Cisco ASA 5510 - NAT Problems with Web Server

ISoul
I have been pulling out my hair for quite a few hours. I have tried to go by whatever examples I could find, but cannot figure out what I am doing wrong.

ASA outside interface on Ethernet0/0 has public IP 69.31.183.110
ASA inside interface on Ethernet0/2 has private IPs 10.10.30.254 and 10.10.254.254

I have a web server connected as 10.10.30.1

I would like the web server to use public IP 69.31.183.112

I cannot get the above to work.

The base config is below.

With the config below, the web server has outgoing access to the Internet. I can ping external hosts.

From what I've come across, the NAT rule I should be adding is this:

static (vlan30,outside) 69.31.183.112 10.10.30.1 netmask 255.255.255.255

But the problem is once that is added, nothing works anymore. The web server even loses outgoing access to the Internet. I can't ping external hosts anymore.

Inbound access pinging or accessing http on 69.31.183.112 doesn't work either.

What am I doing wrong?

Thanks for any help in advance...

ASA Version 7.2(2)
!
hostname amfw2
domain-name <domain>
no names
!
interface Ethernet0/0
 description Internet connection
 nameif outside
 security-level 0
 ip address 69.31.183.110 255.255.255.240 standby 69.31.183.111
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.30
 description Externally Accessible Servers
 vlan 30
 nameif vlan30
 security-level 30
 ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
!
interface Ethernet0/2.254
 description Management VLAN
 vlan 254
 nameif vlan254
 security-level 90
 ip address 10.10.254.254 255.255.255.0 standby 10.10.254.253
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name <domain>
access-list vlan254_access_in extended permit ip 10.10.254.0 255.255.255.0 any
access-list outside_access_out extended permit ip any any
access-list vlan30_access_in extended permit ip any any
access-list vlan30_access_out extended permit icmp any host 10.10.30.1
access-list vlan30_access_out extended permit tcp any host 10.10.30.1 eq www
access-list vlan30_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any host 69.31.183.112
access-list outside_access_in extended permit tcp any host 69.31.183.112 eq www
access-list vlan254_access_out extended permit ip any any
access-list vlan30_nat_outbound extended permit ip any any
access-list vlan254_nat_outbound extended permit ip any any
access-list remote_vpn_splitTunnelAcl standard permit 10.101.254.0 255.255.255.0
no pager
logging enable
logging timestamp
logging standby
logging emblem
logging list MP-ASA level debugging
logging console emergencies
logging trap debugging
logging history notifications
logging asdm debugging
logging facility 23
logging device-id hostname
logging host outside 66.48.84.26
logging debug-trace
mtu outside 1500
mtu vlan30 1500
mtu vlan254 1500
no failover
monitor-interface vlan254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan30) 1 access-list vlan30_nat_outbound
nat (vlan254) 1 access-list vlan254_nat_outbound
static (vlan254,vlan30) 10.10.254.0 10.10.254.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan30_access_in in interface vlan30
access-group vlan30_access_out out interface vlan30
access-group vlan254_access_in in interface vlan254
access-group vlan254_access_out out interface vlan254
route outside 0.0.0.0 0.0.0.0 69.31.183.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 vlan254
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
sysopt noproxyarp vlan254
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set peer 204.92.97.14
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 41 set pfs
crypto map outside_map 41 set peer 209.82.67.67
crypto map outside_map 41 set transform-set ESP-3DES-SHA
crypto map outside_map 41 set security-association lifetime seconds 2419200
crypto map outside_map 41 set security-association lifetime kilobytes 2147483647
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 vlan254
ssh timeout 30
console timeout 30
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc0b57cc1c46b9fb0ee8fa872419c502
: end


Commented:
That IP is not in your subnet...

Commented:
Usable IPs in that subnet are:

69.31.183.97 - 69.31.183.111

.96 is network, .112 is broadcast.

Author

Commented:
I apologize for the unnecessary confusion. The original post had the incorrect IPs.

Let's start again with proper IPs here:

-----------------

ASA outside interface on Ethernet0/0 has public IP 69.31.183.210
ASA inside interface on Ethernet0/2 has private IPs 10.10.30.254 and 10.10.254.254

I have a web server connected as 10.10.30.1

I would like the web server to use public IP 69.31.183.212

I cannot get the above to work.

The base config is below.

With the config below, the web server has outgoing access to the Internet. I can ping external hosts.

From what I've come across, the NAT rule I should be adding is this:

static (vlan30,outside) 69.31.183.212 10.10.30.1 netmask 255.255.255.255

But the problem is once that is added, nothing works anymore. The web server even loses outgoing access to the Internet. I can't ping external hosts anymore.

Inbound access pinging or accessing http on 69.31.183.212 doesn't work either.

What am I doing wrong?

ASA Version 7.2(2)
!
hostname amfw2
domain-name <domain>
no names
!
interface Ethernet0/0
 description Internet connection
 nameif outside
 security-level 0
 ip address 69.31.183.210 255.255.255.240 standby 69.31.183.211
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.30
 description Externally Accessible Servers
 vlan 30
 nameif vlan30
 security-level 30
 ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
!
interface Ethernet0/2.254
 description Management VLAN
 vlan 254
 nameif vlan254
 security-level 90
 ip address 10.10.254.254 255.255.255.0 standby 10.10.254.253
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name <domain>
access-list vlan254_access_in extended permit ip 10.10.254.0 255.255.255.0 any
access-list outside_access_out extended permit ip any any
access-list vlan30_access_in extended permit ip any any
access-list vlan30_access_out extended permit icmp any host 10.10.30.1
access-list vlan30_access_out extended permit tcp any host 10.10.30.1 eq www
access-list vlan30_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any host 69.31.183.212
access-list outside_access_in extended permit tcp any host 69.31.183.212 eq www
access-list vlan254_access_out extended permit ip any any
access-list vlan30_nat_outbound extended permit ip any any
access-list vlan254_nat_outbound extended permit ip any any
access-list remote_vpn_splitTunnelAcl standard permit 10.101.254.0 255.255.255.0
no pager
logging enable
logging timestamp
logging standby
logging emblem
logging list MP-ASA level debugging
logging console emergencies
logging trap debugging
logging history notifications
logging asdm debugging
logging facility 23
logging device-id hostname
logging host outside 66.48.84.26
logging debug-trace
mtu outside 1500
mtu vlan30 1500
mtu vlan254 1500
no failover
monitor-interface vlan254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan30) 1 access-list vlan30_nat_outbound
nat (vlan254) 1 access-list vlan254_nat_outbound
static (vlan254,vlan30) 10.10.254.0 10.10.254.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan30_access_in in interface vlan30
access-group vlan30_access_out out interface vlan30
access-group vlan254_access_in in interface vlan254
access-group vlan254_access_out out interface vlan254
route outside 0.0.0.0 0.0.0.0 69.31.183.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 vlan254
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
sysopt noproxyarp vlan254
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set peer 204.92.97.14
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 41 set pfs
crypto map outside_map 41 set peer 209.82.67.67
crypto map outside_map 41 set transform-set ESP-3DES-SHA
crypto map outside_map 41 set security-association lifetime seconds 2419200
crypto map outside_map 41 set security-association lifetime kilobytes 2147483647
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 vlan254
ssh timeout 30
console timeout 30
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc0b57cc1c46b9fb0ee8fa872419c502
: end


Author

Commented:
It seems like the public IP 69.31.183.212 isn't being picked up for some reason.

static (vlan30,outside) 69.31.183.212 10.10.30.1 netmask 255.255.255.255

Is this line all I should need to get the ASA to pick up that IP address, or is there something else that I'm missing?

I tested this IP earlier by connecting my laptop directly to the incoming network cable feed, and I was able to use it with no problem.

The netmask for 69.31.183.212 is 255.255.255.240. Is there anywhere I am supposed to specify this, or does the ASA know this because it's main outgoing interface IP 69.31.183.210 is from the same range?

Commented:
I think once you put in the static NAT you will need to have an access-list rule with 69.31.183.212 in your outside_access_out group. Better still, remove the outside_access_out group.

Commented:
Ah, well, now that we have the right IP?  I think you have an IP conflict or a problem upstream, your config looks fine to me...

Author

Commented:
I got some logs from the NOC, and from the looks of it, there has been activity on 69.31.183.212.

It looks like when I was on 10.10.30.1 and did pings out to 208.67.222.222, the packets did make it out of the firewall, but nothing made it back.

When I use an external host to try and ping 69.31.183.212, nothing shows up on the firewall logs at all.

If I ping the external interface IP 69.31.183.210, it shows up in the logs.

Author

Commented:
Something else that is quite odd. From an external host, if I do:

telnet 69.31.183.212 80

It actually connects... but I have no idea what device it is connecting to. It doesn't appear to be the 10.10.30.1 server because when I ran a tcpdump -n port 80, it did not show any packets being received.

Of course, going to http://69.31.183.212 from an external host still doesn't work.

Commented:
Okay, after many, many hours... I finally stumbled upon the culprit.

Proxy ARP was disabled for the outside interface. Once I enabled it, everything started working immediately.

The previous post about being able to telnet to the IP was a red herring. I think the behaviour was because of the remote network and not the one I'm working on.
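As an added example that is not part of the original thread or Cisco's own tooling: a small Python lint for the pre-8.3 ASA `static (real_if,mapped_if) mapped real netmask ...` syntax used above. It applies the two checks the thread arrives at. First, the one the first reply raised: is the mapped public address actually inside the outside interface's subnet (the interface mask gives the ASA that subnet; the static itself carries no mask for the mapped side, which answers the author's question about where 255.255.255.240 would go). Second, the culprit found in the last post: with `sysopt noproxyarp outside` in place the ASA does not answer ARP for NAT-mapped addresses on that interface, so the upstream router at 69.31.183.209 has no MAC for 69.31.183.212; the translation exists and the server's packets leave (as the NOC logs showed), but nothing addressed to .212 can come back. The sample config lines are constructed from the posted config; the function and regex names are my own.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the posted ASA 7.2 config plus the
# static NAT the thread was trying to add. Not the full config from the page.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 69.31.183.210 255.255.255.240 standby 69.31.183.211
!
interface Ethernet0/2.30
 nameif vlan30
 security-level 30
 ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
!
static (vlan30,outside) 69.31.183.212 10.10.30.1 netmask 255.255.255.255
static (vlan254,vlan30) 10.10.254.0 10.10.254.0 netmask 255.255.255.0
sysopt noproxyarp outside
sysopt noproxyarp vlan254
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)(?:\s+standby\s+(\S+))?")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp\s+(\S+)")


def parse_config(text):
    """Parse pre-8.3 ASA config text into (interfaces, statics, noproxyarp).

    interfaces: nameif -> {"network": IPv4Network, "addrs": {interface/standby IPs}}
    statics:    list of dicts (real_if, mapped_if, mapped, real, netmask)
    noproxyarp: set of nameifs on which 'sysopt noproxyarp' is configured
    """
    interfaces, statics, noproxyarp = {}, [], set()
    cur = None  # interface block currently being read
    for line in text.splitlines():
        if IFACE_RE.match(line):
            cur = {"network": None, "addrs": set()}
            continue
        m = NAMEIF_RE.match(line)
        if m and cur is not None:
            interfaces[m.group(1)] = cur
            continue
        m = IPADDR_RE.match(line)
        if m and cur is not None:
            ip, mask, standby = m.groups()
            cur["network"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            cur["addrs"].add(ipaddress.ip_address(ip))
            if standby:
                cur["addrs"].add(ipaddress.ip_address(standby))
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, netmask = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": ipaddress.ip_address(mapped),
                            "real": ipaddress.ip_address(real), "netmask": netmask})
            continue
        m = NOPROXY_RE.match(line)
        if m:
            noproxyarp.add(m.group(1))
    return interfaces, statics, noproxyarp


def check_static(static, interfaces, noproxyarp):
    """Return a list of findings for one static entry; an empty list means it looks OK."""
    findings = []
    iface = interfaces.get(static["mapped_if"])
    if iface is None or iface["network"] is None:
        return [f"mapped interface {static['mapped_if']} has no IP address configured"]
    net, mapped = iface["network"], static["mapped"]
    # Check 1 (host statics only): the mapped IP must be a usable host address in the
    # mapped interface's subnet, otherwise the next hop has no route to it via the ASA.
    if static["netmask"] == "255.255.255.255":
        if mapped not in net:
            findings.append(f"{mapped} is not inside {net} (usable hosts {net[1]}-{net[-2]})")
        elif mapped in (net.network_address, net.broadcast_address):
            findings.append(f"{mapped} is the network or broadcast address of {net}")
        elif mapped in iface["addrs"]:
            findings.append(f"{mapped} collides with the interface or standby address")
    # Check 2: with proxy ARP disabled on the mapped interface the ASA will not answer
    # ARP for a mapped address that is not its own, so the next hop cannot deliver to it.
    if static["mapped_if"] in noproxyarp and mapped not in iface["addrs"]:
        findings.append(f"proxy ARP disabled on {static['mapped_if']}: the ASA will not "
                        f"answer ARP for {mapped}; fix with "
                        f"'no sysopt noproxyarp {static['mapped_if']}'")
    return findings


def lint(text):
    """Map each static's mapped address to its findings."""
    interfaces, statics, noproxyarp = parse_config(text)
    return {str(s["mapped"]): check_static(s, interfaces, noproxyarp) for s in statics}


if __name__ == "__main__":
    for mapped, findings in lint(SAMPLE_CONFIG).items():
        print(mapped, findings or "ok")
```

On the posted config this flags only the outside static, for the proxy ARP reason; on the first post's addresses (interface 69.31.183.110/28, mapped .112) it also reports that .112 is outside 69.31.183.96/28, which is the first reply's objection. The identity static between vlan254 and vlan30 passes because proxy ARP is still enabled on vlan30. Note that the parser targets the pre-8.3 `static` form shown on this page; ASA 8.3 and later use object NAT with different syntax, and `sysopt noproxyarp` stays per interface there too.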
