ASA NAT

denilson.mota — Fri, 07 Feb 2020 07:24:30 GMT

Hello everyone,

I have problem to give internet access to a specific host from the ASA, I have a static NAT from host x.x.x.x to the outside interface and I also have an acces-list permit the host x.x.x.x to any ip. But the host still not going to the internet.

Please see the attached pcap for you reference and please help me to figure out what happen.

Thank you,

Re: ASA NAT

Karsten Iwen — Fri, 07 Feb 2020 09:42:24 GMT

Static NAT to the outside interface will likely not work. Configure a dynamic NAT/PAT for outgoing traffic. This NAT-statement should go to Section 3, "after auto NAT".

Re: ASA NAT

denilson.mota — Fri, 07 Feb 2020 10:11:51 GMT

Hello Karsten,

Thank you for your reply,

I deleted all NAT for this particular rule and I have created a dynamic NAT/PAT but still not going to the internet.

this is the command a used:

nat (Customs,Outside) after-auto source dynamic RemoteGroup_Internet-Access interface

Re: ASA NAT

Karsten Iwen — Fri, 07 Feb 2020 10:15:31 GMT

What does packet-tracer tell you when simulating a connection?

Re: ASA NAT

denilson.mota — Fri, 07 Feb 2020 10:21:06 GMT

This is the output for the packet tracer:

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaadcffd810, priority=13, domain=capture, deny=false
hits=21355839, user_data=0x2aaadccc62c0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Customs, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad82c9fe0, priority=1, domain=permit, deny=false
hits=754156783, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Customs, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.30.3 using egress ifc Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Customs_access_in in interface Customs
access-list Customs_access_in extended permit object-group DM_INLINE_SERVICE_45 object-group RemoteGroup_Internet-Access any4
object-group service DM_INLINE_SERVICE_45
group-object Ping
service-object tcp destination eq www
service-object tcp destination eq https
object-group network RemoteGroup_Internet-Access
network-object object Maputo-APN-TEST
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaadd3c4820, priority=13, domain=permit, deny=false
hits=19, user_data=0x2aaae7bcef80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=172.189.10.11, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaea091890, priority=7, domain=conn-set, deny=false
hits=43004879, user_data=0x2aaaea08b1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Customs,Outside) after-auto source dynamic RemoteGroup_Internet-Access interface
Additional Information:
Dynamic translate 172.189.10.11/443 to 10.0.30.1/443
Forward Flow based lookup yields rule:
in id=0x2aaaecade330, priority=6, domain=nat, deny=false
hits=24, user_data=0x2aaadc22e850, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.189.10.11, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=Outside

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac6e87930, priority=1, domain=nat-per-session, deny=true
hits=191613289, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad82d2f00, priority=0, domain=inspect-ip-options, deny=true
hits=59151317, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaaea09f4b0, priority=70, domain=inspect-icmp-error, deny=false
hits=39551817, user_data=0x2aaaea097490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any

Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaadb59e9a0, priority=20, domain=lu, deny=false
hits=16725822, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=any

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Customs,Outside) after-auto source dynamic RemoteGroup_Internet-Access interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaaddc47a60, priority=6, domain=nat-reverse, deny=false
hits=25, user_data=0x2aaadcd83270, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.189.10.11, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Customs, output_ifc=Outside

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac6e87930, priority=1, domain=nat-per-session, deny=true
hits=191613291, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaad81033c0, priority=0, domain=inspect-ip-options, deny=true
hits=44025294, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 241221054, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.30.3 using egress ifc Outside

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 001f.a011.9838 hits 201496 reference 6236

Result:
input-interface: Customs
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Re: ASA NAT

Karsten Iwen — Fri, 07 Feb 2020 10:41:19 GMT

At least the ASA says it would be allowed and that the right NAT-rule is used. It is likely that the problem is somewhere else.

topic Re: ASA NAT in Network Security

ASA NAT

Re: ASA NAT

Re: ASA NAT

Re: ASA NAT

Re: ASA NAT

Re: ASA NAT