ASA 5505 NAT/PAT static Question

Discussion in 'Cisco' started by Colin Cant, Feb 7, 2009.

  1. Colin Cant

    Colin Cant Guest

    Hi NG,

    I've got the following problem to solve:

    I've got one single public IP address behind which I PAT all my internal
    192.168.X.Y networks.
    I've got one DMZ interface using 192.168.2.X.
    I've got internal hosts, for example 192.168.3.X.

    Now with the following config, my hosts from the internal network as well as
    the DMZ hosts can get out to 0.0.0.0 without a problem.

    My current problem is that I cannot connect from my internal 192.168.3.X
    network via my outside PAT address to services which are hosted in the DMZ
    (192.168.2.X).
    What is the correct "static" config for connecting from inside via the PAT
    address into my DMZ?

    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 192.168.2.0 255.255.255.0
    static (dmz,outside) tcp interface www 192.168.2.XX www netmask 255.255.255.255   <-- DMZ host

    Thank you,

    Colin
     
    Colin Cant, Feb 7, 2009
    #1

  2. Colin Cant

    Colin Cant Guest

    UPDATES:

    With the following config applied:

    static (dmz,inside) PUBLIC_IP PUBLIC_IP netmask 255.255.255.255

    I get the following log messages:
    #"portmap translation creation failed for tcp src inside: 192.168.3.XY/xxx
    dst dmz:pUBLIC_IP/80"
    The funny thing is that within the log file I see the source IP of the
    PUBLIC_IP, but no destination...
    Now, without the "static" config, the log entry looks like this:
    #"TCP access denied by ACL from 192.168.3.X/xxx to inside PUBLIC_IP/80"
    and the same: an empty destination field... Even when I put the following
    ACLs in place, I get that previous TCP denied message; I actually expected
    to see from which ACL name the packet got denied/accepted.


    access-list outside_access_in extended permit tcp any any range 1 65535 log
    access-list outside_access_in extended permit udp any any range 1 65535 log
    access-list outside_access_in extended permit ip any any log
    access-list outside_access_in extended permit icmp any any log

    access-list outside_access_out extended permit tcp any any range 1 65535 log
    access-list outside_access_out extended permit udp any any range 1 65535 log
    access-list outside_access_out extended permit ip any any log
    access-list outside_access_out extended permit icmp any any log

    access-list dmz_access_in extended permit tcp any any range 1 65535 log
    access-list dmz_access_in extended permit udp any any range 1 65535 log
    access-list dmz_access_in extended permit ip any any log
    access-list dmz_access_in extended permit icmp any any log

    access-list dmz_access_out extended permit tcp any any range 1 65535 log
    access-list dmz_access_out extended permit udp any any range 1 65535 log
    access-list dmz_access_out extended permit ip any any log
    access-list dmz_access_out extended permit icmp any any log

    access-list inside_access_in extended permit tcp any any range 1 65535 log
    access-list inside_access_in extended permit udp any any range 1 65535 log
    access-list inside_access_in extended permit ip any any log
    access-list inside_access_in extended permit icmp any any log

    access-list inside_access_out extended permit tcp any any range 1 65535 log
    access-list inside_access_out extended permit udp any any range 1 65535 log
    access-list inside_access_out extended permit ip any any log
    access-list inside_access_out extended permit icmp any any log

    access-group outside_access_in in interface outside
    access-group outside_access_out out interface outside

    access-group dmz_access_in in interface dmz
    access-group dmz_access_out out interface dmz

    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
     
    Colin Cant, Feb 7, 2009
    #2

  3. Morph

    Morph Guest

    In the message <498dcdfc$0$146$> Colin Cant wrote:

    | Hi NG,
    |
    | I've got the following problem to solve:
    |
    | I've got one single public IP address behind which I PAT all my internal
    | 192.168.X.Y networks.
    | I've got one DMZ interface using 192.168.2.X.
    | I've got internal hosts, for example 192.168.3.X.
    |
    | Now with the following config, my hosts from the internal network as well as
    | the DMZ hosts can get out to 0.0.0.0 without a problem.
    |
    | My current problem is that I cannot connect from my internal 192.168.3.X
    | network via my outside PAT address to services which are hosted in the DMZ
    | (192.168.2.X).
    | What is the correct "static" config for connecting from inside via the PAT
    | address into my DMZ?
    |
    | global (outside) 1 interface
    | nat (inside) 0 access-list inside_nat0_outbound
    | nat (inside) 1 0.0.0.0 0.0.0.0
    | nat (dmz) 1 192.168.2.0 255.255.255.0
    | static (dmz,outside) tcp interface www 192.168.2.XX www netmask 255.255.255.255   <-- DMZ host

    Why don't you connect to the DMZ address instead of the public address?

    If it is because you don't have an inside DNS server and the DNS name is
    resolved to the public address, then you can sort this out using DNS
    doctoring:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
     
    Morph, Feb 8, 2009
    #3
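Morph's answer hinges on DNS doctoring (DNS rewrite): the firewall inspects DNS replies that cross it and, where an A record carries the public address of a static translation, rewrites it to the real (DMZ) address before handing the reply to the inside host. The inside client then connects straight to 192.168.2.X and never needs the inside-to-DMZ hairpin through the PAT address that was failing above. The following Python model is an added illustration of that rewrite, written for this thread; it is not code from the thread, from Cisco, or from the ASA. The addresses 203.0.113.10 and 192.168.2.50 are constructed placeholders for the thread's PUBLIC_IP and 192.168.2.XX, and the DNS message is built inline so the example runs offline.

```python
import ipaddress
import struct

# Constructed stand-in for the thread's static translation:
# mapped (public) address -> real DMZ address. Placeholder values.
NAT_MAP = {"203.0.113.10": "192.168.2.50"}


def build_dns_response(qname, answer_ip, txid=0x1234):
    """Construct a minimal DNS reply: one question, one A record (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; 1 Q, 1 answer
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer


def _skip_name(data, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _answers(data):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_response(data, nat_map):
    """Rewrite A-record RDATA equal to a mapped address into its real address.

    Returns (rewritten_message, [(mapped, real), ...]). Only A/IN records with a
    4-byte RDATA are touched; the message length never changes, so no other
    offsets or the UDP payload size need fixing up.
    """
    out = bytearray(data)
    rewrites = []
    for off, rtype, rclass, rdlen in _answers(data):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            seen = str(ipaddress.IPv4Address(data[off:off + 4]))
            if seen in nat_map:
                out[off:off + 4] = ipaddress.IPv4Address(nat_map[seen]).packed
                rewrites.append((seen, nat_map[seen]))
    return bytes(out), rewrites


def first_a_record(data):
    """Return the first A-record address in a reply, or None (what a client would use)."""
    for off, rtype, rclass, rdlen in _answers(data):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return str(ipaddress.IPv4Address(data[off:off + 4]))
    return None


if __name__ == "__main__":
    # An outside DNS server answers with the public address; the firewall doctors
    # the reply on its way to the inside interface.
    reply = build_dns_response("www.example.com", "203.0.113.10")
    doctored, changes = doctor_dns_response(reply, NAT_MAP)
    print("client would resolve to:", first_a_record(doctored), "rewrites:", changes)
```

The rewrite is only correct when the interface that receives the reply can actually route to the real address, which holds here because inside hosts reach the DMZ directly; a reply heading out to the Internet must keep the public address, so a real implementation keys the decision on the translation's interface pair, which is what the linked Cisco document configures. The alternative that removes the dependency on inspection entirely is split DNS: an internal resolver that hands inside clients the DMZ address for the same name.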
  4. Colin Cant

    Colin Cant Guest

    Good guess, it's indeed about DNS.
    Thanks, I will have a look at it and try it.
     
    Colin Cant, Feb 8, 2009
    #4