For the last two days I have been working on a very strange issue regarding 'static' or '1:1' mapping. Here is the scenario:
I have one firewall (ASA 5505) with two interfaces (vlan1, which is the 'inside', and vlan2, which is the outside). Vlan1 has the default security level 100 and vlan2 has security level 0. So, I have an IP address configured on vlan2 (10.0.0.2) with gateway 10.0.0.1. On the other interface I have configured IP address 192.168.0.1.
192.168.0.1 (inside +ASA+ outside) 10.0.0.2
Behind vlan1, I have a network station with IP address 192.168.0.2. The goal is to achieve two-way NAT (static) for all packets going from 192.168.0.2 to be translated into the public IPv4 address x.x.x.x. For this I'm using the static command with the following arguments:
And here is where my problems started. From inside to outside (I mean traffic initiated from 192.168.0.2) everything looks fine. The address is translated into x.x.x.x and it works fine. BUT when I try to reach the IP address x.x.x.x from an IP located behind the outside interface (let's say from 10.0.0.1), the traffic IS NOT redirected to address 192.168.0.2 (which the static command should do) but is processed by the ASA itself, as if the traffic were destined for 10.0.0.2 (which is the outside IP address of the firewall). I have configured an access-list which permits ip from any to any (for testing purposes), applied as an access-group for inbound traffic on the outside interface:
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
Can anyone give me a clue, because I'm getting desperate! What should I do to stop the ASA processing this traffic which should be redirected/translated? One more thing. I did a network scan with the nmap software to check the open ports of the ASA (here is the result):
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
Which application is using the http-proxy port? Because my problems start here (traffic destined to x.x.x.x has dst port 8080, so I believe there must be a reason for the ASA to process it by itself).
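The following is an added example, not configuration taken from the post above: it shows the pre-8.3 ASA form of the one-to-one static NAT the post describes, an inbound ACL narrowed from the testing 'permit ip any any' to the single service that is meant to be reachable, and the exec-mode checks that tell you whether a packet arriving on outside is being translated to 192.168.0.2 or is being terminated on the ASA itself. The static line is an assumption (the post does not show its arguments), x.x.x.x is the post's own placeholder for the public address, and port 8080 is taken from the post as the service of interest.

```cisco
! Added example, not the poster's configuration. Pre-8.3 ASA syntax, matching the
! 'static' command used in the post. The poster's actual arguments are not shown on
! the page, so this line is an assumption. x.x.x.x stands for the public address.
! One-to-one static NAT: 192.168.0.2 on inside appears as x.x.x.x on outside, in both directions.
static (inside,outside) x.x.x.x 192.168.0.2 netmask 255.255.255.255

! Inbound ACL on outside, narrowed from 'permit ip any any' to the one service that
! should be reachable (tcp/8080, assumed from the post). In pre-8.3 code the inbound
! ACL matches on the mapped (public) address, not the real inside address. Everything
! else sent to x.x.x.x is denied and logged, so the static does not expose every open
! port on 192.168.0.2 to the outside.
access-list outside_access_in extended permit tcp any host x.x.x.x eq 8080
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside

! Checks (exec mode). packet-tracer pushes a synthetic packet through the rule base
! and prints, phase by phase, which NAT rule and which ACL entry it matched and where
! it was dropped. The source port (40000) is an arbitrary constructed value.
packet-tracer input outside tcp 10.0.0.1 40000 x.x.x.x 8080

! Confirm the static translation is installed and watch the connection build.
show xlate
show conn address 192.168.0.2

! List which management services are bound to the outside interface; the ASA only
! answers traffic itself for services enabled on that interface.
show running-config http
show running-config telnet
show running-config ssh
```

In the packet-tracer output, a packet that is being handled as intended shows the static in its NAT phase with 192.168.0.2 as the untranslated destination and ends with the ACL entry it was permitted by; a packet that is consumed by the ASA instead never reaches that untranslate step, and the three 'show running-config' lines show which of the firewall's own services are enabled on outside and from which sources. Once the behaviour is confirmed, the 'deny ip any any log' entry also gives you a log line for every other probe against x.x.x.x, which is worth keeping rather than going back to the any/any test ACL.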