Cisco ASA 5505 NAT problem

AITP
AITP used Ask the Experts™
on
We have problem with a Cisco ASA 5505 and NAT translation.
Very basic config with one (1) public static IP-address and a local LAN /24.

The problem is to redirect port SSH, tcp/22 from Internet (with same as firewall outside IP-address) to an internal server with IP-address 192.168.1.2.

This is our config as far as my knowledge should work, but it don't.


ASA Version 8.3(1)
!
hostname fw1
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network wc1-ssh
 host 192.168.1.2
access-list inbound extended permit tcp any object wc1-ssh eq ssh
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network wc1-ssh
 nat (inside,outside) static interface service tcp ssh ssh
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.51-192.168.1.250 inside
dhcpd dns 1.2.3.6 1.2.3.7 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
Could you try replacing:
access-list inbound extended permit tcp any object wc1-ssh eq ssh
with
access-list inbound extended permit tcp any host 192.168.1.2 eq ssh

Author

Commented:
Thanx but same result.
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
Mm.

When looking at the (asdm) logs, does anything show when you try to connect?
PMI ACP® Project Management

Prepare for the PMI Agile Certified Practitioner (PMI-ACP)® exam, which formally recognizes your knowledge of agile principles and your skill with agile techniques.

Top Expert 2011

Commented:
Everything looks good to me, are you sure your 192.168.1.2 is listening on ssh?

Author

Commented:
From log:
"TCP access denied by ACL from x.x.x.x/26087 to outside:1.2.3.4/22"

SSH works on internal network from a PC.
Top Expert 2011

Commented:
Can you post the output of the packet tracer?

packet-tracer input outside tcp 1.1.1.1 ssh 192.168.1.2 ssh detailed

Author

Commented:
Result of the command: "packet-tracer input outside tcp 1.1.1.1 ssh 192.168.1.2 ssh detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any object wc1-ssh eq ssh
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc978bb58, priority=13, domain=permit, deny=false
      hits=0, user_data=0xc7d813d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=192.168.1.2, mask=255.255.255.255, port=22, dscp=0x0
      input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9d91998, priority=0, domain=inspect-ip-options, deny=true
      hits=25194, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
      input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc9d9a940, priority=6, domain=nat-reverse, deny=false
      hits=4, user_data=0xc9d99c70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
      input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Top Expert 2011

Commented:
Hm, I am not that good at 8.3 NAT, have never worked with it, however you can just try using a different outside ip address (if you have one) for static NAT

object network wc1-ssh
 nat (inside,outside) static 1.2.3.5 service tcp ssh ssh  

Author

Commented:
Don't have extra IP from our ISP, sorry.
Senior infrastructure engineer
Top Expert 2012
Commented:
Try removing:
nat (inside,outside) source dynamic any interface

Author

Commented:
All clients on local network must be able to access Internet.
Will they if I remote the command as you suggest?
"nat (inside,outside) source dynamic any interface"

I'm also "off-site" (connected through Teamviewer outgoing connection) right know so I can't test this until tomorrow if my connection will go down. =)
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
You should be safe, there still is:
object network obj_any
 nat (inside,outside) dynamic interface


You can always first issue the following:

reload in 5

This will cause the firewall to reload in 5 minutes. So if you don't save the configuration and loose connectivity you should be able to connect again after the reload.

Author

Commented:
That did the trick =)
Thanx a lot!
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
You're welcome :)

Thx for the points.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial