Max Airing


Static PAT through ASA not working (or is it?)

PAT through ASA 5506 doesn't load GUI of destination

Client has a single static public IP. They have a camera system and door controller system that they need to manage remotely. Using PAT for the cameras on http works fine, however trying to access the door controller does not work on port 90. I have a PAT and ACL for the door controller which passes packet tracer and not seeing any blocks, but alas the web interface of the door controller does not load, just sits there white screen until timeout. I have tried everything I can think of and running out of options. This used to work with the old firewall and for some reason I have been able to get it to work in the past with this ASA but it was hit or miss so I started over, now it doesn't work at all. What is wrong here? I noticed that in the PAT settings there is a "real" and "mapped" port option and in the past it started working when removing the "Real" port. I see the requests coming in from random ports so I wasn't sure if this could be part of the problem. Obviously routing all requests on the outside interface to the door controller is not ideal and breaks my remote access to the firewall.

FYI loading the GUI internally from a web browser on port 90 of the inside IP 192.168.0.16 works fine. It just doesn't seem to pass the data through the firewall. The logs just show connection built and then tear down.

Config is attached, I appreciate any input as to how to get this to work!
Pete Long

Has the door lock system got the firewall as its default gateway? (If not, it will never work.)

In the firewall "show xlate | incl 192.168.0.16"

Should tell you if it's set up properly. Remember the ACL should point to 192.168.0.16, NOT the public address, and your packet tracer should have your public address as the destination.

P
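
The setup described in the answer above, written out as ASA 8.3+ CLI. This is an added example, not the asker's attached config and not part of either post; the object name, ACL name, and the 198.51.100.10 and 203.0.113.50 addresses are placeholders, and the interface names inside/outside are assumed.

```cisco
! Static PAT: real host 192.168.0.16 tcp/90 published on the outside
! interface address, also on tcp/90.
! Syntax is "service tcp <real-port> <mapped-port>". Both values are the
! server-side (destination) port; the client's random source port is
! never part of this rule.
object network DOOR-CONTROLLER
 host 192.168.0.16
 nat (inside,outside) static interface service tcp 90 90

! On 8.3 and later the outside ACL is checked after un-NAT, so it must
! name the REAL (inside) address, not the public one.
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.16 eq 90
access-group OUTSIDE-IN in interface outside

! Verification (exec mode, not configuration):
! 1. The translation should be listed for the inside host.
show xlate | incl 192.168.0.16

! 2. Simulate an inbound connection. The destination is the PUBLIC
!    address (placeholder 198.51.100.10); the source is any outside
!    host (placeholder 203.0.113.50) with an arbitrary high port.
packet-tracer input outside tcp 203.0.113.50 12345 198.51.100.10 90
```

In the packet-tracer output, the UN-NAT phase should show the destination rewritten to 192.168.0.16/90 and the final action should be allow.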
Max Airing

ASKER

Thanks Pete, yes the door controller has the ASA as its default gateway and I confirmed the ISP modem is doing no firewalling at all. I have one computer in my office that can consistently launch the GUI albeit slowly, but other machines cannot get it to load (all remote). I am adding some public IPs to use NAT in hopes that will address the issue. I am still interested in figuring out the issue here, and will update soon.