12-24-2011 07:13 AM - edited 03-11-2019 03:06 PM
Hello Experts,
Is static Port Address Translation bidirectional in 8.4?
I have configured static port address translation for the 2 servers with the same public IP for ports 80 and 23. The strange thing is that when they initiate a connection to the outside world they are allowed access to the internet, though they are not included in the dynamic Port Address Translation pool.
object network inside network.
subnet 192.168.10.0 255.255.255.0
Can anybody help me?
Thanks
12-24-2011 08:16 AM
Please post your configuration.
12-24-2011 11:00 AM
ciscoasa(config-network-object)# sh running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object network all
subnet 192.168.10.0 255.255.255.0
object network static
host 2.2.2.2
object network PAT
host 10.10.10.1
access-list outside extended permit tcp any host 2.2.2.2 eq telnet
access-list outside extended permit tcp any host 10.10.10.1 eq www
pager lines 24
logging enable
logging buffered notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network all
nat (inside,outside) dynamic 192.168.20.5
object network static
nat (inside,outside) static 3.3.3.3 service tcp telnet telnet
object network PAT
nat (inside,outside) static 3.3.3.3 service tcp 8080 www
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.20.2 1
route inside 2.2.2.0 255.255.255.0 192.168.10.2
route inside 10.10.10.0 255.255.255.0 192.168.10.2
12-24-2011 11:13 AM
Hello Estela,
You are doing port-forwarding; this kind of NAT is just for inbound connections.
Static will always be bi-directional; port-forwarding will be for communications initiated on the lower security level interface.
Regards,
Julio
12-24-2011 11:21 AM
Yes, correct.
But when these servers initiate a connection, by what IP will they go out?
Tx
12-24-2011 11:37 AM
Hello,
They will use the PAT IP address: 192.168.20.5
Regards,
Do rate helpful posts
Julio
12-24-2011 11:47 AM
Yes,
This is my concern; this is what is not happening. Just see the logs below. I initiated a connection from these servers and it was successful, though their addresses are not included in the PAT pool; still they are going out. How come?
ciscoasa(config)# sh conn
1 in use, 10 most used
TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:00:12, bytes 149, flags UIO
ciscoasa(config)# sh xlate
2 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23
flags sr idle 0:41:35 timeout 0:00:00
TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80
flags sr idle 0:02:29 timeout 0:00:00
ciscoasa(config)# sh local-host
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 2 maximum active, 0 denied
local host: <10.10.10.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:01:01, bytes 149, flags UIO
Interface outside: 1 active, 5 maximum active, 0 denied
local host: <1.1.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:01:01, bytes 149, flags UIO
Tx
12-24-2011 12:18 PM
Hello Estela,
I see what you are saying,
Can you provide the following packet-tracer:
packet-tracer input inside tcp 192.168.10.5 1025 4.2.2.2 80
Regards,
Do please rate helpful posts
Julio
12-24-2011 12:24 PM
Hello,
You need the captured packets from inside to outside, if I'm not wrong.
I didn't understand the line below; I don't have the following IPs in my network. I hope it is an example.
packet-tracer input inside tcp 192.168.10.5 1025 4.2.2.2 80
Tx
12-24-2011 12:37 PM
Hello Stela,
This will show us all the NAT rules, ACLs and routes that the traffic for that host is hitting. Of course it is an example; you can use any host on that network.
Regards,
Julio
12-24-2011 10:55 PM
Hello Dears
Packet tracer for the static port redirection server IPs.
ciscoasa(config)# sh conn
1 in use, 1 most used
TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:09, bytes 149, flags UIO
ciscoasa(config)# sh xlate
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23
flags sr idle 2:11:34 timeout 0:00:00
TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80
flags sr idle 2:11:34 timeout 0:00:00
ciscoasa(config)# sh local-host
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 2 maximum active, 0 denied
local host: <2.2.2.2>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:21, bytes 149, flags UIO
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <1.1.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:21, bytes 149, flags UIO
ciscoasa(config)# packet-tracer input inside tcp 2.2.2.2 28826 1.1.1.1 23
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 15, using existing flow
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow
#####################################################################################
ciscoasa(config)# sh conn
1 in use, 1 most used
TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:18, bytes 149, flags UIO
ciscoasa(config)# sh xlate
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23
flags sr idle 2:15:10 timeout 0:00:00
TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80
flags sr idle 2:15:10 timeout 0:00:00
ciscoasa(config)# sh local-host
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 2 maximum active, 0 denied
local host: <10.10.10.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:36, bytes 149, flags UIO
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <1.1.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:36, bytes 149, flags UIO
ciscoasa(config)# packet-tracer input inside tcp 10.10.10.1 31862 1.1.1.1 23
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 17, using existing flow
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow
Thanks
12-24-2011 11:39 PM
Post the full trace, all phases.
12-24-2011 11:41 PM
Hello Estela,
You are using an existing flow for the packet tracer; that is not what I am looking for.
I want you to do the following packet tracer please!
packet-tracer input inside tcp 10.10.10.1 1025 1.1.1.1 23
12-25-2011 12:37 AM
The source port I'm using is 23 and the destination is also 23. Is it OK, or am I wrong? Please correct me if this is not enough.
In such a case, when I don't know the source port, what should I use?
ciscoasa(config)# packet-tracer input inside tcp 2.2.2.2 23 1.1.1.1 23
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network static
nat (inside,outside) static 3.3.3.3 service tcp telnet telnet
Additional Information:
Static translate 2.2.2.2/23 to 3.3.3.3/23
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2368, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
12-25-2011 10:22 AM
Hello Estela,
You need to use a random port, but for these monitoring purposes it's okay; I saw what I was looking for.
That traffic is hitting the static rule; it seems like on ASA version 8.3 and prior the static port-forwarding will be taken bidirectionally.
Are you looking for just inbound connections, or is it okay if it's bi-directional?
Regards,
Julio
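The question running through this thread is which address these servers appear from when they go out, and the xlate flags posted above answer it: s marks a static entry, r a port-map, i a dynamic one. The following is an added example, not Cisco code and not from anyone in the thread, that parses the 'sh xlate' and 'sh conn' output posted above and reports, per connection, which mapped address and which kind of translation covers the inside endpoint. The sample input is constructed from the thread's output plus one constructed connection from 2.2.2.2 with source port 23, the port used in the packet-tracer above; the function names and the in-order mapping of port ranges are assumptions.

```python
"""Work out, from ASA 'show xlate' and 'show conn' output, which mapped
address an inside host's connection appears from and whether that
translation is static (flag s), a port-forward (flag r) or dynamic (flag i).
Added example, not Cisco code; sample input is constructed from the thread."""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the 'sh xlate' output posted in the thread.
SAMPLE_XLATE = """\
2 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23
flags sr idle 0:41:35 timeout 0:00:00
TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80
flags sr idle 0:02:29 timeout 0:00:00
"""
# First conn is from the thread; the second is constructed with source
# port 23 so that it falls inside the static service translation.
SAMPLE_CONN = """\
2 in use, 10 most used
TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:00:12, bytes 149, flags UIO
TCP outside 1.1.1.1:23 inside 2.2.2.2:23, idle 0:00:05, bytes 149, flags UIO
"""

XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<rif>\w+):(?P<rip>[\d.]+) (?P<rlo>\d+)-(?P<rhi>\d+)"
    r" to (?P<mif>\w+):(?P<mip>[\d.]+) (?P<mlo>\d+)-(?P<mhi>\d+)$")
FLAGS_RE = re.compile(r"^flags (?P<flags>\S+) idle [\d:]+ timeout [\d:]+$")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<oif>\w+) (?P<oip>[\d.]+):(?P<oport>\d+)"
    r" (?P<iif>\w+) (?P<iip>[\d.]+):(?P<iport>\d+), idle [\d:]+, bytes \d+, flags \S+$")

Conn = namedtuple("Conn", "proto out_if out_ip out_port in_if in_ip in_port")


@dataclass
class Xlate:
    proto: str
    real_if: str
    real_ip: str
    real_lo: int
    real_hi: int
    mapped_if: str
    mapped_ip: str
    mapped_lo: int
    mapped_hi: int
    flags: str

    def kind(self) -> str:
        if "s" in self.flags:
            return "static port-forward" if "r" in self.flags else "static"
        return "dynamic" if "i" in self.flags else "other"

    def covers(self, proto: str, ip: str, port: int) -> bool:
        return proto == self.proto and ip == self.real_ip and self.real_lo <= port <= self.real_hi

    def mapped_port(self, real_port: int) -> int:
        # Assumption: a real port range maps onto the mapped range in order.
        return self.mapped_lo + (real_port - self.real_lo)


def parse_xlate(text: str) -> List[Xlate]:
    """Each xlate is two lines: the translation line, then its flags line."""
    entries, pending = [], None
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            pending = m.groupdict()
            continue
        f = FLAGS_RE.match(line.strip())
        if f and pending:
            d = pending
            entries.append(Xlate(d["proto"], d["rif"], d["rip"], int(d["rlo"]), int(d["rhi"]),
                                 d["mif"], d["mip"], int(d["mlo"]), int(d["mhi"]), f["flags"]))
            pending = None
    return entries


def parse_conn(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            conns.append(Conn(d["proto"], d["oif"], d["oip"], int(d["oport"]),
                              d["iif"], d["iip"], int(d["iport"])))
    return conns


def egress_for(conn: Conn, xlates: List[Xlate]) -> Tuple[Optional[str], str]:
    """Return (mapped 'ip:port', translation kind) for the connection's inside
    endpoint, or (None, 'none in xlate table') when no entry covers it."""
    for x in xlates:
        if x.covers(conn.proto, conn.in_ip, conn.in_port):
            return f"{x.mapped_ip}:{x.mapped_port(conn.in_port)}", x.kind()
    return None, "none in xlate table"


if __name__ == "__main__":
    xlates = parse_xlate(SAMPLE_XLATE)
    for c in parse_conn(SAMPLE_CONN):
        mapped, kind = egress_for(c, xlates)
        print(f"{c.in_ip}:{c.in_port:<8} -> {mapped or '(no xlate)':<14} {kind}")
```

Run against the thread's output, the connection from 10.10.10.1 with source port 14811 has no covering entry in the xlate table (the static service translation only covers real port 8080), while the constructed connection from 2.2.2.2 with source port 23 is covered by the static port-forward and appears from 3.3.3.3:23. Comparing the two columns is the quickest way to see which translation a given outbound flow actually used.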