Configure NAT on ASA 5505

I have the ASA 5505. The configuration of the ASA 5505 is:

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.13.74.33 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server
host 192.168.0.20
object network sharepointdri
host 192.168.0.22
object network paragraflex
host 192.168.0.20
object network dri.local
subnet 192.168.0.0 255.255.255.0
object service ParagrafLex1
service tcp source eq 6190
description Odlazni
object service paragraf
service tcp destination eq 6190
description dolazni
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo-reply
service-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp echo-reply
service-object tcp
service-object ip
service-object tcp destination eq domain
service-object tcp destination eq ldap
service-object object ParagrafLex1
object-group service DM_INLINE_SERVICE_3
service-object tcp
service-object tcp destination eq domain
service-object tcp destination eq ldap
object-group service DM_INLINE_SERVICE_4
service-object tcp
service-object icmp echo-reply
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo-reply
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object tcp
service-object icmp echo-reply
service-object icmp
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object tcp
service-object icmp echo-reply
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_5 interface inside interface 
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
access-list outside_access_in_1 extended permit object paragraf any object server
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp outside 10.13.74.1 000d.bd64.a8e2
arp timeout 14400
!
object network server
nat (inside,outside) static 10.13.74.34 dns
object network sharepointdri
nat (any,any) static 10.13.74.39
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route outside 10.15.100.0 255.255.255.0 10.13.74.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ftp paragraf
parameters
policy-map global_policy
class inspection_default
  inspect dns
  inspect icmp
  inspect ip-options
  inspect netbios
  inspect tftp
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
prompt hostname context state priority domain
no call-home reporting anonymous
Cryptochecksum:be2fe7cac5d11b328e0bb11d292899cc
: end

On the WAN port of the ASA 5505 is the network 10.13.74.0/24, and on the LAN port is the network 192.168.0.0/24. On the LAN network is my server, on which the application runs; this application is at address 192.168.0.20. My users on the WAN side (10.13.74.0/24) and on the other networks need to access this application, which works on port 6190. This application uses FTP: traffic comes in to this port and leaves from this port. The ports on the users' computers change, but on the server the port is always the same. I made a NAT from the LAN address 192.168.0.20 to 10.13.74.34. The users on the LAN side can use this application without problem; the users on the WAN side and the other networks can also use it, but they cannot download updates for the application. I traced the traffic in the syslog and I receive:

29323|||SSL session with client inside:192.168.0.108/29323 terminated.
6|Mar 16 2012|14:54:31|106015|192.168.0.108|29323|192.168.0.17|443|Deny TCP (no connection) from 192.168.0.108/29323 to 192.168.0.17/443 flags FIN ACK  on interface inside
6|Mar 16 2012|14:54:31|302014|192.168.0.108|29323|192.168.0.17|443|Teardown TCP connection 627298 for inside:192.168.0.108/29323 to identity:192.168.0.17/443 duration 0:00:00 bytes 726 TCP Reset-O
6|Mar 16 2012|14:54:31|605005|192.168.0.108|29323|192.168.0.17|https|Login permitted from 192.168.0.108/29323 to inside:192.168.0.17/https for user "enable_15"
6|Mar 16 2012|14:54:31|725002|192.168.0.108|29323|||Device completed SSL handshake with client inside:192.168.0.108/29323
6|Mar 16 2012|14:54:31|725001|192.168.0.108|29323|||Starting SSL handshake with client inside:192.168.0.108/29323 for TLSv1 session.
6|Mar 16 2012|14:54:31|302013|192.168.0.108|29323|192.168.0.17|443|Built inbound TCP connection 627298 for inside:192.168.0.108/29323 (192.168.0.108/29323) to identity:192.168.0.17/443 (192.168.0.17/443)
6|Mar 16 2012|14:54:23|302014|10.13.74.100|49222|192.168.0.20|6190|Teardown TCP connection 627294 for outside:10.13.74.100/49222 to inside:192.168.0.20/6190 duration 0:00:23 bytes 2947 TCP FINs
6|Mar 16 2012|14:54:23|302014|10.13.74.100|49219|192.168.0.20|6190|Teardown TCP connection 627291 for outside:10.13.74.100/49219 to inside:192.168.0.20/6190 duration 0:00:23 bytes 222 TCP FINs
6|Mar 16 2012|14:54:23|302014|10.13.74.100|49221|192.168.0.20|6190|Teardown TCP connection 627293 for outside:10.13.74.100/49221 to inside:192.168.0.20/6190 duration 0:00:23 bytes 173 TCP FINs
5|Mar 16 2012|14:54:10|305013|192.168.0.20|4981|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49223 dst inside:192.168.0.20/4981 denied due to NAT reverse path failure
5|Mar 16 2012|14:54:04|305013|192.168.0.20|4981|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49223 dst inside:192.168.0.20/4981 denied due to NAT reverse path failure
5|Mar 16 2012|14:54:01|305013|192.168.0.20|4981|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49223 dst inside:192.168.0.20/4981 denied due to NAT reverse path failure
6|Mar 16 2012|14:54:00|302013|10.13.74.100|49222|192.168.0.20|6190|Built inbound TCP connection 627294 for outside:10.13.74.100/49222 (10.13.74.100/49222) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:54:00|302013|10.13.74.100|49221|192.168.0.20|6190|Built inbound TCP connection 627293 for outside:10.13.74.100/49221 (10.13.74.100/49221) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:54:00|302014|10.13.74.100|49220|192.168.0.20|6190|Teardown TCP connection 627292 for outside:10.13.74.100/49220 to inside:192.168.0.20/6190 duration 0:00:00 bytes 230 TCP FINs
6|Mar 16 2012|14:53:59|302013|10.13.74.100|49220|192.168.0.20|6190|Built inbound TCP connection 627292 for outside:10.13.74.100/49220 (10.13.74.100/49220) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:53:59|302014|10.13.74.100|49214|192.168.0.20|6190|Teardown TCP connection 627283 for outside:10.13.74.100/49214 to inside:192.168.0.20/6190 duration 0:00:21 bytes 335 TCP FINs
6|Mar 16 2012|14:53:59|302013|10.13.74.100|49219|192.168.0.20|6190|Built inbound TCP connection 627291 for outside:10.13.74.100/49219 (10.13.74.100/49219) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:53:59|302014|10.13.74.100|49218|192.168.0.20|6190|Teardown TCP connection 627290 for outside:10.13.74.100/49218 to inside:192.168.0.20/6190 duration 0:00:00 bytes 233 TCP FINs
6|Mar 16 2012|14:53:59|302013|10.13.74.100|49218|192.168.0.20|6190|Built inbound TCP connection 627290 for outside:10.13.74.100/49218 (10.13.74.100/49218) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:53:59|302014|10.13.74.100|49217|192.168.0.20|6190|Teardown TCP connection 627289 for outside:10.13.74.100/49217 to inside:192.168.0.20/6190 duration 0:00:00 bytes 232 TCP FINs
6|Mar 16 2012|14:53:59|302013|10.13.74.100|49217|192.168.0.20|6190|Built inbound TCP connection 627289 for outside:10.13.74.100/49217 (10.13.74.100/49217) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:53:59|302014|10.13.74.100|49216|192.168.0.20|6190|Teardown TCP connection 627288 for outside:10.13.74.100/49216 to inside:192.168.0.20/6190 duration 0:00:00 bytes 234 TCP FINs
6|Mar 16 2012|14:53:59|302013|10.13.74.100|49216|192.168.0.20|6190|Built inbound TCP connection 627288 for outside:10.13.74.100/49216 (10.13.74.100/49216) to inside:192.168.0.20/6190 (10.13.74.34/6190)
5|Mar 16 2012|14:53:47|305013|192.168.0.20|4974|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49215 dst inside:192.168.0.20/4974 denied due to NAT reverse path failure
6|Mar 16 2012|14:53:46|106015|10.13.74.100|49211|10.13.74.34|6190|Deny TCP (no connection) from 10.13.74.100/49211 to 10.13.74.34/6190 flags ACK  on interface outside
6|Mar 16 2012|14:53:46|302014|10.13.74.100|49211|192.168.0.20|6190|Teardown TCP connection 627278 for outside:10.13.74.100/49211 to inside:192.168.0.20/6190 duration 0:00:30 bytes 327 TCP Reset-I
5|Mar 16 2012|14:53:41|305013|192.168.0.20|4974|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49215 dst inside:192.168.0.20/4974 denied due to NAT reverse path failure
6|Mar 16 2012|14:53:39|302014|10.13.74.100|49179|192.168.0.20|6190|Teardown TCP connection 627113 for outside:10.13.74.100/49179 to inside:192.168.0.20/6190 duration 0:10:01 bytes 172 FIN Timeout
5|Mar 16 2012|14:53:38|305013|192.168.0.20|4974|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49215 dst inside:192.168.0.20/4974 denied due to NAT reverse path failure
6|Mar 16 2012|14:53:37|302013|10.13.74.100|49214|192.168.0.20|6190|Built inbound TCP connection 627283 for outside:10.13.74.100/49214 (10.13.74.100/49214) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:53:37|302014|10.13.74.100|49213|192.168.0.20|6190|Teardown TCP connection 627282 for outside:10.13.74.100/49213 to inside:192.168.0.20/6190 duration 0:00:00 bytes 226 TCP FINs
6|Mar 16 2012|14:53:37|302013|10.13.74.100|49213|192.168.0.20|6190|Built inbound TCP connection 627282 for outside:10.13.74.100/49213 (10.13.74.100/49213) to inside:192.168.0.20/6190 (10.13.74.34/6190)
5|Mar 16 2012|14:53:25|305013|192.168.0.20|4972|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49212 dst inside:192.168.0.20/4972 denied due to NAT reverse path failure
5|Mar 16 2012|14:53:19|305013|192.168.0.20|4972|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49212 dst inside:192.168.0.20/4972 denied due to NAT reverse path failure
5|Mar 16 2012|14:53:16|305013|192.168.0.20|4972|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49212 dst inside:192.168.0.20/4972 denied due to NAT reverse path failure
6|Mar 16 2012|14:53:16|302013|10.13.74.100|49211|192.168.0.20|6190|Built inbound TCP connection 627278 for outside:10.13.74.100/49211 (10.13.74.100/49211) to inside:192.168.0.20/6190 (10.13.74.34/6190)
5|Mar 16 2012|14:50:46|305013|192.168.0.20|4968|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49210 dst inside:192.168.0.20/4968 denied due to NAT reverse path failure
5|Mar 16 2012|14:50:40|305013|192.168.0.20|4968|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49210 dst inside:192.168.0.20/4968 denied due to NAT reverse path failure
5|Mar 16 2012|14:50:37|305013|192.168.0.20|4968|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49210 dst inside:192.168.0.20/4968 denied due to NAT reverse path failure
6|Mar 16 2012|14:50:36|302013|10.13.74.100|49209|192.168.0.20|6190|Built inbound TCP connection 627245 for outside:10.13.74.100/49209 (10.13.74.100/49209) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:50:36|302013|10.13.74.100|49208|192.168.0.20|6190|Built inbound TCP connection 627244 for outside:10.13.74.100/49208 (10.13.74.100/49208) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:50:36|302014|10.13.74.100|49207|192.168.0.20|6190|Teardown TCP connection 627243 for outside:10.13.74.100/49207 to inside:192.168.0.20/6190 duration 0:00:00 bytes 230 TCP FINs
6|Mar 16 2012|14:50:36|302013|10.13.74.100|49207|192.168.0.20|6190|Built inbound TCP connection 627243 for outside:10.13.74.100/49207 (10.13.74.100/49207) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:50:36|302013|10.13.74.100|49206|192.168.0.20|6190|Built inbound TCP connection 627242 for outside:10.13.74.100/49206 (10.13.74.100/49206) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:50:36|302014|10.13.74.100|49205|192.168.0.20|6190|Teardown TCP connection 627241 for outside:10.13.74.100/49205 to inside:192.168.0.20/6190 duration 0:00:00 bytes 233 TCP FINs
6|Mar 16 2012|14:50:35|302013|10.13.74.100|49205|192.168.0.20|6190|Built inbound TCP connection 627241 for outside:10.13.74.100/49205 (10.13.74.100/49205) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:50:35|302014|10.13.74.100|49204|192.168.0.20|6190|Teardown TCP connection 627240 for outside:10.13.74.100/49204 to inside:192.168.0.20/6190 duration 0:00:00 bytes 231 TCP FINs
6|Mar 16 2012|14:50:35|302013|10.13.74.100|49204|192.168.0.20|6190|Built inbound TCP connection 627240 for outside:10.13.74.100/49204 (10.13.74.100/49204) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:50:35|302014|10.13.74.100|49201|192.168.0.20|6190|Teardown TCP connection 627233 for outside:10.13.74.100/49201 to inside:192.168.0.20/6190 duration 0:00:21 bytes 334 TCP FINs
6|Mar 16 2012|14:50:35|302014|10.13.74.100|49203|192.168.0.20|6190|Teardown TCP connection 627239 for outside:10.13.74.100/49203 to inside:192.168.0.20/6190 duration 0:00:00 bytes 233 TCP FINs
6|Mar 16 2012|14:50:34|302013|10.13.74.100|49203|192.168.0.20|6190|Built inbound TCP connection 627239 for outside:10.13.74.100/49203 (10.13.74.100/49203) to inside:192.168.0.20/6190 (10.13.74.34/6190)
5|Mar 16 2012|14:50:22|305013|192.168.0.20|4958|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49202 dst inside:192.168.0.20/4958 denied due to NAT reverse path failure
6|Mar 16 2012|14:50:22|302014|10.13.74.100|49198|192.168.0.20|6190|Teardown TCP connection 627228 for outside:10.13.74.100/49198 to inside:192.168.0.20/6190 duration 0:00:30 bytes 326 TCP Reset-I
5|Mar 16 2012|14:50:16|305013|192.168.0.20|4958|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49202 dst inside:192.168.0.20/4958 denied due to NAT reverse path failure
6|Mar 16 2012|14:50:15|302014|192.168.0.108|29191|192.168.0.17|443|Teardown TCP connection 627219 for inside:192.168.0.108/29191 to identity:192.168.0.17/443 duration 0:00:52 bytes 985 TCP FINs
6|Mar 16 2012|14:50:15|302014|192.168.0.108|29195|192.168.0.17|443|Teardown TCP connection 627223 for inside:192.168.0.108/29195 to identity:192.168.0.17/443 duration 0:00:50 bytes 855 TCP FINs
6|Mar 16 2012|14:50:15|302014|192.168.0.108|29197|192.168.0.17|443|Teardown TCP connection 627224 for inside:192.168.0.108/29197 to identity:192.168.0.17/443 duration 0:00:49 bytes 970 TCP FINs
6|Mar 16 2012|14:50:15|725007|192.168.0.108|29201|||SSL session with client inside:192.168.0.108/29201 terminated.
6|Mar 16 2012|14:50:15|106015|192.168.0.108|29201|192.168.0.17|443|Deny TCP (no connection) from 192.168.0.108/29201 to 192.168.0.17/443 flags FIN ACK  on interface inside
6|Mar 16 2012|14:50:15|302014|192.168.0.108|29201|192.168.0.17|443|Teardown TCP connection 627235 for inside:192.168.0.108/29201 to identity:192.168.0.17/443 duration 0:00:00 bytes 726 TCP Reset-O
6|Mar 16 2012|14:50:15|605005|192.168.0.108|29201|192.168.0.17|https|Login permitted from 192.168.0.108/29201 to inside:192.168.0.17/https for user "enable_15"
6|Mar 16 2012|14:50:15|725002|192.168.0.108|29201|||Device completed SSL handshake with client inside:192.168.0.108/29201
6|Mar 16 2012|14:50:15|725001|192.168.0.108|29201|||Starting SSL handshake with client inside:192.168.0.108/29201 for TLSv1 session.
6|Mar 16 2012|14:50:15|302013|192.168.0.108|29201|192.168.0.17|443|Built inbound TCP connection 627235 for inside:192.168.0.108/29201 (192.168.0.108/29201) to identity:192.168.0.17/443 (192.168.0.17/443)
5|Mar 16 2012|14:50:13|305013|192.168.0.20|4958|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49202 dst inside:192.168.0.20/4958 denied due to NAT reverse path failure
6|Mar 16 2012|14:50:13|302013|10.13.74.100|49201|192.168.0.20|6190|Built inbound TCP connection 627233 for outside:10.13.74.100/49201 (10.13.74.100/49201) to inside:192.168.0.20/6190 (10.13.74.34/6190)
6|Mar 16 2012|14:50:13|302014|10.13.74.100|49200|192.168.0.20|6190|Teardown TCP connection 627232 for outside:10.13.74.100/49200 to inside:192.168.0.20/6190 duration 0:00:00 bytes 225 TCP FINs
6|Mar 16 2012|14:50:13|302013|10.13.74.100|49200|192.168.0.20|6190|Built inbound TCP connection 627232 for outside:10.13.74.100/49200 (10.13.74.100/49200) to inside:192.168.0.20/6190 (10.13.74.34/6190)
5|Mar 16 2012|14:50:01|305013|192.168.0.20|4955|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49199 dst inside:192.168.0.20/4955 denied due to NAT reverse path failure

I analyzed this traffic and I see a problem with the NAT: "Asymmetric NAT rules matched for forward and reverse flows".

Where did I make the error? Please help me.

Thanks.
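The %ASA-5-305013 events in the post, parsed and correlated with the %ASA-6-302013 "Built" events, as an added example (my code, not Cisco's and not part of the original post). It assumes the ASDM pipe-delimited layout visible in the log above (severity|date|time|msgid|src|sport|dst|dport|text) and uses a handful of the poster's own lines as sample input; the function names, field names and regexes are mine. The point it makes visible is the asymmetry the firewall complains about: the accepted 6190 flows reach 192.168.0.20 through its mapped address 10.13.74.34 (the address in parentheses in the 302013 lines), while every denied flow from the same client is addressed to 192.168.0.20 itself, on a fresh high port.

```python
"""Triage of Cisco ASA %ASA-5-305013 "NAT reverse path failure" events.

Added example for this thread: my code, not Cisco's and not the poster's.
It assumes the ASDM pipe-delimited syslog layout seen in the post
(severity|date|time|msgid|src|sport|dst|dport|text) and feeds it a handful
of the poster's own lines as sample input. Field names, function names and
the regexes are mine.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# %ASA-6-302013: a flow the firewall accepted. The parenthesised address after
# each endpoint is the translated (mapped) address used for that endpoint.
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) \((?P<msip>[\d.]+)/(?P<msport>\d+)\) to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) \((?P<mdip>[\d.]+)/(?P<mdport>\d+)\)"
)
# %ASA-5-305013: forward and reverse NAT lookups matched different rules.
RPF_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) denied due to NAT reverse path failure"
)

# Sample input: lines copied from the post, plus the truncated first line and
# an unrelated 106015 line, to show that both are skipped.
SAMPLE_LOG = """\
29323|||SSL session with client inside:192.168.0.108/29323 terminated.
6|Mar 16 2012|14:54:00|302013|10.13.74.100|49222|192.168.0.20|6190|Built inbound TCP connection 627294 for outside:10.13.74.100/49222 (10.13.74.100/49222) to inside:192.168.0.20/6190 (10.13.74.34/6190)
5|Mar 16 2012|14:54:10|305013|192.168.0.20|4981|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49223 dst inside:192.168.0.20/4981 denied due to NAT reverse path failure
6|Mar 16 2012|14:53:46|106015|10.13.74.100|49211|10.13.74.34|6190|Deny TCP (no connection) from 10.13.74.100/49211 to 10.13.74.34/6190 flags ACK  on interface outside
5|Mar 16 2012|14:53:47|305013|192.168.0.20|4974|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49215 dst inside:192.168.0.20/4974 denied due to NAT reverse path failure
6|Mar 16 2012|14:53:37|302013|10.13.74.100|49214|192.168.0.20|6190|Built inbound TCP connection 627283 for outside:10.13.74.100/49214 (10.13.74.100/49214) to inside:192.168.0.20/6190 (10.13.74.34/6190)
5|Mar 16 2012|14:53:25|305013|192.168.0.20|4972|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.13.74.100/49212 dst inside:192.168.0.20/4972 denied due to NAT reverse path failure
6|Mar 16 2012|14:50:15|302013|192.168.0.108|29201|192.168.0.17|443|Built inbound TCP connection 627235 for inside:192.168.0.108/29201 (192.168.0.108/29201) to identity:192.168.0.17/443 (192.168.0.17/443)
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one ASDM-style line into severity, message id and free text.
    Returns None for lines that do not have the nine-field shape."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9 or not (parts[0].isdigit() and parts[3].isdigit()):
        return None
    return {"severity": int(parts[0]), "msgid": parts[3], "text": parts[8]}


def analyze(log_text: str) -> dict:
    """Correlate 302013 'Built' flows with 305013 reverse-path denials.

    'mapped' records, per real (untranslated) address, the mapped addresses
    the firewall used when it accepted a flow to that host. Each entry in
    'denied' is then marked 'bypasses_nat' when its destination is one of
    those real addresses, i.e. the outside client addressed the inside host
    directly instead of through its static translation."""
    mapped: Dict[str, Set[str]] = defaultdict(set)
    denied: List[dict] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msgid"] == "302013":
            m = BUILT_RE.search(rec["text"])
            if m and m["dip"] != m["mdip"]:  # responder reached via a translation
                mapped[m["dip"]].add(m["mdip"])
        elif rec["msgid"] == "305013":
            m = RPF_RE.search(rec["text"])
            if m:
                denied.append({
                    "proto": m["proto"],
                    "src_if": m["sif"], "src": m["sip"], "sport": int(m["sport"]),
                    "dst_if": m["dif"], "dst": m["dip"], "dport": int(m["dport"]),
                })
    for d in denied:
        d["bypasses_nat"] = d["dst"] in mapped
        d["expected_mapped"] = sorted(mapped.get(d["dst"], ()))
    return {"mapped": {k: sorted(v) for k, v in mapped.items()}, "denied": denied}


def denied_ports(report: dict) -> List[int]:
    """Destination ports of the denied flows. On the poster's log these are
    fresh high ports rather than the 6190 service port, which points at a
    secondary (data) connection negotiated inside the application protocol."""
    return sorted({d["dport"] for d in report["denied"]})


def summarize(report: dict) -> List[str]:
    """One human-readable line per denied flow."""
    out = []
    for d in report["denied"]:
        flow = f"{d['src_if']}:{d['src']}/{d['sport']} -> {d['dst_if']}:{d['dst']}/{d['dport']}"
        if d["bypasses_nat"]:
            out.append(f"{flow}: real address used; firewall publishes this host as "
                       + ", ".join(d["expected_mapped"]))
        else:
            out.append(f"{flow}: no translation seen for {d['dst']} in this log")
    return out


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG)):
        print(line)
```

Two things the output makes concrete for this configuration. First, the ACL is not what stops these packets: outside_access_in_1 permits DM_INLINE_SERVICE_1, which contains `service-object ip`, from any source to `object server`, so a packet from 10.13.74.100 to 192.168.0.20 passes the access check and is rejected only by the NAT reverse-path test (the forward lookup for a packet sent to 192.168.0.20 matches no translation, the reverse lookup for 192.168.0.20 replying to an outside host matches the static rule, hence "asymmetric"). Second, an outside client can only know the address 192.168.0.20 if the application handed it out, which is exactly what an FTP-style PASV/PORT reply does; the ASA's FTP inspection rewrites such embedded addresses only for the ports in default-inspection-traffic (tcp/21) unless a class-map for the application's own port is added to the policy, and the posted config defines `policy-map type inspect ftp paragraf` but never applies it under global_policy.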
