Tuesday, June 25, 2019

Cisco ASA 5500 pre-8.3 static NAT issue - is it me or the ISP?

Hello Everyone,

I've got a weird issue with an ASA running pre-8.3 code with NAT.

My setup is pretty basic. I have an internal server sitting at 172.22.109.253 that I want to static NAT to 201.14.14.219 (just an example address to protect the innocent). My end goal is to have that public IP address respond to SMTP and HTTPS requests and forward them internally to the above RFC 1918 address.

After much troubleshooting on this issue another network engineer passed it to me.

Right now the configuration is as follows.

Access list (which, as I understand it, is evaluated first on pre-8.3 code):

access-list outside_access_in extended permit tcp any host 201.14.14.219 eq https

access-list outside_access_in extended permit tcp any host 201.14.14.219 eq smtp

The above ACL is applied in the inbound direction on the outside interface.

Next comes my NAT section:

static (inside,outside) 201.14.14.219 172.22.109.253 netmask 255.255.255.255

Then my interfaces and routes are as follows:

Outside (VLAN 2) - 201.14.14.218 255.255.255.248

Inside (VLAN 1) - 172.22.109.1 255.255.255.0 (this is the default gateway for the server)

route outside 0.0.0.0 0.0.0.0 201.14.14.217

Using this configuration, everything should flow as planned; however, I am not able to ping, telnet on port 25, telnet on port 443 or connect to 201.14.14.219 at all, even after adding a "permit ip any host 201.14.14.219" to my access list.

If I do a show nat I get untranslates on that entry, and if I run a packet tracer it says all is well; every check passes. I even have other servers statically NATing with the exact same configuration (except IP addresses, of course) and they work fine. For example, a web server at .221 works wonderfully.

My coworker seems convinced it's an issue with the ISP, but the ISP of course says it isn't them and is telling us that we have to change the netmask in the NAT statement to match what they're routing for - so a 255.255.255.248 instead of a /32. Not to mention the fact that the ASA won't even allow you to do that, my coworker and I are under the impression that defining the mask in your NAT statement is simply telling your ASA you're NATing to a single host. Is that a correct assumption?

I also attempted to port scan that address and got a message that all ports are closed.

And I should add that the MAC address and ARP entries in the firewall are correct, and 172.22.109.253 is pingable from the ASA.

I'm not really sure how to proceed at this point, as the ISP is wanting an hourly rate to continue troubleshooting. Any ideas as to what I'm missing here? I usually work with post-8.3 code and never run into this type of issue.

Thanks, all.
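The following is an added example and not part of the original post or of any Cisco code. It models the pre-8.3 inbound order of operations for the configuration listed above (outside 201.14.14.218/29, inside 172.22.109.1/24, the two ACEs and the single static), so the netmask question can be checked directly: an inbound ACL on pre-8.3 matches the global (mapped) destination, `netmask 255.255.255.255` on a static covers exactly one global host, and a shorter mask turns the statement into a net-to-net translation in which the host bits are carried over. The ACE and static dataclasses are this example's own representation, not a parser for the ASA CLI, and the /29 static at the end is a constructed alternative used only to show how the mask changes which inside host is reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interface addressing taken from the post.
OUTSIDE_IF = ipaddress.ip_interface("201.14.14.218/255.255.255.248")
INSIDE_IF = ipaddress.ip_interface("172.22.109.1/255.255.255.0")


@dataclass(frozen=True)
class Ace:
    """One 'access-list outside_access_in extended permit <proto> any host <dst> eq <port>' entry."""
    proto: str
    dst_host: str
    port: Optional[int]  # None models a 'permit ip any host X' entry


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) GLOBAL LOCAL netmask MASK' entry."""
    global_ip: str
    local_ip: str
    netmask: str


ACL: List[Ace] = [
    Ace("tcp", "201.14.14.219", 443),
    Ace("tcp", "201.14.14.219", 25),
]

STATICS: List[Static] = [
    Static("201.14.14.219", "172.22.109.253", "255.255.255.255"),
]


def acl_permits(acl: List[Ace], proto: str, dst: str, port: int) -> bool:
    """Pre-8.3 inbound ACLs match the destination as it arrives on the wire,
    i.e. the global (mapped) address, before any untranslation happens."""
    for ace in acl:
        if ace.dst_host != dst:
            continue
        if ace.proto == "ip" or (ace.proto == proto and ace.port in (None, port)):
            return True
    return False


def untranslate(statics: List[Static], global_dst: str) -> Optional[str]:
    """Reverse a static for an inbound packet.

    netmask 255.255.255.255 covers exactly one global host. A shorter mask
    makes the statement a net-to-net translation: every host in the global
    block maps to the local block with the same host bits, which changes
    which inside host a given public address reaches."""
    dst = ipaddress.ip_address(global_dst)
    for s in statics:
        g_net = ipaddress.ip_network(f"{s.global_ip}/{s.netmask}", strict=False)
        if dst not in g_net:
            continue
        l_net = ipaddress.ip_network(f"{s.local_ip}/{s.netmask}", strict=False)
        host_bits = int(dst) - int(g_net.network_address)
        return str(l_net.network_address + host_bits)
    return None


def inbound_check(global_dst: str, port: int, proto: str = "tcp",
                  acl: List[Ace] = ACL, statics: List[Static] = STATICS) -> Dict[str, object]:
    """Walk an inbound outside->inside packet through the pre-8.3 order of
    operations and report each gate separately, so a failure can be located."""
    dst = ipaddress.ip_address(global_dst)
    on_outside_subnet = dst in OUTSIDE_IF.network  # the ASA only proxy-ARPs for globals on its own subnet
    not_interface_ip = dst != OUTSIDE_IF.ip        # a plain host static must not reuse the interface address
    permitted = acl_permits(acl, proto, global_dst, port)
    real = untranslate(statics, global_dst)
    real_on_inside = real is not None and ipaddress.ip_address(real) in INSIDE_IF.network
    return {
        "on_outside_subnet": on_outside_subnet,
        "not_interface_ip": not_interface_ip,
        "acl_permits": permitted,
        "real_destination": real,
        "real_on_inside_subnet": real_on_inside,
        "would_forward": on_outside_subnet and not_interface_ip and permitted and real_on_inside,
    }


if __name__ == "__main__":
    for p in (443, 25, 22):
        print(p, inbound_check("201.14.14.219", p))
    # Constructed alternative: the /29 mask the ISP asked for, placed on the
    # block boundary. Same public address, but a different inside host results.
    alt = [Static("201.14.14.216", "172.22.109.248", "255.255.255.248")]
    print("/29 static untranslates .219 to", untranslate(alt, "201.14.14.219"))
```

Run as-is, the model passes every gate for 443 and 25 on .219 and fails only the ACL gate for 22, which is the same verdict packet-tracer gives in the post. The /29 variant shows why the ISP's suggestion is not a like-for-like change: with the host bits carried over, 201.14.14.219 would untranslate to 172.22.109.251, not .253.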


