topic Can you show the output of in Network Security

NAT Doesn't Want to Work

alurasolutions — Tue, 12 Mar 2019 05:36:45 GMT

I am working on an ASA5509 for a customer of ours and we are trying to open ports to LDAP to an outside service. As far as I can tell, the NAT rules and access-list are setup correctly. When I run packet tracer everything comes back fine and I am seeing the data come in as untranslated_hits, but nothing happens when i telnet to the 389 port from the outside, it ends up timing out.

access-list outside-in line 16 extended permit tcp any4 object VA-002-MGMT-A eq 398 (hitcnt=1) 0xe057c29f

object network VA-002-MGMT-A
 nat (inside,outside) static 98.114.x.x

Your ACL is referencing port

jj27 — Mon, 09 Mar 2015 15:25:45 GMT

Your ACL is referencing port 398, while you stated you are trying port 389. Is that a typo?

Yeah, that's a typo sorry I

alurasolutions — Mon, 09 Mar 2015 15:34:50 GMT

Yeah, that's a typo sorry I know that's a big oversight. The odd things is that we have 2 other 1:1 NAT setup and one is working fine and the other now isn't working. (one was for email port 25 and the other https, the https is no longer working).

Can you show the output of

jj27 — Mon, 09 Mar 2015 15:38:23 GMT

Can you show the output of "show run nat" and "show run access-list outside_in" as well as "show run object" for the appropriate objects?

Also, "show run sysopt" - it is possible proxy arp is enabled on the inside interface and intercepting the traffic.

sh nat

alurasolutions — Mon, 09 Mar 2015 15:59:47 GMT

sh nat

Manual NAT Policies (Section 3) 1 (inside) to (outside) source dynamic any interface translate_hits = 106601, untranslate_hits = 28479

sh run access-list outside-in


asa5510# sh run access-list outside-in
access-list outside-in extended permit object-group ClearScadaServices any4 object ClearScada
access-list outside-in extended permit icmp any4 any4
access-list outside-in extended permit ip 141.151.34.0 255.255.255.0 any4
access-list outside-in extended permit ip 72.44.171.128 255.255.255.192 any4
access-list outside-in extended permit tcp any4 object Exchange eq pop3 inactive
access-list outside-in extended permit tcp any4 object Exchange eq smtp inactive
access-list outside-in extended permit tcp any4 object Exchange eq 7860 inactive
access-list outside-in extended permit tcp any4 object spam eq pop3
access-list outside-in extended permit tcp any4 object spam eq smtp
access-list outside-in extended permit tcp any4 object video eq 993
access-list outside-in extended permit tcp any4 object video eq https
access-list outside-in extended permit tcp any4 object video eq 587 log
access-list outside-in extended permit tcp any4 object scada-dvr eq 7000
access-list outside-in extended permit tcp any4 object VA-028-NSTWEB object-group DM_INLINE_TCP_1 log disable
access-list outside-in extended permit object-group SolarServices any4 object Solar
access-list outside-in extended permit tcp any4 object VA-002-MGMT-A eq ldap

sh run sysopt - no output from this command

I can PM the full config if you would like?

Try: sysopt noproxyarp

jj27 — Mon, 09 Mar 2015 15:59:48 GMT

Try: sysopt noproxyarp inside

See if your traffic works then.

This made no change. And now

alurasolutions — Mon, 09 Mar 2015 16:04:55 GMT

This made no change. And now again, we have a rule in place to allow 25 out from our internal mail server and for some reason this is now not working. There are too many weird things going on with this ASA.

You may need to clear ARP on

jj27 — Mon, 09 Mar 2015 16:13:20 GMT

You may need to clear ARP on your ASA and inside routing device if it is the ASA intercepting the ARP requests for it.

Go ahead and PM me the whole config if you want and I will give it a glance.

Are the servers on a directly

Jon Marshall — Mon, 09 Mar 2015 16:16:03 GMT

Are the servers on a directly connected network to the ASA or are they behind L3 devices ?

What is the default gateway for the servers ?

If so have you checked the routing.

Unlikely to be the issue if the mail server has just stopped working but worth a check.

Jon

Oddly, right before you

alurasolutions — Mon, 09 Mar 2015 16:26:44 GMT

Oddly, right before you posted this, I cleared our ARP on the L3 switch and it fixed the problem. Thanks, I was slowly driving myself crazy over this.

Awesome, glad it is working.

jj27 — Mon, 09 Mar 2015 16:32:58 GMT

Awesome, glad it is working. Have a good one.