Static NAT not working on 5512X

jgenender — Tue, 12 Mar 2019 05:30:46 GMT

I have been using a ASA 5505 for quite a while and decided it was time to upgrade. So I went to a 5512-X and I have been very unsuccessful in getting static NAT to work.

Here is the situation (IPs and domains changed to protect the innocent):

I have an outside set of IPs of 1.1.1.78/29

I have inside setup of 10.0.1.0/24

I have a web server that is at 1.1.1.77 and I want it mapped to 10.0.1.0

Internet from the inside to the outside works just fine. But I cannot get inbound traffic to my webserver.

Config is more or less:
!

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.73 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.197.254 255.255.255.0
!

object network webserver
host 10.0.197.1
object network webserver-external-ip
host 1.1.1.77

object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable

access-list outside_access_in extended permit tcp any object webserver eq www
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit ip any any

object network webserver
nat (inside,outside) static webserver-external-ip
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.78 1

show nat detail:

1 (inside) to (outside) source static webserver webserver-external-ip
translate_hits = 2276, untranslate_hits = 4
Source - Origin: 10.0.197.1/32, Translated: 1.1.1.77/32

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 1.1.1.73/29

Packet trace inbound:

packet-tracer input outside tcp 8.8.8.8 12345 1.1.1.77 http

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver
nat (inside,outside) static webserver-external-ip
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.77/80 to 10.0.197.1/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.78 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any4 object webserver eq www
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network webserver
nat (inside,outside) static webserver-external-ip
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12995, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

packet trace from webserver on the inside out:

packet-tracer input inside tcp 10.0.197.1 http 8.8.8.8 12345

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.78 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network webserver
nat (inside,outside) static webserver-external-ip
Additional Information:
Static translate 10.0.197.1/80 to 1.1.1.77/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13448, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

Now here is the interesting part... I get no traffic to the internet from the inside with the web rule in effect. The only way that gets working again is if I either remove the webserver nat or I move the manual nat (section 3) to section 1. But the webserver access never works.

My goals are to have static nat from the outside web server ip to the internal, and to also have general internet access from the inside. As stated before, it worked great on a ASA5505.

Any ideas?

Ok...one more bit of

jgenender — Tue, 17 Feb 2015 15:33:07 GMT

Ok...one more bit of information. The internet access is ok from the inside net as for some reason the web server happens to be my DNS server as well. The DNS resolutions seems to completely stop with that static nat for the web server. I have attempted to enable all protocols on the web server, but it still is not passing anything. I think if I can crack that nut, this should be solved. Ideas are welcome 😉

Please remove this line no

rizwanr74 — Tue, 17 Feb 2015 21:51:29 GMT

Please remove this line

no nat (inside,outside) after-auto source dynamic any interface

and copy below lines instead.

object network obj-10.0.197.0-24
subnet 10.0.197.0 255.255.255.0
nat (inside,outside) dynamic interface

Let me know, if this helps.

Thanks

Rizwan Rafeek.

Unfortunately, that did not

jgenender — Tue, 17 Feb 2015 22:00:51 GMT

Unfortunately, that did not help. Same thing... no static NAT on the web server. It cannot get inbound traffic to the web.

Please post your whole

rizwanr74 — Wed, 18 Feb 2015 19:05:42 GMT

Please post your whole configuration.

thanks

Hi. Thanks for following up.

jgenender — Wed, 18 Feb 2015 20:28:55 GMT

Hi. Thanks for following up. I actually did the dirty deed and opened a TAC case and we got it working. It wasn't the unit, it was something stupidly external. I'm embarrassed to say what 😉

No worries. Good to hear it

rizwanr74 — Wed, 18 Feb 2015 21:23:40 GMT

No worries.

Good to hear it is working for you.