topic Re: Static PAT on ASA5508 not working in Network Security

Static PAT on ASA5508 not working

RemRem — Fri, 21 Feb 2020 16:07:36 GMT

Hi there,

I'm trying to set up a static PAT to a host behind an ASA. Public IP port 2222 is supposed to connect to port 22 of the internal IP 192.168.10.11

The packet-tracer result looks as if it gets highjacked by another NAT rule.

I have included the config bits below. x.x.x.98 is the public ip of the outside interface.

I have removed four NAT rules from the sh nat result (they work and don't seem to be part of the problem).

object network MGMT-INSIDE-HOSTS
range 10.10.18.0 255.255.255.128
object network VPN-HOSTS
range 10.10.10.128 255.255.255.192
object network MGMT-LAN-AP
range 10.10.13.128 255.255.255.128
object network SERVER
range 192.168.10.0 255.255.255.0
object network SERVER-SSH
host 192.168.10.11
object network EXT-Service-IP
host x.x.x.18

nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source dynamic MGMT-INSIDE-HOSTS interface
!
object network MGMT-INSIDE-HOSTS
nat (inside,outside) dynamic interface
object network SERVER-SSH
nat (server,outside) static interface service tcp ssh 2222
!
nat (lanmgmt,outside) after-auto source dynamic MGMT-LAN-AP interface
nat (server,outside) after-auto source dynamic server pat-pool EXT-Service-IP

packet-tracer result:
ASA01# packet-tracer input outside tcp x.x.x.98 2222 192.168.10.11 22

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS
Additional Information:
NAT divert to egress interface lanmgmt
Untranslate 192.168.10.11/22 to 192.168.10.11/22

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: lanmgmt
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA01# sh nat
Manual NAT Policies (Section 1)
1 (lanmgmt) to (outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS
    translate_hits = 1174, untranslate_hits = 2396
2 (inside) to (outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS
    translate_hits = 0, untranslate_hits = 0
!
!
!
!
7 (inside) to (outside) source dynamic MGMT-INSIDE-HOSTS interface
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (server) to (outside) source static SERVER-SSH interface service tcp ssh 2222
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic MGMT-INSIDE-HOSTS interface
    translate_hits = 0, untranslate_hits = 0

Re: Static PAT on ASA5508 not working

Rob Ingram — Mon, 20 Aug 2018 14:59:00 GMT

Hi,
So you've natted SSH (tcp 22) on 192.168.10.11 to port 2222 and you want to access this from the outside network? You should run a packet trace such as this:-

packet-tracer input outside tcp 1.1.1.123 3000 x.x.x.x 2222

Do you have an ACL rule permitting traffic? The ACL needs to reference the real (inside) ip address and the real port (22).

HTH

Re: Static PAT on ASA5508 not working

RemRem — Tue, 21 Aug 2018 08:09:12 GMT

Hi again,

There is no ACL so I can't allow the traffic so I would think as there is no ACL it won't be denied.

I tried packet-tracer input outside tcp 1.1.1.123 3000 x.x.x.x 2222:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <outside IF public IP> using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Static PAT on ASA5508 not working

Rob Ingram — Tue, 21 Aug 2018 08:17:09 GMT

Hi,

By default the ASA has an implicit rule which does not allow traffic to flow from a lower-security interface to a higher-security interface, unless a specific extended ACL is configured.

Create an ACL to specifically allow the traffic, use the real ip address and real port.

HTH

Re: Static PAT on ASA5508 not working

RemRem — Tue, 21 Aug 2018 09:28:10 GMT

Okay, I added an ACL to the outside interface.

access-list outside_access_in line 1 extended permit tcp any object SERVER-SSH eq ssh (hitcnt=0) 0xc061ee3e
access-list outside_access_in line 1 extended permit tcp any host 192.168.10.11 eq ssh (hitcnt=0) 0xc061ee3e
access-list outside_access_in line 2 extended permit ip any any (hitcnt=1) 0x7e78c5c4

I tried to connect to the host but still no luck. Do I need to also apply an ACL to the internal interface?

Re: Static PAT on ASA5508 not working

Rob Ingram — Tue, 21 Aug 2018 09:40:09 GMT

No you don't need to add an ACL to the internal interface

The hit count on your output there would indicate that it didn't hit line 1(which is your ssh rule), so something in regard to that configure could be incorrect. Can you upload your full config for review?

What is the output when you re-run packet-tracer after applying the ACL?

What is the output of "show xlate" and "show nat"? please upload

Re: Static PAT on ASA5508 not working

RemRem — Tue, 21 Aug 2018 13:13:26 GMT

Here are the packet-tracer and sh nat outputs:

do you need the complete sh xlate output? Because there are a ton of IPs to edit...

Here is the config:

ASA Version 9.8(2)
!
hostname ASA1
enable password $sha512$5000$PQK8KSYe0NmO+h5OBttOig==$aBwdZ7RMs21vTIRUI4SqNg== pbkdf2
passwd o2NK4e2wFa6gGEjn encrypted
names
ip local pool vpnpool 10.10.10.129-10.10.10.190 mask 255.255.255.192

!
interface GigabitEthernet1/1
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
channel-group 8 mode active
!
interface GigabitEthernet1/8
channel-group 8 mode active
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
nameif outside
security-level 0
ip address x.x.x.98 255.255.255.224 standby x.x.x.99
!
interface Port-channel2
lacp max-bundle 8
no nameif
security-level 0
no ip address
!
interface Port-channel2.100
vlan 100
nameif lanmgmt
security-level 0
ip address 10.10.13.129 255.255.255.128 standby 10.10.13.130
!
interface Port-channel2.103
vlan 103
nameif inside
security-level 100
ip address 10.10.18.1 255.255.255.128 standby 10.10.18.2
!
interface Port-channel2.105
vlan 105
nameif bbb
security-level 0
ip address 10.b.b.1 255.255.255.240 standby 10.b.b.2
!
interface Port-channel2.200
vlan 200
nameif ccc
security-level 0
ip address 10.c.c.129 255.255.255.192 standby 10.c.c.130
!
interface Port-channel2.201
vlan 201
nameif ddd
security-level 0
ip address 10.d.d.1 255.255.255.192 standby 10.d.d.2
!
interface Port-channel2.203
vlan 203
nameif eee
security-level 0
ip address 10.e.e.193 255.255.255.192 standby 10.e.e.194
!
interface Port-channel2.221
vlan 221
nameif fff
security-level 0
ip address 10.f.f.209 255.255.255.240 standby 10.f.f.210
!
interface Port-channel2.301
vlan 301
nameif ggg
security-level 0
ip address 10.g.g.65 255.255.255.192 standby 10.g.g.66
!
interface Port-channel2.450
vlan 450
nameif hhh
security-level 0
ip address 10.h.h.65 255.255.255.192 standby 10.h.h.66
!
interface Port-channel2.800
vlan 800
nameif iii
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Port-channel2.801
vlan 801
nameif jjj
security-level 0
ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
interface Port-channel2.810
vlan 810
nameif kkk
security-level 0
ip address 192.168.15.1 255.255.255.0 standby 192.168.15.2
!
interface Port-channel2.820
vlan 820
nameif lll
security-level 0
ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2
!
interface Port-channel2.821
vlan 821
nameif mmm
security-level 0
ip address 192.168.22.1 255.255.255.0 standby 192.168.22.2
!
interface Port-channel2.828
vlan 828
nameif nnn
security-level 0
ip address 192.168.25.1 255.255.255.0 standby 192.168.25.2
!
interface Port-channel2.850
vlan 850
nameif ooo
security-level 0
ip address 172.o.o.1 255.255.0.0 standby 172.o.o.2
!
interface Port-channel2.898
vlan 898
nameif server
security-level 0
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Port-channel2.899
vlan 899
nameif servermgmt
security-level 0
ip address 192.168.9.1 255.255.255.0 standby 192.168.9.2
!
interface Port-channel2.906
vlan 906
nameif ppp
security-level 0
ip address 10.p.p.193 255.255.255.240 standby 10.p.p.194
!
interface Port-channel2.1000
vlan 1000
nameif qqq
security-level 0
ip address 172.q.q.1 255.255.255.0 standby 172.q.q.2
!
interface Port-channel2.1254
vlan 1254
nameif rrr
security-level 0
ip address 172.r.r.1 255.255.252.0 standby 172.r.r.2
!
interface Port-channel8
description LAN Failover Interface
lacp max-bundle 8
!
banner login ------------------------------------WARNING-------------------------------
banner login ---------------------------------------------------------------------------
boot system disk0:/asa982-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MGMT-INSIDE-HOSTS
range 10.10.18.0 255.255.255.128
object network VPN-HOSTS
range 10.110.18.128 255.255.255.192
object network XXX-NET
range 10.10.2.0 255.255.255.0
object network YYY-NET
range 10.10.1.0 255.255.255.0
object network MGMT-LAN-AP
range 10.10.13.128 255.255.255.128
object network MMM
range 192.168.22.1 255.255.255.0
object network CCC
range 10.c.c.128 255.255.255.192
object network EXT-Service-IP
host x.x.x.119
object network OOO
range 172.o.o.0 255.255.0.0
object network servermgmt
range 192.168.9.0 255.255.255.0
object network server
range 192.168.10.0 255.255.255.0
object network RRR
range 172.r.r.0 255.255.252.0
object network KKK
range 192.168.15.0 255.255.255.0
object network III
range 192.168.1.0 255.255.255.0
object network NNN
range 192.168.25.0 255.255.255.0
object network QQQ
range 172.q.q.0 255.255.255.0
object network LLL
range 192.168.21.0 255.255.255.0
object network HHH
range 10.h.h.64 255.255.255.192
object network JJJ
range 192.168.20.0 255.255.255.0
object network SERVER-SSH
host 192.168.10.11
description otrum Server
access-list Split_Tunnel_List remark Networks behind ASA
access-list Split_Tunnel_List standard permit 10.17.68.0 255.255.255.128
access-list Split_Tunnel_List standard permit 10.17.63.128 255.255.255.128
access-list XXX-NET remark Network behind xxx
access-list XXX-NET extended permit ip 10.10.18.0 255.255.255.128 10.10.2.0 255.255.255.0
access-list XXX-NET extended permit ip 10.10.33.128 255.255.255.128 10.10.2.0 255.255.255.0
access-list XXX-NET extended permit ip 10.10.2.0 255.255.255.0 10.10.13.128 255.255.255.128
access-list XXX-NET extended permit ip 10.10.2.0 255.255.255.0 10.10.18.0 255.255.255.128
access-list YYY-NET remark Network behind yyy
access-list YYY-NET extended permit ip 10.10.13.128 255.255.255.128 10.10.1.0 255.255.255.0
access-list YYY-NET extended permit ip 10.10.1.0 255.255.255.0 10.10.13.128 255.255.255.128
access-list YYY-NET extended permit ip 10.10.1.0 255.255.255.0 10.10.18.0 255.255.255.128
access-list YYY-NET extended permit ip 10.10.18.0 255.255.255.128 10.10.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any object SERVER-SSH eq ssh
pager lines 24
logging enable
logging timestamp
logging list AUTH message 315011
logging list AUTH message 113005
logging list AUTH message 611103
logging list AUTH message 611102
logging list AUTH message 611101
logging list AUTH message 605005
logging list AUTH message 605004
logging list AUTH message 111008
logging list AUTH message 111009
logging buffer-size 100000
logging buffered debugging
logging trap AUTH
logging asdm informational
logging facility 19
logging host lanmgmt 10.10.13.133
logging message 315011 level debugging
logging message 113005 level debugging
logging message 611103 level debugging
logging message 611102 level debugging
logging message 611101 level debugging
logging message 605005 level debugging
logging message 605004 level debugging
logging message 111008 level debugging
mtu outside 1500
mtu lanmgmt 1500
mtu inside 1500
mtu bbbb 1500
mtu ccc 1500
mtu ddd 1500
mtu eee 1500
mtu fff 1500
mtu ggg 1500
mtu hhhh 1500
mtu iii 1500
mtu jjj 1500
mtu kkke 1500
mtu lll 1500
mtu mmm 1500
mtu nnn 1500
mtu ooo 1500
mtu server 1500
mtu servermgmt 1500
mtu ppp 1500
mtu qqq 1500
mtu rrr 1500
failover
failover lan unit primary
failover lan interface interface Port-channel8
failover interface ip interface 10.10.18.225 255.255.255.224 standby 10.10.18.226
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp outside x.x.x.119 mac.mac.mac alias
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static XXX-NET XXX-NET
nat (lanmgmt,outside) source static MGMT-LAN-AP MGMT-LAN-AP destination static SERVER-NET YYY-NET
nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static XXX-NET LORD-NET
nat (inside,outside) source static MGMT-INSIDE-HOSTS MGMT-INSIDE-HOSTS destination static YYY-NET SERVER-NET
nat (inside,outside) source dynamic MGMT-INSIDE-HOSTS interface
!
object network MGMT-INSIDE-HOSTS
nat (inside,outside) dynamic interface
object network SERVER-SSH
nat (server,outside) static interface service tcp ssh 2222
!
nat (server,servermgmt) after-auto source dynamic otrum interface
nat (lanmgmt,outside) after-auto source dynamic MGMT-LAN-AP interface
nat (ccc,outside) after-auto source dynamic CCC pat-pool EXT-Service-IP
nat (ddd,outside) after-auto source dynamic DDD pat-pool EXT-Service-IP
nat (eee,outside) after-auto source dynamic EEE pat-pool EXT-Service-IP
nat (servermgmt,outside) after-auto source dynamic servermgmt pat-pool EXT-Service-IP
nat (fff,outside) after-auto source dynamic FFF pat-pool EXT-Service-IP
nat (ggg,outside) after-auto source dynamic GGG pat-pool EXT-Service-IP
nat (hhh,outside) after-auto source dynamic HHH pat-pool EXT-Service-IP
nat (iii,outside) after-auto source dynamic III pat-pool EXT-Service-IP
nat (jjj,outside) after-auto source dynamic JJJ pat-pool EXT-Service-IP
nat (kkk,outside) after-auto source dynamic KKK pat-pool EXT-Service-IP
route outside 0.0.0.0 0.0.0.0 x.x.x.x.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server TAC protocol tacacs+
aaa-server TAC (outside) host x.x.x.3
key *****
user-identity default-domain LOCAL
aaa authentication ssh console TAC LOCAL
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa accounting command TAC
aaa accounting enable console TAC
aaa accounting ssh console TAC
aaa authentication login-history
http server enable
http x.x.x.0 255.255.240.0 outside
snmp-server host lanmgmt 10.10.13.133 poll community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
sysopt noproxyarp outside
sysopt noproxyarp lanmgmt
sysopt noproxyarp inside
sysopt noproxyarp ccwifi
service sw-reset-button
crypto ipsec ikev1 transform-set REMOTE_ACCESS_TS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set LINUX-IPSEC esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map REMOTE_ACCESS_DYNMAP 1 set ikev1 transform-set REMOTE_ACCESS_TS
crypto map REMOTE_ACCESS_MAP 10 match address LORD-NET
crypto map REMOTE_ACCESS_MAP 10 set peer x.x.x.4
crypto map REMOTE_ACCESS_MAP 10 set ikev1 transform-set LINUX-IPSEC
crypto map REMOTE_ACCESS_MAP 10 set reverse-route
crypto map REMOTE_ACCESS_MAP 20 match address SERVER-NET
crypto map REMOTE_ACCESS_MAP 20 set peer x.x.x.5
crypto map REMOTE_ACCESS_MAP 20 set ikev1 transform-set LINUX-IPSEC
crypto map REMOTE_ACCESS_MAP 20 set reverse-route
crypto map REMOTE_ACCESS_MAP 65535 ipsec-isakmp dynamic REMOTE_ACCESS_DYNMAP
crypto map REMOTE_ACCESS_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 7200
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh x.x.x.0 255.255.240.0 outside
ssh 10.10.13.128 255.255.255.128 lanmgmt
ssh 10.10.18.0 255.255.255.128 inside
ssh timeout 5
ssh version 2
ssh cipher encryption high
ssh key-exchange group dh-group1-sha1
console timeout 10

dhcpd auto_config lanmgmt
!
dhcpd address 10.h.h.74-10.h.h.126 hhh
dhcpd dns 8.8.8.8 8.8.4.4 interface hhh
dhcpd option 3 ip 10.h.h.65 interface hhh
dhcpd enable hhh
!
dhcpd address 192.168.20.10-192.168.20.250 jjj
dhcpd dns 8.8.8.8 8.8.4.4 interface jjj
dhcpd option 3 ip 192.168.20.1 interface jjj
dhcpd enable jjj
!
dhcpd address 192.168.22.10-192.168.22.250 mmm
dhcpd dns 8.8.8.8 8.8.4.4 interface mmm
dhcpd option 3 ip 192.168.22.1 interface mmm
dhcpd enable mmm
!
dhcpd address 172.o.o.21-172.o.o+1.20 ooo
dhcpd dns 8.8.8.8 8.8.4.4 interface ooo
dhcpd option 3 ip 172.o.o.1 interface ooo
dhcpd enable ooo
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.13.133
group-policy ASA1 internal
group-policy ASA1 attributes
vpn-idle-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
dynamic-access-policy-record DfltAccessPolicy
username admin password pw privilege 15
username root password pw privilege 15
tunnel-group ASA1 type remote-access
tunnel-group ASA1 general-attributes
address-pool vpnpool
authentication-server-group TAC LOCAL
default-group-policy FRARI
tunnel-group ASA1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.4 type ipsec-l2l
tunnel-group x.x.x.4 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.5 type ipsec-l2l
tunnel-group x.x.x.5 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:66bbe06f6ef62e66c9fd5e8a0ec8e8fe
: end

Re: Static PAT on ASA5508 not working

Rob Ingram — Tue, 21 Aug 2018 16:44:04 GMT

Hi,
I cannot see an "access-group" to bind the ACL to the outside interface in the configuration. Try binding the ACL to the interface, if still not working re-run packet-tracer and upload the output.

HTH

Re: Static PAT on ASA5508 not working

RemRem — Wed, 22 Aug 2018 08:19:58 GMT

Hi,

I have added this:

access-group outside_access_in in interface outside

Still not working. Packet-tracer output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.98 using egress ifc identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Static PAT on ASA5508 not working

Rob Ingram — Wed, 22 Aug 2018 09:33:45 GMT

The output of packet tracer would usually indicate what nat rule, acl was matched....it doesn't here.

What values are you putting in the packet-tracer command? Can you re-run the packet-tracer and append "detailed" at the end. Provide the full output

Can you provide the output of "show xlate | inc <external-ip-address>", see if it's actually matching.

Re: Static PAT on ASA5508 not working

RemRem — Wed, 22 Aug 2018 15:22:50 GMT

Here is the complete output:

ASA1# packet-tracer input outside tcp 8.8.8.8 3000 x.x.x.98 2222 de$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffa00658c10, priority=1, domain=permit, deny=false
        hits=2718, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.98 using egress ifc identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff9ff8ec930, priority=0, domain=nat-per-session, deny=false
        hits=243, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffa0065a040, priority=0, domain=permit, deny=true
        hits=484, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Static PAT on ASA5508 not working

RemRem — Thu, 23 Aug 2018 14:59:52 GMT

Okay, as the ACLs did not help I finally removed all other NAT rules and of course, it worked fine.

Then I put the other rules back in one by one.

As it turns out, my static PAT only works if it is the first NAT rule (in the sh nat order).

How can I get it to always be #1 or is there any other workaround?