Basic ASA config question

[GremlinHunter]

I am trying to set up our ASA to allow inbound connections to some internal web servers. At the moment I am just trying to get anything from outside inside and having little luck doing it.

The following config keeps throwing "No transaction group found for tcp ..." which makes sense since I do not have a NAT set for outside -> inside. However if I setup a port translation like "nat (ouside) 5 xxx.yyy.0.0 255.255.128.0 outside" I still can not get any inbound and lose my outbound connections to boot. Can anyone tell me what I am missing here?

config:

 mtu management 1500
ip local pool OUTSIDE xxx.yyy.100.2 mask 255.255.128.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 5 interface
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.100.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:76ede7627cb9b9dfcfaeba6329a5bacf
: end

 

[Supergrrover]

Delete this line
global (inside) 5 interface

Now add this
static (inside,outside) tcp interface 80 [InteralIP] 80 netmask 255.255.255.255

Make sure that your ACL allows this. You did not post it so I can't check. You will need a line like
access-list outside_access_in permit tcp any host interface eq 80


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[GremlinHunter]

Tried that with no luck. Also gave "static (inside,outside) interface 192.168.12.246" a shot and still getting the No translation group found.

Sorry about the config post. Thought I did a select all, guess not... Be nice if you could edit old posts.

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4) 
!
hostname ciscoasa
domain-name foo
enable password fud encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.yyy.100.15 255.255.128.0 
!
interface Ethernet0/1
 nameif inside
 security-level 75
 ip address 192.168.12.246 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool OUTSIDE xxx.yyy.100.2 mask 255.255.128.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 5 interface
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.100.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:fud+n
: end

 

[Supergrrover]

Take out this line
global (inside) 5 interface

Then try the others from above post.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[GremlinHunter]

I tried taking out the global, the code I posted the second time was just a complete copy of the origional code. This is the code block after the changes you mentioned:

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4) 
!
hostname ciscoasa
domain-name foo
enable password bar encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.yyy.100.15 255.255.128.0 
!
interface Ethernet0/1
 nameif inside
 security-level 75
 ip address 192.168.12.246 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool OUTSIDE xxx.yyy.100.2 mask 255.255.128.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface [URL unfurl="true"]www 192.168.12.246[/URL] [URL unfurl="true"]www netmask[/URL] 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.100.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:poof
: end

Is it normal to specify the inbound port? I thought it was normally somewhat random? At least old and firewall and this one seem to show inbound stuff as random source port.

"No translation group found for tcp src outside:xxx.yyy.100.1/338885 dst inside 192.168.12.25/80"

As a side note the xxx.yyy.100.1 is the old firewalls external interface. It is rerouting traffic to 192.168.12.25 to the ASA.

 

[Supergrrover]

OK, that totally confused me. How do you have this set up? (diagram)

static (inside,outside) tcp interface

http://www 192.168.12.246

http://www netmask

255.255.255.255
This line says to listen on port 80 for traffic and then forward that traffic to the inside address of the server at port 80. Change the static's "192.168.12.246" to the IP of the internal web server.

What are you trying to do with this line?
ip local pool OUTSIDE xxx.yyy.100.2 mask 255.255.128.0
Try taking it out.





Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[GremlinHunter]

Layout is basicaly this:

        /- (192.168.12.246) ASA5510 (x.y.100.15)  -\
Private-                                            - Hub - Public
        \- (192.168.12.248) Watchguard (x.y.100.1 -/

Test web server on private is 192.168.12.25

Public network routes to Watchguard external interface.

Watchguard routes packets to 192.168.12.25 (old web server) to the ASA5510 external interface.

ASA5510 is showing the routed packets as from external interface on Watchguard (x.y.100.1)

What are you trying to do with this line?
ip local pool OUTSIDE xxx.yyy.100.2 mask 255.255.128.0
Try taking it out.

Looks to be a left over statement from tinkering I did last week or so. Hmm, Curious, that does not even show under ASDM unless I show running config. Guess that is another case of why GUI can be bad to learn on.

static (inside,outside) tcp interface

http://www 192.168.12.246

http://www netmask

255.255.255.255
This line says to listen on port 80 for traffic and then forward that traffic to the inside address of the server at port 80. Change the static's "192.168.12.246" to the IP of the internal web server.

Still getting the darn No translation group error.