topic Re: Cisca ASA NAT in Network Security

Cisca ASA NAT

LovejitSingh1313 — Thu, 03 Sep 2020 17:36:54 GMT

Hello @Richard Burts @balaji.bandi @Rob Ingram

Internal IP address: 10.150.170.72

External IP: x.x.x.x

I am trying to map External IP to Internal IP over port 587. Please advice which commands I need ?

I tried following commands:

object network obj_10.170.150.72
host 10.170.150.72
nat (inside,outside) static x.x.x.x service 587 587

It came with error message:

TMGHQ5516(config-network-object)# nat (inside,outside) static x.x.x.x ser$
ERROR: Address x.x.x.x overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Thanks,

Re: Cisca ASA NAT

Rob Ingram — Thu, 03 Sep 2020 17:39:04 GMT

Hi,

Seems like you are natting to the outside interface, replace X.X.X.X with the value "interface". e.g

nat (INSIDE,OUTSIDE) static interface service tcp 587 587

Re: Cisca ASA NAT

LovejitSingh1313 — Thu, 03 Sep 2020 17:46:54 GMT

@Rob Ingram

I added that and it does not came back with error message.

When i run the packet tracer, it is still coming with error.

TMGHQ5516(config)# packet-tracer input outside tcp 8.8.8.8 587 10.170.150.72 5$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.170.150.72 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_10.170.150.72
nat (inside,outside) static interface service tcp 587 587
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005584a16ce44a flow (nat-rpf-failed)/snp_sp_action_cb:1140

Thanks,

Re: Cisca ASA NAT

Rob Ingram — Thu, 03 Sep 2020 17:55:24 GMT

The output seems to confirm an rpf-check failure.

Run a capture, e.g. capture CAP type asp-drop nat-rpf-failed test again and then provide the output of the capture.

Re: Cisca ASA NAT

LovejitSingh1313 — Thu, 03 Sep 2020 18:05:38 GMT

@Rob Ingram

TMGHQ5516(config)# show capture CAP
Target: OTHER
Hardware: ASA5516
Cisco Adaptive Security Appliance Software Version 9.13(1)
ASLR enabled, text region 55849fa29000-5584a4402d25

0 packet captured

0 packet shown
TMGHQ5516(config)#

Re: Cisca ASA NAT

Rob Ingram — Thu, 03 Sep 2020 18:28:23 GMT

Change the destination of the packet-tracert to the global ip address (natted) and try it again. Better still generate real traffic

Re: Cisca ASA NAT

LovejitSingh1313 — Thu, 03 Sep 2020 18:31:45 GMT

@Rob Ingram

I read this Article and I tested creating session 587 from Internet and it is working. All good now.

https://www.petenetlive.com/KB/Article/0000904

Thanks,

Re: Cisca ASA NAT

Rob Ingram — Thu, 03 Sep 2020 18:37:17 GMT

Correct, you run packet-tracer from outside to inside using the outside interface IP address (public) as the destination rather than the real IP address - that's what I meant by my last post by specifiying the global IP address (natted).

Glad it's working now.