Help with ASA 8.2 static nat and access rule

Gentry
Level 1

I have an internal web server (172.18.80.99) that I need to access from the outside.  I've created the necessary access-rule and static translation but I'm not sure if the configuration is correct.  I'm unable to view the webserver from outside.  Site is up because I can browse it internally on port 80.  Any help is appreciated.

access-list outside_access_in extended permit tcp any host pu.bl.ic.ip eq 4526 log debugging

access-group outside_access_in in interface outside

static (inside,outside) tcp pu.bl.ic.ip 4526 172.18.80.99 www netmask 255.255.255.255

When I do a sh xlate, I can see the translation but the site doesn't come up.  It times out after about 30 seconds.

PAT Global pu.bl.ic.ip(4526) Local 172.18.80.99(80)

How can I tell if the firewall is blocking the connection?

Julio Carvajal
VIP Alumni

Hello Troy,

Do the following

cap capout interface outside match tcp any host Public_Ip eq 4526

cap capin interface inside match tcp any host 172.18.80.99 eq 80

cap asp type asp-drop all circular-buffer

Then try to connect (once) and provide the output after it timed out (Again after you set the captures only access the server once for ease of troubleshooting)

show cap capout

show cap capin

show cap asp | include 172.18.80.99

show cap asp | include Public_IP

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you Julio, it looks like my ASA config was correct, I just needed to open port 80 on the webserver.  Silly mistake on my part.  But here is the capture anyway.  What does the F S P R represent?

   1: 09:49:53.206211 ou.ts.id.host.1226 > pu.bl.ic.ip.4526: F 412879764:412879764(0) ack 4209187011 win 65535
   2: 09:49:53.206486 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: . ack 412879765 win 65533
   3: 09:49:54.281754 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: F 4209187011:4209187011(0) ack 412879765 win 65533
   4: 09:49:59.206852 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
   5: 09:50:02.218464 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
   6: 09:50:08.250444 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
   7: 09:50:15.128426 ou.ts.id.host.1226 > pu.bl.ic.ip.4526: F 412879764:412879764(0) ack 4209187011 win 65535
   8: 09:50:15.128762 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: . ack 412879765 win 65533
   9: 09:50:18.175222 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: F 4209187011:4209187011(0) ack 412879765 win 65533
  10: 09:50:18.291229 ou.ts.id.host.1226 > pu.bl.ic.ip.4526: . ack 4209187012 win 65535
  11: 09:50:20.264070 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
  12: 09:50:45.547853 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
  13: 09:51:40.709435 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
  14: 09:51:40.709954 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: S 255423373:255423373(0) ack 3599978993 win 65535
  15: 09:51:41.009963 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: . ack 255423374 win 65535
  16: 09:51:41.534731 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: P 3599978993:3599979655(662) ack 255423374 win 65535
  17: 09:51:41.535754 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: P 255423374:255423590(216) ack 3599979655 win 64873
  18: 09:51:41.920499 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: P 3599979655:3599979929(274) ack 255423590 win 65319
  19: 09:51:41.921567 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255423590:255424838(1248) ack 3599979929 win 64599
  20: 09:51:41.921659 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255424838:255426086(1248) ack 3599979929 win 64599
  21: 09:51:41.921766 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255426086:255427334(1248) ack 3599979929 win 64599
  22: 09:51:41.921812 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255427334:255427370(36) ack 3599979929 win 64599
  23: 09:51:42.020567 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: R 3599979929:3599979929(0) ack 255424838 win 0
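As an added example (this is not code from the thread or from Cisco), the Python below does by hand what the capture procedure in the accepted answer and the posted output call for: it parses the tcpdump-style lines that show cap capout prints on ASA 8.2, expands the flag column (S, F, P, R, and "." for a segment carrying only ACK), and classifies each client connection to the published port. SYNs that are retransmitted and never answered with a SYN-ACK mean nothing behind the static PAT replied, which is the pattern visible above until port 80 was opened on the web server; a SYN-ACK followed by data means the translation and the access rule were working. The sample input is an excerpt of the capture posted above with its placeholder hostnames kept, and the server address pu.bl.ic.ip and port 4526 passed to summarise are assumptions taken from the thread.

```python
"""Added example (not from the thread): parse the tcpdump-style lines that
'show cap capout' prints on ASA 8.2, expand the flag column and tell a stalled
handshake (SYN retransmitted, never answered) from a completed one.  SAMPLE is
an excerpt of the capture posted above, placeholder hostnames kept."""
import re

# e.g.  4: 09:49:59.206852 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRU.]+)"              # '.' means no flag other than ACK
    r"(?:\s+\d+:\d+\((?P<len>\d+)\))?"   # seq:seq(payload bytes), absent on pure ACKs
    r"(?:\s+ack\s+(?P<ack>\d+))?"        # present when the ACK bit is set
    r"\s+win\s+\d+"
)

FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG", ".": "ACK only"}


def flag_names(flags):
    """Expand the one-letter flag column, e.g. 'S' -> ['SYN']."""
    return [FLAG_NAMES[c] for c in flags]


def parse_capture(text):
    """Return one dict per TCP capture line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        pkts.append({
            "ts": g["ts"], "src": g["src"], "sport": int(g["sport"]),
            "dst": g["dst"], "dport": int(g["dport"]), "flags": g["flags"],
            "ack": g["ack"] is not None, "len": int(g["len"] or 0),
        })
    return pkts


def summarise(pkts, server_ip, server_port):
    """Group packets by client (host, port) and count handshake/teardown events per flow."""
    flows = {}
    for p in pkts:
        if (p["dst"], p["dport"]) == (server_ip, server_port):
            key, to_server = (p["src"], p["sport"]), True
        elif (p["src"], p["sport"]) == (server_ip, server_port):
            key, to_server = (p["dst"], p["dport"]), False
        else:
            continue  # not traffic for the published service
        f = flows.setdefault(key, dict(syn=0, synack=0, fin=0, rst=0, c2s_bytes=0, s2c_bytes=0))
        if "S" in p["flags"]:
            f["synack" if p["ack"] else "syn"] += 1  # 'S ... ack N' is the server's SYN-ACK
        if "F" in p["flags"]:
            f["fin"] += 1
        if "R" in p["flags"]:
            f["rst"] += 1
        f["c2s_bytes" if to_server else "s2c_bytes"] += p["len"]
    return flows


def verdict(f):
    """Plain-language reading of one flow summary."""
    if f["syn"] and not f["synack"]:
        return ("%d SYN(s), no SYN-ACK: nothing behind the NAT answered; "
                "compare the inside capture and the asp-drop capture" % f["syn"])
    if f["synack"]:
        s = "handshake completed after %d SYN(s), %d bytes in / %d bytes out" % (
            f["syn"], f["c2s_bytes"], f["s2c_bytes"])
        return s + (", closed by RST" if f["rst"] else "")
    return "no SYN seen: only FIN/ACK/RST of a connection older than the capture"


# Excerpt of the capture posted in the thread (packets 7-10 omitted for brevity).
SAMPLE = """\
   1: 09:49:53.206211 ou.ts.id.host.1226 > pu.bl.ic.ip.4526: F 412879764:412879764(0) ack 4209187011 win 65535
   2: 09:49:53.206486 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: . ack 412879765 win 65533
   3: 09:49:54.281754 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: F 4209187011:4209187011(0) ack 412879765 win 65533
   4: 09:49:59.206852 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
   5: 09:50:02.218464 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
   6: 09:50:08.250444 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
  11: 09:50:20.264070 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
  12: 09:50:45.547853 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
  13: 09:51:40.709435 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
  14: 09:51:40.709954 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: S 255423373:255423373(0) ack 3599978993 win 65535
  15: 09:51:41.009963 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: . ack 255423374 win 65535
  16: 09:51:41.534731 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: P 3599978993:3599979655(662) ack 255423374 win 65535
  17: 09:51:41.535754 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: P 255423374:255423590(216) ack 3599979655 win 64873
  18: 09:51:41.920499 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: P 3599979655:3599979929(274) ack 255423590 win 65319
  19: 09:51:41.921567 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255423590:255424838(1248) ack 3599979929 win 64599
  20: 09:51:41.921659 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255424838:255426086(1248) ack 3599979929 win 64599
  21: 09:51:41.921766 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255426086:255427334(1248) ack 3599979929 win 64599
  22: 09:51:41.921812 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255427334:255427370(36) ack 3599979929 win 64599
  23: 09:51:42.020567 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: R 3599979929:3599979929(0) ack 255424838 win 0
"""

if __name__ == "__main__":
    for (host, port), f in summarise(parse_capture(SAMPLE), "pu.bl.ic.ip", 4526).items():
        print("%s:%d  %s" % (host, port, verdict(f)))
```

Run against the excerpt it reports that client port 1226 shows only FIN/ACK traffic (the teardown of an older connection) while port 1243 sent six SYNs before the server finally answered, then exchanged data and was reset by the client. Had the capture stopped before packet 14, the verdict for port 1243 would be the "no SYN-ACK" case, which is the moment to look at the inside capture (did the SYN leave the ASA toward 172.18.80.99:80?) and the asp-drop capture (did the ASA itself drop it?) rather than at the access rule.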

Hello Troy,

Nice you did it man

S : SYN

R: Reset

F: FIN

Cheers,

Julio Carvajal Segura
