ASA5100 static PAT not working

eanemer
Hello
I have recently inherited an ASA5100 and since our current PIX 501 is out of date and can't support our needs anymore I've decided to replace it.

Right now the ASA has a very small config because I started with making sure I could get static PAT working, and even though the steps seem pretty much the same as they were on the PIX, it will not work.

I have a proper ACL (which gets hits when I try) and static PAT seems to be configured correctly with the proper global NAT group as well.
But no matter what the connection will not succeed.
I'm forwarding 80 -> 80, 21 -> 21, and 1212 -> 80, none of which work.

Very simple setup right now for testing.
ISP static IP -> ASA -> Private network
Internet access through the ASA is fine.

What am I missing?
According to the CLI guide for 8.2 everything is correct. (and seemingly the steps are the same as they were on the Pix 501)

config below:
: Saved
: Written by enable_15 at 16:18:31.421 EST Thu Jan 28 2010
!
ASA Version 8.2(2) 
!
hostname ASA5510
domain-name x.x
enable password dsaft45wf43q3tr encrypted
passwd aseg45w5yw4gsq encrypted
names
name 192.168.2.10 server
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.13 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.7 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name x.x
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0 
access-list outside_access_in extended permit tcp any interface outside eq ftp 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any interface outside eq 1212 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.2.75 www netmask 255.255.255.255 
static (inside,outside) tcp interface ftp 192.168.2.27 ftp netmask 255.255.255.255 
static (inside,outside) tcp interface 1212 192.168.2.12 www netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server server source inside prefer
tftp-server inside server tftp
webvpn
username user password /GohvGdjpkDBsqbD encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
policy-map global-policy
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:8a95046e8adc7566b4cf3f624fdea02f
: end

Commented:
The code looks correct to me.  

Just as a sanity check, from the ASA, make sure you can ping internally to any of the 3 hosts.   Make sure the hosts can get outbound on the internet...  

On the ASA, might as well houseclean and do a CLEAR XLATE, clear out ARP as well while you are at it.  

Also, in the ASA's ASDM or syslog, are you showing any dropped packets for any reason?   Threat detection or something similar?  

Is the ASA the only gateway for this subnet?  

Commented:
You have a nat 0 bound to an access-list for the inside interface which I do not see helping you any because you're not going between interfaces (dmz, inside, etc) and you're not showing any VPN tunnel configuration for that communication. You also have a global overall nat for any address on the inside. I would first try testing by removing the following command:

nat (inside) 0 access-list inside_nat0_outbound

and then possibly update your nat (inside) 1 192.168.2.0 255.255.255.0 which will make sure only devices with an IP on your internal subnet get address translation outbound towards the Internet.

Author

Commented:
Thanks for the suggestions.

MikeKane:
You made me remember something.
I never changed the gateway IP on the Apache server!
I do still have the old PIX active on the network and am configuring the ASA before swapping it out, so Apache was still going through the PIX.

Changed the gateway on that server and now it's all good!

brentloper:
Thanks for the reply.
There will be VPN tunnels soon, so that ACL will then be used.
I did change the nat inside though to the 192.168.2.0 network specifically, although it does still work with 0.0.0.0, but why not be more specific.

thanks guys
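The thread's root cause was not in the firewall config at all: the Apache host's default gateway still pointed at the old PIX, so inbound connections arrived via the ASA and the replies left via another router. Below is an added consistency check, not from the thread or from Cisco, that parses the static PAT lines, the outside ACL and the inside interface from the 8.2-style config posted above, and reports for each mapping whether the ACL permits it, whether the real host sits on the inside subnet, and which default gateway that host must use. The PORT_NAMES table is an assumed subset of the ASA's port keywords; the sample config is constructed from the lines in the question.

```python
import ipaddress
import re

# Constructed sample: the lines of the posted config that static PAT depends on.
ASA_CONFIG = """interface Ethernet0/1
 nameif inside
 ip address 192.168.2.7 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 1212
static (inside,outside) tcp interface www 192.168.2.75 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.2.27 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1212 192.168.2.12 www netmask 255.255.255.255
"""
# Subset of ASA port keywords (assumption: only these are needed for this config).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "http": 80, "https": 443}
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) any interface outside eq (\S+)")

def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_inside_interface(config):
    """Return (ip, network) of the interface whose nameif is 'inside'."""
    nameif = None
    for line in config.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            nameif = m.group(1)
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and nameif == "inside":
            ip, mask = m.group(1), m.group(2)
            return ipaddress.ip_address(ip), ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    raise ValueError("no interface named inside")

def check_static_pat(config):
    """One finding per static PAT: ACL coverage, subnet membership, required host gateway."""
    inside_ip, inside_net = parse_inside_interface(config)
    permitted = {(m.group(1), port_number(m.group(2))) for m in ACL_RE.finditer(config)}
    findings = []
    for m in STATIC_RE.finditer(config):
        proto, out_port = m.group(3), port_number(m.group(4))
        real_ip, real_port = ipaddress.ip_address(m.group(5)), port_number(m.group(6))
        findings.append({
            "mapping": f"{proto}/{out_port} -> {real_ip}:{real_port}",
            "acl_permits": (proto, out_port) in permitted,
            "host_on_inside_subnet": real_ip in inside_net,
            "expected_gateway": str(inside_ip),  # a host still pointing at the old PIX replies out the wrong box
        })
    return findings
```

Run check_static_pat(ASA_CONFIG) and compare each host's actual default gateway with the expected_gateway field; a mismatch reproduces exactly the symptom in this thread (ACL hits, xlate built, connection never completes).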
