AITP

Cisco ASA 5505 NAT problem

We have a problem with a Cisco ASA 5505 and NAT translation.
Very basic config with one (1) public static IP address and a local LAN /24.

The problem is redirecting SSH (tcp/22) from the Internet (using the same IP address as the firewall's outside interface) to an internal server with IP address 192.168.1.2.

This is our config, which as far as I know should work, but it doesn't.


ASA Version 8.3(1)
!
hostname fw1
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network wc1-ssh
 host 192.168.1.2
access-list inbound extended permit tcp any object wc1-ssh eq ssh
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network wc1-ssh
 nat (inside,outside) static interface service tcp ssh ssh
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.51-192.168.1.250 inside
dhcpd dns 1.2.3.6 1.2.3.7 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
Ernie Beek

Could you try replacing:
access-list inbound extended permit tcp any object wc1-ssh eq ssh
with
access-list inbound extended permit tcp any host 192.168.1.2 eq ssh
AITP

ASKER

Thanks, but same result.
Mm.

When looking at the (asdm) logs, does anything show when you try to connect?
Everything looks good to me, are you sure your 192.168.1.2 is listening on ssh?
AITP

ASKER

From log:
"TCP access denied by ACL from x.x.x.x/26087 to outside:1.2.3.4/22"

SSH works on internal network from a PC.
Can you post the output of the packet tracer?

packet-tracer input outside tcp 1.1.1.1 ssh 192.168.1.2 ssh detailed
AITP

ASKER

Result of the command: "packet-tracer input outside tcp 1.1.1.1 ssh 192.168.1.2 ssh detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any object wc1-ssh eq ssh
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc978bb58, priority=13, domain=permit, deny=false
      hits=0, user_data=0xc7d813d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=192.168.1.2, mask=255.255.255.255, port=22, dscp=0x0
      input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9d91998, priority=0, domain=inspect-ip-options, deny=true
      hits=25194, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
      input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc9d9a940, priority=6, domain=nat-reverse, deny=false
      hits=4, user_data=0xc9d99c70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
      input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hm, I am not that good at 8.3 NAT and have never worked with it; however, you can just try using a different outside IP address (if you have one) for static NAT:

object network wc1-ssh
 nat (inside,outside) static 1.2.3.5 service tcp ssh ssh  
AITP

ASKER

Don't have extra IP from our ISP, sorry.
ASKER CERTIFIED SOLUTION
Ernie Beek
AITP

ASKER

All clients on local network must be able to access Internet.
Will they if I remove the command as you suggest?
"nat (inside,outside) source dynamic any interface"

I'm also "off-site" (connected through a TeamViewer outgoing connection) right now, so I can't test this until tomorrow if my connection goes down. =)
You should be safe, there still is:
object network obj_any
 nat (inside,outside) dynamic interface


You can always first issue the following:

reload in 5

This will cause the firewall to reload in 5 minutes. So if you don't save the configuration and lose connectivity, you should be able to connect again after the reload.
AITP

ASKER

That did the trick =)
Thanks a lot!
You're welcome :)

Thx for the points.
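
In the packet-tracer output posted in this thread, the ACCESS-LIST phase is ALLOW and the drop comes from the NAT rpf-check phase, whose Config line names the manual NAT rule, even though the summary reads "acl-drop". The Python sketch below is an added example, not part of the original thread: it parses such output and reports the first dropping phase and whether its rule is a manual (twice) NAT line, which the ASA evaluates before object NAT. The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: this thread's packet-tracer output, trimmed to two phases.
SAMPLE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any object wc1-ssh eq ssh
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase: N' block."""
    phases = []
    for block in re.split(r"(?m)^(?=Phase: \d+)", text):
        if not block.startswith("Phase:"):
            continue
        block = re.split(r"(?m)^Result:[ \t]*$", block)[0]  # drop final summary
        f = dict(re.findall(r"(?m)^(Phase|Type|Subtype|Result):[ \t]*(.*?)[ \t]*$", block))
        cfg = re.search(r"(?ms)^Config:[ \t]*\n(.*?)^Additional Information:", block)
        f["Config"] = [l.strip() for l in cfg.group(1).splitlines() if l.strip()] if cfg else []
        phases.append(f)
    return phases

def is_manual_nat(line):
    """Manual (twice) NAT lines carry the 'source' keyword; object NAT lines do not."""
    return re.match(r"nat \(\S+,\S+\) (?:after-auto )?(?:\d+ )?source ", line) is not None

def first_drop(text):
    """First phase whose Result is not ALLOW, with its rule classified; None if none."""
    for p in parse_phases(text):
        if p.get("Result") != "ALLOW":
            p["ManualNAT"] = any(is_manual_nat(l) for l in p["Config"])
            return p
    return None
```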