NAT/PAT questions ASA5510 1

[jjfbcn]

Hi, I'm new with CISCO, I never have worked before with CISCO so Ihave problems configuring NAT in ASA 5510.

I've configure the outside interface with an IP of my range (113.127.111.176/29)

interface outside 113.127.111.178

I've configure PAT:

global (outside) 1 interface
nat (inside) 1 0 0
nat (dmz) 1 0 0


So now I want to :

1) redirect Web requests to the webserver on the DMZ:

static (dmz,outside) tcp 113.127.111.178

http://www 192.168.10.8

http://www netmask

255.255.255.255

2) redirect incoming mails to the smtp gateway on the DMZ:

static (dmz,outside) tcp 113.127.111.179 smtp 192.168.10.4 smtp netmask 255.255.255.255

3) send e-mails through the same IP I receive them, the smtp server is connected to the inside interface, not to the DMZ:
static (inside,outside) 113.127.111.179 192.168.20.19 netmask 255.255.255.255

Looks like something is wrong...

Thanks in advance,

JjFBcN

 

[NetworkGhost]

try this:
no static (inside,outside) 113.127.111.179 192.168.20.19 netmask 255.255.255.255
access-list 100 permit ip host 192.168.20.19 any
nat (inside) 2 access-list 100
global (outside) 2 113.127.111.179

http://www.wr-mem.com

 

[jjfbcn]

Thank you NetworkGhost, my first problem is that the configuration I have don't allow incoming

http://www traffic

to my website.

I don't know if there may be a problem configuring static PAT (static (dmz,outside) tcp 113.127.111.178

http://www 192.168.10.8

http://www netmask

255.255.255.255) for redirecting

http://www traffic

to the webserver on the DMZ with the same IP I've configured PAT for outbound traffic (global (outside) 1 interface
nat (inside) 1 0 0).

But I will try your suggestion for outbound smtp traffic.

JjFBcN

 

[jjfbcn]

I'm doing a little lab work, and I don't achive the web server in the DMZ...

Using Packet Tracer I receive that:
source: 113.127.111.177:1065
target: 113.127.111.178:80

1 FLOW-LOOKUP false
2 UN-NAT false
static (dmz,outside) tcp 113.127.111.178

http://www 192.168.10.8

http://www netmask

255.255.255.255 match tcp DMZ host 192.168.10.8 eq

http://www INET

any static translation to 113.127.111.178/80 translate_hits = 0, untranslate_hits = 14

3 ROUTE-LOOKUP false
Info
in 113.127.111.178 255.255.255.255 identity

4 ACCESS-LIST true
Config
Implicit Rule

100 RESULT - The packet is dropped. true

The item "translate_hits = 0, untranslate_hits = 14" means that the translation has not been occurred? Why not?! Is it because I'm using the same IP (113.127.111.178) for PAT?

Logs say:

Cisco(config)# %ASA-5-210003: TCP access denied by ACL from 113.127.111.177/58921 to outside:113.127.111.178/80
%ASA-7-210005: TCP request discarded from 213.27.211.177/58921 to outside:113.127.111.178/80
%ASA-3-210003: TCP access denied by ACL from 113.127.111.177/58921 to outside:113.127.111.178/80
%ASA-7-710005: TCP request discarded from 113.127.111.177/58921 to outside:113.127.111.178/80

It says access denied by ACL but I have an ACL allowing access from any to 113.127.111.178 tcp/http applied in interface outside incoming.

Thank you in advance,

JjFBcN

 

[NetworkGhost]

Need to see a scrubbed config. Can you post it?

http://www.wr-mem.com

 

[jjfbcn]

Sorry, right now I'm out of the office...

But my question is more simple than it looks like(I say it just because I've wrote a lot)... If I use an IP for PAT

nat (inside) 1 0 0
global (outside) 1 89.23.21.22

Could I use that IP for redirecting incoming traffic to a web server, mail server or whatever...?

static (inside,outside) tcp 89.23.21.22

http://www 192.168.1.11

8080 netmask 255.255.255.255

¿?

Or I lost that IP for any other use than PAT?

Thank you,

 

[Supergrrover]

Yes, you can still use it for PAT.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[VanZenden]

Hi everyone,

I'm new with Cisco gear & I have problems configuring NAT on ASA 5505.

I'd like to port forward 55512 to my torrent application for incoming connections, but it doesn't work.

Can anyone assist me with that problem?




:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 1K2oIYvXKgScGpA9 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.8.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.68.210 255.0.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ywL5eNY/yDiP2dof encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list TORRENT extended permit tcp host 192.168.8.10 host xxx.xxx.68.210 eq 55512
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.68.210

http://www 192.168.8.10

55512 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route inside 192.168.0.0 255.255.0.0 192.168.8.1 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.68.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.8.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.8.10 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.65.11
dhcpd auto_config outside
!
dhcpd address 192.168.8.80-192.168.8.89 inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.8.10 C:\TFTP-Root
username asa9 password 9UIVSWIp7g..yY9. encrypted
prompt hostname context
Cryptochecksum:208142822b41f827b8835ee3c62140dc
: end

 

[Supergrrover]

VanZenden,
You should start a new thread on this but here you go...

Delete all your access lists. They aren't doing anything and delete this
static (inside,outside) tcp xxx.xxx.68.210

http://www 192.168.8.10

55512 netmask 255.255.255.255

Now
access-list outside_access_in extended permit ip any interface outside eq www
access-list outside_access_in extended permit ip any interface outside eq 55512
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 55512 192.168.8.10 55512 netmask 255.255.255.255

That should do what you want.



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[VanZenden]

Thanks for a quick reply...
Just after I submited my question I noticed that I didn't start a new thread .. I was in a hurry

1.) when I entered this line I received error:

ciscoasa# access-list outside_access_in extended permit ip any interface outsi$

access-list outside_access_in extended permit ip any interface outside eq www
^
ERROR: % Invalid input detected at '^' marker.

Even if I change interace to a IP number it is the same...

2.) I can't delete access-list TORRENT. I've tried clear command and also searched it in ASDM (Security policy), but no luck...

 

[Supergrrover]

You are in exec mode but not in the config mode. You need to type
config t
first.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[VanZenden]

Yeap, usually I am in Config mode, but wasn't this time ...

 

[VanZenden]

i've erased access list Torrent:

ciscoasa(config)# clear configure access-list TORRENT


then i've tride what you recommended, but no go:

ciscoasa(config)# access-list outside_access_in extended permit ip any interfa$

access-list outside_access_in extended permit ip any interface outside eq www
^
ERROR: % Invalid Hostname


I'm missing something?

 

[Supergrrover]

sorry, should be
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 55512



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[VanZenden]

Thanks, it works