ASA 5505 Port Forwarding, NAT error
  • ASA 5505 Port Forwarding, NAT error

    Hi.

    I am trying to configure port forwarding on an ASA 5505.
    Inside there is an SBS 2008 that needs to be reached from the outside on ports 25, 80, 443 and 987.

    I am using ASDM to configure it, but running Packet Tracer gives a NAT error that drives me crazy. See attachment.

    Running Config is:

    Result of the command: "show running-config"

    : Saved
    :
    ASA Version 7.2(4)

    names
    name 192.168.1.101 SBS2008 description SBS 2008 server
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 82.xxx.xxx.xxx 255.255.255.248
    !
    interface Vlan12
    no forward interface Vlan1
    nameif dmz
    security-level 10
    ip address 10.0.0.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    switchport access vlan 12
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup dmz
    dns server-group DefaultDNS
    name-server 217.144.239.98
    name-server 82.xxx.xxx.xxx
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.128
    access-list outside_access_in remark Open http for SBS 2008
    access-list outside_access_in extended permit tcp any host SBS2008 eq www
    access-list outside_access_in remark Open for Companyweb on SBS2008
    access-list outside_access_in extended permit tcp any host SBS2008 eq 987
    access-list outside_access_in remark Open SMTP to SBS2008
    access-list outside_access_in extended permit tcp any host SBS2008 eq smtp
    access-list outside_access_in remark Open https to SBS 2008
    access-list outside_access_in extended permit tcp any host SBS2008 eq https
    pager lines 24
    logging enable
    logging asdm informational
    logging from-address xxxxxxxxxxx
    logging recipient-address xxxxxxxxxxx level alerts
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool Inside_VPN 192.168.1.50-192.168.1.75 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp SBS2008 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface www SBS2008 www netmask 255.255.255.255
    static (inside,outside) tcp interface https SBS2008 https netmask 255.255.255.255
    static (inside,outside) tcp interface 987 SBS2008 987 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 82.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs group1
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs group1
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd dns 217.144.239.98 82.xxx.xxx.xxx interface inside
    dhcpd lease 10000 interface inside
    !
    dhcpd address 10.0.0.10-10.0.0.40 dmz
    dhcpd dns 217.144.239.98 82.xxx.xxx.xxx interface dmz
    dhcpd lease 1000 interface dmz
    dhcpd enable dmz
    !

    ...............
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    ..................................
    : end

    Can someone help? I'm about to go crazy.

    Best regards, NAN
    Last edited by AndyJG247; 6th March 2009, 13:27.

  • #2
    Re: ASA 5505 Port Forwarding, NAT error

    Hi NAN,

    I've changed your route statement below as well, because it exposed your public IP.

    It all looks pretty good from what I have seen in the config. I haven't used ASDM, so I'm not sure config-wise on that, but you generally need:

    Code:
    access-list outside_access_in remark Open http for SBS 2008
    access-list outside_access_in extended permit tcp any host SBS2008 eq www 
    access-list outside_access_in remark Open for Companyweb on SBS2008
    access-list outside_access_in extended permit tcp any host SBS2008 eq 987 
    access-list outside_access_in remark Open SMTP to SBS2008
    access-list outside_access_in extended permit tcp any host SBS2008 eq smtp 
    access-list outside_access_in remark Open https to SBS 2008
    access-list outside_access_in extended permit tcp any host SBS2008 eq https 
    static (inside,outside) tcp interface smtp SBS2008 smtp netmask 255.255.255.255 
    static (inside,outside) tcp interface www SBS2008 www netmask 255.255.255.255 
    static (inside,outside) tcp interface https SBS2008 https netmask 255.255.255.255 
    static (inside,outside) tcp interface 987 SBS2008 987 netmask 255.255.255.255 
    access-group outside_access_in in interface outside
    those commands for inbound traffic, and they all look good.
    I assume you have tested externally to see if it does connect?

    Also, your DHCP settings are giving out public DNS servers?
    cheers
    Andy

    Quis custodiet ipsos custodes?

    • #3
      Re: ASA 5505 Port Forwarding, NAT error

      Hi Andy, and thanks for your reply.

      Yes, I have tested it from outside, but it's not working.

      The DHCP settings were temporary while I was configuring the network; I forgot to change them. Thanks for the reminder.

      • #4
        Re: ASA 5505 Port Forwarding, NAT error

        As a guess, can you try altering the public IP you are using for the static?
        You have nat and global plus the statics all using "interface", but you also have 6 usable IP addresses, so how about incrementing the number by 1 to test?
        cheers
        Andy

        Quis custodiet ipsos custodes?

        • #5
          Re: ASA 5505 Port Forwarding, NAT error

          PROBLEM SOLVED

          Changed the ACL to point to the public address, not the internal SBS.

          That solved the problem.

          • #6
            Re: ASA 5505 Port Forwarding, NAT error

            How embarrassing, I missed that completely.
            I should have read your names entry more carefully. Glad you sorted it. For other readers, the ACL statements are along the lines of:

            access-list NAME permit tcp any host 1.1.1.1 eq smtp

            access-list : this is the command
            NAME : this is a name for the ACL; it needs to be used for access-group as well
            permit : can be permit or deny
            tcp : tcp, udp, ip, etc.
            any : this allows from anywhere; can be replaced with "host 2.2.2.2" for specifics
            host 1.1.1.1 : this is the external (in this case) IP address that is "publishing"
            eq smtp : equals SMTP; you can use "eq" with anything here, even ranges, etc.

            Thanks steffen_sor, a good lesson in paying attention to details!
            cheers
            Andy

            Quis custodiet ipsos custodes?
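            Added example (not code from the thread or from Cisco): the mistake above is easy to repeat, because on ASA 7.x and 8.0 to 8.2 the inbound interface ACL is evaluated before the static is un-NATed, so the ACL must name the mapped (public) address, while on 8.3 and later the order is reversed and the ACL names the real (inside) host. The script below parses a constructed pre-8.3 config modelled on the one posted (public IP replaced with a documentation address, 198.51.100.2, which is an assumption), resolves `name` aliases and `interface` keywords, and flags every inbound ACL entry that names the real host of a static PAT, printing the corrected line. The config lines, port-keyword table and function names are all mine, not the firewall's.

```python
"""Audit a pre-8.3 Cisco ASA config for inbound ACL entries that name the real
(inside) host of a static PAT instead of the mapped (public) address.
Only valid for ASA 7.x / 8.0-8.2; on 8.3+ ACLs name the real address instead.
Added example, not code from the original thread."""
import re
from dataclasses import dataclass, field

# Port keywords used by the sample; extend as needed (assumed table, not Cisco's).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp (.+?) host (\S+) eq (\S+)$")

# Constructed sample modelled on the thread's config.  The www and 987 entries
# repeat the original mistake; the https entry already uses the mapped address.
SAMPLE_CONFIG = """\
name 192.168.1.101 SBS2008 description SBS 2008 server
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 198.51.100.2 255.255.255.248
access-list outside_access_in extended permit tcp any host SBS2008 eq www
access-list outside_access_in extended permit tcp any host 198.51.100.2 eq https
access-list outside_access_in extended permit tcp any host SBS2008 eq 987
static (inside,outside) tcp interface www SBS2008 www netmask 255.255.255.255
static (inside,outside) tcp interface https SBS2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 987 SBS2008 987 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""


def port_number(token: str) -> int:
    """Normalise an ASA port keyword or number to an integer."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port keyword: {token}")


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str      # literal IP; "interface" is resolved to the nameif's address
    mapped_port: int
    real_ip: str        # literal IP; "name" aliases are resolved
    real_port: int


@dataclass
class AclEntry:
    line: str
    dst_token: str      # as written: a name alias or a literal IP
    port: int


@dataclass
class Finding:
    line: str
    real_ip: str
    mapped_ip: str
    fixed_line: str


@dataclass
class Config:
    names: dict = field(default_factory=dict)     # alias -> IP
    ifc_ip: dict = field(default_factory=dict)    # nameif -> IP
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)      # acl name -> [AclEntry]
    bindings: dict = field(default_factory=dict)  # nameif -> inbound acl name


def parse_config(text: str) -> Config:
    """Pull out the few statement types the check needs; ignore everything else."""
    cfg = Config()
    current_ifc = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_ifc = None                       # new stanza; nameif follows
        elif line.startswith("nameif "):
            current_ifc = line.split()[1]
        elif line.startswith("ip address ") and current_ifc:
            cfg.ifc_ip[current_ifc] = line.split()[2]
        elif line.startswith("name "):
            _, ip, alias = line.split()[:3]
            cfg.names[alias] = ip
        elif line.startswith("access-group "):
            _, acl, _, _, ifc = line.split()[:5]
            cfg.bindings[ifc] = acl
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped, mport, real, rport = m.groups()
            mapped_ip = cfg.ifc_ip[mapped_ifc] if mapped == "interface" else mapped
            cfg.statics.append(Static(real_ifc, mapped_ifc, mapped_ip, port_number(mport),
                                      cfg.names.get(real, real), port_number(rport)))
        elif m := ACL_RE.match(line):
            acl, _src, dst, port = m.groups()
            cfg.acls.setdefault(acl, []).append(AclEntry(line, dst, port_number(port)))
    return cfg


def check_inbound_acls(cfg: Config) -> list:
    """Pre-8.3 rule: an inbound entry on the mapped interface must match the mapped
    address and mapped port; flag entries that name the static's real host instead."""
    findings = []
    for st in cfg.statics:
        for entry in cfg.acls.get(cfg.bindings.get(st.mapped_ifc), []):
            if entry.port != st.mapped_port:
                continue
            if cfg.names.get(entry.dst_token, entry.dst_token) == st.real_ip:
                fixed = entry.line.replace(f"host {entry.dst_token}", f"host {st.mapped_ip}")
                findings.append(Finding(entry.line, st.real_ip, st.mapped_ip, fixed))
    return findings


def audit(text: str) -> list:
    return check_inbound_acls(parse_config(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"pre-8.3 mismatch: {f.line!r} names real host {f.real_ip}")
        print(f"  use the mapped address instead: {f.fixed_line}")
```

            After correcting the lines, the quickest on-box confirmation is the same tool the original poster used from ASDM, run from the CLI against the public address: `packet-tracer input outside tcp <some-internet-ip> 40000 <outside-interface-ip> 80` should now show the static translation and an ACCESS-LIST ALLOW rather than a NAT drop. Keep in mind that the check above is deliberately version-bound; run it against an 8.3+ config and it will report the correct configuration as wrong.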
