topic Hi Sameer,I am bit confused in Network Security

Static NAT on ASA 5520-version 9.1(2)

msameerkn — Tue, 12 Mar 2019 04:04:47 GMT

Hi All ,

I have an issue with static NAT on ASA 5520 Version 9.1(2) firewall.

Configuration as below

interface GigabitEthernet0/0

description outside

nameif OUTSIDE

security-level 0

ip address 10.x.x.x 255.255.255.0

!interface GigabitEthernet0/2

description dmz1

nameif dmz1

security-level 50

ip address 10.10.10.1 255.255.255.0

nat configuration

object network obj-10.10.10.2

host 10.10.10.2

nat (dmz1,OUTSIDE) static obj-213.x.x.x

ACL

access-list OUTSIDE_access_in line 1 extended permit tcp host 76.x.x.x host 10.10.10.2 eq ssh

access-list dmz1_access_in line 24 extended permit tcp host 10.10.10.2 host 76.x.x.x eq ssh

Packet-tracer output

asa# packet-tracer input outside tcp 76.x.x.x 22 213.x.x.x 22

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network obj-10.10.10.2

nat (dmz1,OUTSIDE) static obj-213.x.x.x

Additional Information:

NAT divert to egress interface dmz1

Untranslate 213.x.x.x/22 to 10.10.10.2/22

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE_access_in in interface OUTSIDE

access-list OUTSIDE_access_in extended permit ip host 76.x.x.x host 10.10.10.2 eq ssh

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IDS

Subtype:

Result: ALLOW

Config:

class-map IPS

match any

policy-map global_policy

class IPS

ips inline fail-open

service-policy global_policy global

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network obj-10.10.10.2

nat (dmz1,OUTSIDE) static obj-213.x.x.x

Additional Information:

Phase: 8

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 20646801, packet dispatched to next module

Result:

input-interface: OUTSIDE

input-status: up

input-line-status: up

output-interface: dmz1

output-status: up

output-line-status: up

Action: allow

acl output

access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x eq ssh host 10.10.10.2 eq ssh (hitcnt=0) 0x933a0526
But I tried to telnet 213.x.x.x 22 , but no luck .

I would appreciate help on this matter .

It looks like the other post

jj27 — Tue, 15 Apr 2014 14:02:40 GMT

It looks like the other post we were working on got deleted or something. You mentioned you see no access-list hits for OUTSIDE_access_in.

I noticed your outside interface is on a 10.x.x.x IP range yet your public IP is 213.x.x.x. Is it possible that your ISP's device is not in bridged mode to allow the public assigned IP range through to your firewall? I would start there...

sorry for that , moved to

msameerkn — Tue, 15 Apr 2014 14:14:52 GMT

sorry for that , moved to firewall section , ISP device is bridged mode , other public ip address are working fine , checked with ISP and confirmed that directly routed to our firewall .

while we are checking the packet trace all status are allow and up .

Try modifying the ACE in your

jj27 — Tue, 15 Apr 2014 14:20:05 GMT

Try modifying the ACE in your ACL. It is very unlikely that the source port of your public IP trying to SSH is 22.

instead of:

access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x eq ssh host 10.10.10.2 eq ssh

try:

access-list OUTSIDE_access_in line 27 extended permit tcp host 76.x.x.x host 10.10.10.2 eq ssh

Also confirm the source IP 76.x.x.x is correct when performing your test.

modified the access- list

msameerkn — Tue, 15 Apr 2014 14:24:49 GMT

modified the access- list with any

access-list OUTSIDE_access_in line 27 extended permit ip host 76.x.x.x any4 .. but no luck

I have doubts there are lots of existing Nat rules , it will make any issue ?

Hi Sameer, Hope you are

nkarthikeyan — Tue, 15 Apr 2014 14:31:07 GMT

Hi Sameer,

Hope you are trying to access from outside ( Internet ) to a server in DMZ right???

is the outside interface is connecetd to a public network directly???? bcoz i see some 10.x.x.x mentioned there????

Regards

Karthik

Hi Karthik , you're right ,

msameerkn — Tue, 15 Apr 2014 15:12:26 GMT

Hi Karthik ,

you're right , trying to accessing from outside ,

ISP provided the private ip address to connect their device , we have 30 Public ip address , some of them used and working .

Hi Sameer,I am bit confused

nkarthikeyan — Wed, 16 Apr 2014 10:18:38 GMT

Hi Sameer,

I am bit confused here.... if you have the inetrnet router connected to the fw you can use the public IP's on outside interface right.... or you have the private LAN in between internet and fw segment.... because case to case it differs...

Also you said some are working... are they configured in the same manner which is working???

Regards

Karthik

John , It seems issue on ISP

msameerkn — Wed, 16 Apr 2014 18:38:31 GMT

John , It seems issue on ISP , used another public ip address and working fine.

.Karthik , this data center belongs to the ISP and they provided the private IP address to configure on the outside . sorry I have no more information to explain ,don’t have access to ISP device .

Thanks for all your support .