you for the rating :)

--
Please remember to select a correct answer and rate helpful posts

Thanks for your help! :)
