8.4 PAT/NAT question


nosebreaker
Oct 1, 2009
I am pulling my hair out trying to get this to work! I have other NAT/PAT entries for different IP addresses that work fine (DNS/WEB/SSH), but when I try to visit a website they show the IP of the outside interface, so it doesn't appear to be a static NAT.

I have a scrubbed example (using 1.2.3.x as public IPs) below.

I am trying to get crashplan (uses tcp port 4242) to work from the outside, but right now it thinks its public IP is 1.2.3.6 in my example. I have basically 2 options:

1-to-1 NAT using the 1.2.3.9 public IP
Port 4242 PAT on the interface IP of the ASA (1.2.3.6)

The other PAT entries for server2 (ssh/web/dns) work fine; however, server2 does think it has a public IP of 1.2.3.6 and not the 1.2.3.8 that it should have. I don't know why I can't just get a 1-to-1 NAT for this server.

I am able to telnet to port 4242 from inside (to 172.16.1.5) and it does respond, so I know the box should work. I have the box named backup in the examples below, and I checked that the ACL does show the hit counts going up.

interface Ethernet0/0
description outside
switchport access vlan 999
!
interface Ethernet0/1
description inside
switchport access vlan 101
!

interface Vlan101
nameif inside
security-level 100
ip address 172.16.1.254 255.255.255.0
!
interface Vlan999
nameif outside
security-level 0
ip address 1.2.3.6 255.255.255.0
!

same-security-traffic permit intra-interface
object service ssh
service tcp source eq ssh
object network server2-inside
host 172.16.1.1
object network server2-outside
host 1.2.3.8
object network server2
host 172.16.1.1
object network luigi
host 172.16.1.10
object network inside-network-vpn
subnet 172.16.1.0 255.255.0.0
object network home-network-vpn
subnet 172.16.0.0 255.255.0.0
object service web
service tcp destination eq www
object service dns
service udp destination eq domain
object service crashplan
service tcp destination eq 4242
object network backup-inside
host 172.16.1.5
object network backup-outside
host 1.2.3.9
object-group network inside-network
network-object 172.16.1.0 255.255.255.0
object-group network remote-vpn-network
network-object 10.1.10.0 255.255.255.0
object-group network internal-vpn-allowed
network-object 172.16.1.0 255.255.255.0
network-object 172.16.0.0 255.255.255.0
access-list in_outside extended permit tcp 173.166.71.40 255.255.255.248 any eq 3389
access-list in_outside extended permit icmp any any echo-reply
access-list in_outside extended permit icmp any any echo
access-list in_outside extended permit tcp any host 172.16.1.1 eq www
access-list in_outside extended permit tcp any host 172.16.1.1 eq ssh
access-list in_outside extended permit tcp any host 172.16.1.1 eq https
access-list in_outside extended permit udp any host 172.16.1.1 eq domain
access-list in_outside extended permit tcp any object backup-inside eq 4242
access-list in_outside extended permit tcp any object backup-outside eq 4242
access-list in_outside extended permit tcp any any eq 4242
access-list in_inside extended permit ip any any
access-list in_inside extended permit icmp any any
access-list no_nat extended permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list no_nat extended permit ip 172.16.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list no_nat extended permit ip 172.16.1.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list vpn_acl extended permit ip object inside-network-vpn object home-network-vpn
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor debugging
mtu management 1500
mtu inside 1500
mtu outside 1500
arp timeout 14400
nat (inside,outside) source static inside-network-vpn inside-network-vpn destination static home-network-vpn home-network-vpn
nat (inside,outside) source static server2-inside server2-outside service ssh ssh
nat (inside,outside) source static server2-inside server2-outside service web web
nat (inside,outside) source static server2-inside server2-outside service dns dns
nat (inside,outside) source static internal-vpn-allowed internal-vpn-allowed destination static remote-vpn-network remote-vpn-network
! I tried this as well, changing order of the final dynamic line also
! nat (inside,outside) source static backup-inside backup-outside service crashplan crashplan
nat (inside,outside) source dynamic any interface
!
object network server2
nat (inside,outside) static 1.2.3.8 dns
object network luigi
nat (inside,outside) static 1.2.3.7
object network backup-inside
nat (inside,outside) static interface service tcp 4242 4242
access-group in_inside in interface inside
access-group in_outside in interface outside
 
Off the top of my head, it sounds like an issue with auto NAT taking precedence over static NAT, so xlates are grabbing 1.2.3.6. The way around this would be to use the "after-auto" keyword...

nat (inside,outside) after-auto source dynamic any interface

Basically, it sounds like you had the right idea to put the static NAT before the dynamic, but in order for it to actually use static before it attempts to dynamically NAT, you need that after-auto.

Let us know!

10 ? "TIMMAY!!!"
20 goto 10
run
TIMMAY!!!
 
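The fix from the reply, written out against the poster's scrubbed config as an added example (this is not the poster's or the replier's own config, and it has not been taken from the thread). It keeps the object and interface names from the question and assumes an outside client address of 198.51.100.10 (documentation range, made up here) for the packet-tracer checks. The point it shows: in ASA 8.3+ the NAT table is evaluated as Section 1 (manual/twice NAT), then Section 2 (auto/object NAT), then Section 3 (manual NAT entered with after-auto). A catch-all "source dynamic any interface" sitting in Section 1 matches every outbound flow that the static lines above it do not, so the auto NAT statics for server2, luigi and backup are never reached and every host leaves as 1.2.3.6.

```cisco
! Added example, not from the original thread. Same object names as the
! poster's config; 198.51.100.10 is an assumed outside client.

! 1. Move the catch-all PAT from Section 1 to Section 3 so that the auto NAT
!    (object) statics in Section 2 are consulted before it.
no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

! 2. Option 1 from the question: a true one-to-one NAT for the backup host.
!    All ports are forwarded and outbound traffic now leaves as 1.2.3.9
!    instead of the interface address.
object network backup-inside
 no nat (inside,outside) static interface service tcp 4242 4242
 nat (inside,outside) static backup-outside

! 3. From 8.3 on, an inbound ACL on the outside interface is matched against
!    the REAL (untranslated) address, so only the backup-inside line is
!    needed for 4242. The backup-outside line can never match, and the
!    "any any eq 4242" line permits 4242 to every inside host that has a
!    NAT rule, which is wider than intended.
no access-list in_outside extended permit tcp any object backup-outside eq 4242
no access-list in_outside extended permit tcp any any eq 4242

! 4. Translations built under the old rules stay in the xlate table until
!    they time out or are cleared; clear them so the new order takes effect.
clear xlate

! 5. Verify which rule each direction hits. Outbound from backup should now
!    show a translated source of 1.2.3.9; inbound 4242 to 1.2.3.9 should
!    untranslate to 172.16.1.5 and show the NAT and ACCESS-LIST phases as ALLOW.
packet-tracer input inside tcp 172.16.1.5 40000 198.51.100.10 80
packet-tracer input outside tcp 198.51.100.10 40000 1.2.3.9 4242

! 6. Confirm the section each rule landed in and watch the translate_hits /
!    untranslate_hits counters move as you test.
show nat detail
show xlate
```

If the second option from the question (PAT for 4242 only on the interface address 1.2.3.6) is kept instead of the one-to-one NAT, step 2 is left as the poster had it and the inbound packet-tracer is run against 1.2.3.6 4242; the after-auto change in step 1 is what makes server2 and luigi leave as 1.2.3.8 and 1.2.3.7 either way.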