topic ASA static nat in Network Security

ASA static nat

shiran.wang — Tue, 12 Mar 2019 09:23:37 GMT

ASA version 9.6(3)1

both nat have same configuration except 172.16.100.2 use interface, anyone have same question?

this object work fine

object network 172.16.100.3_25_xx2
nat (DMZ,xyz) static 202.175.xx.203 service tcp smtp smtp

this object not work
object network 172.16.100.2_25_xx1
nat (DMZ,xyz) static interface service tcp smtp smtp

Cisco Adaptive Security Appliance Software Version 9.6(3)1
Device Manager Version 7.2(2)1

Compiled on Thu 30-Mar-17 21:40 PDT by builders
System image file is "disk0:/asa963-1-smp-k8.bin"
Config file at boot was "startup-config"

packet-tracer input xyz tcp 8.8.8.8 1024 202.175.xx.202 25

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 202.175.xx.202 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: xyz
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

# packet-tracer input xyz tcp 8.8.8.8 1024 202.175.xx.203 25

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.100.3_25_xyz
nat (DMZ,xyz) static 202.175.xx.203 service tcp smtp smtp
Additional Information:
NAT divert to egress interface DMZ
Untranslate 202.175.xx.203/25 to 172.16.100.3/25

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group xyz in interface xyz
access-list xyz extended permit tcp any host 172.16.100.3 eq smtp
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,xyz) source dynamic any interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 538894, packet dispatched to next module

Result:
input-interface: xyz
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Can you post a "sh nat" Jon

Jon Marshall — Sat, 20 May 2017 10:53:57 GMT

Can you post a "sh nat"

Jon

service tcp destination eq

shiran.wang — Sat, 20 May 2017 13:34:39 GMT

service tcp destination eq smtp
nat (ServerFarm,xyz2) source static object_10.10.120.0 object_10.10.120.0 destination static object_10.10.10.10.0 object_10.10.10.10.0
nat (ServerFarm,xyz1) source static object_10.10.120.0 object_10.10.120.0 destination static object_10.10.10.10.0 object_10.10.10.10.0
nat (Inside,xyz2) source dynamic any interface
nat (DMZ,xyz1) source dynamic any interface
nat (DMZ,xyz2) source dynamic any interface
nat (Inside,Informac) source dynamic any interface
nat (ServerFarm,Informac) source dynamic any interface
nat (WIFI_AP,xyz2) source dynamic any interface
nat (WIFI_AP,xyz1) source dynamic any interface
nat (ServerFarm,xyz1) source dynamic any interface
nat (ServerFarm,xyz2) source dynamic any interface
nat (WIFI_Staff,xyz2) source dynamic any interface
nat (WIFI_Staff,xyz1) source dynamic any interface
nat (WIFI_Guest,xyz2) source dynamic any interface
nat (WIFI_Guest,xyz1) source dynamic any interface
nat (WIFI_Media,xyz2) source dynamic any interface
nat (WIFI_Media,xyz1) source dynamic any interface
nat (CCenter,xyz2) source dynamic any interface
nat (CCenter,xyz1) source dynamic any interface
nat (Inside,xyz1) source dynamic any interface
nat (DMZ,xyz1) static 202.175.xx.203 service tcp smtp smtp
nat (ServerFarm,xyz1) static 202.175.xx.203 service tcp https https
nat (ServerFarm,xyz1) static 202.175.xx.203 service tcp www www
nat (ServerFarm,xyz1) static 202.175.xx.204
nat (ServerFarm,xyz1) static 202.175.xx.205 service tcp https https
nat (ServerFarm,xyz1) static 202.175.xx.205 service tcp www www
nat (DMZ,xyz2) static 182.93.x1.27 service tcp smtp smtp
nat (DMZ,xyz2) static 182.93.x1.28 service tcp smtp smtp
nat (ServerFarm,xyz2) static 182.93.x1.27 service tcp https https
nat (ServerFarm,xyz2) static 182.93.x1.27 service tcp www www
nat (ServerFarm,xyz2) static 182.93.x1.29
nat (DMZ,xyz1) static 202.175.xx.202 service tcp smtp smtp

I'm not sure that is the

Jon Marshall — Sat, 20 May 2017 13:55:43 GMT

I'm not sure that is the output of "sh nat" ie. it should show the hits etc.

I think the problem is with the order of your NAT rules but I need to see the proper output first.

Jon