NAT only working for some IP addresses on 5505

mjames_wdd
Level 1

I'm trying to get a new 5505 installed in our network to replace the 1841 that died over the past few days (memory issues).  One of the big pieces of functionality that the old router gave us was the ability to open certain ports to the outside world to let clients see web sites we were working on for them or let employees RDP in to their work machines.  I'm having trouble getting that working properly with the new device.

After a lot of trial and error, I finally got some ports working, but only for some IP addresses.  In theory, Comcast (our ISP) is routing 13 IP addresses to our device (a.b.c.177 through 189).  For historical reasons, the external IP of the device is .178.  Only those NAT entries for .177, .178 and .179 are currently working.  I have no idea why.  I've attached the configuration of the ASA, as well as the configuration of the old 1841.  As far as I know, Comcast's equipment is doing its job, so I don't have a lot of reason to question that end of it.  And it was working with the 1841 in place before its untimely demise.

Does anyone have any ideas what I'm missing?

One note - I am also having trouble getting the VPNs working, so they are a work in progress.  That will account for some of the differences in the configs.

Thanks,

Matt James

7 Replies

Julio Carvajal
VIP Alumni

Hello Mjames,

I will be more than glad to help on this,

Error number one:

nat (outside) 0 access-list outside_nat0_outbound

This is the no nat rule for the VPN, please change it to :

nat (inside) 0 access-list outside_nat0_outbound

Error number two:

Now regarding the port forwarding rules, for example check these ones:

static (inside,outside) tcp interface ftp-data 192.168.2.7 ftp-data netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.2.7 ftp netmask 255.255.255.255

The interface IP address is

ip address a.b.c.178

And now check the Access-list

access-list outside_access_in extended permit tcp any a.b.c.176 255.255.255.240 eq ftp-data

access-list outside_access_in extended permit tcp any a.b.c.176 255.255.255.240 eq ftp

Why are they pointing to a.b.c.176?? They should be pointing to a.b.c.178.

I do see all the access-lists pointing to .176; they should be pointing to the global IP address on the static statement (please change that and that should do it).

Please rate helpful posts

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
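The check Julio is describing here (does each `static` port forward have an outside access-list line that permits its global address and port?) can be automated. The script below is an added illustration for this thread, not a Cisco tool and not code from either poster. It parses the pre-8.3 `static (inside,outside) tcp ...` syntax used in the thread, resolves the `interface` keyword to the outside interface address, and treats a network/mask ACL entry as covering every host in that subnet. The sample configuration is constructed from the fragments quoted above, with the documentation range 203.0.113.0/24 standing in for a.b.c; one static (for .183) is deliberately left without an ACL line so the audit has something to flag.

```python
"""Consistency check for pre-8.3 ASA port forwards: every 'static' should be
matched by an outside ACL entry that permits its global (mapped) address and
port. Added illustration for the forum thread, not a Cisco tool."""
import ipaddress
import re

# ASA service keywords used in the thread's fragments; numeric ports pass through.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "www": 80, "http": 80, "https": 443}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask \S+")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any (.+?) eq (\S+)$")
IP_RE = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")

# Constructed sample config modelled on the fragments quoted in the thread.
# 203.0.113.0/24 (a documentation range) stands in for the thread's a.b.c.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.178 255.255.255.240
static (inside,outside) tcp interface ftp-data 192.168.2.7 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.2.7 ftp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.188 www 192.168.2.42 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.183 www 192.168.2.115 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any 203.0.113.176 255.255.255.240 eq ftp-data
access-list outside_access_in extended permit tcp any host 203.0.113.178 eq ftp
access-list outside_access_in extended permit tcp any host 203.0.113.188 eq www
"""


def port_number(token):
    """Map an ASA service keyword or numeric string to a port number."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_acl_dst(text):
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D MASK' into an ip_network."""
    parts = text.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_config(text):
    """Extract the outside interface IP, the statics and the outside ACL lines."""
    outside_ip, statics, acl, current_if = None, [], [], None
    for line in text.splitlines():
        if m := NAMEIF_RE.match(line):
            current_if = m.group(1)
        elif (m := IP_RE.match(line)) and current_if == "outside":
            outside_ip = m.group(1)
        elif m := STATIC_RE.match(line):
            _, _, gaddr, gport, laddr, lport = m.groups()
            statics.append((gaddr, port_number(gport), laddr, port_number(lport)))
        elif m := ACL_RE.match(line):
            acl.append((parse_acl_dst(m.group(2)), port_number(m.group(3))))
    return outside_ip, statics, acl


def audit(text):
    """Return (global_ip, global_port, local_ip, covered) for every static."""
    outside_ip, statics, acl = parse_config(text)
    result = []
    for gaddr, gport, laddr, _ in statics:
        # 'interface' in a static means the outside interface's own address.
        gip = ipaddress.ip_address(outside_ip if gaddr == "interface" else gaddr)
        covered = any(gip in net and port == gport for net, port in acl)
        result.append((str(gip), gport, laddr, covered))
    return result


if __name__ == "__main__":
    for gip, gport, laddr, covered in audit(SAMPLE_CONFIG):
        status = "ok" if covered else "NO OUTSIDE ACL ENTRY"
        print(f"{gip}:{gport} -> {laddr}  {status}")
```

Run on a saved `show running-config`, a `False` in the last column is a static that no outside ACL line lets through. The subnet-aware match also shows why the `a.b.c.176 255.255.255.240` entries debated later in the thread do cover the `.178` interface address: the /28 contains it.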

Julio -

As seen in the other thread, the VPN answer took care of it - thanks!

On the NAT side, however, I don't think that's what I'm looking for.  In the end, I want to be able to NAT any traffic sent to .177 through .189 - such as this:

static (inside,outside) tcp 173.167.162.188 www 192.168.2.42 www netmask 255.255.255.255

The access-list is set up as it is so that any traffic to those IPs will be allowed to be considered for NAT-ing.  I've tried setting the access list rules up where I had one per IP per protocol, but didn't have any luck.  Once I set it to "outside-network" (in ASDM), that at least got 3 of the IPs running.  I would have expected either method to work (by IP with the mask at 255.255.255.255 or the whole outside network with the mask at 255.255.255.240), but neither is getting it all the way there.

Anything else that you can think of?

Thanks,

Matt

Hello Matt,

The nat configuration is the same for those that are working and the ones that are not working.

I would like to run a packet tracer to see the rules the ASA uses for these packets:

packet-tracer input outside tcp 4.2.2.2 1025 a.b.c.183 80

packet-tracer input outside tcp 4.2.2.2 1025 interface_ip_address 21

packet-tracer input outside tcp 4.2.2.2 1025 a.b.c.183 80

Please provide the output of those packet tracers.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Files are attached.  Still confused, as the packet trace works for both.

Thoughts?

Thanks - Matt

Hello,

So the ASA seems to be taking the right path regarding those packets; the next thing would be to do captures:

access-list capin permit tcp host xxxxx host 192.168.2.115 eq 80

access-list capin permit tcp host 192.168.2.115 eq 80 host xxxx

access-list capout permit tcp host a.b.c.183 eq 80 host xxxxxx

access-list capout permit tcp host xxxxxx host a.b.c.183 eq 80

capture capin access-list capin interface inside

capture capout access-list capout interface outside

The xxxx is the host trying to connect to the server on the inside.

So I will need you to start sending traffic from that host and then provide the following outputs:

- sh capture capin

- sh capture capout

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mjames_wdd
Level 1

After much investigation and a few long days, we've determined that this issue was caused by factors outside the ASA.  The configuration is correct, and we are up and running.

Thanks to everyone for their help.

Matt

Hello,

Great to hear that; the captures were going to let us know that as well.

Please mark the question as answered for future reference.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC