topic What is the output of the in Network Security

NAT Rule not working Static

Adam Coombs — Tue, 12 Mar 2019 04:55:02 GMT

Hello I have a problem with a nat rule, I have setup a device(Video Conferencing) on the DMZ that needs to talk to the internet.

The nat rule is just a normal setup

nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239

there is only one ACL list for the 192.168.69.125 it is a permit IP any

access-list DMZ line 2 extended permit ip host 192.168.69.125 any log debugging interval 300

I have done a few capture off the firewall

capture video interface dmZ match ip any host 192.168.69.125

I never see the 172.16.69.239 address

capture video interface outside match ip any host 172.16.69.239

I never see the 192.168.69.125 address

Here is capture i was trying

capture video type raw-data interface DMZ [Capturing - 0 bytes]
match ip host 192.168.69.125 host 172.16.69.239

any ideas or commands i can run

Please

What is the output of the

Karsten Iwen — Mon, 13 Oct 2014 16:22:22 GMT

What is the output of the packet-tracer when simulating traffic for that device?

packet-tracer input DMZ udp 192.168.69.125 1234 172.16.69.239 1234

Result:input-interface:

Adam Coombs — Mon, 13 Oct 2014 18:22:03 GMT

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

After Phase 1 though 9 results are allow

Please show the actual config

Karsten Iwen — Mon, 13 Oct 2014 19:18:39 GMT

Please show the actual config of the ASA.

Firewall# packet-tracer input

Adam Coombs — Mon, 13 Oct 2014 19:55:22 GMT

Firewall# packet-tracer input dmZ udp 192.168.69.125 1234 172.16.69.239 $

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.69.224 255.255.255.224 Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface DMZ
access-list DMZ extended permit ip host 192.168.69.125 any log debugging
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:
Static translate 192.168.69.125/1234 to 172.16.69.239/1234

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE out interface Outside control-plane
access-list OUTSIDE extended permit ip any4 any4 log debugging
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static obj-192.168.69.125 obj-172.16.69.239
Additional Information:

In your first post you say

Karsten Iwen — Mon, 13 Oct 2014 20:43:12 GMT

In your first post you say that you translate to 172.16.69.125, but in the packet-tracer you translate to .239.

Please specify exactly how you want to translate the traffic and which systems should communicate exactly.

Sorry I correct it it is

Adam Coombs — Tue, 14 Oct 2014 12:51:36 GMT

Sorry I correct it

it is .239

I found that I was missing a outside acl line as well I am getting a username and password problem now, instead of server has rejected the connection.

That means, for the ASA

Karsten Iwen — Tue, 14 Oct 2014 13:38:07 GMT

That means, for the ASA-config everything is fine now?

Still working on this problem

Adam Coombs — Tue, 14 Oct 2014 13:43:00 GMT

Still working on this problem but I believe this part is fixed