PAT problem

Hi,

We have a problem. We have a router which performs NAT, and behind the router we have an ASA. On the inside we have a server. We need requests which come to our outside interface with port number 9000 converted to the server IP with port number 443. We do port address translation on the router:

ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet0/0 9000

and on ASA we permit everything for test.

But our config doesn't work. What should we do?

4 REPLIES

PAT problem

Hi,

Can you provide the config of the ASA?

Regards.

Alain.

Don't forget to rate helpful posts.

PAT problem

Hi

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list 111 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list out_to_in extended permit tcp any host 192.168.10.10 eq smtp
access-list out_to_in extended permit tcp any host 192.168.10.10 eq www
access-list out_to_in extended permit tcp any host 192.168.10.10 eq https
pager lines 24
logging enable
logging timestamp
logging list my-list level debugging class vpn
logging trap my-list
logging host inside 192.168.1.10
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list 111
access-group out_to_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.1.0 255.255.255.0 172.16.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server CiscoAsa protocol radius
aaa-server CiscoAsa (inside) host 192.168.1.10
 key 1q2w!1q2w
 radius-common-pw 1q2w!1q2w
http server enable
http 10.0.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAVPN internal
group-policy RAVPN attributes
 dns-server value 192.168.1.10
 dhcp-network-scope 192.168.20.0
 vpn-idle-timeout 45
username risk password WJjW/emCr.pCrXeq encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 authentication-server-group CiscoAsa
 default-group-policy RAVPN
 dhcp-server 192.168.1.10
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e49b92e97309f3e2767d8c8ad29f9c14
: end

PAT problem

Hi,

Can you provide the show ip nat translation output from your router as well? The most important thing to look at is whether the translation is happening. There could be a chance that the traffic is really not coming in with port 9000 on the router, hence the translation doesn't happen.


PAT problem

Router#show ip nat translations
Pro Inside global      Inside local          Outside local        Outside global
tcp 172.16.10.2:9000   192.168.10.10:443     172.16.10.1:1902     172.16.10.1:1902
tcp 172.16.10.2:9000   192.168.10.10:443     ---                  ---

And the ASA access-list:

access-list out_to_in line 1 extended permit tcp any host 192.168.10.10 eq smtp (hitcnt=1) 0x8c8a5270
access-list out_to_in line 3 extended permit tcp any host 192.168.10.10 eq www (hitcnt=0) 0x66a8840a
access-list out_to_in line 4 extended permit tcp any host 192.168.10.10 eq https (hitcnt=5) 0x66546073
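The check suggested above (is the router translation actually happening, and is the ASA seeing and permitting the translated flow) can be automated over the two outputs posted in this thread. The script below is an added example, not something from the thread or from Cisco: it parses the `show ip nat translations` table and the ASA `show access-list` hit counters as pasted here (embedded inline as constructed sample input), and reports whether a static port-forward entry exists, whether a live session has used it, and how many hits the matching ACL line has.

```python
import re

# Constructed sample input: the router and ASA output as pasted in the thread.
NAT_OUTPUT = """\
Pro Inside global      Inside local          Outside local        Outside global
tcp 172.16.10.2:9000   192.168.10.10:443     172.16.10.1:1902     172.16.10.1:1902
tcp 172.16.10.2:9000   192.168.10.10:443     ---                  ---
"""

ACL_OUTPUT = """\
access-list out_to_in line 1 extended permit tcp any host 192.168.10.10 eq smtp (hitcnt=1) 0x8c8a5270
access-list out_to_in line 3 extended permit tcp any host 192.168.10.10 eq www (hitcnt=0) 0x66a8840a
access-list out_to_in line 4 extended permit tcp any host 192.168.10.10 eq https (hitcnt=5) 0x66546073
"""

def parse_nat_translations(text):
    """Parse IOS 'show ip nat translations' rows. A row whose outside
    columns are '---' is the static mapping itself; any other row with
    the same inside global/local pair is a session that used it."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, ig, il, ol, og = parts[:5]
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og,
                     "session": ol != "---"})
    return rows

def parse_acl_hits(text):
    """Map each 'eq <service>' ACL line to its hitcnt value."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"eq (\S+) \(hitcnt=(\d+)\)", text)}

def check_port_forward(nat_text, acl_text, global_port, local_host, local_port, service):
    """Summarise the three things to verify for one static PAT entry."""
    rows = parse_nat_translations(nat_text)
    matching = [r for r in rows
                if r["inside_global"].endswith(f":{global_port}")
                and r["inside_local"] == f"{local_host}:{local_port}"]
    return {
        "static_entry": any(not r["session"] for r in matching),
        "translation_seen": any(r["session"] for r in matching),
        "asa_acl_hits": parse_acl_hits(acl_text).get(service, 0),
    }

if __name__ == "__main__":
    print(check_port_forward(NAT_OUTPUT, ACL_OUTPUT, 9000, "192.168.10.10", 443, "https"))
```

For the outputs in this thread all three indicators are positive (static entry present, a session has used it, https line hit 5 times), which narrows the fault to something other than the router translation or the ASA inbound ACL.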
