
NAT not working on ASA 7.2

I am not able to get to these two over HTTP from outside. What am I doing wrong?


access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any

ip local pool bleh 172.26.13.20-172.26.13.25 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.23.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.23.13.19 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48806 172.23.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
1 Solution
 
mcsween (Sr. Network Administrator) commented:
Should be (assuming your WAN interface uses DHCP and the internal system is 192.168.0.10). If you have a static IP on the WAN side, use that instead of the word interface.

static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255
 
j_crow1 (Author) commented:
WAN interface is static.
 
mcsween (Sr. Network Administrator) commented:
Sorry, I read your answer too quickly. You don't need the ACL inside_access_in, and you shouldn't apply an ACL to the inside interface unless you want to restrict traffic going out.

Static PAT commands look like this (assuming 24.24.24.24 as the public IP and 192.168.0.10 as the private IP):
static (inside,outside) tcp 24.24.24.24 www 192.168.0.10 www netmask 255.255.255.255



This line is permitting everything in from the outside; this is too open:
access-list outside_access_in extended permit ip any any


It should look more like this (ACL name and syntax corrected: the protocol comes first, the destination is a single host, and the port is given with eq):
access-list outside_access_in extended permit tcp any host 24.24.24.24 eq www



The ACL should permit traffic to the WAN address; then use the static command to map the port translation to the internal address.
 
j_crow1 (Author) commented:
Yeah, but assuming that it was TOO open, it should have worked given the config, correct? Adding that line did not fix it.
 
Ernie Beek commented:
Looking at the config, I see you're using two different IP ranges:

access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any

ip local pool bleh 172.26.13.20-172.26.13.25 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.23.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.23.13.19 www netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48808 172.23.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp PUBLICIP2 48806 172.23.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside


Assuming 172.26.13.x is your inside range, you'll need to recreate your statics with the correct IP addresses.
 
j_crow1 (Author) commented:
The local IPs are right; the range is wrong. I redid the range to the following:

ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240

Still not working. Is it safe to assume at that point it is the device I am trying to connect to?
 
Ernie Beek commented:
Just to make sure:
your pool is:
172.26.13.18-172.26.13.22

The statics use:
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255

That's not going to work.
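The mismatch Ernie spots here (a static whose real address is not in the inside subnet) and mcsween's earlier point (the outside ACL has to name the mapped, public address and should not be permit ip any any) are both mechanical checks, so here is one script that performs them. It is an added example written for this page, not code from the thread or from Cisco. It reads a pre-8.3 ASA config and reports a static whose real address falls outside the inside interface's subnet, a static with no matching entry in the ACL bound inbound on the outside interface, an ACL that is simply permit ip any any, and, as a general hygiene check the thread does not itself raise, a static real address that also sits in an ip local pool or dhcpd range. The embedded config is constructed from the lines posted in the thread; PUBLICIP2 is the poster's own redaction placeholder and parses as "unknown address".

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the thread's config, not a real device dump.
# PUBLICIP2 stands in for the second public address the poster redacted.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 172.26.13.17 255.255.255.240
interface Vlan2
 nameif outside
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240
dhcpd address 172.26.13.19-172.26.13.22 inside
static (inside,outside) tcp interface www 172.23.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.23.13.18 48808 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 www 172.26.13.19 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}  # ASA port keywords seen in statics/ACLs
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (.+)$")
RANGE_RE = re.compile(r"^(?:ip local pool \S+|dhcpd address) (\S+)-(\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def _ip(text: str) -> Optional[ipaddress.IPv4Address]:
    """Parse an address; redacted placeholders such as PUBLICIP2 yield None."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def _addr_spec(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one ACL address spec (any | host A | A MASK); return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i], i + 2


def parse(config: str) -> Dict:
    """Pull interfaces, statics, ACEs, pools and access-groups out of the running config."""
    cfg = {"subnets": {}, "if_addr": {}, "ranges": [], "statics": [], "aces": [], "groups": {}}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif and _ip(line.split()[2]) is not None:
            addr, mask = line.split()[2:4]
            cfg["if_addr"][nameif] = ipaddress.IPv4Address(addr)
            cfg["subnets"][nameif] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        elif (m := STATIC_RE.match(line)):
            cfg["statics"].append(m.groups())
        elif (m := ACL_RE.match(line)):
            name, proto, tok = m.group(1), m.group(2), m.group(3).split()
            src, i = _addr_spec(tok, 0)
            dst, i = _addr_spec(tok, i)
            port = tok[i + 1] if i + 1 < len(tok) and tok[i] == "eq" else None
            cfg["aces"].append((name, proto, src, dst, PORT_NAMES.get(port, port)))
        elif (m := RANGE_RE.match(line)) and _ip(m.group(1)) is not None and _ip(m.group(2)) is not None:
            cfg["ranges"].append((_ip(m.group(1)), _ip(m.group(2))))
        elif (m := GROUP_RE.match(line)):
            cfg["groups"][m.group(2)] = m.group(1)
    return cfg


def lint(config: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings for every static PAT entry."""
    cfg = parse(config)
    out: List[Tuple[str, str]] = []
    acl_name = cfg["groups"].get("outside")
    acl = [a for a in cfg["aces"] if a[0] == acl_name]
    if any(a[1:] == ("ip", "any", "any", None) for a in acl):
        out.append(("WARN", f"{acl_name}: 'permit ip any any' exposes every translated host; permit only the mapped addresses and ports"))
    for real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port in cfg["statics"]:
        desc = f"static ({real_if},{mapped_if}) {proto} {mapped_ip}/{mapped_port} -> {real_ip}/{real_port}"
        real, subnet = _ip(real_ip), cfg["subnets"].get(real_if)
        if real is not None and subnet is not None and real not in subnet:
            out.append(("ERROR", f"{desc}: {real_ip} is not in the {real_if} subnet {subnet}, so the translated packet has nowhere to go"))
        if real is not None and any(lo <= real <= hi for lo, hi in cfg["ranges"]):
            out.append(("WARN", f"{desc}: {real_ip} also lies in a VPN or DHCP pool and may be handed to another client"))
        targets = {mapped_ip, "any"}  # names an ACE may use for the mapped address
        if mapped_ip == "interface" and mapped_if in cfg["if_addr"]:
            targets.add(str(cfg["if_addr"][mapped_if]))
        want_port = PORT_NAMES.get(mapped_port, mapped_port)
        if not any(a[1] in (proto, "ip") and a[3] in targets and a[4] in (None, want_port) for a in acl):
            out.append(("ERROR", f"{desc}: nothing in {acl_name} permits {proto}/{mapped_port} to {mapped_ip} (pre-8.3 ACLs match the mapped address)"))
    return out


if __name__ == "__main__":
    for level, msg in lint(SAMPLE_CONFIG):
        print(f"{level}: {msg}")
```

Run against the sample it reports the two 172.23.13.18 statics as errors and the permit ip any any as a warning; after the typo is fixed, tightening the ACL to a single host shows which statics (the ones using interface) the new ACE no longer covers. On the box itself the same question is answered by packet-tracer input outside tcp 198.51.100.7 51234 <outside-ip> 80 (present from 7.2), which shows which phase (ACL, NAT, route) drops the packet, and show xlate confirms the static was installed.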
 
j_crow1 (Author) commented:
DOH!

All right, I fixed the statics, and it's still not working. I am stumped.

static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.26.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.26.13.18 48806 netmask 255.255.255.255
 
Ernie Beek commented:
Could you post a new sanitized config to see how it looks now?
 
j_crow1 (Author) commented:
ASA Version 7.2(4)
!
hostname HOSTNAME
domain-name DOMAINNAME
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.26.13.17 255.255.255.240
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address EXTERNALIIP 255.255.255.255 pppoe
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAIN.COM
access-list inside_nat0_outbound extended permit ip 172.26.13.16 255.255.255.240 192.168.47.0 255.255.255.0
access-list inside_NAT_outbound extended permit ip 172.26.13.16 255.255.255.240 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host INTERFACEIP eq www
access-list outside_access_in extended permit udp any host INTERFACEIP eq 48808
access-list outside_access_in extended permit udp any host INTERFACEIP eq 48806
access-list outside_access_in extended permit tcp any host SECONDPUBLICIP eq www
access-list outside_access_in extended permit udp any host SECONDPUBLICIP eq 48808
access-list outside_access_in extended permit udp any host SECONDPUBLICIP eq 48806
access-list 147 extended permit ip 172.26.13.16 255.255.255.240 192.168.47.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool Hubbard 172.26.13.18-172.26.13.22 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 172.26.13.18 www netmask 255.255.255.255
static (inside,outside) udp interface 48808 172.26.13.18 48808 netmask 255.255.255.255
static (inside,outside) udp interface 48806 172.26.13.18 48806 netmask 255.255.255.255
static (inside,outside) tcp OUTSIDEIP2 www 172.26.13.19 www netmask 255.255.255.255
static (inside,outside) udp OUTSIDEIP2 48808 172.26.13.19 48808 netmask 255.255.255.255
static (inside,outside) udp OUTSIDEIP2 48806 172.26.13.19 48806 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 172.26.13.16 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL_MAP 47 match address 147
crypto map TUNNEL_MAP 47 set peer TUNNEL1IP
crypto map TUNNEL_MAP 47 set transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname EMAIL
vpdn group ATT ppp authentication pap
vpdn username EMAIL password PASSWORD
dhcpd dns INTERNALDNSIP 8.8.8.8
dhcpd domain DOMAIN.COM
!
dhcpd address 172.26.13.19-172.26.13.22 inside
dhcpd enable inside
!

username BLAHBLAH
tunnel-group TUNNELIP type ipsec-l2l
tunnel-group TUNNELIP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a3586de2007a3fdc1c1338c5f2ed1b9a
: end
 
Ernie Beek commented:
Mmm, weird indeed.

After a quick look (from my phone, that is ;)), I can't find it.
Did you have a look at the (ASDM) logs when trying to connect to see if anything shows up there?
Sometimes that helps a lot.
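Ernie's advice to read the logs is the fastest way to split "the ASA dropped it" from "the ASA forwarded it and the host never answered", so here is that triage carried out in code. It is an added example written for this page, not code from the thread or from Cisco. It sorts ASA syslog messages into firewall-side failures (106023, denied by the ACL on the outside interface; 305005, no static or nat entry matched) and host-side failures (a 302013 inbound connection that the ASA built and then tore down with 302014 and the reason SYN Timeout, meaning the inside server never replied). The log lines are constructed in ASA syslog format and are not from the poster's device; 203.0.113.x stands in for the public addresses and 198.51.100.x for outside clients.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed lines in ASA syslog format (not from the poster's device).
# 203.0.113.x plays the public addresses, 198.51.100.x the outside clients.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst outside:203.0.113.5/80 by access-group "outside_access_in" [0x0, 0x0]
%ASA-3-305005: No translation group found for tcp src outside:198.51.100.7/51235 dst inside:172.23.13.18/80
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51236 (198.51.100.7/51236) to inside:172.26.13.18/80 (203.0.113.5/80)
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/51236 to inside:172.26.13.18/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4712 for outside:198.51.100.9/40001 (198.51.100.9/40001) to inside:172.26.13.19/80 (203.0.113.6/80)
%ASA-6-302014: Teardown TCP connection 4712 for outside:198.51.100.9/40001 to inside:172.26.13.19/80 duration 0:00:05 bytes 2310 TCP FINs
"""

DENY_RE = re.compile(r'%ASA-4-106023: Deny (\w+) src (\S+) dst (\S+) by access-group "([^"]+)"')
NOXLATE_RE = re.compile(r"%ASA-3-305005: No translation group found for (\w+) src (\S+) dst (\S+)")
BUILT_RE = re.compile(r"%ASA-6-302013: Built inbound TCP connection (\d+) for (\S+) \(\S+\) to (\S+) \(\S+\)")
TEARDOWN_RE = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for (\S+) to (\S+) duration (\S+) bytes (\d+) (.+)$")


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (verdict, detail) per dropped packet or finished connection.

    'firewall:*' means the ASA dropped it and the config needs fixing,
    'host:*' means the ASA forwarded it and the inside host is the problem,
    'ok' is a connection that actually carried data.
    """
    built: Dict[str, str] = {}  # conn id -> mapped (public) socket taken from the 302013 line
    verdicts: List[Tuple[str, str]] = []
    for line in log.splitlines():
        if m := DENY_RE.search(line):
            proto, src, dst, acl = m.groups()
            verdicts.append(("firewall:acl-deny", f"{proto} {src} -> {dst} dropped by ACL {acl}; "
                             "pre-8.3 ACLs are evaluated against the mapped (public) address"))
        elif m := NOXLATE_RE.search(line):
            proto, src, dst = m.groups()
            verdicts.append(("firewall:no-translation", f"{proto} {src} -> {dst}: no static or nat entry matched"))
        elif m := BUILT_RE.search(line):
            built[m.group(1)] = line.rsplit("(", 1)[1].rstrip(")")
        elif m := TEARDOWN_RE.search(line):
            conn, src, dst, duration, nbytes, reason = m.groups()
            mapped = built.get(conn, "?")
            if reason == "SYN Timeout":
                verdicts.append(("host:no-response", f"conn {conn} {src} -> {dst} (mapped {mapped}): ASA built the "
                                 f"connection but the inside host never answered the SYN within {duration}"))
            else:
                verdicts.append(("ok", f"conn {conn} {src} -> {dst} (mapped {mapped}): {nbytes} bytes, closed by {reason}"))
    return verdicts


def summary(log: str) -> Dict[str, int]:
    """Collapse a long log to verdict counts: where is the fault, firewall or host?"""
    return dict(Counter(verdict for verdict, _ in triage(log)))


if __name__ == "__main__":
    for verdict, detail in triage(SAMPLE_LOG):
        print(f"{verdict:24} {detail}")
    print(summary(SAMPLE_LOG))
```

A run of SYN Timeout teardowns with 0 bytes is the signature of where this thread ends up: the ASA did its part and the inside host is what to look at (service listening on that address, default gateway pointing at the ASA's inside address, host firewall). On a 7.2 box the lines come from show logging or ASDM's real-time log viewer; logging buffered informational is needed to capture the 302013/302014 connection messages.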
 
j_crow1 (Author) commented:
I can ping it, so I am closing this. I think it is an issue with the actual device.
