Solved

Problem with NAT/PAT on ASA5505

Posted on 2009-07-12
Last Modified: 2012-06-22
This is urgent so please help ASAP if you can at all! Thank you!!

I'm having an issue with an ASA 5505 for a client of mine. They had a PIX for years but it has recently died. We put in a 1711 we had kicking around just to get by temporarily until the ASA could arrive. The 1711 works best kind. The environment is very simple -- a single SBS machine and a Barracuda. The outside IP for the device is x.x.x.218 (/29), and there is PAT set up as follows for the outside IP of x.x.x.219:

1. HTTPS is directed to the server (to allow access to webmail and RPC over HTTPS)
2. RDP is directed to the server (this is just temporary of course, but I list it here since it's in the config below)
3. SMTP is directed to the Barracuda

* Everything else is just an overload on .218.

The server has IP of 192.168.1.2 and the Barracuda is 192.168.1.3

With the 1711 in place, it works perfectly fine. When I put in the ASA however, it is giving me a real headache. Basically, it won't let me use the PAT for the .219 IP. However, if I use .221 or something instead, it works perfectly! For testing, I added identical access-list entries for .219 and .221 to allow 25, 443, and 3389 in. I then just change my PAT rule accordingly. One works, the other doesn't. It's like the .219 IP won't work no matter what I do if I'm using PAT.

Below are two running configs. The one using .221 works fine, the other doesn't. If you compare them, the only difference is the following line:

WORKS
static (inside,outside) tcp x.x.x.221 smtp barracuda smtp netmask 255.255.255.255

DOESN'T WORK
static (inside,outside) tcp mail.domain.com smtp barracuda smtp netmask 255.255.255.255

Can anyone suggest why this doesn't work? I am completely stumped. I've even reset the ASA back to factory default and built it from scratch again. Thanks.
=====================================
THIS WORKS
=====================================
: Saved
:
ASA Version 8.2(1) 
!
hostname CompanyASA
domain-name domain.local
enable password XYZ encrypted
passwd XYZ encrypted
names
name 192.168.1.2 server1 description server1
name x.x.x.219 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.218 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
object-group service RDP tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.221 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit object-group TCPUDP any any eq domain 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.221 https server1 https netmask 255.255.255.255 
static (inside,outside) tcp x.x.x.221 smtp barracuda smtp netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username user1 password 54N2GBB19GsoJT5J encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5f285f1ab41af355c960184974b9e8d2
: end
 
 
=====================================
THIS DOES NOT WORK
=====================================
: Saved
:
ASA Version 8.2(1) 
!
hostname CompanyASA
domain-name domain.local
enable password XYZ encrypted
passwd XYZ encrypted
names
name 192.168.1.2 server1 description server1
name x.x.x.219 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.218 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
object-group service RDP tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.221 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit object-group TCPUDP any any eq domain 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.221 https server1 https netmask 255.255.255.255 
static (inside,outside) tcp mail.domain.com smtp barracuda smtp netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username user1 password 54N2GBB19GsoJT5J encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5f285f1ab41af355c960184974b9e8d2
: end

Question by:dave_hickman
6 Comments
 

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 166 total points
ID: 24835197
Hi,

If you changed something in the access-list, afterwards you must type clear xlate!
After that the access-list and NAT will work correctly!
 

Accepted Solution

by:
bignewf earned 167 total points
ID: 24835284
Agree with above, as the PIX/ASA will hold a translation slot open until cleared by
"clear xlate"

I am a bit confused though: are you trying to use port forwarding on the .219 IP for these servers?
Normally, you do port forwarding when you have one static IP, which is the outside interface of the ASA, and forward traffic coming in via the one IP to different ports.
I see you have the .218 as the external IP of the outside interface. Is this your goal, to port forward using the .219 IP?

Since you have several static IPs, have you tried the static NAT command with the .219?

static (inside,outside) [inside ip of server] public ip of server 255.255.255.255 0 0

and use static NAT for each server, if you have enough IPs,
then apply inbound access-lists allowing traffic on the selected ports, such as 25 to the Barracuda.

Does the .219 work in the above manner with static NAT?

However, as ikalmar pointed out, a clear xlate is necessary when changing NAT rules.
Also, what were the errors in the debugging output when .219 was used in your testing?

 

Expert Comment

by:pgolding00
ID: 24837025
bignewf has the addresses in the static around the wrong way. It should be:
static (high security, low security) low-security-interface-address high-security-interface-address
or more simply
static (in,out) out-addr in-addr

If clearing xlate does not resolve it, remove the name statement for .219, then have a look at sh run. I suspect you might just be changing the name statement, assuming that will update all references to the name? Removing the name statement will then show the remaining commands (static, acl etc.) with addresses, and I believe you will find they need updating for the new address .219! Therefore, you need to update the static and ACL along with the name to effect an address change of a named host, rather than expect that changing the name will do it for you.

This behavior may have been changed in recent code, but I know versions 5 and 6 worked as I describe.
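
Two things in this thread are easy to check mechanically once the name aliases are expanded: which real addresses the statics and the inbound ACL actually reference (the point pgolding00 raises about name statements), and whether the "THIS WORKS" and "THIS DOES NOT WORK" configs really differ in only that one static line. The script below is an added example and not code from the thread or from Cisco. It works on constructed fragments of the posted configs, with the masked x.x.x.216/29 replaced by the documentation block 203.0.113.216/29, and it relies on the 8.2 behaviour visible in the posted ACLs: inbound permits name the mapped (global) address, not the inside host.

```python
"""Expand ASA 8.2 'name' aliases, then inspect and diff static PAT rules.

Added example, not from the thread. The fragments below are constructed from
the poster's configs with the masked x.x.x.216/29 replaced by 203.0.113.216/29.
"""
import difflib
import re

# Constructed stand-in for the thread's "THIS WORKS" config (NAT/ACL lines only).
CFG_WORKS = """\
names
name 192.168.1.2 server1 description server1
name 203.0.113.219 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
access-list outside_access_in extended permit tcp any host 203.0.113.221 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 203.0.113.221 https server1 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.221 smtp barracuda smtp netmask 255.255.255.255
"""

# The "THIS DOES NOT WORK" variant: only the SMTP static differs, and it uses the alias.
CFG_BROKEN = CFG_WORKS.replace(
    "tcp 203.0.113.221 smtp barracuda smtp",
    "tcp mail.domain.com smtp barracuda smtp",
)

NAME_RE = re.compile(r"^name (\S+) (\S+)")
# static (real_if,mapped_if) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+)")


def load_names(cfg):
    """Map alias -> IP from the 'name' statements."""
    names = {}
    for line in cfg.splitlines():
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def expand_names(cfg):
    """Rewrite every alias to its IP, as 'no names' would make 'show run' display it."""
    names = load_names(cfg)
    out = []
    for line in cfg.splitlines():
        if NAME_RE.match(line):
            continue  # drop the alias definitions themselves
        out.append(" ".join(names.get(tok, tok) for tok in line.split(" ")))
    return "\n".join(out) + "\n"


def static_pats(cfg):
    """List (mapped_ip, mapped_port, real_ip, real_port) for each static PAT."""
    rules = []
    for line in expand_names(cfg).splitlines():
        m = STATIC_RE.match(line)
        if m:
            _real_if, _mapped_if, gip, gport, lip, lport = m.groups()
            rules.append((gip, gport, lip, lport))
    return rules


def acl_hosts(cfg, acl="outside_access_in"):
    """Destination IPs the inbound ACL permits (8.2 ACLs match the mapped address)."""
    hosts = set()
    for line in expand_names(cfg).splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl:
            hosts.add(m.group(2))
    return hosts


def unpermitted_pats(cfg):
    """Static PATs whose mapped IP no inbound permit covers. Checks the IP only,
    not the port object-groups, so a clean result still needs a look at those."""
    allowed = acl_hosts(cfg)
    return [r for r in static_pats(cfg) if r[0] not in allowed]


def normalised_diff(cfg_a, cfg_b):
    """Changed lines after alias expansion, so an alias can't hide (or fake) a change."""
    a = expand_names(cfg_a).splitlines()
    b = expand_names(cfg_b).splitlines()
    return [l for l in difflib.unified_diff(a, b, lineterm="", n=0)
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for label, cfg in (("works", CFG_WORKS), ("broken", CFG_BROKEN)):
        print(label, static_pats(cfg), "unpermitted:", unpermitted_pats(cfg))
    print("\n".join(normalised_diff(CFG_WORKS, CFG_BROKEN)))
```

Run against the two constructed fragments, the diff shows the mapped address 203.0.113.219 in the "broken" static once the alias is expanded, and neither config has a static whose mapped IP lacks an inbound permit, which is consistent with the poster finding the configs themselves were not the problem.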

Author Comment

by:dave_hickman
ID: 24839083
Hey guys, I have it working now. I forgot to mention but I was doing a 'clear xlate' between all tests. I ended up getting it working after by power cycling the DSL modem, and re-creating my ASA config from scratch again. Stupid me, I didn't power cycle the DSL modem at all before that, and I'm thinking it had something stuck somehow. My config now is identical and it is working fine. I'm guessing I could have just pulled the power on the DSL and it would have started working right away.

So that I know what to look for in the future and prevent a similar hang-up again, does anyone know what technically would have been the issue with this? Was it an ARP table issue on the DSL modem perhaps, and stuff was never even reaching the ASA (because the access-list hit count was never increasing, so it's like the ASA wasn't seeing anything at all)?
 

Assisted Solution

by:pgolding00
pgolding00 earned 167 total points
ID: 24839269
It could have been an old ARP entry in the DSL modem that came from when you had the router in there, assuming the router also had a translation for .219. With everything rebooted, all the logs will be gone now, so we can't really confirm it.
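
The stale-ARP theory above can be checked before anything is rebooted, provided the upstream device will show its neighbour cache: every public address the ASA owns (its outside address plus every mapped address used in a static, which the ASA proxy-ARPs for) should resolve to the ASA's outside MAC, and an entry still pointing at the old router's MAC explains traffic that never reaches the ASA and an access-list hit count that never moves. The script below is an added example, not from the thread. Its neighbour table is constructed in Linux ip neigh format as a stand-in for whatever the DSL modem can display, both MACs are invented, and 203.0.113.216/29 replaces the masked x.x.x.216/29.

```python
"""Flag upstream ARP/neighbour entries that point an ASA-owned address at another MAC.

Added example, not from the thread. All inputs are constructed: the neighbour
table is in Linux `ip neigh` format standing in for the DSL modem's cache, the
MACs are invented, and 203.0.113.216/29 replaces the thread's masked x.x.x.216/29.
"""
import ipaddress
import re

# Assumed MAC of the ASA's outside interface (on the ASA: show interface Vlan2).
ASA_OUTSIDE_MAC = "00:1b:d4:aa:bb:cc"

# Public addresses the ASA must answer ARP for: the outside interface address
# plus every mapped address that appears in a static translation.
ASA_OWNED = {"203.0.113.218", "203.0.113.219", "203.0.113.221"}

# Constructed neighbour table as the upstream side of the /29 would show it.
# .219 still carries the old router's MAC (00:0c:85:11:22:33) from before the swap.
UPSTREAM_NEIGH = """\
203.0.113.218 dev eth0 lladdr 00:1b:d4:aa:bb:cc REACHABLE
203.0.113.219 dev eth0 lladdr 00:0c:85:11:22:33 STALE
203.0.113.221 dev eth0 lladdr 00:1b:d4:aa:bb:cc REACHABLE
203.0.113.222 dev eth0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))? (\S+)$")


def parse_neigh(text):
    """Return {ip: (mac_or_None, state)} for each neighbour line."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            ip, _dev, mac, state = m.groups()
            table[ip] = (mac.lower() if mac else None, state)
    return table


def misdirected_entries(neigh_text, owned=ASA_OWNED, asa_mac=ASA_OUTSIDE_MAC,
                        prefix="203.0.113.216/29"):
    """Owned addresses whose cached MAC is not the ASA's: {ip: (mac, state)}.

    Addresses with no entry are not reported; a fresh ARP request will fill
    them in correctly. Only an entry pointing at another MAC sends traffic
    for that address somewhere other than the ASA until the entry ages out.
    """
    net = ipaddress.ip_network(prefix)
    table = parse_neigh(neigh_text)
    bad = {}
    for ip in sorted(owned, key=ipaddress.ip_address):
        if ipaddress.ip_address(ip) not in net:
            continue  # not on this segment, so this cache cannot affect it
        mac, state = table.get(ip, (None, "MISSING"))
        if mac is not None and mac != asa_mac.lower():
            bad[ip] = (mac, state)
    return bad


if __name__ == "__main__":
    for ip, (mac, state) in misdirected_entries(UPSTREAM_NEIGH).items():
        print(f"{ip}: upstream has {mac} ({state}), ASA is {ASA_OUTSIDE_MAC}")
```

On the constructed table only .219 is reported, which matches the symptom in the thread: .221 worked because the upstream learned the ASA's MAC for it fresh, while .219 had been answered by the 1711 and was still cached. Clearing that one entry upstream, or waiting for it to age out, is the alternative to power-cycling the modem.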
Author Closing Comment

by:dave_hickman
ID: 31602582
Assigning split points between you. Thanks guys, she's up and working now.