08-24-2012 12:30 PM - edited 03-11-2019 04:46 PM
The old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like
static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255
Plus an extended ACL to allow the traffic.
I am trying to create a Static PAT to allow a host address to access our Network through an ASA. I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.
Can anyone help me with the syntax for this?
08-24-2012 04:29 PM
Hello Eric,
object service Random_port
service tcp source eq 14033
object service Specific_port
service tcp source eq 1433
object network INTERNAL_HOST
host 192.168.12.2
object network Outside_Ip
host 4.1.1.1
nat (inside,outside) source static INTERNAL_HOST Outside_Ip service tcp Specific_port Random_port
access-list outside_in permit tcp host 209.114.146.122 host 192.168.12.2 eq 1433
access-group outside_in in interface outside
That should do it
Rate all the helpful posts
Julio
08-27-2012 09:50 AM
Hello Julio,
Thank you for your reply. It got me closer, but I am still missing something. I have played around with the code suggestions that you made, and am not getting traction. It is possible that I did not explain my project completely, or I just misused your suggested code. I am including much of my ASA config, and will try to restate what I hope to accomplish.
I have clients that hit our FW from their outside IP, hitting our IP on port 15003, say. I want to take any traffic hitting our IP on 15003 and translate that to port 1433 on an internal private IP.
What I have so far is:
!
interface Ethernet0/0
nameif External
security-level 0
ip address 66.112.199.133 255.255.255.224
!
interface Ethernet0/2
nameif Internal
security-level 100
ip address 10.187.10.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name informz.net
object network Pod3_SQL
host 10.187.10.230
object network Outside_IP
host 66.112.199.133
object service D3000_Pod3
service tcp source eq 15003
object service SQL_SVR
service tcp source eq 1433
object-group network DM_INLINE_NETWORK_1
nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3
network-object object Outside_IP
network-object object Pod3_SQL
access-list Pod3_In extended permit tcp any eq 15003 host 10.187.10.230 eq 1433
access-group Pod3_In in interface External
I have tried a specific address (or network object) and "Any" in the Access-List. Neither seems to let me through. I do not get any hit count on the ACL, so I do not believe that the traffic gets even that far. The available debug commands for NAT do not appear to be as robust as for IPSec. I was hoping to see real time (or even old logs) of the NAT activities to see where it is breaking down.
Do you see where it is breaking?
Thanx for your help!!
08-27-2012 12:12 PM
Hello Eric,
Yeah, you did not follow my instructions, but that's okay, that is why we are here.
Copy and paste what I am going to place in here:
no nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3
nat (Internal,External) 1 source static Pod3_SQL Outside_IP service SQL_SVR D3000_Pod3
no access-list Pod3_In extended permit tcp any eq 15003 host 10.187.10.230 eq 1433
access-list Pod3_In line 1 permit tcp any host 10.187.10.230 eq 1433
Please do that and let me know; do not do something different with the commands, just place them the way they are.
Rate all the helpful posts
Julio
08-28-2012 07:09 AM
Hey Julio,
Thank you for your persistence and assistance.
I made one slight change in your suggested config, as you will note from the attached code. I reversed the source/destination, as the ASA would not take it as initially presented. The NAT statement should be reversed, from what I understand. I got errors entering it in the order that you suggested.
I still get no translation. Most NAT config examples are for outbound translation. Since I am coming in, should it be nat (external,internal) 1 source static .......?
Also, just so you know how my lab is currently set, I have a PC with 66.192.199.129 on it attempting connection to 66.192.199.133 on 15003 and have a SQL box at 10.187.10.230 listening on 1433.
Is there something similar to isakmp and ipsec debugs that I can run to see either in real time or log where this traffic is going and where it is dying?
interface Ethernet0/0
nameif External
security-level 0
ip address 66.192.199.133 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif Internal
security-level 100
ip address 10.187.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
object network Pod3_SQL
host 10.187.10.230
object network Outside_IP
host 66.192.199.133
object service D3000_Pod3
service tcp source eq 15003
object service SQL_SVR
service tcp source eq 1433
object-group network DM_INLINE_NETWORK_1
network-object object Outside_IP
network-object object Pod3_SQL
access-list Pod3_In extended permit tcp any host 10.187.10.230 eq 1433
nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3
access-group Pod3_In in interface External
Thanx again for your help!
E
08-28-2012 11:37 AM
Hello Eric,
"I still get no translation. Most NAT config examples are for out bound translation. Since I am coming in should it be nat (external,internal) 1 source static .......?"
Not at all, the translation rule is being made from the inside to the outside world, that is why it should follow the order I sent you
"nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3"
My friend if you keep setting the rule like this it will not work
It needs to be
nat (internal,external) source static Pod3_SQL Outside_IP service D3000_Pod3 SQL_SVR
At least the ACL is right now
Copy/paste and let me know
You can rate as many posts as you want my friend
Julio
08-28-2012 12:29 PM
Julio,
I do really appreciate that you are trying to help here. What I do not think that you understand is that I have tried the code exactly as you have suggested and I get an error message. If I reverse the "real source" and the "mapped source" the ASA takes it. It still does not work, but it takes the entry. If I present it as you have suggested I get "Address 66.192.199.133 overlaps with External interface address". I will send you a screen shot if you do not believe me. I have tried straight cut/paste and I have manually entered this repeatedly and it will not take as it currently is....
That said, everything I have been able to find and read says that the statement (despite being counterintuitive) must reverse the two sources. In fact, when I enter it one statement at a time followed by "?", the first source is supposed to be the "Real" and the second the "Mapped". Is Outside_IP not the Real and Pod3_SQL the mapped?
Is it that I cannot use a local external interface as the source, as ultimately (when I take it out of lab and want to use in Production) I will want to be using the IP of the users I want to enter and access the Server via this mapping? I have added a Router in front of the ASA with my test PC outside of that to try to test this theory, but still have no joy.
Doesn't the ACL get checked before any translation occurs? I am not seeing any hits on the ACL, which is part of my curiosity as to where this is breaking down.
08-28-2012 01:00 PM
Hello,
Since 8.3 the order of operations of the ASA changed, nat goes first, then ACL's.
It's not that I don't believe you, it is that I do it like that every day.
Okay, I see what you mean by overlaps.
nat (internal,external) source static Pod3_SQL interface service D3000_Pod3 SQL_SVR
Try it like that and let me know
Remember to rate all the helpful posts, that is as important for us as a thanks
Regards,
08-29-2012 06:09 AM
Hello Julio,
I tried your latest proposed code, and I still get nada on the translation. If you are correct in the order of processing, it is the Translation that is failing, as I still do not get hit counts on the ACL.
I do truly appreciate your persistence and patience with this issue. I think that I am going to open a TAC ticket and see if I can get a tech from Cisco to take a look at it. If they are able to resolve my NAT issue, I will post the config that they dream up here.
Again, thank you for your help!
08-29-2012 07:02 AM
can you try the following
object network Pod3_SQL
nat (Internal,External) static interface service SQL_SVR D3000_Pod3
with the access-list you already got in your code it should work
08-29-2012 08:29 AM
Hello Eric,
As we already know the problem was not with the NAT configuration could you mark the question as answered.
Regards.
Julio
08-29-2012 08:02 AM
Customer came to TAC and the configuration was fine since the beginning.
nat (Internal,External) source static Pod3_SQL interface service SQL_SVR D3000_Pod3
Cheers,
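The thread turns on three details of the 8.3+ twice-NAT form: the real object is named before the mapped one, the mapped address must be the interface keyword rather than an object carrying the interface IP (the "overlaps with External interface address" error), and the ACL is evaluated after NAT against the real address and port. The checker below is an added example written for this thread, not Cisco code or anything posted above; it assumes the host and service-tcp-source-eq object forms used in the posts and only understands the nat ... source static form, and it is run against a constructed copy of the first config Eric posted.

```python
import re
# Added checker for the ASA 8.3+ static PAT (twice NAT) discussed in this thread.
# Assumption: objects use 'host <ip>' and 'service tcp source eq <port>' as posted.
OBJ_RE = re.compile(r"^object (?:network|service) (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+),(\w+)\)(?: \d+)? source static (\S+) (\S+)(?: service (?:tcp )?(\S+) (\S+))?$")
ACL_RE = re.compile(r"^access-list \S+ (?:extended |line \d+ )?permit tcp (?:any|host \S+)(?: eq (\d+))? host (\S+) eq (\d+)$")
def parse_objects(cfg):  # object name -> {'host': ip} or {'port': n}
    objs, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = OBJ_RE.match(line)
        if m:
            cur = m.group(1); objs[cur] = {}
        elif cur and line.startswith("host "):
            objs[cur]["host"] = line.split()[1]
        elif cur and line.startswith("service tcp source eq "):
            objs[cur]["port"] = int(line.split()[-1])
    return objs

def check_static_pat(cfg, real_host, interface_ip, real_port, mapped_port):
    """Return the problems found; an empty list means the working form from the thread."""
    objs = parse_objects(cfg)
    lines = [l.strip() for l in cfg.splitlines()]
    attr = lambda name, key: objs.get(name, {}).get(key)
    nat = next((m for m in map(NAT_RE.match, lines) if m), None)
    if nat is None:
        return ["no 'nat (real,mapped) source static ...' line found"]
    _, mapped_if, real_obj, mapped_obj, real_svc, mapped_svc = nat.groups()
    findings = []
    if attr(real_obj, "host") != real_host:  # real object is named first
        findings.append(f"real source must be the inside host {real_host}, not {real_obj}")
    if mapped_obj != "interface" and attr(mapped_obj, "host") == interface_ip:
        findings.append(f"{mapped_obj} overlaps the {mapped_if} interface address; use 'interface'")
    if (attr(real_svc, "port"), attr(mapped_svc, "port")) != (real_port, mapped_port):
        findings.append(f"service order must be real port {real_port} then mapped port {mapped_port}")
    for src_port, dst, dst_port in (m.groups() for m in map(ACL_RE.match, lines) if m):
        if src_port:  # client source ports are ephemeral, never pin them
            findings.append("ACL pins the client source port; source ports are ephemeral")
        if dst != real_host or int(dst_port) != real_port:  # 8.3+: NAT first, ACL sees real IP
            findings.append("since 8.3 the ACL must match the real (pre-NAT) address and port")
    return findings

# Constructed sample: the objects, nat line and ACL from the first config posted above.
POSTED_CFG = "\n".join([
    "object network Pod3_SQL", " host 10.187.10.230",
    "object network Outside_IP", " host 66.112.199.133",
    "object service D3000_Pod3", " service tcp source eq 15003",
    "object service SQL_SVR", " service tcp source eq 1433",
    "nat (Internal,External) source static Outside_IP Pod3_SQL service SQL_SVR D3000_Pod3",
    "access-list Pod3_In extended permit tcp any eq 15003 host 10.187.10.230 eq 1433",
])
```

Calling check_static_pat(POSTED_CFG, "10.187.10.230", "66.112.199.133", 1433, 15003) reports the reversed real/mapped objects and the source-port match in the ACL; the line TAC confirmed (Pod3_SQL first, interface as the mapped address, SQL_SVR before D3000_Pod3) with the later ACL produces no findings.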