Static Port Address Translation 8.4

estelamathew
Level 2

Hello Experts,

Is static Port Address Translation bidirectional in 8.4?

I have configured static port address translation for two servers with the same public IP, for ports 80 and 23. The strange thing is that when they initiate a connection to the outside world they are allowed access to the internet, though they are not included in the dynamic port address translation pool.

object network inside network.

subnet 192.168.10.0 255.255.255.0

Can anybody help me?

Thanks

15 Replies

ajay chauhan
Level 7

Please post your configuration.

ciscoasa(config-network-object)# sh running-config

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 192.168.20.1 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

object network all

subnet 192.168.10.0 255.255.255.0

object network static

host 2.2.2.2

object network PAT

host 10.10.10.1

access-list outside extended permit tcp any host 2.2.2.2 eq telnet

access-list outside extended permit tcp any host 10.10.10.1 eq www

pager lines 24

logging enable

logging buffered notifications

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!            

object network all

nat (inside,outside) dynamic 192.168.20.5

object network static

nat (inside,outside) static 3.3.3.3 service tcp telnet telnet

object network PAT

nat (inside,outside) static 3.3.3.3 service tcp 8080 www

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.20.2 1

route inside 2.2.2.0 255.255.255.0 192.168.10.2

route inside 10.10.10.0 255.255.255.0 192.168.10.2

Hello Estela,

You are doing port forwarding; this kind of NAT is just for inbound connections.

Static will always be bidirectional; port forwarding will be for communications initiated on the lower security level interface.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, correct.

But when these servers initiate a connection, what IP will they go out with?

Tx

Hello,

It will use the PAT IP address: 192.168.20.5

Regards,

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes,

This is my concern; this is what is not happening. Just see the logs below. I just initiated a connection from these servers and it was successful, though their addresses are not included in the PAT pool. They are still going out. How come?

ciscoasa(config)# sh conn

1 in use, 10 most used

TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:00:12, bytes 149, flags UIO

ciscoasa(config)# sh xlate

2 in use, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23

    flags sr idle 0:41:35 timeout 0:00:00

TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80

    flags sr idle 0:02:29 timeout 0:00:00

ciscoasa(config)# sh local-host

Interface management: 0 active, 0 maximum active, 0 denied

Interface inside: 1 active, 2 maximum active, 0 denied

local host: <10.10.10.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:01:01, bytes 149, flags UIO

Interface outside: 1 active, 5 maximum active, 0 denied

local host: <1.1.1.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:01:01, bytes 149, flags UIO

Tx

Hello Estela,

I see what you are saying,

Can you provide the following packet-tracer

packet-tracer input inside tcp 192.168.10.5 1025 4.2.2.2 80

Regards,

Do please rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

You need the captured packets from inside to outside, if I'm not wrong.

I didn't understand the line below. I don't have the following IPs in my network; I hope it is an example.

packet-tracer input inside tcp 192.168.10.5 1025 4.2.2.2 80

Tx

Hello Stela,

This will show us all the NAT rules, ACLs and routes that the traffic for that host is hitting. Of course it is an example; you can use any host on that network.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Dears,

Packet tracer for the static port redirection server IPs.

ciscoasa(config)# sh conn

1 in use, 1 most used

TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:09, bytes 149, flags UIO

ciscoasa(config)# sh xlate

2 in use, 3 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23

    flags sr idle 2:11:34 timeout 0:00:00

TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80

    flags sr idle 2:11:34 timeout 0:00:00

ciscoasa(config)# sh local-host

Interface management: 0 active, 0 maximum active, 0 denied

Interface inside: 1 active, 2 maximum active, 0 denied

local host: <2.2.2.2>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:21, bytes 149, flags UIO

Interface outside: 1 active, 1 maximum active, 0 denied

local host: <1.1.1.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:21, bytes 149, flags UIO

ciscoasa(config)# packet-tracer input inside tcp 2.2.2.2 28826 1.1.1.1 23    

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found flow with id 15, using existing flow

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: allow

#####################################################################################

ciscoasa(config)# sh conn

1 in use, 1 most used

TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:18, bytes 149, flags UIO

ciscoasa(config)# sh xlate

2 in use, 3 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23

    flags sr idle 2:15:10 timeout 0:00:00

TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80

    flags sr idle 2:15:10 timeout 0:00:00

ciscoasa(config)# sh local-host

Interface management: 0 active, 0 maximum active, 0 denied

Interface inside: 1 active, 2 maximum active, 0 denied

local host: <10.10.10.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:36, bytes 149, flags UIO

Interface outside: 1 active, 1 maximum active, 0 denied

local host: <1.1.1.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:36, bytes 149, flags UIO

ciscoasa(config)# packet-tracer input inside tcp 10.10.10.1 31862 1.1.1.1 23

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found flow with id 17, using existing flow

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: allow

Thanks

Post the full trace, all phases.

Hello Estela,

You are using an existing flow for the packet tracer; that is not what I am looking for.

I want you to do the following packet tracer please!

packet-tracer input inside tcp 10.10.10.1 1025 1.1.1.1 23

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The source port I am using is 23 and the destination is also 23. Is that OK, or am I wrong? Please correct me if this is not enough.

In such a case, when I don't know the source port, what should I use?

ciscoasa(config)# packet-tracer input inside tcp 2.2.2.2 23 1.1.1.1 23

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network static

nat (inside,outside) static 3.3.3.3 service tcp telnet telnet

Additional Information:

Static translate 2.2.2.2/23 to 3.3.3.3/23

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2368, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Hello Estela,

You need to use a random port, but for monitoring purposes it's okay; I saw what I was looking for.

That traffic is hitting the static rule. It seems that on ASA version 8.3 and prior the static port-forwarding will be taken as bidirectional.

Are you looking for just inbound connections, or is it okay if it's bidirectional?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
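The points made in this thread (a static rule being matched in both directions, a static PAT rule covering only the real port named in it, and the dynamic PAT object covering only 192.168.10.0/24) can be checked against a small model of the ASA 8.3+ object NAT lookup. The Python below is an added example, not code from the thread or from Cisco; it encodes the three NAT rules from the posted running-config. It models the ASA 8.3 and later behaviour that a packet matching no NAT rule is forwarded untranslated (nat-control was removed in 8.3). That matters here because 2.2.2.2 and 10.10.10.1 are only routed via `route inside`, not covered by `object network all`, so a connection they source from an ephemeral port matches neither the static PAT rule (wrong real port) nor the dynamic rule (wrong subnet); `show xlate` above shows no dynamic (`i`) entry for those connections, consistent with the dynamic rule not being used. Note that every packet-tracer posted in the thread uses source port 23, so the page never shows the NAT phase for an ephemeral source port; `packet-tracer input inside tcp 2.2.2.2 28826 1.1.1.1 23` would confirm which rule, if any, that traffic hits. The `FIXED_RULES` set, which adds the servers' own subnets to the dynamic PAT, is a suggested remedy and not from the page.

```python
"""Model of the ASA 8.3+ object NAT lookup for the rules posted in this thread.

Added example, not code from the thread or from Cisco. Modelled behaviour:
static rules before dynamic ones; a static rule is bidirectional and a static
PAT rule matches only its real port; dynamic PAT matches real->mapped only; a
packet matching no rule leaves untranslated (no nat-control since 8.3).
Dynamic PAT source ports are kept as-is here; a real ASA picks a free port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Union


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticRule:
    """object network X / host REAL / nat (real,mapped) static MAPPED [service tcp RP MP]"""
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None  # None: plain static NAT, all ports
    mapped_port: Optional[int] = None


@dataclass(frozen=True)
class DynamicRule:
    """object network X / subnet REAL / nat (real,mapped) dynamic MAPPED"""
    real_ifc: str
    mapped_ifc: str
    real_net: str
    mapped_ip: str


Rule = Union[StaticRule, DynamicRule]


@dataclass(frozen=True)
class Result:
    src: str
    sport: int
    dst: str
    dport: int
    rule: Optional[Rule]  # None: no NAT rule matched, packet left untranslated


def translate(pkt: Packet, rules: Sequence[Rule]) -> Result:
    """Return the packet as it would leave the firewall and the rule it hit."""
    statics = [r for r in rules if isinstance(r, StaticRule)]
    dynamics = [r for r in rules if isinstance(r, DynamicRule)]

    for r in statics:
        # Real host initiating towards the mapped interface (outbound).
        if (pkt.ingress == r.real_ifc and pkt.src == r.real_ip
                and (r.real_port is None or pkt.sport == r.real_port)):
            return Result(r.mapped_ip, r.mapped_port or pkt.sport,
                          pkt.dst, pkt.dport, r)
        # Mapped side initiating towards the mapped address (inbound):
        # the same static rule un-translates, i.e. it is bidirectional.
        if (pkt.ingress == r.mapped_ifc and pkt.dst == r.mapped_ip
                and (r.mapped_port is None or pkt.dport == r.mapped_port)):
            return Result(pkt.src, pkt.sport,
                          r.real_ip, r.real_port or pkt.dport, r)

    for r in dynamics:
        # Dynamic PAT only ever translates real -> mapped.
        if (pkt.ingress == r.real_ifc
                and ip_address(pkt.src) in ip_network(r.real_net, strict=False)):
            return Result(r.mapped_ip, pkt.sport, pkt.dst, pkt.dport, r)

    return Result(pkt.src, pkt.sport, pkt.dst, pkt.dport, None)


# The three object NAT rules from the posted running-config.
THREAD_RULES: Sequence[Rule] = (
    DynamicRule("inside", "outside", "192.168.10.0/24", "192.168.20.5"),
    StaticRule("inside", "outside", "2.2.2.2", "3.3.3.3", 23, 23),
    StaticRule("inside", "outside", "10.10.10.1", "3.3.3.3", 8080, 80),
)

# Suggested remedy (not from the thread): also PAT the servers' own subnets,
# which the posted config only routes, so their other connections get PATed.
FIXED_RULES: Sequence[Rule] = THREAD_RULES + (
    DynamicRule("inside", "outside", "2.2.2.0/24", "192.168.20.5"),
    DynamicRule("inside", "outside", "10.10.10.0/24", "192.168.20.5"),
)

if __name__ == "__main__":
    cases = [
        Packet("inside", "192.168.10.5", 1025, "4.2.2.2", 80),  # Julio's tracer
        Packet("inside", "2.2.2.2", 23, "1.1.1.1", 23),         # OP's tracer
        Packet("inside", "2.2.2.2", 28826, "1.1.1.1", 23),      # OP's real conn
        Packet("outside", "1.1.1.1", 40000, "3.3.3.3", 80),     # inbound web
    ]
    for p in cases:
        for name, rules in (("thread", THREAD_RULES), ("fixed", FIXED_RULES)):
            r = translate(p, rules)
            hit = "none (untranslated)" if r.rule is None else type(r.rule).__name__
            print(f"{name:6} {p.src}:{p.sport}->{p.dst}:{p.dport} => "
                  f"{r.src}:{r.sport}->{r.dst}:{r.dport}  rule={hit}")
```

Run it with `python3 asa_nat_model.py` (the file name is arbitrary): against `THREAD_RULES` the source-port-23 packet translates to 3.3.3.3:23 exactly as the packet-tracer in the thread shows, while the same server's connection from source port 28826 matches nothing and leaves as 2.2.2.2; against `FIXED_RULES` that second connection is PATed to 192.168.20.5. The inbound case shows the static rule working in reverse, which is the bidirectionality the thread asks about.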