Hi All,
I have an ASA 5506, connected to 100Mbps Comcast fiber. The public network is 50.xxx.xx.232 /29. The Comcast router is 50.xxx.xx.233, and my outside port on the ASA is 50.xxx.xx.234. I have three CCTV DVRs in a DMZ on the ASA using LAN IPs 192.168.1.250, 192.168.1.251 and 192.168.1.252. I am static NATing them to 50.xxx.xx.236, 50.xxx.xx.237 and 50.xxx.xx.238 respectively. After making the configurations on the ASA, I cannot ping or access these devices on the above 1-to-1 NATed IPs from the internet. What's more, if I change the public IP of the outside interface of my ASA to something else on the /29 subnet (50.xxx.xx.235 for example), I have no connectivity. But as long as I use 50.xxx.xx.234, I have an internet connection.
Packet-tracer tests are passing without a problem when targeting the IPs I'm using for the NATing on the /29. I am starting to suspect the ISP as the culprit, but could use some opinions. I've replaced the ASA with two other units - one 5506 and one 5505. Same results each time. Below is the config, followed by the packet-tracer output.
interface GigabitEthernet1/4
description To_Zonet_ZFS3024_Unmanaged_Switch_Port_24
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
!
object network CCTV-DVR-1
host 192.168.1.250
object network CCTV-DVR-2
host 192.168.1.251
object network CCTV-DVR-3
host 192.168.1.252
object network CCTV-DVR-1-p
host 50.xxx.xx.236
object network CCTV-DVR-2-p
host 50.xxx.xx.237
object network CCTV-DVR-3-p
host 50.xxx.xx.238
!
object network CCTV-DVR-1
nat (DMZ,outside) static CCTV-DVR-1-p
object network CCTV-DVR-2
nat (DMZ,outside) static CCTV-DVR-2-p
object network CCTV-DVR-3
nat (DMZ,outside) static CCTV-DVR-3-p
Packet-tracer from an outside source, inbound to DVR 50.xxx.xx.236:
FW14-SH5506-A# packet-tracer input outside tcp 12.x.xxx.20 8000 50.xxx.xx.236 8000
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network CCTV-DVR-1
nat (DMZ,outside) static CCTV-DVR-1-p
Additional Information:
NAT divert to egress interface DMZ
Untranslate 50.xxx.xx.236/8000 to 192.168.1.250/8000
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object-group Camera-DVRs object-group CameraPorts
object-group network Camera-DVRs
network-object object CCTV-DVR-1
network-object object CCTV-DVR-2
network-object object CCTV-DVR-3
object-group service CameraPorts tcp
port-object eq www
port-object eq 81
port-object eq 82
port-object eq 1024
port-object eq 1025
port-object eq 1026
port-object eq 8000
port-object eq 8001
port-object eq 8002
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network CCTV-DVR-1
nat (DMZ,outside) static CCTV-DVR-1-p
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9405, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
Traceroutes to 50.xxx.xx.234 (ASA WAN IP) make it one hop further than traceroutes to any of the IPs I am trying to use for the CCTV NATing.
Has to be the ISP, right? Question is, what could they be doing to it? It was working fine this morning.
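A set of on-box checks for the symptom described above, added here as an illustration (these commands are not from the original post, and the capture names arpout and dvr1in are arbitrary). Packet-tracer only shows what the ASA would do with a packet that has already arrived; it says nothing about whether the Comcast router is ever sending traffic for .236 toward the ASA. For a static NAT on ASA 8.3+ the ASA proxy-ARPs for 50.xxx.xx.236 on the outside interface by default, so the decisive questions are (1) does the upstream router ARP for .236 at all, (2) does the ASA answer from the outside MAC, and (3) do any inbound packets for .236 show up on the wire. The addresses are the post's own placeholders.

```cisco
! 1. Confirm the translation exists and see whether it has ever been hit
!    (untranslate_hits stays at 0 if nothing inbound has reached the ASA)
show nat detail

! 2. Confirm the ASA is not prevented from answering ARP for NAT addresses;
!    "sysopt noproxyarp outside" here would explain the symptom on the ASA side
show run all sysopt

! 3. Record the outside MAC so ARP replies can be matched against it
show interface outside

! 4. Watch ARP on the outside segment while someone on the internet
!    connects to 50.xxx.xx.236; a healthy exchange is a "who-has 50.xxx.xx.236"
!    from 50.xxx.xx.233 followed by an "is-at <outside MAC>" reply from the ASA
capture arpout interface outside ethernet-type arp
show capture arpout

! 5. Watch for the actual inbound TCP packets to the DVR address
capture dvr1in interface outside match tcp any host 50.xxx.xx.236 eq 8000
show capture dvr1in

! 6. Compare against the ASA's own address: if .234 is ARPed for and .236 is not,
!    the upstream device is not resolving or forwarding the rest of the /29
show arp

! Clean up when done
no capture arpout
no capture dvr1in
```

If the ARP capture never shows a request for .236 (and, as the post notes, moving the outside interface to .235 also yields nothing), the fault is in front of the ASA: the ISP device is either not routing the /29 toward the ASA or has the block pinned to a single address or MAC. If requests for .236 arrive and the ASA replies but dvr1in stays empty, the router is discarding the reply or the forwarding is broken on its side. Only if dvr1in shows packets and the DVR still does not answer is the problem inside the ASA or DMZ, in which case the `show nat detail` hit counters and the access-list counters are the next things to read.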