Cisco ASA NAT problem

O joy. Loving the new 'format' for NATing, not! I'm used to old PIX and 800 series boxes. What am I doing wrong here? :(

Cisco ASA 5505 running 8.4(1).

Outside: Dynamic IP – vlan 2 – 'ip address dhcp setroute'
Inside: 192.168.1.1 – vlan 1
Web server: 192.168.1.254

Config:

Code:
object network webserver
  host 192.168.1.254
 
access-list outside_access extended permit tcp any object webserver eq www
 
object network webserver
  nat (outside,inside) static interface service tcp www www
 
access-group outside_access in interface outside

Yet it isn't working. Logs show:

Code:
TCP access denied by ACL from <remote computer requesting web pages IP>/51210
to outside:<my current outside IP received via DHCP>/80

ACL? I can see other things being denied by the access-list 'outside_access' fine. Why does this say ACL? What is blocking it?

Even resorted to trying to do it via the ASDM, but having a dynamic IP via DHCP is baffling me with a few boxes, and the fact I've never used the ASDM. Always done it via the CLI!

General NAT is going off via this, general internet access is working:

Code:
nat (inside,outside) source dynamic any interface

Thanks for your help
Shell
 
I'm not 100% on this, it's been a while since I used an ASA, don't you have to put a rule to permit traffic to the interface itself ?
Source any, destination interface tcp 80
 
That's what I put "access-list outside_access extended permit tcp any object webserver eq www" in for. It did come to me when lying trying to fall asleep (!) last night, though, that maybe it needs to be "access-list outside_access extended permit tcp any any eq www".

Cannot test until tonight though, so if anyone can shed any light, please do :)

I am confused by it saying denied by ACL and not specifically 'outside_access'.
 
Have you specified which outside IPs are allowed in? So create an object for outside traffic?

Sorry if I'm wrong, I'm still learning ASA stuff.
 
I have the following. The external IP is dynamic so can't specify it.

Code:
object network obj_any
 subnet 0.0.0.0 0.0.0.0


object network obj_any
 nat (inside,outside) dynamic interface
 
like I said - I'm a bit rusty, but I'm sure you have to permit traffic to the outside interface itself rather than the webserver as you're doing an interface NAT. You're permitting traffic to the webserver...

I'm sure that there is a control plane ACL that I've heard mentioned before. If I get time later I'll fire up the 5505 on my desk and give it a try :)
 
you should have an object for the 'interface' that you can select as the destination - it may be that you have to create that object and update it as your IP changes...
 
That's a point. I have what I put in my last post *and* this at the top level too.

Code:
nat (inside,outside) source dynamic any interface
 
Off the top of my head (I never really work with anything on dynamic IPs for firewalls), try something like this:

Code:
access-list outside_access remark *** allow anyone access to port 80 ***
access-list outside_access extended permit tcp any any eq www log

! map the webserver to the outside interface for port 80 traffic
! (pre-8.3 syntax: mapped interface/port first, then the real host/port)
static (inside,outside) tcp interface www 192.168.1.254 www
 
OK, still not having any luck with this. Keep in mind, in case you were not aware, that 8.3 and above is different when it comes to NAT!

I now have the following and still nothing.

Code:
object network webserver 
 host 192.168.1.254

access-list outside_access extended permit tcp any any eq www log 

nat (inside,outside) source dynamic any interface

object network webserver
 nat (inside,outside) static interface service tcp www www 

access-group outside_access in interface outside

Cheers
Shell
 
I'm sure there's a clue in how it doesn't say denied by "outside_access" in logs but does for ICMP.

Code:
%ASA-3-710003: TCP access denied by ACL from <remote PC I am trying to load
web page from>/40871 to outside:<my current dynamic IP>/80
%ASA-4-106023: Deny icmp src outside:<a remote external IP I am trying to 
ping> dst inside:192.168.1.2 (type 0, code 0) by access-group "outside_access" [0x0, 0x0]
 
that's really odd, I've not had a chance to fire up my ASA yet, though it is on my desk... I've been working on lots more faults than normal this week.

I'll try and get onto it tomorrow at some stage or might bring it home over the weekend
 
BINGO!!

You don't want "nat (inside,outside) source dynamic any interface" at the top level.

You want instead:
Code:
object network obj_any 
   subnet 0.0.0.0 0.0.0.0
object network obj_any
   nat (inside,outside) dynamic interface

(for the rest see my last post this evening with config copied)

Cheers all, appreciated :)
Shell
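A complete 8.4-style version of the finished setup, added here as an example and not copied from any post above. It keeps the thread's own names (object webserver, object obj_any, access-list outside_access) and assumes two placeholders the thread never shows: 203.0.113.5 as a made-up outside client and <outside-ip> for whatever address DHCP has currently handed the outside interface.

```cisco
! Real server object. The object NAT below maps TCP/80 on the outside
! interface address to 192.168.1.254:80. 'interface' follows the DHCP-assigned
! address, so no outside IP ever has to appear in the config. Note the
! interface pair is (inside,outside): real interface first, mapped second.
object network webserver
 host 192.168.1.254
 nat (inside,outside) static interface service tcp www www

! Outbound PAT for everything else, written as object NAT (NAT section 2)
! rather than a top-level 'nat (inside,outside) source dynamic any interface'
! line. The top-level form is manual NAT (section 1), which the ASA evaluates
! before every object NAT rule; within section 2, static rules come before
! dynamic ones, so the webserver mapping is matched ahead of this PAT.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! 8.3+ evaluates interface ACLs against the real (un-NATed) address, so the
! permit names the object, not 'any' or the interface address.
access-list outside_access extended permit tcp any object webserver eq www log
access-group outside_access in interface outside

! Checks. 203.0.113.5 is a placeholder client; replace <outside-ip> with the
! address 'show ip address outside' reports.
show ip address outside
show nat detail
packet-tracer input outside tcp 203.0.113.5 51210 <outside-ip> 80
show xlate
```

Two things this clears up from the logs posted earlier. %ASA-3-710003 is logged for connections to the ASA itself, not for through traffic, which is why it names no access-group: with no NAT rule claiming port 80 on the outside address, the SYN was treated as to-the-box traffic (the kind governed by the http/ssh/telnet management commands) and dropped there. Once the static object NAT matches, the packet is un-NATed to 192.168.1.254 and evaluated against outside_access, exactly as the ICMP in the %ASA-4-106023 line was. And 'any any eq www' in the later config does work, but it is broader than needed; permitting to the object is the 8.3+ way to say "only the web server".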
 
Glad you got it working mate, I am in love with my 5505, but it took me a whole day to get it working!!

Awesome kit.

The clientless VPN plugins are soooo cooool especially the RDP one.

Hopefully have a 5510 soon with extended license.

Are you running latest ASA image?
 
Yep. Spent plenty of time on PIXs and 800 series routers, but they've completely changed how some of it works on an ASA.

Not got as far as playing with things like that (clientless VPN plugins) - Sounds interesting! Shall investigate..

Yes. Made sure I updated it all. Also realised after lots of searching and this thread that I do have a Cisco support contract and could have just asked them for help! lol. Old employers never bought them so didn't think. Took no convincing with the new employer :)
 
I really must get round to putting 8.3 on one of the spare ASAs at work for a proper look-see. But today has been taken up figuring out the new "mobile access blade" in Checkpoint FW1 R75 ;)
And one of the spare ASAs has been set up as an IPv6-only FW, which is my other plaything at the moment :D
 