Cisco ASA NAT problem

michellez · 13 Feb 2011 at 23:14

O joy. Loving the new 'format' to NATing, not! I'm use to old PIX and 800 series boxes. What am I doing wrong here?

Cisco ASA 5505 running 8.4(1).

Outside: Dynamic IP – vlan 2 – 'ip address dhcp setroute'
Inside: 192.168.1.1 – vlan 1
Web server: 192.168.1.254

Config:

Code:

object network webserver
  host 192.168.1.254
 
access-list outside_access extended permit tcp any object webserver eq www
 
object network webserver
  nat (outside,inside) static interface service tcp www www
 
access-group outside_access in interface outside

Yet it isn't working. Logs show:

Code:

TCP access denied by ACL from <remote computer requesting web pages IP>/51210
to outside:<my current outside IP received via DHCP>/80

ACL? I can see other things being denied by the access-list 'outside_access' fine. Why does this say ACL? What is blocking it?

Even resorted to trying to do it via the ASDM but having an a dynamic IP via DHCP is baffling me with a few boxes, and the fact I've never used the ASDM. Always done it via the the CLI!

General NAT is going off via this, general internet access is working:

Code:

nat (inside,outside) source dynamic any interface

Thanks for your help
Shell

Chief Wiggum · 14 Feb 2011 at 07:39

I'm not 100% on this, it's been a while since I used an ASA, don't you have to put a rule to permit traffic to the interface itself ?
Source any, destination interface tcp 80

michellez · 14 Feb 2011 at 10:25

That's what I put "access-list outside_access extended permit tcp any object webserver eq www" in for. It did come to me when lying trying to fall asleep (!) though last night that may be it needs to be "access-list outside_access extended permit tcp any any eq www".

Can not test until tonight though so if any one can spread any light, please do

I am confused by it saying denied by ACL and not specifically 'outside_access'.

matthab · 14 Feb 2011 at 10:37

Have you specified which Outside IP's are allowed in. So create a object for outside traffic?

Sorry if im wrong ASA stuff im still learning.

michellez · 14 Feb 2011 at 12:12

I have the following. The external IP is dynamic so can't specify it.

Code:

object network obj_any
 subnet 0.0.0.0 0.0.0.0


object network obj_any
 nat (inside,outside) dynamic interface

Chief Wiggum · 14 Feb 2011 at 12:12

like I said - I'm a bit rusty, but I'm sure you have to permit traffic to the outside interface itself rather than the webserver as you're doing an interface NAT. You're permitting traffic to the webserver...

I'm sure that there is a control plane ACL that I've heard mentioned before. If I get time later I'll fire up the 5505 on my desk and give it a try

Chief Wiggum · 14 Feb 2011 at 12:13

michellez said:
I have the following. The external IP is dynamic so can't specify it.

Code:

object network obj_any subnet 0.0.0.0 0.0.0.0 object network obj_any nat (inside,outside) dynamic interface

you should have an object for the 'interface' that you can select as the destination - it may be that you have to create that object and update it as your IP changes...

michellez · 14 Feb 2011 at 12:13

That's a point. I have what I put in the my last post *and* this in the top level too.

Code:

nat (inside,outside) source dynamic any interface

michellez · 14 Feb 2011 at 12:14

Chief Wiggum said:
you should have an object for the 'interface' that you can select as the destination

Can you give me an example please? Bit confuzzled. :confused:

derfderfley · 14 Feb 2011 at 19:44

off the top of my head (I never really work with anything on dynamic ip's for firewalls) try something like this;

access-list outside_access remark *** allow anyone access to port 80 ***
access-list outside_access extended permit tcp any eq www log

!map the webserver to the outside interface for port 80 traffic
static(inside,outside) tcp 192.168.1.254 www interface www

michellez · 17 Feb 2011 at 21:46

Ok, still not having any luck with this. Keep in mind/incase you were not aware 8.3 and above is different when it comes to NAT!

I now have the following and still nothing.

Code:

object network webserver 
 host 192.168.1.254

access-list outside_access extended permit tcp any any eq www log 

nat (inside,outside) source dynamic any interface

object network webserver
 nat (inside,outside) static interface service tcp www www 

access-group outside_access in interface outside

Cheers
Shell

michellez · 17 Feb 2011 at 21:51

I'm sure there's a clue in how it doesn't say denied by "outside_access" in logs but does for ICMP.

Code:

%ASA-3-710003: TCP access denied by ACL from <remote PC I am trying to load
web page from>/40871 to outside:<my current dynamic IP>/80
%ASA-4-106023: Deny icmp src outside:<a remote external IP I am trying to 
ping> dst inside:192.168.1.2 (type 0, code 0) by access-group "outside_access" [0x0, 0x0]

Chief Wiggum · 17 Feb 2011 at 22:18

that's really odd, I've not had a chance to fire up my ASA yet, though it is on my desk... I've been working on lots more faults than normal this week.

I'll try and get onto it tomorrow at some stage or might bring it home over the weekend

michellez · 17 Feb 2011 at 22:21

BINGO!!

You don't want "nat (inside,outside) source dynamic any interface" at the top level.

You want instead:

Code:

object network obj_any 
   subnet 0.0.0.0 0.0.0.0
object network obj_any
   nat (inside,outside) dynamic interface

(for the rest see my last post this evening with config copied)

Cheers all, appreciated

Shell

ThorpedoUK · 19 Feb 2011 at 00:55

Glad you got it working mate, I am in love with my 5505, but it took me a whole day to get it working!!

Awesome kit.

The clientless VPN plugins are soooo cooool especially the RDP one.

Hopefully have a 5510 soon with extended license.

Are you running latest ASA image?

michellez · 20 Feb 2011 at 16:57

ThorpedoUK said:
Glad you got it working mate, I am in love with my 5505, but it took me a whole day to get it working!!

Awesome kit.

The clientless VPN plugins are soooo cooool especially the RDP one.

Hopefully have a 5510 soon with extended license.

Are you running latest ASA image?

Yep. Spent plenty time on Pixs and 800 series routers but they've completely changed how some of it works on an ASA.

Not got as far as playing with things like that (clientless VPN plugins) - Sounds interesting! Shall investigate..

Yes. Made sure I updated it all. Also realised after lots of searching and this thread, I do have a Cisco support contract and could have just asked them for help! lol. Old employees never bought them so didn't think. Took no convincing with new employee

michellez · 28 Feb 2011 at 09:49

Written it all down here quickly in case it helps any one finding this post while Googling (and other bits I am discovering..):
http://noidear.tumblr.com/post/3505666403/cisco-asa-nat

derfderfley · 3 Mar 2011 at 20:06

I really must get round to putting 8.3 on one of the spare ASA's at work for a proper looksee. But today has been taken up figuring out the new "mobile access blade" in Checkpoint FW1 R75

And one of the spare ASA's has been set up as a IPv6 only FW, which is my other plaything at the moment