https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044595#M145841 <P>So it looks like it is hitting a NAT before that takes precedence, any suggestions?</P> <P></P> <P>fw# packet-tracer input outside tcp 8.8.8.8 1234 174.78.8.xxx 4558</P> <P>Phase: 1<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />object network 1.25<BR /> nat (inside,outside) static 1.25-ext<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate 174.78.221.138/4558 to 192.168.1.25/4558</P> <P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P> <P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Sun, 12 Mar 2017 17:44:33 GMT davidblumberg 2017-03-12T17:44:33Z https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044593#M145837 <P>We have a user trying to access a local machine from the Internet and they are getting blocked by our ASA firewall. &nbsp;We can access the internal machine from inside the network. &nbsp;Our nat statements are getting blocked as follows:</P> <P>Commands</P> <P>object network obj_192.168.1.20<BR />&nbsp; &nbsp;host 192.168.1.20<BR />&nbsp; &nbsp;nat (inside,outside) static 174.78.221.138 service tcp 4570 4570<BR /><BR /></P> <P>access-list outside_access_in extended permit tcp any host 192.168.1.20 eq https<BR />access-list outside_access_in extended permit tcp any host 192.168.1.20 eq www<BR />access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 4570</P> <P></P> <P>Trace</P> <P>befw# packet-tracer input outside tcp 8.8.8.8 1234 192.168.1.20 4570</P> <P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 192.168.1.0 255.255.255.0 inside</P> <P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group outside_access_in in interface outside<BR />access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 4570<BR />Additional Information:</P> <P>Phase: 3<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 6<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: DROP<BR />Config:<BR />object network obj_192.168.1.20<BR /> nat (inside,outside) static 174.78.8.xxx service tcp 4570 4570<BR />Additional Information:</P> <P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> <P></P> <P></P> Tue, 12 Mar 2019 09:03:08 GMT https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044593#M145837 davidblumberg 2019-03-12T09:03:08Z https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044594#M145839 <P>Hi&nbsp;</P> <P>Could you do again your packet-tracer but using your public ip instead of 192.168 IP?&nbsp;</P> <P></P> <P>Could you paste the output you have?&nbsp;</P> <P></P> <P>Thanks</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Sun, 12 Mar 2017 14:58:11 GMT https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044594#M145839 Francesco Molino 2017-03-12T14:58:11Z https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044595#M145841 <P>So it looks like it is hitting a NAT before that takes precedence, any suggestions?</P> <P></P> <P>fw# packet-tracer input outside tcp 8.8.8.8 1234 174.78.8.xxx 4558</P> <P>Phase: 1<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />object network 1.25<BR /> nat (inside,outside) static 1.25-ext<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate 174.78.221.138/4558 to 192.168.1.25/4558</P> <P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P> <P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Sun, 12 Mar 2017 17:44:33 GMT https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044595#M145841 davidblumberg 2017-03-12T17:44:33Z https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044596#M145842 <P>Hi&nbsp;</P> <P>The internal ip shown on the output is ending by 25 while your acl on your first post shows ip ending by 20.&nbsp;</P> <P>Could you please attach your config (remove all confidential stuff)&nbsp;</P> <P>Thanks&nbsp;</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Mon, 13 Mar 2017 04:00:50 GMT https://community.cisco.com/t5/network-security/external-nat-getting-blocked/m-p/3044596#M145842 Francesco Molino 2017-03-13T04:00:50Z