Problem with NAT/PAT on ASA5505

Posted on 2009-07-12
Last Modified: 2012-06-22
This is urgent so please help ASAP if you can at all! Thank you!!

I'm having an issue with an ASA 5505 for a client of mine. They had a PIX for years but it has recently died. We put in a 1711 we had kicking around just to get by temporarily until the ASA could arrive. The 1711 works best kind. The environment is very simple -- a single SBS machine and a Barracuda. The outside IP for the device is x.x.x.218 (/29), and PAT is set up as follows for the outside IP of x.x.x.219:

1. HTTPS is directed to the server (to allow access to webmail and RPC over HTTPS)
2. RDP is directed to the server (this is just temporary of course, but I list it here since it's in the config below)
3. SMTP is directed to the Barracuda

* Everything else is just an overload on .218.

The server has IP of 192.168.1.2 and the Barracuda is 192.168.1.3

With the 1711 in place, it works perfectly fine. When I put in the ASA, however, it is giving me a real headache. Basically, it won't let me use the PAT for the .219 IP. However, if I use .221 or something instead, it works perfectly! For testing, I added identical access-list entries for .219 and .221 to allow 25, 443, and 3389 in. I then just change my PAT rule accordingly. One works, the other doesn't. It's like the .219 IP won't work no matter what I do if I'm using PAT.

Below are two running configs. The one using .221 works fine, the other doesn't. If you compare them, the only difference is the following line:

WORKS
static (inside,outside) tcp x.x.x.221 smtp barracuda smtp netmask 255.255.255.255

DOESN'T WORK
static (inside,outside) tcp mail.domain.com smtp barracuda smtp netmask 255.255.255.255

Can anyone suggest why this doesn't work? I am completely stumped. I've even reset the ASA back to factory default and built it from scratch again. Thanks.
=====================================

THIS WORKS

=====================================

: Saved
:
ASA Version 8.2(1)
!
hostname CompanyASA
domain-name domain.local
enable password XYZ encrypted
passwd XYZ encrypted
names
name 192.168.1.2 server1 description server1
name x.x.x.219 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.218 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
object-group service RDP tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.221 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit object-group TCPUDP any any eq domain
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.221 https server1 https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.221 smtp barracuda smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username user1 password 54N2GBB19GsoJT5J encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5f285f1ab41af355c960184974b9e8d2
: end

=====================================

THIS DOES NOT WORK

=====================================

: Saved
:
ASA Version 8.2(1)
!
hostname CompanyASA
domain-name domain.local
enable password XYZ encrypted
passwd XYZ encrypted
names
name 192.168.1.2 server1 description server1
name x.x.x.219 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.218 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
object-group service RDP tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.221 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit object-group TCPUDP any any eq domain
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.221 https server1 https netmask 255.255.255.255
static (inside,outside) tcp mail.domain.com smtp barracuda smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username user1 password 54N2GBB19GsoJT5J encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5f285f1ab41af355c960184974b9e8d2
: end

Question by:dave_hickman

Assisted Solution by: Istvan Kalmar (earned 166 total points)
Hi,

If you changed something in the access-list, afterwards you must type clear xlate!
After that the access-list and NAT will work correctly!

Accepted Solution by: bignewf (earned 167 total points)
Agree with above, as the PIX/ASA will hold a translation slot open until cleared by
"clear xlate".

I am a bit confused though: are you trying to use port forwarding on the .219 IP for these servers?
Normally, you do port forwarding when you have one static IP, which is the outside interface of the ASA, and forward traffic coming in via the one IP to different ports.
I see you have the .218 as the external IP of the outside interface. Is this your goal, to port forward using the .219 IP?

Since you have several static IPs, have you tried the static NAT command with the .219?

static (inside,outside) [inside ip of server] public ip of server 255.255.255.255 0 0
and use static NAT for each server, if you have enough IPs,
then apply inbound access-lists allowing traffic on the selected ports such as 25 to the Barracuda.

Does the .219 work in the above manner with static NAT?

However, as ikalmar pointed out, a clear xlate is necessary when changing NAT rules.
Also, what were the errors in the debugging output when .219 was used in your testing?

Expert Comment by: pgolding00
bignewf has the addresses in the static around the wrong way. It should be:
static (high security, low security) low-security-interface-address high-security-interface-address
or more simply
static (in,out) out-addr in-addr

If clearing xlate does not resolve it, remove the name statement for .219, then have a look at sh run. I suspect you might just be changing the name statement, assuming that will update all references to the name? Removing the name statement will then show the remaining commands (static, acl etc) with addresses, and I believe you will find they need updating for the new address 219! Therefore, you need to update the static and acl along with the name to effect an address change of a named host, rather than expect that changing the name will do it for you.

This behavior may have been changed in recent code, but I know versions 5 and 6 worked as I describe.
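As an added example (not from the thread, Cisco, or any poster), a small Python audit in the spirit of pgolding00's point: it expands `name` aliases the way `show run` would, checks each static PAT against the outside subnet and the inbound ACL, and diffs two configs after expansion so the real difference is visible. The addresses are constructed (203.0.113.0/29 stands in for x.x.x.x) and it assumes the pre-8.3 `static`/`access-list` syntax shown in the question.

```python
import re
from ipaddress import ip_address, ip_interface
# Constructed ASA 8.2-style fragments mirroring the thread's setup, with
# documentation addresses (203.0.113.0/29) standing in for x.x.x.x.
WORKING = """\
name 192.168.1.2 server1 description server1
name 203.0.113.3 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.248
access-list outside_access_in extended permit tcp any host 203.0.113.5 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2
static (inside,outside) tcp 203.0.113.5 https server1 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.5 smtp barracuda smtp netmask 255.255.255.255
"""
BROKEN = WORKING.replace("tcp 203.0.113.5 smtp barracuda", "tcp mail.domain.com smtp barracuda")

def parse_names(cfg):
    """Map each 'name <ip> <alias>' statement to its address."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}

def resolve(line, names):
    """Expand name aliases to the addresses they stand for."""
    return " ".join(names.get(tok, tok) for tok in line.split())

def outside_network(cfg):
    """Subnet of the interface carrying 'nameif outside' (assumes exactly one)."""
    m = re.search(r"nameif outside\n(?: .*\n)*? ip address (\S+) (\S+)", cfg)
    return ip_interface(f"{m.group(1)}/{m.group(2)}").network

def audit_statics(cfg):
    """Check each inside->outside TCP static: global IP in the outside subnet, and an inbound ACL naming that host."""
    names, net = parse_names(cfg), outside_network(cfg)
    lines = [resolve(l, names) for l in cfg.splitlines()]
    acl_hosts = {m.group(1) for l in lines if (m := re.match(r"access-list \S+ extended permit \S+ any host (\S+)", l))}
    findings = []
    for l in lines:
        m = re.match(r"static \(inside,outside\) tcp (\S+) (\S+) (\S+) \S+", l)
        if m:
            g, port, local = m.groups()
            findings.append({"global": g, "port": port, "local": local,
                             "in_subnet": ip_address(g) in net, "acl": g in acl_hosts})
    return findings

def resolved_diff(a, b):
    """Config lines that differ once names are expanded on both sides."""
    ra = {resolve(l, parse_names(a)) for l in a.splitlines()}
    rb = {resolve(l, parse_names(b)) for l in b.splitlines()}
    return sorted(ra ^ rb)
```

Both configs pass every check here, which matches where the thread ends up: once the box's own translation and ACL state are consistent, the next places to look are stale xlate entries on the ASA and stale ARP on the upstream device.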
Author Comment by: dave_hickman
Hey guys, I have it working now. I forgot to mention, but I was doing a 'clear xlate' between all tests. I ended up getting it working afterwards by power cycling the DSL modem and re-creating my ASA config from scratch again. Stupid me, I didn't power cycle the DSL modem at all before that, and I'm thinking it had something stuck somehow. My config now is identical and it is working fine. I'm guessing I could have just pulled the power on the DSL and it would have started working right away.

So that I know what to look for in the future and prevent a similar hang-up again, does anyone know what technically would have been the issue with this? Was it an ARP table issue on the DSL modem perhaps, and stuff was never even reaching the ASA (because the access-list hit count was never increasing, so it's like the ASA wasn't seeing anything at all)?

Assisted Solution by: pgolding00 (earned 167 total points)
It could have been an old ARP entry in the DSL modem that came from when you had the router in there, assuming the router also had a translation for .219. With everything rebooted all the logs will be gone now, so we can't really confirm it now.
Author Closing Comment by: dave_hickman
Assigning split points between you. Thanks guys, she's up and working now.