topic Nat Statement suddenly not works in Network Security

Nat Statement suddenly not works

mm6646 — Tue, 12 Mar 2019 05:19:33 GMT

Firewall: ASA 5550 VPN Premium license Version 9.1(5)16

Incident as below:

Nat statement as below

===================

name 9.x.x.x NAT-E23ESMTP01

nat (SMTP-YELLOW,inside) static 9.x.x.x
object network obj-202.x.x.x

object network NAT-E23ESMTP01
host 9.x.x.x

object-group network NAT-AU-SMTP-Svrs_8
network-object object NAT-E23ESMTP01

Above configuration suddenly stop works

i have added below host under object group then its again working

object-group network NAT-AU-SMTP-Svrs_8
network-object object NAT-E23ESMTP01

network-object host 202.x.x.x

i am also not understanding why suddenly stop working and works after add host which is natted by 202.x.x.x

Please advice

Hi, Can you check the NAT

Jouni Forss — Mon, 12 Jan 2015 11:45:47 GMT

Hi,

Can you check the NAT configuration again and paste it here. Seems to me that there is something missing from your above output or it seems confusing to me.

For example, you first mention the actual "nat" command

nat (SMTP-YELLOW,inside) static 9.x.x.x

But I am not sure under which "network object" command this is configured? And what is the actual "host" address under the "object"? The info might be in your above post but I want to make sure.

Also you mention an "object-group" configuration? This should have nothing to do with the above "nat" command as its a Auto NAT / Network Object NAT and "object-group" are not used as a parameter of those configurations.

Perhaps the "object-group" is related to an ACL? So the problem might actually be some ACL that is using the "object-group" that you mention.

Can you also provide a "packet-tracer" command output of the traffic that does not work or stops working? The format is

packet-tracer input <source interface> tcp <source ip> 12345 <destination ip> <destination port>

- Jouni

Hi Jouni,

mm6646 — Wed, 14 Jan 2015 13:57:22 GMT

Hi Jouni,

Before add host

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside-IN-20130424 in interface inside
access-list inside-IN-20130424 extended deny tcp any4 any4 eq smtp

The packet tracer show traffic deny by any any rule for stop working connection as above

below is Phase 3 of packet tracer after add below host under AU-MAIL-RELAY-SRV-NAT_8

network-object host 202.x.x.x

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-IN-20130424 in interface inside
access-list inside-IN-20130424 extended permit tcp object-group SMTP-DLP-AU object-group AU-MAIL-RELAY-SRV-NAT_8 eq smtp 
object-group network SMTP-DLP-AU
 description: SMTP DLP Sensor AU 
 network-object host 9.x.x.x
object-group network AU-MAIL-RELAY-SRV-NAT_8
network-object object NAT-E23ESMTP01      >> user said was working before with this 
                                             Line, Before add below Host
 network-object host 202.x.x.x

I have just add natted ip of NAT-E23ESMTP01(9.x.x.x)

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-202.x.x.x
 nat (SMTP-YELLOW,inside) static 9.110.x.x 
Additional Information:
NAT divert to egress interface SMTP-YELLOW
Untranslate 9.110.x.x/25 to 202.x.x.x/25

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-202.x.x.x
 nat (SMTP-YELLOW,inside) static 9.x.x.x
Additional Information: