PMGIT
asked on
Cisco ASA 5510 NAT HELP
HELP PLEASE...
I've just replaced my old pix with an ASA, and my inside translations & access rules are not working as expected. Everything else works okay (access to the Internet, internal access to all pc's servers, etc...) EXCEPT for my internal NAT. Here is the key part of the denial log: (Numbers have been painstakingly chanaged; please be kind if I've missed some, it's getting late :-).
2007|18:56:16|106023|155.2 12.28.58|2 00.190.237 .204|Deny tcp src OUTSIDE:155.212.28.58/2412 7 dst INSIDE:200.190.237.204/149 4 by access-group "OUTSIDE_access_in" [0x0, 0x0] 4|Oct 02 2007|18:56:12|106023|155.2 12.28.58|2 00.190.237 .204|Deny tcp src OUTSIDE:155.212.28.58/2412 9 dst INSIDE:200.190.237.204/149 4 by access-group "OUTSIDE_access_in" [0x0, 0x0] 4|Oct 02 2007|18:56:10|106023|155.2 12.28.58|2 00.190.237 .204|Deny tcp src OUTSIDE:155.212.28.58/2412 7 dst INSIDE:200.190.237.204/149 4 by access-group "OUTSIDE_access_in" [0x0, 0x0] 4|Oct 02 2007|18:52:58|106023|155.2 12.28.58|2 00.190.237 .204|Deny tcp src OUTSIDE:155.212.28.58/2406 6 dst INSIDE:200.190.237.204/149 4 by access-group "OUTSIDE_access_in" [0x0, 0x0] 6|Oct 02 2007|18:52:57|302021|200.1 90.237.1|W TS3|Teardo wn ICMP connection for faddr 200.190.237.1/0 gaddr 200.190.237.253/0 laddr WTS3/1025 6|Oct 02
So, it would appear that acces-group "OUTSIDE_access_in" is denying all translation traffic; but I have no idea why. Here is my sho run...
Result of the command: "sho run"
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
domain-name xxxx.com
enable password xxxx encrypted
names
name 192.168.178.13 CSG1 description
name 192.168.178.2 SVR2 description
name 192.168.178.3 SVR3 description
name 192.168.178.11 CITRIX1 description
name 192.168.178.12 CITRIX2 description
name 192.168.178.211 CITRIX3 description
name 192.168.178.208 CITRIX4 description
name 192.168.178.202 CITRIX5 description
name 192.168.178.210 CITRIX6 description
name 192.168.178.217 CITRIX7 description
name 192.168.178.218 CITRIX8 description
name 192.168.178.10 SVR10 description
name 192.168.178.4 SVR4 description
name 192.168.178.5 SVR5 description
name 192.168.178.7 SVR7 description
name 192.168.178.8 SVR8 description
name 192.168.178.9 SVR9 description
name 192.168.178.203 WTS3 description
name 192.168.178.204 WTS4 description
name 192.168.178.206 WTS6 description
name 192.168.178.205 SVR1 description xxxx
name 192.168.178.249 WS0 description xxxx
dns-guard
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 200.190.237.254 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.178.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name myname.com
same-security-traffic permit inter-interface
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq https
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 5910
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq https
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq www
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq imap4
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq smtp
access-list OUTSIDE_access_in extended permit tcp any host xxxxeq pop3
access-list OUTSIDE_access_in extended permit icmp any any unreachable
access-list OUTSIDE_access_in extended permit icmp any any time-exceeded
access-list OUTSIDE_access_in extended permit icmp any any echo
access-list OUTSIDE_access_in extended permit icmp any any echo-reply
access-list INSIDE_access_out extended permit ip any any
access-list OUTSIDE_access_in_1 extended permit ip any host CSG1
access-list OUTSIDE_1_cryptomap remark xxxx
access-list OUTSIDE_1_cryptomap remark xxxx
access-list OUTSIDE_2_cryptomap remark xxxx
access-list OUTSIDE_2_cryptomap remark xxxx
access-list OUTSIDE_3_cryptomap remark xxxx
access-list OUTSIDE_3_cryptomap remark xxxx
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
ip audit name ATTACK attack action alarm
ip audit name INFO info action alarm
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 200.190.237.253 netmask 255.255.255.0
nat (INSIDE) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) tcp 200.190.237.100 https server1 https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.100 www server1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.9 3389 SVR9 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.8 3389 SVR8 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.7 3389 SVR7 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.3 citrix-ica CITRIX3 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.3 1604 CITRIX3 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.206 citrix-ica WTS6 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.206 1604 WTS6 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.203 citrix-ica WTS3 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.203 1604 WTS3 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.203 3389 WTS3 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.204 citrix-ica WTS4 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.204 1604 WTS4 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 https SVR4 https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 www SVR4 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 imap4 SVR4 imap4 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 smtp SVR4 smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 pop3 SVR4 pop3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.249 5910 WS0 5910 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.251 3389 WS0 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 200.190.237.218 CITRIX8 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 200.190.237.252 CSG1 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_out out interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.190.237.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco rd DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.178.0 255.255.255.0 INSIDE
http 192.168.178.0 255.255.255.0 management
snmp-server host INSIDE SVR3 community xxxSNMP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address xxxx management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
!
username xxx password zQ3oTmmtz5UsZ531 encrypted privilege 15
prompt hostname context
Cryptochecksum:90071a8448d c760ec67cb da7cc36bc0 6
: end
I've just replaced my old pix with an ASA, and my inside translations & access rules are not working as expected. Everything else works okay (access to the Internet, internal access to all pc's servers, etc...) EXCEPT for my internal NAT. Here is the key part of the denial log: (Numbers have been painstakingly chanaged; please be kind if I've missed some, it's getting late :-).
2007|18:56:16|106023|155.2
So, it would appear that acces-group "OUTSIDE_access_in" is denying all translation traffic; but I have no idea why. Here is my sho run...
Result of the command: "sho run"
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
domain-name xxxx.com
enable password xxxx encrypted
names
name 192.168.178.13 CSG1 description
name 192.168.178.2 SVR2 description
name 192.168.178.3 SVR3 description
name 192.168.178.11 CITRIX1 description
name 192.168.178.12 CITRIX2 description
name 192.168.178.211 CITRIX3 description
name 192.168.178.208 CITRIX4 description
name 192.168.178.202 CITRIX5 description
name 192.168.178.210 CITRIX6 description
name 192.168.178.217 CITRIX7 description
name 192.168.178.218 CITRIX8 description
name 192.168.178.10 SVR10 description
name 192.168.178.4 SVR4 description
name 192.168.178.5 SVR5 description
name 192.168.178.7 SVR7 description
name 192.168.178.8 SVR8 description
name 192.168.178.9 SVR9 description
name 192.168.178.203 WTS3 description
name 192.168.178.204 WTS4 description
name 192.168.178.206 WTS6 description
name 192.168.178.205 SVR1 description xxxx
name 192.168.178.249 WS0 description xxxx
dns-guard
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 200.190.237.254 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.178.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name myname.com
same-security-traffic permit inter-interface
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq https
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 5910
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq 3389
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq https
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq www
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq imap4
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq smtp
access-list OUTSIDE_access_in extended permit tcp any host xxxxeq pop3
access-list OUTSIDE_access_in extended permit icmp any any unreachable
access-list OUTSIDE_access_in extended permit icmp any any time-exceeded
access-list OUTSIDE_access_in extended permit icmp any any echo
access-list OUTSIDE_access_in extended permit icmp any any echo-reply
access-list INSIDE_access_out extended permit ip any any
access-list OUTSIDE_access_in_1 extended permit ip any host CSG1
access-list OUTSIDE_1_cryptomap remark xxxx
access-list OUTSIDE_1_cryptomap remark xxxx
access-list OUTSIDE_2_cryptomap remark xxxx
access-list OUTSIDE_2_cryptomap remark xxxx
access-list OUTSIDE_3_cryptomap remark xxxx
access-list OUTSIDE_3_cryptomap remark xxxx
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
ip audit name ATTACK attack action alarm
ip audit name INFO info action alarm
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 200.190.237.253 netmask 255.255.255.0
nat (INSIDE) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) tcp 200.190.237.100 https server1 https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.100 www server1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.9 3389 SVR9 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.8 3389 SVR8 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.7 3389 SVR7 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.3 citrix-ica CITRIX3 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.3 1604 CITRIX3 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.206 citrix-ica WTS6 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.206 1604 WTS6 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.203 citrix-ica WTS3 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.203 1604 WTS3 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.203 3389 WTS3 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.204 citrix-ica WTS4 citrix-ica netmask 255.255.255.255
static (INSIDE,OUTSIDE) udp 200.190.237.204 1604 WTS4 1604 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 https SVR4 https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 www SVR4 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 imap4 SVR4 imap4 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 smtp SVR4 smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.2 pop3 SVR4 pop3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.249 5910 WS0 5910 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 200.190.237.251 3389 WS0 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 200.190.237.218 CITRIX8 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 200.190.237.252 CSG1 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_out out interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.190.237.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.178.0 255.255.255.0 INSIDE
http 192.168.178.0 255.255.255.0 management
snmp-server host INSIDE SVR3 community xxxSNMP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address xxxx management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
!
username xxx password zQ3oTmmtz5UsZ531 encrypted privilege 15
prompt hostname context
Cryptochecksum:90071a8448d
: end
ASKER
Hey QB,
Regarding the services being listed in both the NAT & the ACL; I was under the impression that this was just another way to ensure security. This is how my PIX is setup, and it works... :-)
I set this up with the wizard, thru the gui initially (I know, I know), so a lot of the funky stuff you see is due to that (in particular the "CITRIX3" you referred to is the "description field").
Anyway, if you look at the CSG1 entry, there is no service listed in that translation, and it is denying traffic too with the same exact denial
(2007|18:56:16|106023|155. 212.28.58| 200.190.23 7.204|Deny tcp src OUTSIDE:155.212.28.58/2412 7 dst INSIDE:200.190.237.204/149 4 by access-group "OUTSIDE_access_in" [0x0, 0x0] 4|Oct 02)
and I cannot figure out why the "Outside_access_in" is denying traffic (It must be the implicit deny at the end right???).
I'm at a loss here, and I've tried to strip everything like you mention with the same results. I've even taken all the VPN crypto stuff out (and all the relevant NAT's & ACL's) with the same result.
Regarding the services being listed in both the NAT & the ACL; I was under the impression that this was just another way to ensure security. This is how my PIX is setup, and it works... :-)
I set this up with the wizard, thru the gui initially (I know, I know), so a lot of the funky stuff you see is due to that (in particular the "CITRIX3" you referred to is the "description field").
Anyway, if you look at the CSG1 entry, there is no service listed in that translation, and it is denying traffic too with the same exact denial
(2007|18:56:16|106023|155.
and I cannot figure out why the "Outside_access_in" is denying traffic (It must be the implicit deny at the end right???).
I'm at a loss here, and I've tried to strip everything like you mention with the same results. I've even taken all the VPN crypto stuff out (and all the relevant NAT's & ACL's) with the same result.
>access-group INSIDE_access_out out interface INSIDE
Remove this to start with....
>Deny tcp src OUTSIDE:155.212.28.58/2412 7 dst INSIDE:200.190.237.204/149 4
The destination is port 1494
Does this match up with your access-list where xxxx = 200.190.237.204??
>access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
Which matches this:
>static (INSIDE,OUTSIDE) tcp 200.190.237.204 citrix-ica WTS4 citrix-ica netmask 255.255.255.255
Remove this to start with....
>Deny tcp src OUTSIDE:155.212.28.58/2412
The destination is port 1494
Does this match up with your access-list where xxxx = 200.190.237.204??
>access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica
Which matches this:
>static (INSIDE,OUTSIDE) tcp 200.190.237.204 citrix-ica WTS4 citrix-ica netmask 255.255.255.255
ASKER
lrmoore: I added the >access-group INSIDE_access_out out interface INSIDE< (thru the gui) to allow internal traffic out as there didn't appear to be an "outgoing" rule to allow Internet traffic. I know that in theory it SHOULD allow traffic from high to low (more specifically; from 100 to 0), but this wasn't working (although, I did also have an "ospf cost 10" associated with both interfaces which may have been the cause as well; I ultimately did a "no ospf cost 10" on all interfaces at the same time I added the "INSIDE_access_out" command, so maybe it was coincidence, and in fact not needed. I cannot test it again for another 5 hours (production) so I won't know until then.
Regarding the question of the matching "xxx ="; are you asking if the "xxxx" actually says "WTS4"? If so, yes it does (I'm not sure why I commented these out, and left the others, like I said it was getting late).
Regarding the question of the matching "xxx ="; are you asking if the "xxxx" actually says "WTS4"? If so, yes it does (I'm not sure why I commented these out, and left the others, like I said it was getting late).
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
1. That's what I thought (implicit allow), so it must have been the ospf cost 10 line preventing access out
2. You are correct, I took those references out by doing a "no ospf cost 10"
3. access-list OUTSIDE_access_in extended permit tcp any host 200.190.237.204 eq citrix-ica actually reads...
"access-list OUTSIDE_access_in extended permit tcp any host WTS4 eq citrix-ica"
Are you saying that this is incorrect, and that I shouldn't be specifying the host specifically here?
4. Do you think that the "access-group INSIDE_access_out out interface INSIDE" would prevent the NAT and ACL's from working correctly?
2. You are correct, I took those references out by doing a "no ospf cost 10"
3. access-list OUTSIDE_access_in extended permit tcp any host 200.190.237.204 eq citrix-ica actually reads...
"access-list OUTSIDE_access_in extended permit tcp any host WTS4 eq citrix-ica"
Are you saying that this is incorrect, and that I shouldn't be specifying the host specifically here?
4. Do you think that the "access-group INSIDE_access_out out interface INSIDE" would prevent the NAT and ACL's from working correctly?
3. All I'm saying is that the access-list must reference the EXTernal IP address, and WTS4 references the INTernal IP address per your names list
4. It shouldn't, but want to rule it out. Permit ip any any is default, and explicitly saying permit ip any any is redundant and the ASA doesn't like it.
4. It shouldn't, but want to rule it out. Permit ip any any is default, and explicitly saying permit ip any any is redundant and the ASA doesn't like it.
ASKER
wait, I'm confused; I thought the NAT specified the outside address, and the ACL specified the internal address only???
ASKER
nevermind; that was stupid, sorry...
access-list OUTSIDE_access_in extended permit tcp any host 200.190.237.204 eq citrix-ica - gotcha
Now; you're saying let the translation be the "map" from the outside to the inside, and this is how the ASA knows that 200.190.237.204 actually = WTS4 (or 192.168.178.x) correct? and that would be someting like the following?
static (inside,outside) tcp 200.190.237.204 citrix-ica 192.168.178.204 citrix-ica netmask 255.255.255.255 0 0
access-list OUTSIDE_access_in extended permit tcp any host 200.190.237.204 eq citrix-ica - gotcha
Now; you're saying let the translation be the "map" from the outside to the inside, and this is how the ASA knows that 200.190.237.204 actually = WTS4 (or 192.168.178.x) correct? and that would be someting like the following?
static (inside,outside) tcp 200.190.237.204 citrix-ica 192.168.178.204 citrix-ica netmask 255.255.255.255 0 0
Now you're getting the hang of it.
ASKER
I think I just may be... :-) The light bulb came on thanks again to you!
I would start with just one server to see if you can get that working. What i see are some strange things in your setup of the services your advertising and this is how i would do it as a test anyway for 1 server as follows:
name 192.168.178.211 CITRIX3 <-- drop the description part if you can - NOT SURE IF THAT WAS ADDED BY YOU OR THE ASA.
access-list OUTSIDE_access_in extended permit tcp any host xxxx eq citrix-ica <-- LOOKS OK
access-list OUTSIDE_access_in extended permit udp any host xxxx eq 1604 <-- LOOKS OK
static (INSIDE,OUTSIDE) tcp 200.190.237.3 citrix-ica CITRIX3 citrix-ica netmask 255.255.255.255 <-- remove the part citrix-ica - WHY IS THE SERVICE LISTED IN THE TRANSLATION YOU LISTED IT IN THE ACCESS-LIST. Again this could be an ASA thing but for testing i would remove it.