Cisco ASA 5510 - NAT Problems with Web Server
I have been pulling out my hair for quite a few hours. Have tried to go by whatever examples I could find, but can not figure out what I am doing wrong.
ASA outside interface on Ethernet0/0 has public IP 69.31.183.110
ASA inside interface on Ethernet0/2 has private IPs 10.10.30.254 and 10.10.254.254
I have a web server connected as 10.10.30.1
I would like the web server to use public IP 69.31.183.112
I cannot get the above to work.
The base config is below.
With the config below, the web server has outgoing access to the Internet. I can ping external hosts.
From what I've come across, the NAT rule I should be adding is this:
static (vlan30,outside) 69.31.183.112 10.10.30.1 netmask 255.255.255.255
But the problem is once that is added, nothing works anymore. The web server even loses outgoing access to the Internet. I can't ping external hosts anymore.
Inbound access pinging or accessing http on 69.31.183.112 doesn't work either.
What am I doing wrong?
Thanks for any help in advance...
ASA outside interface on Ethernet0/0 has public IP 69.31.183.110
ASA inside interface on Ethernet0/2 has private IPs 10.10.30.254 and 10.10.254.254
I have a web server connected as 10.10.30.1
I would like the web server to use public IP 69.31.183.112
I cannot get the above to work.
The base config is below.
With the config below, the web server has outgoing access to the Internet. I can ping external hosts.
From what I've come across, the NAT rule I should be adding is this:
static (vlan30,outside) 69.31.183.112 10.10.30.1 netmask 255.255.255.255
But the problem is once that is added, nothing works anymore. The web server even loses outgoing access to the Internet. I can't ping external hosts anymore.
Inbound access pinging or accessing http on 69.31.183.112 doesn't work either.
What am I doing wrong?
Thanks for any help in advance...
ASA Version 7.2(2)
!
hostname amfw2
domain-name <domain>
no names
!
interface Ethernet0/0
description Internet connection
nameif outside
security-level 0
ip address 69.31.183.110 255.255.255.240 standby 69.31.183.111
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.30
description Externally Accessible Servers
vlan 30
nameif vlan30
security-level 30
ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
!
interface Ethernet0/2.254
description Management VLAN
vlan 254
nameif vlan254
security-level 90
ip address 10.10.254.254 255.255.255.0 standby 10.10.254.253
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name <domain>
access-list vlan254_access_in extended permit ip 10.10.254.0 255.255.255.0 any
access-list outside_access_out extended permit ip any any
access-list vlan30_access_in extended permit ip any any
access-list vlan30_access_out extended permit icmp any host 10.10.30.1
access-list vlan30_access_out extended permit tcp any host 10.10.30.1 eq www
access-list vlan30_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any host 69.31.183.112
access-list outside_access_in extended permit tcp any host 69.31.183.112 eq www
access-list vlan254_access_out extended permit ip any any
access-list vlan30_nat_outbound extended permit ip any any
access-list vlan254_nat_outbound extended permit ip any any
access-list remote_vpn_splitTunnelAcl standard permit 10.101.254.0 255.255.255.0
no pager
logging enable
logging timestamp
logging standby
logging emblem
logging list MP-ASA level debugging
logging console emergencies
logging trap debugging
logging history notifications
logging asdm debugging
logging facility 23
logging device-id hostname
logging host outside 66.48.84.26
logging debug-trace
mtu outside 1500
mtu vlan30 1500
mtu vlan254 1500
no failover
monitor-interface vlan254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan30) 1 access-list vlan30_nat_outbound
nat (vlan254) 1 access-list vlan254_nat_outbound
static (vlan254,vlan30) 10.10.254.0 10.10.254.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan30_access_in in interface vlan30
access-group vlan30_access_out out interface vlan30
access-group vlan254_access_in in interface vlan254
access-group vlan254_access_out out interface vlan254
route outside 0.0.0.0 0.0.0.0 69.31.183.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 vlan254
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
sysopt noproxyarp vlan254
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set peer 204.92.97.14
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 41 set pfs
crypto map outside_map 41 set peer 209.82.67.67
crypto map outside_map 41 set transform-set ESP-3DES-SHA
crypto map outside_map 41 set security-association lifetime seconds 2419200
crypto map outside_map 41 set security-association lifetime kilobytes 2147483647
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 vlan254
ssh timeout 30
console timeout 30
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc0b57cc1c46b9fb0ee8fa872419c502
: end
adam1115
That IP is not in your subnet...
Usable IPs in that subnet are-
69.31.183.97 - 69.31.183.111
.96 is network, .112 is broadcast.
69.31.183.97 - 69.31.183.111
.96 is network, .112 is broadcast.
ASKER
I apologize for the unnecessary confusion. The original post had the incorrect IPs.
Let's start again with proper IPs here:
-----------------
ASA outside interface on Ethernet0/0 has public IP 69.31.183.210
ASA inside interface on Ethernet0/2 has private IPs 10.10.30.254 and 10.10.254.254
I have a web server connected as 10.10.30.1
I would like the web server to use public IP 69.31.183.212
I cannot get the above to work.
The base config is below.
With the config below, the web server has outgoing access to the Internet. I can ping external hosts.
From what I've come across, the NAT rule I should be adding is this:
static (vlan30,outside) 69.31.183.212 10.10.30.1 netmask 255.255.255.255
But the problem is once that is added, nothing works anymore. The web server even loses outgoing access to the Internet. I can't ping external hosts anymore.
Inbound access pinging or accessing http on 69.31.183.212 doesn't work either.
What am I doing wrong?
Let's start again with proper IPs here:
-----------------
ASA outside interface on Ethernet0/0 has public IP 69.31.183.210
ASA inside interface on Ethernet0/2 has private IPs 10.10.30.254 and 10.10.254.254
I have a web server connected as 10.10.30.1
I would like the web server to use public IP 69.31.183.212
I cannot get the above to work.
The base config is below.
With the config below, the web server has outgoing access to the Internet. I can ping external hosts.
From what I've come across, the NAT rule I should be adding is this:
static (vlan30,outside) 69.31.183.212 10.10.30.1 netmask 255.255.255.255
But the problem is once that is added, nothing works anymore. The web server even loses outgoing access to the Internet. I can't ping external hosts anymore.
Inbound access pinging or accessing http on 69.31.183.212 doesn't work either.
What am I doing wrong?
ASA Version 7.2(2)
!
hostname amfw2
domain-name <domain>
no names
!
interface Ethernet0/0
description Internet connection
nameif outside
security-level 0
ip address 69.31.183.210 255.255.255.240 standby 69.31.183.211
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.30
description Externally Accessible Servers
vlan 30
nameif vlan30
security-level 30
ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
!
interface Ethernet0/2.254
description Management VLAN
vlan 254
nameif vlan254
security-level 90
ip address 10.10.254.254 255.255.255.0 standby 10.10.254.253
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name <domain>
access-list vlan254_access_in extended permit ip 10.10.254.0 255.255.255.0 any
access-list outside_access_out extended permit ip any any
access-list vlan30_access_in extended permit ip any any
access-list vlan30_access_out extended permit icmp any host 10.10.30.1
access-list vlan30_access_out extended permit tcp any host 10.10.30.1 eq www
access-list vlan30_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any host 69.31.183.212
access-list outside_access_in extended permit tcp any host 69.31.183.212 eq www
access-list vlan254_access_out extended permit ip any any
access-list vlan30_nat_outbound extended permit ip any any
access-list vlan254_nat_outbound extended permit ip any any
access-list remote_vpn_splitTunnelAcl standard permit 10.101.254.0 255.255.255.0
no pager
logging enable
logging timestamp
logging standby
logging emblem
logging list MP-ASA level debugging
logging console emergencies
logging trap debugging
logging history notifications
logging asdm debugging
logging facility 23
logging device-id hostname
logging host outside 66.48.84.26
logging debug-trace
mtu outside 1500
mtu vlan30 1500
mtu vlan254 1500
no failover
monitor-interface vlan254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan30) 1 access-list vlan30_nat_outbound
nat (vlan254) 1 access-list vlan254_nat_outbound
static (vlan254,vlan30) 10.10.254.0 10.10.254.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan30_access_in in interface vlan30
access-group vlan30_access_out out interface vlan30
access-group vlan254_access_in in interface vlan254
access-group vlan254_access_out out interface vlan254
route outside 0.0.0.0 0.0.0.0 69.31.183.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 vlan254
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
sysopt noproxyarp vlan254
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set peer 204.92.97.14
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 41 set pfs
crypto map outside_map 41 set peer 209.82.67.67
crypto map outside_map 41 set transform-set ESP-3DES-SHA
crypto map outside_map 41 set security-association lifetime seconds 2419200
crypto map outside_map 41 set security-association lifetime kilobytes 2147483647
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 vlan254
ssh timeout 30
console timeout 30
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc0b57cc1c46b9fb0ee8fa872419c502
: endASKER
It seems like the public IP 69.31.183.212 isn't being picked up for some reason.
static (vlan30,outside) 69.31.183.212 10.10.30.1 netmask 255.255.255.255
Is this line all I should need to get the ASA to pick up that IP address, or is there something else that I'm missing?
I tested this IP earlier by connecting my laptop directly to the incoming network cable feed, and I was able to use it with no problem.
The netmask for 69.31.183.212 is 255.255.255.240. Is there anywhere I am supposed to specify this, or does the ASA know this because it's main outgoing interface IP 69.31.183.210 is from the same range?
static (vlan30,outside) 69.31.183.212 10.10.30.1 netmask 255.255.255.255
Is this line all I should need to get the ASA to pick up that IP address, or is there something else that I'm missing?
I tested this IP earlier by connecting my laptop directly to the incoming network cable feed, and I was able to use it with no problem.
The netmask for 69.31.183.212 is 255.255.255.240. Is there anywhere I am supposed to specify this, or does the ASA know this because it's main outgoing interface IP 69.31.183.210 is from the same range?
I think once you put in the static NAT you will need to have an access-list rule with 69.31.183.212 in your outside_access_out group. Better still remove the outside_access_out group.
Ah, well, now that we have the right IP? I think you have an IP conflict or a problem upstream, your config looks fine to me...
ASKER
I got some logs from the NOC, and from the looks of it, there has been activity on 69.31.183.212.
It looks like when I was on 10.10.30.1 and did pings out to 208.67.222.222, the packets did make it out of the firewall, but nothing made it back.
When I use an external host to try and ping 69.31.183.212, nothing shows up on the firewall logs at all.
If I ping the external interface IP 69.31.183.210, it shows up in the logs.
It looks like when I was on 10.10.30.1 and did pings out to 208.67.222.222, the packets did make it out of the firewall, but nothing made it back.
When I use an external host to try and ping 69.31.183.212, nothing shows up on the firewall logs at all.
If I ping the external interface IP 69.31.183.210, it shows up in the logs.
ASKER
Someonething else that is quite odd. From an external host, if I do:
telnet 69.31.183.212 80
It actually connects... but I have no idea what device it is connecting to. It doesn't appear to be the 10.10.30.1 server because when I ran a tcpdump -n port 80, it did not show any packets being received.
Of course, going to http://69.31.183.212 from an external host still doesn't work.
telnet 69.31.183.212 80
It actually connects... but I have no idea what device it is connecting to. It doesn't appear to be the 10.10.30.1 server because when I ran a tcpdump -n port 80, it did not show any packets being received.
Of course, going to http://69.31.183.212 from an external host still doesn't work.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.