ASA 5510 Nat Help

[silentblue]

Hi guys and girls I need help as this has been driving me crazy for 3 weeks now!

I'm trying to setup ASA 5510 to allow incoming traffic port 3389 (Terminal Server) to an inside server.

I created only one static NAT entry to translate outside public address to inside private address.

I allowed tcp 3389 traffic in the ACL.

When I try to connect to the public address, I can see the syslog that an inbound tcp connection is established with NAT. However doesn't connect and after 30seconds the connection gets teared down.

My Config.

ciscoasa# config terminal
ciscoasa(config)# show config
: Saved
: Written by enable_15 at 12:10:11.896 GMT/BDT Thu Oct 12 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name xxxxxxxxxxxxxxxxxxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.
boot system disk0:/pix721.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxxxxxxxx
object-group service 4XDealer tcp
port-object range 4000 4100
access-list Outside_access_in extended permit tcp any host x.x.x.83 eq 3389

pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool RemoteIPs 172.16.250.1-172.16.250.254 mask 255
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Outside,Inside) 172.16.100.104 x.x.x.83 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

Regards,
Darren

 

[silentblue]

Kiwi where can i download it if it's free? Think your right tho going to be a cisco case

I hate things beating me!

I know what we done is right coz all the books say and the web sites i looked at including cisco's and there updated pdf's just fustrating!!

Thanks for all your help anyway and will post back what they come up with!

Regards,
Darren

 

[Supergrrover]

Google kiwi syslog. The trial version is free. If you get them on the horn, ask them about emailing the alerts - that doesn't seem to work in 7.2(1) either..



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

Hi Ya just an update, installed another asa5510 with smartnet support over the weekend with software ver 7.0(5), and couldn't get it to NAT so i have setup a cisco tek request so hopefuly they get back soon!

Regards,
Darren

 

[silentblue]

By joe i figured it out!!!!!!!!!!!!!!!!!!!!!!!!!! (I think)

I added this pool and it all seemed to work!!
global (Outside) 1 82.111.251.83-82.111.251.94 netmask 255.0.0.0

Can you look at the config and see if i have created what i wantted or a secuirty hole?

Regards,
Darren.

Result of the command: "show config"

: Saved
: Written by enable_15 at 16:55:51.260 UTC Tue Nov 14 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 82.111.251.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list Outside_access_in extended permit tcp any host 82.111.251.83 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 82.111.251.83-82.111.251.94 netmask 255.0.0.0
global (Outside) 2 interface
global (Inside) 1 interface
nat (Inside) 2 0.0.0.0 0.0.0.0
static (Inside,Outside) 82.111.251.83 172.16.100.4 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 82.111.251.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.16.0.0 255.255.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.16.0.0 255.255.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 

[Supergrrover]

Good. I am not sure why that worked and the PAT didn't. Did TAC give you an answer or good ole trial and error?

global (Outside) 1 82.111.251.83-82.111.251.94 netmask 255.0.0.0
static (Inside,Outside) 82.111.251.83 172.16.100.4 netmask 255.255.255.255
Although nothing is using that global, this static and global overlap. I would make the global 84-94 to avoid problems. The static will do all traffic, so you can run any service you want and just allow it with ACLs.

global (Outside) 2 interface
nat (Inside) 2 0.0.0.0 0.0.0.0
This will do your PAT, so all outbound will be up and running.

global (Inside) 1 interface
I am not sure what the goal of this one is.




Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

Good old trial and error. I was just about to submit the problem to TAC and then thought i will give it one more go.

But i now have another problem ?!?!?!

If i try to connect to the internet ip from inside it still does the old 30 timeout syn.

ie

HostA - Internet - 82.111.251.83 - Firewal - HostB(172.16.100.2)

if i try to connect to port 82.111.251.83:3389 from HostB get the same error.

Then i tryied it from an external Host(HostA) and connected fine!

Any ideas on this one or shall i submit to TAC.

Regards,
Darren.

 

[Supergrrover]

You are trying to connect to the internet (external) IP of the pix from the inside network?

The pix won't allow that. You can do a dns alias so the pix hands back the internal IP of the machine you are looking for, but that is the only work around I know.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

What are you trying to accomplish?



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[horus42]

If you happen to be using code 7.x you are in luck because its allowed and you just need to run this command

same-security-traffic permit intra-interface


Hope that helps

 

[silentblue]

Yeah, it's no problem i forgot about you can't access an external IP from inside, as a standard i know most firwalls will not do this apart from sonicwall firwalls that i have do.

Well i guess that this is the end of this thread, as problem solved, thanks for all your help!

Regards,
Darren.

 

[silentblue]

Oh really i give it ago! and let you know!

Regards,
Darren

 

[silentblue]

Sorry that command didn't work

I have had to take the ASA5510 offline now coz there are some really strange things that are happening anyway, First thing is i have an ftp server on the inside, but when i try to connect from Outside with a winXP pc it don't work but does from a win2K pc, also have a web server on the inside and i have had clients on the outside, ring up saying that they can access it, sometimes!?!
Thought this may have been because of the inspections going on but i seen that it's not inspecting http????

Config still the same as above, is there something in it that would do all this?

I am at a lost with this now think i am over my head, as this is my frist cisco firewall i brought and i haven't had much luck with it. (Don't reget buying it tho).

Regards,
Darren.

 

[Supergrrover]

Could be a bad box. Those all seem really strange. I haven't had any of the problems you have had and I have put quite a few of these in.

Just a side note - the pix won't do secure ftp. It can't read the natted info in the encrypted packets.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[prince78]

Brent or Darren

just using the above example to make my question simpler,

global (Outside) 1 82.111.251.83-82.111.251.94 netmask 255.0.0.0
static (Inside,Outside) 82.111.251.83 172.16.100.4 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any host 82.111.251.83 eq 3389

If I have single public ip as 82.111.251.83 and multiple servers on inside for different services
eg - 172.16.100.4 (3389), 172.16.100.5 (ftp), 172.16.100.6(http) and can you advise how can I configure for outside users to access inside servers on mentioned services using 1 public ip address?

can I configure as below
access-list outside_in extended permit tcp any host 82.111.251.83 eq 3389
access-list outside_in extended permit tcp any host 82.111.251.83 eq ftp
access-list outside_in extended permit tcp any host 82.111.251.83 eq http
static (Inside,Outside) tcp 82.111.251.83 3389 172.16.100.4 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 82.111.251.83 21 172.16.100.5 21 netmask 255.255.255.255
static (Inside,Outside) tcp 82.111.251.83 80 172.16.100.6 80 netmask 255.255.255.255
access-group outside_in in interface Outside

thanks

 

[silentblue]

Your config looks good to me, as what your doing is PAT.

Brent I still having tho's problems!?! Crazy!

Regards,
Darren.

 

[Supergrrover]

silentblue,
Sorry it is a long thread - which problem? The timeout?
I will have new test equipment after the holidays so I should be able to see if it a config issue or if it might be your box.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[silentblue]

The timeout problems, sorry is getting bit long this one.

Regards,
Darren.