ASA Inbound PAT
Does the ASA do inbound PAT on the outside public IP address?
I think static PAT is what you're looking for. Be sure to use the keyword 'interface' as the external IP if you're PAT'ing the external interface IP.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043281
eg:
static (inside,outside) tcp interface 80 10.1.1.16 8080
Similar Messages
-
ASA policy PAT and src/dst port considerations!!
static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255
What happens/is translated when a packet comes from the Internet destined for 4.2.2.2 with ..........
A:Src tcp port 1025 and dst tcp port 443
B: Src tcp port 443 and dst tcp port 1025
and, in the reverse direction from 10.1.2.3 back towards the internet
A:Src tcp port 1025 and dst tcp port 443
B: Src tcp port 443 and dst tcp port 1025
Or; does
static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255 only affect packets with dst tcp port 443
Or, my real question - will this policy NAT handle two-way comms and in the manner TCP should work?
What happens/is translated when a packet comes from the Internet destined for 4.2.2.2 with ..........
A) the packet will be redirected to 10.1.2.3 on port 443
B) The packet will be drop by the ASA as there is no port-forwarding for port 1025 ( just for 443)
and, in the reverse direction from 10.1.2.3 back towards the internet
A) Packet from a higher security level to a higher is going to be allowed by default if you have the right translation
B) The ASA will already have an entry in all of its tables for this connection (xlate, local-host and conn table), so the traffic will be allowed without any inspection.
static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255 only affect packets with dst tcp port 443
Port-Forwarding is only for inbound connections; the outgoing packet for the same connection will hit this NAT, but if you start a brand new connection (outbound) you will need a different NAT.
Regards,
Julio
Rate all the helpful posts -
SA520 NAT/PAT not working with NAT address
The SA520 I have is configured on one public IP address and an exchange server is behind it. The exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself which is independent of the SA520. It seems that the SA520 is sending email out the NAT address correctly at some time and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address. When this happens the email gets blocked due to spam lists. Then the email will work again correctly and then go back. If I use a 3rd party website to test the IP address sometimes I get the correct one and sometimes I get the wrong address.
Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the exchange server (which is behind the SA520)? I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25. How do I tell the SA520 to do a 1 to 1 NAT with the exchange server?
Hi John,
In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first add an IP Alias for your 2nd WAN. Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out thru the IP ALIAS address. Finally, we forward specific traffic from the WAN to your NATed Server (LAN) thru Firewall Rule(s). See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in thru the SA 520 to your Server. As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit thru your ALIAS IP.
We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics -->Packet Trace) After choosing Dedicated WAN as the Network to be captured, Click on Start to perform Packet Capture. Go to your NATed server, and perform the following, on a command prompt window Ping google.com, open a browser window and open google.com. On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button. Open file with Wireshark/Ethereal and observe the source and destination address of the packets. They should have the ALIAS address and not the WAN IP address.
If the above step is good, then we have to take a look as to if and why your SMTP or email services are not being routed out the ALIAS interface. Repeat capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email acount (yahoo, gmail, hotmail).
If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
If there are issues, you can post the captures as a personal message to me.
I hope the above will help narrow the issue a bit.
Best regards,
Julio -
Double NATting ASA 5510 8.4 how to ?
Hi, I have a situation that creates a bit of a headache for me.
The task is to use SMB / NetBIOS (Win Server 2008 R2) to open a connection and transfer a file from host 2 to host 1. Sounds easy, I know.
Here's the setup:
Host 1: 192.168.10.34 (on 192.168.10.0/24): on our ASA
VPN-proxy network: 10.14.17.0/28: on our ASA
Host 2: 10.5.26.37 (on 10.5.26.0/24): 3rd party network, cannot touch this
192.168.10.0/24 has a route to 10.5.26.0/24 via 10.14.17.0/28. The ASA dynamically PATs this, so we can open an RDP connection from 192.168.10.0 no problem.
However, 10.5.26.0/24 has NO route to 192.168.10.0/24 (and 3rd party has refused to add one). In other words, I cannot initiate a connection from 10.5.26.37, because it doesn't know where to go.
What I could do of course is create a static route via a proxy address, say 192.168.10.34 = 10.14.17.10. This would allow me to make a connection from host 2 to host 1. However, doing that breaks initiating a connection from any host that is not host 1, since all return traffic would get sent to host 1.
Now my question is, can I configure the ASA such that only SMB/NetBIOS packets that originate from host2 get translated to host1, but all other traffic uses the existing NAT / PAT setup via the proxy network?
I've been trying to figure this out for several weeks now and have hit a wall.
Any help is greatly appreciated!
Hello,
Could you look at Policy NAT or NAT Exemption? -
GRE tunnel through asa no pptp, l2tp, ipsec
Hello!
can't understand how to configure GRE tunnel through ASA
i have one router with public ip, connected to internet
ASA 8.4 with public ip connected to internet
router with private ip behind ASA.
have only one public ip on ASA with /30 mask
have no crypto
have network behind ASA and PAT for internet users.
can't nat GRE? cause only TCP/UDP nated(?)
with packet-tracer i see flow already created but tunnel doesn't work
A "clean" way would be to use a protocol that can be PATted. That could be GRE over IPSec. With that you have the additional benefit that your communication is protected through the internet.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Inbound TCP connection denied from x to y
Hi Everyone,
Seeing following logs on ASA:
Inbound TCP connection denied from x to y flags SYN ACK on interface Net
Inbound TCP connection denied from x to y flags ACK on interface Net
Does this mean that there is Asymmetric route or missing ACL?
Regards
Mahesh
Hello Mahesh
First option Asymmetric routing, use the TCP state-bypass option as a workaround.
Remove the asymmetric routing as the real fix
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura -
Is it possible to scan all the https traffic passing through AIP module installed on ASA (inbound and outbound)?
Hi,
You can inspect the HTTPS traffic passing through the IPS module on the ASA.
But you need to know that since HTTPS is encrypted, the IPS will not be able to ''read'' the contents of the packet.
So, you can monitor the behavior of the HTTPS traffic, and so on, but you cannot decrypt and obtain the original content (data) of the packets.
Federico. -
Shared Public IP to two Servers - ASA 5510 8.3. NAT/PAT
I have a situation where we have a single DMZ server currently statically forwarded to a single public IP. TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same public IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
My question lies in the reconfiguration of NAT/ PAT. Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port. I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
It appears ASDM will not allow me to put multiple ports into a single network object. I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?
OK, so I believe I've truncated this down to what you need in order to give me a hand. Remember that I must configure this using ASDM for screenshot purposes. There is currently a temporary static one-to-one NAT in place for NCAFTP01 until we resolve the outbound issue, but I realize this must be removed to properly test. I'll explain the desired topology below the config.:
: Saved
ASA Version 8.3(1)
hostname ASA-SVRRM-5510
domain-name domain.corp
names
name 10.20.1.23 NCASK333
name 10.20.1.40 Barracuda
interface Ethernet0/0
nameif Outside
security-level 0
ip address 1.1.1.3 255.255.255.248
interface Ethernet0/1
description DMZ
nameif DMZ
security-level 20
ip address 172.16.10.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
nameif Inside
security-level 100
ip address 10.20.1.249 255.255.0.0
object network mail.domain.com
host 10.20.1.40
object network NCASK333
host 10.20.1.23
object network obj-10.20.1.218
host 10.20.1.218
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.192.0.0_16
subnet 10.192.0.0 255.255.0.0
object network NETWORK_OBJ_10.20.0.0_16
subnet 10.20.0.0 255.255.0.0
object network Remote Site
host 10.1.1.1
object network NCAFTP01:80
host 172.16.10.10
object network 1.1.1.5
host 1.1.1.5
object network NCASK820
host 10.20.1.61
description Exchange Server/ KMS
object service AS2
service tcp source eq 8800 destination eq 8800
object network NCAFTP01:21
host 172.16.10.10
object network NCAFTP01:443
host 172.16.10.10
object network NCAFTP01:53
host 172.16.10.10
object network NCAFTP01:53UDP
host 172.16.10.10
object network NCAFTP01:8080
host 172.16.10.10
object network NCAFTP01:8500
host 172.16.10.10
object network NCAFTP01:5080
host 172.16.10.10
object network NCADMZ02:8800
host 172.16.10.11
object network NCAFTP01
host 172.16.10.10
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq domain
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp traceroute
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 8080
service-object tcp destination eq 8500
service-object tcp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object icmp
service-object tcp destination eq 5080
service-object object AS2
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8080
port-object eq www
port-object eq https
port-object eq echo
object-group network DM_INLINE_NETWORK_5
network-object 172.16.10.0 255.255.255.0
nat (Inside,any) source static any any destination static obj-10.192.0.0 obj-10.192.0.0
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
nat (Inside,ATTOutside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
object network mail.domain.com
nat (Inside,ATTOutside) static 1.1.1.4
object network NCASK333
nat (Inside,ATTOutside) static 1.1.1.6
object network obj-10.20.1.218
nat (Inside,ATTOutside) static 1.1.1.2
object network obj_any
nat (Inside,ATTOutside) dynamic interface
object network NCAFTP01:80
nat (any,ATTOutside) static 1.1.1.5 service tcp www www
object network NCAFTP01:21
nat (any,ATTOutside) static 1.1.1.5 service tcp ftp ftp
object network NCAFTP01:443
nat (any,ATTOutside) static 1.1.1.5 service tcp https https
object network NCAFTP01:53
nat (any,ATTOutside) static 1.1.1.5 service tcp domain domain
object network NCAFTP01:53UDP
nat (any,ATTOutside) static 1.1.1.5 service udp domain domain
object network NCAFTP01:8080
nat (any,ATTOutside) static 1.1.1.5 service tcp 8080 8080
object network NCAFTP01:8500
nat (any,ATTOutside) static 1.1.1.5 service tcp 8500 8500
object network NCAFTP01:5080
nat (any,ATTOutside) static 1.1.1.5 service tcp 5080 5080
object network NCADMZ02:8800
nat (any,ATTOutside) static 1.1.1.5 service tcp 8800 8800
object network NCAFTP01
nat (any,ATTOutside) static 1.1.1.5
nat (DMZ,ATTOutside) after-auto source dynamic obj_any interface
timeout xlate 3:00:00
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
class class-default
: end
Coming from the outside to public IP 1.1.1.5, we want ports 80, 443, 8080, 8500, 21, and 53 to translate to NCAFTP01/ 172.16.10.10. We want traffic sent to 1.1.1.5 on "AS2" (tcp port 8800) to translate to NCADMZ02/172.16.10.11.
This part is functional, as you instructed above, I simply needed to create individual PAT statements.
My current issue lies in the outbound translation. When we send a request out from NCAFTP01/ 172.16.10.10 on any port, we want it to translate to a public IP of 1.1.1.5. When we send a request out from NCADMZ02/172.16.10.11, we also want it to translate to 1.1.1.5. So in effect, we want it to NAT both devices outbound to the same public IP, but use PAT inbound. These are the only two devices in our DMZ, so if I can simply translate all traffic from the DMZ network outbound to 1.1.1.5, I feel it would be the simplest solution. My question is if we do this, when a request comes inbound from the outside, would the translation fall over to PAT?
This comes about because the client on the outside requires us to use a specific IP to connect to their EDI server on port 5080. -
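The question in this thread is what the ASA ends up exposing when a whole-IP static NAT (NCAFTP01 to 1.1.1.5) coexists with a set of port-specific static PAT objects on the same public address. The script below is an added example written for this page, not Cisco tooling: it parses the object-NAT lines of an 8.3+ running config, builds the inbound exposure table per public ip/port, and warns where a whole-IP static overlaps port-specific statics or where one public port is claimed by more than one real host. The config excerpt is constructed from the posted configuration and keeps only the object and nat lines that matter; the named-port table covers only the names that appear in it.

```python
"""Audit of ASA 8.3+ object (auto) NAT statements: which real hosts sit behind
each public ip/port, and where rules overlap. Added example written for this
thread, not Cisco tooling; the excerpt below is constructed from the posted
config and keeps only the object and nat lines that matter here."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """
object network NCAFTP01:80
 host 172.16.10.10
object network NCAFTP01:443
 host 172.16.10.10
object network NCADMZ02:8800
 host 172.16.10.11
object network NCAFTP01
 host 172.16.10.10
object network NCAFTP01:80
 nat (any,ATTOutside) static 1.1.1.5 service tcp www www
object network NCAFTP01:443
 nat (any,ATTOutside) static 1.1.1.5 service tcp https https
object network NCADMZ02:8800
 nat (any,ATTOutside) static 1.1.1.5 service tcp 8800 8800
object network NCAFTP01
 nat (any,ATTOutside) static 1.1.1.5
"""

NAMED_PORTS = {"www": 80, "https": 443, "ftp": 21, "domain": 53, "smtp": 25}
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?")


def port_number(token):
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_object_nat(text):
    """Return one dict per object NAT rule with the real host resolved."""
    hosts, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split(None, 2)[2]
        elif line.startswith("host ") and current:
            hosts[current] = line.split()[1]
        elif current and (m := NAT_RE.match(line)):
            real_if, mapped_if, mapped_ip, proto, rport, mport = m.groups()
            rules.append({"object": current, "real_if": real_if, "mapped_if": mapped_if,
                          "mapped_ip": mapped_ip, "proto": proto,
                          "real_port": port_number(rport) if rport else None,
                          "mapped_port": port_number(mport) if mport else None})
    for r in rules:                 # host lines precede nat lines in a saved config
        r["real_ip"] = hosts.get(r["object"])
    return rules


def inbound_exposure(rules):
    """(mapped_ip, proto, mapped_port) -> [(real_ip, real_port, object), ...];
    proto and port of None mean the whole address is forwarded."""
    table = defaultdict(list)
    for r in rules:
        key = (r["mapped_ip"], r["proto"], r["mapped_port"])
        table[key].append((r["real_ip"], r["real_port"], r["object"]))
    return table


def find_overlaps(rules):
    findings = []
    for key, targets in inbound_exposure(rules).items():
        if len({(ip, port) for ip, port, _ in targets}) > 1:
            findings.append(f"{key}: more than one real host claims it: {targets}")
    whole_ip = {r["mapped_ip"] for r in rules if r["proto"] is None}
    for ip in sorted(whole_ip):
        ported = [r["object"] for r in rules if r["mapped_ip"] == ip and r["proto"]]
        if ported:
            findings.append(f"{ip}: whole-IP static NAT overlaps port-specific "
                            f"static PAT rules {ported}")
    return findings


if __name__ == "__main__":
    parsed = parse_object_nat(SAMPLE_CONFIG)
    for key, targets in sorted(inbound_exposure(parsed).items(), key=str):
        print(key, "->", targets)
    for finding in find_overlaps(parsed):
        print("WARN", finding)
```

Run against the full `show run` output rather than the excerpt to get the complete list of public ip/port pairs that reach a DMZ host; the overlap warning is the cue to remove the temporary whole-IP static before testing, as the poster notes.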
Unable to allow inbound ICMPv6 on ASA version 9.0(1)
I have upgraded an ASA 5505 to 9.0(1) as I would like to use the ipv6 version of dhcprelay. That said, I am unable to obtain a global unicast address but the link-local address is able to communicate with the ISP's gateway/DHCP provider which I hope will allow v6 dhcprelay to provide internal clients with IPs from the ISP. Trouble is, unsolicited inbound ICMPv6 messages from the ISP's gateway are being dropped on the way into the outside interface.
%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
I am able to ping the ISP's link-local address of fe80::201:5cff:fe3b:3c41 but I would assume that is because I am initiating the connection. Below is the ASA's configuration. Any help would be appreciated.
ASA Version 9.0(1)
hostname edge
domain-name domain.com
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
ipv6 address fec0::/64 eui-64
ipv6 enable
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ipv6 enable
ipv6 nd suppress-ra
boot system disk0:/asa901-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list OUTSIDE-IN extended permit icmp6 any any
access-list OUTSIDE-IN extended permit icmp6 any any membership-report
access-list OUTSIDE-IN extended permit icmp6 any any membership-report 0
access-list OUTSIDE-IN extended permit icmp6 any any echo-reply 0
access-list OUTSIDE-IN extended permit icmp6 any any echo-reply
access-list OUTSIDE-IN extended permit icmp6 host fe80::201:5cff:fe3b:3c41 interface outside
access-list OUTSIDE-IN extended permit icmp6 any interface outside membership-report
access-list OUTSIDE-IN extended permit icmp6 any interface outside membership-report 0
pager lines 24
logging enable
logging console warnings
logging monitor warnings
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-IN in interface outside
ipv6 icmp permit any inside
ipv6 icmp permit any membership-report outside
ipv6 icmp permit any echo-reply outside
ipv6 icmp permit any router-advertisement outside
ipv6 icmp permit any neighbor-solicitation outside
ipv6 icmp permit any neighbor-advertisement outside
ipv6 icmp permit any outside
ipv6 dhcprelay server fe80::201:5cff:fe3b:3c41 outside
ipv6 dhcprelay enable inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 10.0.0.101-10.0.0.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd option 3 ip 10.0.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:00029d8b1ed6504390a6e607bd1772dc
: end
Hi Jim, thanks for the reply.
More detail about "unable to obtain a global unicast" address would be helpful. For example, is the upstream ISP emitting router advertisements, or not? If they are really doing v6 you should be seeing router-advertisements sourced from fe80::/64+their EUI-64 MAC mapping and probably including at least one /64 or larger prefix flagged for autoconfiguration. Which your outside interface should be able to pick up. Try replacing ipv6 enable with ipv6 address autoconfig, and regardless write back with the output from show ipv6 interface so we can see what's going on a little better.
I did try enabling autoconfiguration but learned that Comcast uses DHCP to distribute their residential customers /64 allocations. My link-local address was able to communicate with their gateway [fe80::201:5cff:fe3b:3c41] which also appeared to be the same device or at least an alias for their DHCP server [ff02::1:2]. I learned this after throwing a tap on the connection and obtaining an global IP with a host that could leverage DHCPv6 verse the ASA which cannot. I also tried pinging ff02::1:2 and the response would come from the aforementioned gateway link-local address but the ASA would block these responses since I guess it was interpreting them as spoofed. The sh ipv6 int outside only shows the link-local address, even with autoconfiguration enabled.
In passing, there isn't really any IPv6 NAT, barring the still-experimental RFC-6296 prefix substitution. And site-local fec0::/10 addresses were deprecated in RFC3879 back in 2004, to the point that newly conforming routers aren't allowed to even configure them as interface addresses, much less forward packets sourced from them. So you probably need a different IPv6 routing strategy for the inside vlan. E.g., have your ISP delegate to you a /48 or a /60 or something and put different /64 subnets on the inside and outside interfaces, with an explicit ipv6 default route, e.g. ipv6 route outside ::/0 fe80::201:5cff:fe3b:3c41
I don't think there is any IPv6 equivalent of setroute from "ip address dhcp setroute".
Interesting and good information! So at the point that I was unable to use autoconfiguration but was able to connect to their link-local address (pongs from my ping), I loaded up the new, shiny 9.0(1) release which supports DHCPv6 relaying and gave it a whirl. I specified the gateway address as the DHCPv6 relay server but no luck. Via some debugging, I saw requests from internal clients on the internal going out but no responses. I assumed that this would work fine over the ASA's link-local address as that is what a traditional client that does support DHCPv6 would communicate over but no dice.
Your icmp6 commands puzzle me a little. ipv6 icmp permit any outside is the default interface behavior, and makes all the preceding permits moot. Maybe you are planning to replace it with a deny at some future point? Not filtering ICMPv6 at routed interfaces is less dangerous than in the v4 case, as most of the interesting stuff has restrictions to the on-link VLAN like requiring hop limit=255 or link-local source addresses.
My understanding was also that ICMPv6 stuff should work fine without the statements, but after failed autoconfiguration and DHCPv6 relay attempts I was trying to get a little creative, or disparate. I reached out to Comcast's Business and put in a TAC ticket. Although this was for a residential setup, Comcast support (at least the three representatives I spoke with) did not know what IPv6 was and wanted to charge me for premium support (you can imagine my reluctance). I reached out to their business side and they were more interested in helping. Not having an account limited my support but in short, they did not at this time support static /64 allocations, at least that's what I was told. It might have been worth upgrading to a business account if they did but instead I am going to purchase a router which will support DHCPv6... -
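Two of the threads above turn on reading ASA denial messages correctly: the "Inbound TCP connection denied ... flags SYN ACK" lines that Julio attributes to asymmetric routing, and the %ASA-3-313008 IPv6-ICMP denials in this thread, where the type numbers map onto the keywords used in the `ipv6 icmp permit` lines. The script below is an added example written for this page, not Cisco code: it parses both message formats, names the ICMPv6 type, checks whether the source is link-local (the on-link restriction Jim mentions), and separates a SYN-only denial (an ACL hit) from a mid-stream segment the firewall has no connection for. The ICMPv6 lines are copied from the thread; the addresses in the TCP lines are constructed, since the thread only shows "x to y".

```python
"""Triage of two ASA denial messages seen in the threads above. Added example
written for the page, not Cisco code; the log lines are constructed from the
messages quoted in the threads (addresses in the TCP lines are made up)."""
import ipaddress
import re
from collections import Counter

SAMPLE_LOGS = [
    "%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside",
    "%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside",
    "%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside",
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/443 to 192.0.2.10/51234 flags SYN ACK on interface Net",
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/443 to 192.0.2.10/51234 flags ACK on interface Net",
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.9/40000 to 192.0.2.10/22 flags SYN on interface Net",
]

# ICMPv6 type numbers and the keywords the ASA uses for them in 'ipv6 icmp permit'.
ICMPV6_TYPES = {
    128: "echo-request", 129: "echo-reply", 130: "membership-query",
    131: "membership-report", 132: "membership-reduction",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
}
ICMP6_RE = re.compile(r"%ASA-\d-313008: Denied IPv6-ICMP type=(\d+), code=(\d+) "
                      r"from (\S+) on interface (\S+)")
TCP_RE = re.compile(r"%ASA-\d-106001: Inbound TCP connection denied from (\S+)/(\d+) "
                    r"to (\S+)/(\d+) flags ([A-Z ]+?) on interface (\S+)")


def triage(line):
    """Classify one syslog line; returns None for messages this triage ignores."""
    if m := ICMP6_RE.search(line):
        icmp_type, src, iface = int(m[1]), m[3], m[4]
        name = ICMPV6_TYPES.get(icmp_type, f"type-{icmp_type}")
        return {
            "verdict": "icmp6-denied",
            "interface": iface,
            "type": icmp_type,
            "name": name,
            # ND and MLD traffic is expected to come from a link-local source.
            "link_local_source": ipaddress.ip_address(src).is_link_local,
            "hint": f"if wanted, allow it with: ipv6 icmp permit any "
                    f"{ICMPV6_TYPES.get(icmp_type, icmp_type)} {iface}",
        }
    if m := TCP_RE.search(line):
        flags = set(m[5].split())
        if flags == {"SYN"}:
            verdict = "acl-deny"
            hint = "new connection; check the inbound access-list on this interface"
        else:
            verdict = "out-of-state"
            hint = ("segment with no matching connection: asymmetric routing (the SYN "
                    "never crossed this interface) or an expired conn; TCP state bypass "
                    "is the workaround, fixing the routing the real fix")
        return {"verdict": verdict, "interface": m[6], "src": f"{m[1]}/{m[2]}",
                "dst": f"{m[3]}/{m[4]}", "flags": sorted(flags), "hint": hint}
    return None


def summarize(lines):
    """Count verdicts so a burst of out-of-state denials stands out from ACL hits."""
    return Counter(r["verdict"] for r in map(triage, lines) if r)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(line))
    print(summarize(SAMPLE_LOGS))
```

Feed it a syslog export instead of `SAMPLE_LOGS`; a high out-of-state count from one interface, with no matching SYN denials, is the pattern that points at routing rather than at the access-list.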
Is there a way to preserve the source port for UDP packets that use a PAT pool?
Here is what I need:
The client (1.1.1.1) sends a UDP packet from port 5060 to port 5060 on our external 2.2.2.2. This packet is port forwarded to our internal server 10.10.10.10 with the original source and destination port. The server then sends a UDP response to the client from port 5060 to port 5060. The server is in a PAT pool that only contains the address 2.2.2.2. The ASA changes the source port and our client ends up rejecting the packet because the source port is not what it expected.
How can I preserve the original source port when the packet goes through the PAT pool?
Thanks,
Steven
Hi,
Well you could probably make this work for the outbound direction BUT in the inbound direction from the Internet I don't think there is really a way to use the same public IP address and public UDP port.
I mean, the ASA doesn't have any way to determine what traffic on destination port UDP5060 to destination IP 2.2.2.2 would have to be forwarded to which internal IP.
It would simply use the first rule matched always.
But as I said for the outbound direction it might work.
You would simply add another similar NAT statement with a different source object with a different source IP address. ASA would again accept the command but give a warning about rule overlap.
I guess the below added would work for the outbound direction IN THEORY
object network HOST-1
host 10.10.11.11
object network HOST-2
host 10.10.11.12
nat (inside,outside) source static HOST-1 interface service UDP5060 UDP5060
nat (inside,outside) source static HOST-2 interface service UDP5060 UDP5060
But not for inbound, though if I understood correctly, the inbound traffic should only even go to a single virtual IP
I would imagine this is as close as you can get to "implementing" something weird on the ASA
- Jouni -
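The policy PAT thread above (static tcp 4.2.2.2 443 to 10.1.2.3 443, and what happens to a packet from source port 1025) and this UDP thread (a reply from 10.10.10.10:5060 leaving through a PAT pool with its source port rewritten) are two views of the same mechanism: a static PAT entry plus the connection table. The model below is an added example written for this page, not Cisco code, and it simplifies heavily (no timeouts, no ACLs, one dynamic PAT address). It shows that an inbound packet to the forwarded port keeps its source port, that a packet to any other port on the mapped address is dropped, that the reply is translated back through the connection entry, and why a new UDP flow sourced from 5060 gets a fresh port under dynamic PAT but keeps 5060 once a static PAT entry for that port exists, which is what Jouni's `nat ... service UDP5060 UDP5060` lines express. Addresses are taken from the threads; the Internet client 203.0.113.9 is constructed.

```python
"""Model of static PAT (port forwarding) versus dynamic PAT on an ASA-style
firewall. Added illustration, not Cisco code: the translation logic is a
simplification and the addresses are constructed from the two threads."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """Same flow seen from the other end (reply direction)."""
        return Packet(self.proto, self.dst_ip, self.dst_port,
                      self.src_ip, self.src_port)


class PatFirewall:
    """Static PAT entries (bidirectional for that one port), one dynamic PAT
    address for every other new outbound flow, and a conn table that carries
    replies back through whichever translation created the connection."""

    def __init__(self, pat_address, first_pat_port=1024):
        self.pat_address = pat_address
        self.statics = {}    # (proto, mapped_ip, mapped_port) -> (real_ip, real_port)
        self.xlate_out = {}  # inside view of a flow -> outside view (outbound direction)
        self.xlate_in = {}   # outside view of the reply -> inside view (inbound direction)
        self.next_pat_port = first_pat_port

    def add_static_pat(self, proto, mapped_ip, mapped_port, real_ip, real_port):
        """Equivalent of: static (inside,outside) PROTO MAPPED MPORT REAL RPORT."""
        self.statics[(proto, mapped_ip, mapped_port)] = (real_ip, real_port)

    def _static_for_real(self, proto, real_ip, real_port):
        for (p, mip, mport), (rip, rport) in self.statics.items():
            if (p, rip, rport) == (proto, real_ip, real_port):
                return mip, mport
        return None

    def _add_conn(self, inside_fwd, outside_fwd):
        self.xlate_out[inside_fwd] = outside_fwd
        self.xlate_in[outside_fwd.reverse()] = inside_fwd.reverse()

    def inbound(self, pkt):
        """Packet arriving on the outside interface: the forwarded packet, or
        None when no connection and no static entry matches (dropped)."""
        if pkt in self.xlate_in:                      # reply to an outbound flow
            return self.xlate_in[pkt]
        rule = self.statics.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if rule is None:
            return None
        real_ip, real_port = rule
        inside = Packet(pkt.proto, pkt.src_ip, pkt.src_port, real_ip, real_port)
        self._add_conn(inside.reverse(), pkt.reverse())
        return inside                                 # source port untouched

    def outbound(self, pkt):
        """Packet from the inside: replies reuse the conn entry; new flows use
        a static entry when one matches the real ip/port, else dynamic PAT."""
        if pkt in self.xlate_out:
            return self.xlate_out[pkt]
        mapped = self._static_for_real(pkt.proto, pkt.src_ip, pkt.src_port)
        if mapped is None:
            mapped = (self.pat_address, self.next_pat_port)
            self.next_pat_port += 1
        outside = Packet(pkt.proto, mapped[0], mapped[1], pkt.dst_ip, pkt.dst_port)
        self._add_conn(pkt, outside)
        return outside


def demo():
    results = {}
    # Policy PAT thread: static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443
    fw = PatFirewall(pat_address="2.2.2.2")
    fw.add_static_pat("tcp", "4.2.2.2", 443, "10.1.2.3", 443)
    client = "203.0.113.9"                            # constructed Internet host
    results["syn_to_443"] = fw.inbound(Packet("tcp", client, 1025, "4.2.2.2", 443))
    results["syn_to_1025"] = fw.inbound(Packet("tcp", client, 1025, "4.2.2.2", 1025))
    results["synack_back"] = fw.outbound(Packet("tcp", "10.1.2.3", 443, client, 1025))
    # UDP thread: server 10.10.10.10 behind a PAT pool that holds only 2.2.2.2.
    probe = Packet("udp", "10.10.10.10", 5060, "1.1.1.1", 5060)
    results["udp_new_dynamic"] = fw.outbound(probe)   # source port rewritten
    fw2 = PatFirewall(pat_address="2.2.2.2")
    fw2.add_static_pat("udp", "2.2.2.2", 5060, "10.10.10.10", 5060)
    results["udp_new_static"] = fw2.outbound(probe)   # source port kept
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:16} -> {pkt}")
```

The `udp_new_dynamic` case is the failure Steven describes: once the server's packet is treated as a new flow rather than the reply to an existing conn (the model has no UDP timeout, but a real ASA does), only a static PAT for udp/5060 keeps the source port stable.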
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191) - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3.201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
not working access from external to DMZ AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: end
Thank you one more time for everything. It is working indeed.
The reason I sometimes had some 'weird' results was because I had all devices connected to the same switch. Separating all networks onto different switches helped. Anyway, if you could take a look one last time at my configuration and let me know if it's good enough to deploy on live (only www for all, ssh restricted from outside, lan to dmz). Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
Good morning you clever bunch,
Having a real issue here, am used to the Router\Switch CLI but been asked to set up an ASA 5505 8.4.
Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running -
packet-tracer input outside tcp 80.80.80.80 3389 10.240.0.10 3389
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static server publicIP service RDP RDP
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?
I have this morning wiped the config and have simply set up the adapters, a default route and twice NAT, and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut! Any help is greatly appreciated as I've gotten quite stuck and feel like I have followed all the instructions online and tried just about everything.
Many thanks,
Sam - below is my running config
ASA Version 8.4(4)1
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 80.*.*.203 255.255.255.248
ftp mode passive
object network server
host 10.240.0.10
object network publicIP
host 80.*.*.37
object service RDP
service tcp source eq 3389
access-list ouside_in extended permit tcp any host 10.240.0.10 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server publicIP service RDP RDP
access-group ouside_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.*.*.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e67c79a8361f7b6aa3a7dd549f85e818
: end
Hi Jennifer,
No I just changed that for testing purposes as I had tried everything I thought was correct to no avail.
You, Jennifer, are my new hero.... literally on the config side I was trying everything and was completely barking up the wrong tree! Every time I had set up packet tracer that way, you can understand my logic when it comes to the destination address, seeing as I had already specified the outside adapter, but it makes a lot more sense using the outside host. Flow is now running perfectly.
Many thanks.
Sam -
So I have a weird problem that I'm hoping someone can point me in the right direction on... At home I have a Cisco ASA 5505 - not a very complex network, some BCP configs, and it's providing NAT (PAT). I have a static IP and am using a few RFC 1918 segments - like I said, nothing earth shattering. I have a Linksys E1200 802.11N WPA2 PSK - again pretty standard. I connect laptops, iPads, iPhones, Kindles, Androids no problem. Until recently my 60" Vizio had no issues using the network (wired or wireless). Now the network is failing on the TV. I see it get to the FW and I can ping, trace etc... to the TV. The FW logs show resets (log is below).
Now here is the really interesting part - if I turn the tether feature on my iPhone on and connect the TV to it, it works. What's even more interesting is if I then go back to the home network it all works again, no problem, until I reboot the TV... HELP!
Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60658 to outside:68.162.222.142/53332
Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/37006 to outside:68.162.222.142/40015
Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
Hello ras,
As you mentioned, the TV is sending a reset packet to the remote address. I would recommend you create a capture of the traffic and review it at the packet level to see a possible reason for the drop.
Here is how. Then you can download it in pcap format and upload it to the forum for further analysis.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-6941209
Hope this information is helpful. -
Hi there.
I am just trying to do PAT with GNS3, but it is not working and I don't have any idea why.
(Cisco Adaptive Security Appliance Software Version 8.4(2))
I also found out that there are some changes in the NAT configuration. I made them, but it didn't work.
I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2 or 8.8.8.8.
I turned on debug in R1 and I can see the ICMP.
R1#
*Mar 1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
*Mar 1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
And also can see xlate on ASA
ASA-1# sh xlate
1 in use, 9 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
ASA-1#
This is my topology.
[ASA1]
ASA-1# sh run ip
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
ASA-1# sh run object network
object network obj-192.168.100.0
subnet 0.0.0.0 0.0.0.0
ASA-1# conf t
ASA-1(config)# ob
ASA-1(config)# object net
ASA-1(config)# object network obj-192.168.100.0
ASA-1(config-network-object)# nat (in
ASA-1(config-network-object)# nat (inside,ou
ASA-1(config-network-object)# nat (inside,outside) dy
ASA-1(config-network-object)# nat (inside,outside) dynamic inter
ASA-1(config-network-object)# nat (inside,outside) dynamic interface
ASA-1(config-network-object)# end
[R4]
interface FastEthernet0/0
ip address 10.10.20.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.100.254 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.20.1
[HOST]
ip address 192.168.100.116/24
[R1]
interface FastEthernet0/0
ip address 10.10.10.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 1.1.12.1 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
What am I missing?
Please correct me.
Thank you in advance.
Just reloaded... I'm still stuck on the ping.
Changed the topology to be simpler, but it is still not working.
Here is all what i did.
[ASA]
access-list ICMP extended permit icmp any any echo-reply
access-list ICMP extended permit icmp any any time-exceeded
access-group ICMP in interface outside
interface GigabitEthernet0
description To_UP
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet1
description To_DOWN
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
[R1]
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think i need this)
[R4]
interface FastEthernet0/0
ip address 10.10.20.2 255.255.255.0
ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
[output tracer]
ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP <---??????????????????????????
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
[ASA]
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ICMP; 2 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
ciscoasa#
I created the ACL and permitted it.
Thank you. -
ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP
Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IPs. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receiving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate it if anyone could help shed some light as to why this is happening for me. I always thought a static NAT should take precedence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to the outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assigned through static NAT to the email server. The email server should respond to and send out using this IP address.
The email server gets traffic to 10.10.10.74 like it is supposed to, but when sending out it shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3f
Hi,
As per your config:
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from the email server (192.168.2.7) will be NATed to 10.10.10.74 only if the source port is TCP/25. Any other source port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan
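To make the rule-matching behind these answers concrete (the head's "port-forwarding is only for inbound connections; a new outbound connection needs a different NAT", and Dan's point that a port-specific static NAT only claims source port 25), here is a small Python model of ASA 8.3+ NAT lookup run against Justin's object NAT. It is an example added for this page, not Cisco code or output: the Flow/NatRule/NatTable names, the simplified section ordering and PAT port allocator, the 203.0.113.x remote addresses and the fixed_rules() Section 1 rule (a manual `source dynamic` PAT of the mail host to its own public IP) are assumptions of the example, not something the thread states.

```python
"""
Toy model of how an ASA running the 8.3+ NAT syntax picks a rule for a new
flow. Example written for this page, not Cisco code: it keeps only the
ordering the threads above turn on (Section 1 manual NAT before Section 2
object NAT, static before dynamic inside Section 2, static rules matching in
both directions, dynamic rules only from real to mapped) and ignores identity
NAT, overlap checks and the real PAT port allocator.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    in_if: str        # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    real_if: str
    mapped_if: str
    real: str                         # host or CIDR on the real side
    mapped: str                       # mapped host address
    kind: str                         # "static" or "dynamic"
    section: int                      # 1 = manual (twice) NAT, 2 = object NAT
    real_port: Optional[int] = None   # both ports set for a static PAT ("service tcp X Y")
    mapped_port: Optional[int] = None
    proto: str = "tcp"

    def order_key(self):
        return (self.section, 0 if self.kind == "static" else 1)


class NatTable:
    def __init__(self, rules: List[NatRule]):
        # sorted() is stable, so configuration order is kept inside each tier
        self.rules = sorted(rules, key=NatRule.order_key)
        self._next_pat_port = 1024    # simplified PAT port allocator (assumption)

    def translate(self, f: Flow) -> Optional[Flow]:
        """Flow as it leaves the far interface, or None when no rule matches
        (an inbound packet to an unmapped address/port is then dropped)."""
        for r in self.rules:
            if (r.real_port or r.mapped_port) and f.proto != r.proto:
                continue
            # real -> mapped (e.g. the inside server talking out)
            if f.in_if == r.real_if and ipaddress.ip_address(f.src) in ipaddress.ip_network(r.real, strict=False):
                if r.real_port is not None and f.sport != r.real_port:
                    continue          # a static PAT only claims its own source port
                if r.kind == "static":
                    return Flow(r.mapped_if, r.mapped, r.mapped_port or f.sport, f.dst, f.dport, f.proto)
                port, self._next_pat_port = self._next_pat_port, self._next_pat_port + 1
                return Flow(r.mapped_if, r.mapped, port, f.dst, f.dport, f.proto)
            # mapped -> real: only static rules are bidirectional
            if f.in_if == r.mapped_if and r.kind == "static" and f.dst == r.mapped:
                if r.mapped_port is not None and f.dport != r.mapped_port:
                    continue
                return Flow(r.real_if, f.src, f.sport, r.real, r.real_port or f.dport, f.proto)
        return None


def justin_rules() -> List[NatRule]:
    """Object NAT (Section 2) from Justin's config; 10.10.10.78 is the outside interface IP."""
    return [
        NatRule("inside", "outside", "0.0.0.0/0", "10.10.10.78", "dynamic", 2),             # obj_any -> interface
        NatRule("inside", "outside", "192.168.2.7", "10.10.10.74", "static", 2, 25, 25),     # Email smtp
        NatRule("inside", "outside", "192.168.2.16", "10.10.10.74", "static", 2, 80, 80),    # Webmail www
        NatRule("inside", "outside", "192.168.2.16", "10.10.10.74", "static", 2, 443, 443),  # WebmailSecure https
    ]


def fixed_rules() -> List[NatRule]:
    """Assumed fix (not from the thread): a Section 1 dynamic PAT of the mail host to its own
    public IP, i.e. `nat (inside,outside) source dynamic Email EmailPublic` with a new host
    object EmailPublic = 10.10.10.74. It only matches inside->outside, so the port-specific
    static PATs on 10.10.10.74 keep handling inbound smtp/www/https."""
    return [NatRule("inside", "outside", "192.168.2.7", "10.10.10.74", "dynamic", 1)] + justin_rules()


def outbound_source(rules: List[NatRule], sport: int = 50000) -> str:
    """Mapped source IP of a *new* outbound SMTP session from the mail host
    (203.0.113.9 is a constructed remote MX)."""
    t = NatTable(rules).translate(Flow("inside", "192.168.2.7", sport, "203.0.113.9", 25))
    return t.src if t else "no-match"


if __name__ == "__main__":
    table = NatTable(justin_rules())
    print(table.translate(Flow("outside", "203.0.113.5", 40000, "10.10.10.74", 25)))    # dst becomes 192.168.2.7:25
    print(table.translate(Flow("outside", "203.0.113.5", 40000, "10.10.10.74", 1025)))  # None: no static PAT for 1025
    print(outbound_source(justin_rules()), outbound_source(fixed_rules()))              # 10.10.10.78 10.10.10.74
```

The model reproduces both complaints: an inbound packet to 10.10.10.74 on a port with no static PAT matches nothing and is dropped, the reply half of the SMTP connection (source port 25) does hit the static PAT, but a new outbound session from the mail host with an ephemeral source port falls through to the obj_any interface PAT. Whether a dynamic PAT may share 10.10.10.74 with the static PATs is not checked by the model; verify with `packet-tracer input inside tcp 192.168.2.7 50000 <remote> 25` on the real box after the change.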