Solved

Cisco ASA 5505 inbound nat\pat traffic problem

Posted on 2007-10-19
Last Modified: 2012-06-21
Hello
I'm having trouble getting inbound traffic to work on a Cisco ASA 5505. I have a single public IP and I need SMTP and HTTPS to one server and RDP to another. I've configured the box in the same way I've done with older PIX and IOS versions, but I seem to have got something wrong here. Inbound traffic didn't work in its production environment, so I've got it on the bench with 2 PCs hooked up to it. Packet tracer is failing the NAT rpf-check no matter what I seem to try.

Here's the packet tracer result:

Config
static (inside,outside) tcp 81*** smtp kr*** smtp netmask 255.255.255.255
nat-control
  match tcp inside host kr*** eq 25 outside any
    static translation to 81***/25
    translate_hits = 0, untranslate_hits = 0

And here's the config.

hostname ciscoasa
domain-name default.domain.invalid
enable password F5p/7RbY6NdxtpxB encrypted
names
name 21**** ad***
name 192.168.101.2 kr***
name 192.168.101.3 kr***
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 81.*** 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp host ad*** eq 3389 host kr*** eq 3389
access-list outside_access_in extended permit tcp any eq smtp host kr*** eq smtp
access-list outside_access_in extended permit tcp any eq https host kr*** eq https
access-list outside_access_in extended permit icmp any any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.101.192 255.255.255.192
access-list outside_nat_static extended permit tcp host 81.*** eq smtp host krane01
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool krane 192.168.101.200-192.168.101.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.101.0 255.255.255.0
static (inside,outside) tcp 81.*** https krane01 https netmask 255.255.255.255
static (inside,outside) tcp 81.*** smtp krane01 smtp netmask 255.255.255.255
static (inside,outside) tcp 81.*** 3389 krane02 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 81.** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address krane01-192.168.101.33 inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server inside krane01 tftp-root\asdm-602.bin
webvpn
 enable outside
  auto-signon allow ip 192.168.101.2 255.255.255.255 auth-type basic
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.101.2
 dns-server value 192.168.101.2
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value kr**
username bruker password gRktPqkF/eqBRK8+91kkLw== nt-encrypted privilege 0
username bruker attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool k**
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:8861b66304fa20f1f74f55f9ea304c33
Question by:simonorch
2 Comments

Accepted Solution

by:
theeter earned 1000 total points
ID: 20109537
If 81.x.x.x is your outside interface address you must replace it with the keyword "interface":

static (inside,outside) tcp interface https krane01 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp krane01 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 krane02 3389 netmask 255.255.255.255

Also, your ACLs are wrong.

access-list outside_access_in extended permit tcp host ad*** host 81.x.x.x eq 3389
access-list outside_access_in extended permit tcp any host 81.x.x.x eq smtp
access-list outside_access_in extended permit tcp any host 81.x.x.x eq https
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside

They could also look like this...

access-list outside_access_in extended permit tcp host ad*** interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside

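The two mistakes in the accepted answer (a static whose mapped address is the outside interface IP, and inbound ACL entries written against the real inside host instead of the translated address) are easy to check mechanically. The following is an added example, not code from the thread or from Cisco: a small lint for pre-8.3 ASA/PIX `static` and `access-list` lines that reports both problems, also flags the source-port match (`any eq smtp`) that the corrected ACLs drop, and emits the corrected lines in the form theeter gives above. The sample config is constructed from the poster's original lines; 203.0.113.2 stands in for the redacted 81.x.x.x outside interface address and 198.51.100.7 for the redacted admin host.

```python
"""Lint pre-8.3 ASA/PIX static PAT + ACL pairs for the mistakes fixed in the
accepted answer.  Added example, not code from the thread.  203.0.113.2 and
198.51.100.7 are placeholders for the redacted outside interface and admin IPs."""
import re

# Constructed sample reproducing the poster's original (failing) lines.
SAMPLE_CONFIG = """\
name 192.168.101.2 krane01
name 192.168.101.3 krane02
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.252
access-list outside_access_in extended permit tcp host 198.51.100.7 eq 3389 host krane02 eq 3389
access-list outside_access_in extended permit tcp any eq smtp host krane01 eq smtp
access-list outside_access_in extended permit tcp any eq https host krane01 eq https
access-list outside_access_in extended permit icmp any any
static (inside,outside) tcp 203.0.113.2 https krane01 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.2 smtp krane01 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.2 3389 krane02 3389 netmask 255.255.255.255
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+,\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (.+)$")


def _addr(tok, i, names):
    """Consume one ACL address spec: any | host X | interface IF | NET MASK."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":  # resolve 'name' aliases to the real IP
        return "host " + names.get(tok[i + 1], tok[i + 1]), i + 2
    return tok[i] + " " + tok[i + 1], i + 2  # 'interface outside' or NET MASK


def _port(tok, i):
    """Consume an optional 'eq PORT'."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_config(text):
    names, outside_ip, statics, acls, in_outside = {}, None, [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)
        elif line.startswith("interface "):
            in_outside = False
        elif line == "nameif outside":
            in_outside = True
        elif line.startswith("ip address ") and in_outside:
            outside_ip = line.split()[2]
        elif m := STATIC_RE.match(line):
            ifaces, proto, mapped, mport, real, rport, mask = m.groups()
            statics.append(dict(ifaces=ifaces, proto=proto, mapped=mapped, mport=mport,
                                real=names.get(real, real), rport=rport, mask=mask))
        elif m := ACL_RE.match(line):
            name, proto, body = m.groups()
            tok = body.split()
            src, i = _addr(tok, 0, names)
            sport, i = _port(tok, i)
            dst, i = _addr(tok, i, names)
            dport, _ = _port(tok, i)
            acls.append(dict(name=name, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return dict(outside_ip=outside_ip, statics=statics, acls=acls)


def lint(text):
    """Findings for the errors the answer points out, plus the dropped source-port match."""
    cfg = parse_config(text)
    real_hosts = {"host " + s["real"] for s in cfg["statics"]}
    out = []
    for s in cfg["statics"]:
        if s["mapped"] == cfg["outside_ip"]:
            out.append(f"static {s['real']}/{s['rport']}: mapped address is the outside "
                       "interface IP; use the 'interface' keyword")
    for a in cfg["acls"]:
        if a["dst"] in real_hosts:  # pre-8.3 ACLs match the translated (outside) address
            out.append(f"acl {a['name']} -> {a['dst']}: destination is the real inside host; "
                       "use the mapped address or 'interface outside'")
        if a["sport"] is not None:  # clients connect from ephemeral source ports
            out.append(f"acl {a['name']}: source port 'eq {a['sport']}' never matches clients")
    return out


def rewrite(text):
    """Emit corrected static and access-list lines (names resolved to IPs)."""
    cfg = parse_config(text)
    real_hosts = {"host " + s["real"] for s in cfg["statics"]}
    lines = []
    for s in cfg["statics"]:
        mapped = "interface" if s["mapped"] == cfg["outside_ip"] else s["mapped"]
        lines.append(f"static ({s['ifaces']}) {s['proto']} {mapped} {s['mport']} "
                     f"{s['real']} {s['rport']} netmask {s['mask']}")
    for a in cfg["acls"]:
        dst = "interface outside" if a["dst"] in real_hosts else a["dst"]
        dport = f" eq {a['dport']}" if a["dport"] else ""
        lines.append(f"access-list {a['name']} extended permit {a['proto']} {a['src']} {dst}{dport}")
    return lines


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\n".join(rewrite(SAMPLE_CONFIG)))
```

Running it over the constructed sample reports nine findings (three statics using the interface IP, three ACL entries aimed at the real host, three source-port matches) and prints the corrected lines; running `lint` again over the interface block plus the rewritten lines returns nothing. The address parser only understands the `any`, `host`, `interface` and network/mask forms used on this page, and the whole check applies to pre-8.3 code only, since 8.3 and later ACLs match the real address.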
Author Comment

by:simonorch
ID: 20125184
Many thanks theeter, that did the trick. I didn't realise that you couldn't use the configured outside interface IP and had to use the interface keyword. When using the ASDM to configure NAT, outside\inside are not options you can choose, though if you start to type outside in the relevant field it does come up.

