Problem with NAT/PAT on ASA5505

Posted on 2009-07-12
Last Modified: 2012-06-22
This is urgent so please help ASAP if you can at all! Thank you!!

I'm having an issue with an ASA 5505 for a client of mine. They had a PIX for years but it has recently died. We put in a 1711 we had kicking around just to get by temporarily until the ASA could arrive. The 1711 works best kind. The environment is very simple -- a single SBS machine and a Barracuda. The outside IP for the device is x.x.x.218 (/29), and there is PAT set up as follows for the outside IP of x.x.x.219

1. HTTPS is directed to the server (to allow access to webmail and RPC over HTTPS)
2. RDP is directed to the server (this is just temporary of course, but I list it here since it's in the config below)
3. SMTP is directed to the Barracuda

* Everything else is just an overload on .218.

The server has IP of 192.168.1.2 and the Barracuda is 192.168.1.3

With the 1711 in place, it works perfectly fine. When I put in the ASA however, it is giving me a real headache. Basically, it won't let me use the PAT for the .219 IP. However, if I use .221 or something instead, it works perfectly! For testing, I added identical access-list entries for .219 and .221 to allow 25, 443, and 3389 in. I then just change my PAT rule accordingly. One works, the other doesn't. It's like the .219 IP won't work no matter what I do if I'm using PAT.

Below are two running configs. The one using .221 works fine, the other doesn't. If you compare them, the only difference is the following line:

WORKS
static (inside,outside) tcp x.x.x.221 smtp barracuda smtp netmask 255.255.255.255

DOESN'T WORK
static (inside,outside) tcp mail.domain.com smtp barracuda smtp netmask 255.255.255.255

Can anyone suggest why this doesn't work? I am completely stumped. I've even reset the ASA back to factory default and built it from scratch again. Thanks.
=====================================
THIS WORKS
=====================================
: Saved
:
ASA Version 8.2(1) 
!
hostname CompanyASA
domain-name domain.local
enable password XYZ encrypted
passwd XYZ encrypted
names
name 192.168.1.2 server1 description server1
name x.x.x.219 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.218 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
object-group service RDP tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.221 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit object-group TCPUDP any any eq domain 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.221 https server1 https netmask 255.255.255.255 
static (inside,outside) tcp x.x.x.221 smtp barracuda smtp netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username user1 password 54N2GBB19GsoJT5J encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5f285f1ab41af355c960184974b9e8d2
: end
 
 
=====================================
THIS DOES NOT WORK
=====================================
: Saved
:
ASA Version 8.2(1) 
!
hostname CompanyASA
domain-name domain.local
enable password XYZ encrypted
passwd XYZ encrypted
names
name 192.168.1.2 server1 description server1
name x.x.x.219 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.218 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
object-group service RDP tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.221 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit object-group TCPUDP any any eq domain 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.221 https server1 https netmask 255.255.255.255 
static (inside,outside) tcp mail.domain.com smtp barracuda smtp netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username user1 password 54N2GBB19GsoJT5J encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5f285f1ab41af355c960184974b9e8d2
: end

Question by:dave_hickman
6 Comments
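The question hinges on comparing two running-configs in which the `name` aliases (mail.domain.com, server1, barracuda) hide what the NAT and ACL lines actually resolve to. The script below is an added example, not code from the thread or from Cisco: it expands the ASA 8.2 `name` aliases, diffs the two configs token by token so that an alias and its literal address are not reported as different, and lists which global addresses the `static` entries claim. The two config strings are constructed excerpts of the configs in the question, trimmed to the NAT/ACL lines, with the redacted x.x.x.* replaced by the RFC 5737 documentation block 203.0.113.*.

```python
import difflib
import re

# Constructed excerpt of the "THIS WORKS" config from the question (x.x.x.* -> 203.0.113.*).
WORKING = """\
names
name 192.168.1.2 server1 description server1
name 203.0.113.219 mail.domain.com description mail.domain.com
name 192.168.1.3 barracuda description barracuda
access-list outside_access_in extended permit tcp any host 203.0.113.221 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 203.0.113.221 https server1 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.221 smtp barracuda smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# The "THIS DOES NOT WORK" config differs only in the SMTP static, as the poster says.
BROKEN = WORKING.replace(
    "static (inside,outside) tcp 203.0.113.221 smtp barracuda",
    "static (inside,outside) tcp mail.domain.com smtp barracuda",
)


def parse_names(config: str) -> dict:
    """Return {alias: ip} from every `name <ip> <alias> ...` line."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"^name\s+(\S+)\s+(\S+)", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def expand_names(config: str) -> list:
    """Config lines with aliases replaced by their addresses; the name lines are dropped."""
    names = parse_names(config)
    out = []
    for line in config.splitlines():
        if line.strip() == "names" or re.match(r"^name\s", line):
            continue
        # Replace whole tokens only, so "server1" cannot clobber part of another word.
        tokens = [names.get(t, t) for t in line.split(" ")]
        out.append(" ".join(tokens).rstrip())
    return out


def config_diff(a: str, b: str) -> list:
    """Lines that still differ once aliases are expanded (only the '-'/'+' lines)."""
    diff = difflib.unified_diff(expand_names(a), expand_names(b), lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("-", "+")) and not l.startswith(("---", "+++"))]


def static_global_ips(lines: list) -> set:
    """Outside-side addresses claimed by static NAT or static PAT entries."""
    ips = set()
    for line in lines:
        m = re.match(r"^static \(\w+,\w+\) (?:tcp |udp )?(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            ips.add(m.group(1))
    return ips


if __name__ == "__main__":
    for line in config_diff(WORKING, BROKEN):
        print(line)
    print("global addresses in statics:", sorted(static_global_ips(expand_names(BROKEN))))
```

Run against the real configs, the expanded diff comes out as a single `static` line moving from .221 to .219, which is what the poster observed by eye; the value of doing it mechanically is that it rules out a hidden difference (a stale alias, an ACL still pointing at the old address) before you start suspecting the box, and it tells you exactly which public addresses the ASA now has to answer ARP for.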
 

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 498 total points
ID: 24835197
Hi,

If you change something in the access-list, afterwards you must type clear xlate!
After that the access-list and NAT will work correctly!
 

Accepted Solution

by:bignewf
bignewf earned 501 total points
ID: 24835284
Agree with above, as the PIX/ASA will hold a translation slot open until cleared by
"clear xlate"

I am a bit confused though: are you trying to use port forwarding on the .219 IP for these servers?
Normally, you do port forwarding when you have one static IP, which is the outside interface of the ASA, and forward traffic coming in via the one IP to different ports.
I see you have the .218 as the external IP of the outside interface. Is this your goal, to port forward using the .219 IP?

Since you have several static IPs, have you tried the static NAT command with the .219?

static (inside,outside) [inside ip of server] public ip of server 255.255.255.255 0 0
and use static NAT for each server, if you have enough IPs,
then apply inbound access-lists allowing traffic on the selected ports such as 25 to the Barracuda.

Does the .219 work in the above manner with static NAT?

However, as ikalmar pointed out, a clear xlate is necessary when changing NAT rules.
Also, what were the errors in the debugging output when .219 was used in your testing?

 

Expert Comment

by:pgolding00
ID: 24837025
bignewf has the addresses in the static around the wrong way - it should be:
static (high security, low security) low-security-interface-address high-security-interface-address
or more simply
static (in,out) out-addr in-addr

If clearing xlate does not resolve it, remove the name statement for .219, then have a look at sh run. I suspect you might just be changing the name statement, assuming that will update all references to the name? Removing the name statement will then show the remaining commands (static, ACL etc.) with addresses, and I believe you will find they need updating for the new address .219! Therefore, you need to update the static and ACL along with the name to effect an address change of a named host, rather than expect that changing the name will do it for you.

This behavior may have been changed in recent code, but I know versions 5 and 6 worked as I describe.

Author Comment

by:dave_hickman
ID: 24839083
Hey guys, I have it working now. I forgot to mention but I was doing a 'clear xlate' between all tests. I ended up getting it working after by power cycling the DSL modem, and re-creating my ASA config from scratch again. Stupid me, I didn't power cycle the DSL modem at all before that, and I'm thinking it had something stuck somehow. My config now is identical and it is working fine. I'm guessing I could have just pulled the power on the DSL and it would have started working right away.

So that I know what to look for in the future and prevent a similar hang-up again, does anyone know what technically would have been the issue with this? Was it an ARP table issue on the DSL modem perhaps, and stuff was never even reaching the ASA (because the access-list hit count was never increasing, so it's like the ASA wasn't seeing anything at all)?
 

Assisted Solution

by:pgolding00
pgolding00 earned 501 total points
ID: 24839269
It could have been an old ARP entry in the DSL modem that came from when you had the router in there, assuming the router also had a translation for .219. With everything rebooted, all the logs will be gone now, so we can't really confirm it.
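The thread ends on a guess: the DSL modem still had .219 cached against the 1711's MAC, so frames for .219 never reached the ASA and the ACL hit counters stayed at zero. The script below is an added example, not from any of the posters, showing how to confirm that kind of stale entry and what the corrective gratuitous ARP frame looks like. It assumes a Linux host on the same /29 segment whose `ip neigh` table can be read (the lines are constructed, as are both MAC addresses), and 203.0.113.* stands in for the post's x.x.x.*. The set of owned addresses is the ASA's outside interface plus every global address used by a `static` entry; the frame is only built here, not sent.

```python
import re
import socket
import struct

ASA_OUTSIDE_MAC = "00:1b:2c:3d:4e:01"   # assumed MAC of the ASA's Vlan2 (outside) interface
OLD_ROUTER_MAC = "00:1b:2c:3d:4e:ff"    # assumed MAC of the 1711 that was swapped out
# Every address on the /29 the ASA must answer ARP for: its interface and the static globals.
OWNED_IPS = {"203.0.113.218", "203.0.113.219", "203.0.113.221"}

# Constructed `ip neigh` output as seen from a Linux host on the outside segment.
# .219 still resolves to the old router: the stale entry the thread suspects.
NEIGH_OUTPUT = """\
203.0.113.217 dev eth0 lladdr 00:1b:2c:3d:4e:aa REACHABLE
203.0.113.218 dev eth0 lladdr 00:1b:2c:3d:4e:01 REACHABLE
203.0.113.219 dev eth0 lladdr 00:1b:2c:3d:4e:ff STALE
203.0.113.220 dev eth0  FAILED
203.0.113.221 dev eth0 lladdr 00:1b:2c:3d:4e:01 REACHABLE
"""


def parse_ip_neigh(text: str) -> dict:
    """Parse `ip neigh` lines into {ip: (mac or None, state)}; FAILED entries carry no MAC."""
    table = {}
    pat = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))?\s+(\S+)$")
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            ip, _dev, mac, state = m.groups()
            table[ip] = (mac.lower() if mac else None, state)
    return table


def stale_entries(neigh: dict, owned_ips: set, asa_mac: str) -> dict:
    """Owned addresses whose cached MAC belongs to some other host.

    A missing entry is fine: the next ARP request will be answered by the ASA.
    A cached entry for a different MAC silently blackholes that address.
    """
    asa_mac = asa_mac.lower()
    problems = {}
    for ip in sorted(owned_ips):
        mac, _state = neigh.get(ip, (None, None))
        if mac is not None and mac != asa_mac:
            problems[ip] = mac
    return problems


def gratuitous_arp(mac: str, ip: str) -> bytes:
    """Build the 42-byte gratuitous ARP request (broadcast, sender IP == target IP)
    that the new owner of `ip` sends so neighbours overwrite their cached MAC."""
    hw = bytes.fromhex(mac.replace(":", ""))
    pa = socket.inet_aton(ip)
    ethernet = b"\xff" * 6 + hw + struct.pack("!H", 0x0806)        # dst, src, EtherType ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)                # Ethernet/IPv4, request
           + hw + pa                                                # sender MAC, sender IP
           + b"\x00" * 6 + pa)                                      # target MAC (unknown), target IP
    return ethernet + arp


if __name__ == "__main__":
    neigh = parse_ip_neigh(NEIGH_OUTPUT)
    for ip, mac in stale_entries(neigh, OWNED_IPS, ASA_OUTSIDE_MAC).items():
        print(f"{ip} is cached against {mac}, expected {ASA_OUTSIDE_MAC}")
        print("GARP frame:", gratuitous_arp(ASA_OUTSIDE_MAC, ip).hex())
```

Seen this way, the symptom fits: .218 and .221 resolve to the ASA, so PAT on them works, while .219 resolves to a MAC that is no longer on the wire, so nothing for it ever arrives at the ASA and no config change on the ASA can help. Power cycling the modem flushed the cache, which is the same effect the gratuitous ARP would have had without an outage.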
 

Author Closing Comment

by:dave_hickman
ID: 31602582
Assigning split points between you. Thanks guys, she's up and working now.
