topic Hi Vince, in Network Security

ASA problem - I cannot nat to outside interface

Vince — Tue, 12 Mar 2019 07:11:02 GMT

Noob here. I am having problem configuring ASA to statically nat a server on dmz directly to an outside interface on port 80. I was able to successfully nat it using another IP address (12.12.12.5) but not if I used outside ip (12.12.12.2). Here's a snippet of my configuration:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 12.12.12.2 255.255.255.248
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.100.5 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0

object network SVR-WEBSERVER-IN
host 172.16.1.100

object network SVR-WEBSERVER-IN
nat (any,outside) static interface service tcp www www

access-list outside_access_in extended permit tcp any object SVR-WEBSERVER-IN eq www

access-group outside_access_in in interface outside
!

I am getting the following error:

ASA-3-710003: {TCP|UDP} access denied by ACL from
source_IP/source_port to interface_name:dest_IP/service

I'm believe it's an acl problem but I cannot seem to figure out where. I'm not that familiar with ASA and I'm just on the process of learning it. Hope someone can shed a light

Hi Vince,

Akshay Rastogi — Sun, 24 Jan 2016 18:37:34 GMT

Hi Vince,

Could you please try with using the 'dmz' keyword instead of 'any' in the NAT statement and see if that works.

Also try the below packet-tracer :

'packet-tracer input outside tcp 8.8.8.8 12345 12.12.12.2 80 detail' and see where the packet is dropped. Also share the output here.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi Akshay,

Vince — Sun, 24 Jan 2016 20:53:43 GMT

Hi Akshay,

I changed any to dmz but I'm still having the same problem.

Here's the result of packet-tracer:

packet-tracer input outside tcp 8.8.8.8 12345 12.12.12.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 12.12.12.2 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc14ef80, priority=0, domain=permit, deny=true
hits=31, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I don't understand why it is not hitting my acl and goes to the implicit deny rule

My guess is that it is not

Richard Burts — Sun, 24 Jan 2016 21:22:01 GMT

My guess is that it is not hitting the acl because the translation is not working as you expect it to. Please post current config of interfaces, acl, and translation.

HTH

Rick

here's a snippet of my

Vince — Sun, 24 Jan 2016 21:37:20 GMT

here's a snippet of my configuration (Please note that I'm usually using asdm for configuration):

hostname GTWY-001

names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 12.12.12.2 255.255.255.248
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.100.5 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!

object service SVC-WEB
service tcp source eq www destination eq www
object network MANAGER
host 13.13.13.2
object network WWW-SERVER
host 172.16.1.100
object network SVR-WEBSERVER-IN
host 172.16.1.100
object network SVR-WEBSERVER-OUT
host 12.12.12.5
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any host 172.16.1.100 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network SVR-WEBSERVER-IN
nat (dmz,outside) static interface service tcp www www
access-group outside_access_in in interface outside
!
router ospf 1
network 172.16.1.0 255.255.255.0 area 1
network 192.168.100.0 255.255.255.0 area 0
log-adj-changes
default-information originate always
!
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1

here's my show xlate:

1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from dmz:172.16.1.100 80-80 to outside:12.12.12.2 80-80
flags sr idle 0:05:56 timeout 0:00:00

I also did try inserting another acl (one with outside as destination) but it didn't help

Thank you for the additional

Richard Burts — Mon, 25 Jan 2016 03:17:10 GMT

Thank you for the additional information. Is there anything else in the config that deals with the DMZ interface?

I would suggest that you remove this

object network SVR-WEBSERVER-IN
nat (dmz,outside) static interface service tcp www www

and replace it with this

object network SVR-WEBSERVER-IN
nat (dmz,outside) static 12.12.12.2 service tcp www www

HTH

Rick

Hi Vince,

Shivapramod M — Mon, 25 Jan 2016 05:31:45 GMT

Hi Vince,

Remove the object NAT and create a manual NAT at the top. This should resolve the issue. below are changes you need to do.

object network SVR-WEBSERVER-IN

no nat (dmz,outside) static interface service tcp www www

object service www-80
service tcp source eq www

nat (dmz,outside) 1 source static SVR-WEBSERVER-IN interface service www-80 www-80

Make sure this particular NAT rule is above the "nat (inside,outside) source dynamic any interface"

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

I am getting the following

Vince — Mon, 25 Jan 2016 07:29:08 GMT

I am getting the following error when changing the interface to 12.12.12.2

ERROR: Address 12.12.12.2 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

There are no acl on dmz and the only dmz related configuration that I have added (at least I am aware of) is the nating

Hi Shivapramod,

Vince — Mon, 25 Jan 2016 07:44:53 GMT

Hi Shivapramod,

I made the necessary changes and voila! I did the same config before I tried the object nat. The only difference is the service object (www-80) on which I put 80 on both source and destination port. I guess that's why it did not work.

I'm curious though, does nating to outside interface requires manual NAT or can this be done using object nat as well?

Thanks to everyone for the help!

Hi Vince,

Shivapramod M — Mon, 25 Jan 2016 08:56:21 GMT

Hi Vince,

The problem is due to dynamic PAT associated with the interface. if you were not had the NAT rule "nat (inside,outside) source dynamic any interface" it would have worked with the object NAT.

Thanks,
Shivapramod M

You're right. Tried puttin my

Vince — Mon, 25 Jan 2016 11:11:27 GMT

You're right. Tried puttin my object nat back and I put it on the top and it work like it's suppose to. Thanks again!