topic ASA 9.1 - static NAT problem in Network Security

ASA 9.1 - static NAT problem

1johnsmith — Tue, 12 Mar 2019 03:22:39 GMT

Hi everyone,

I wanted to create a static NAT by following Cisco's documentation for ASA 9.1 firmware. Inside network is using PAT without any issues but ASA is not doing NAT for some internal servers from outside. I tried to troubleshoot but I have nothing else left to check. Can you please look at my config and let me knnow if there is anything wrong? I am trying to use permit all ACL until my config works. Thanks.

ASA Version 9.1(4)

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

multicast-routing

interface GigabitEthernet0/0

nameif INSIDE

security-level 100

ip address 10.10.1.5 255.255.255.252

ospf message-digest-key 1 md5 *****

ospf authentication message-digest

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

speed 100

duplex full

nameif OUTSIDE

security-level 0

ip address 1.4.18.194 255.255.255.192

interface Management0/0

shutdown

no nameif

no security-level

no ip address

boot system disk0:/asa914-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name net

same-security-traffic permit intra-interface

object network WEB

host 10.100.2.104

object network RAS

host 10.100.99.2

object network box

host 10.120.1.201

object network inside_network

subnet 10.0.0.0 255.0.0.0

access-list OUTSIDE_IN extended permit icmp any any

access-list OUTSIDE_IN extended permit ip any any

access-list OUTSIDE_IN extended permit gre any any

mtu INSIDE 1500

mtu OUTSIDE 1500

ip verify reverse-path interface OUTSIDE

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network WEB

nat (INSIDE,OUTSIDE) static 1.4.18.195

object network RAS

nat (INSIDE,OUTSIDE) static 1.4.18.196

object network box

nat (INSIDE,OUTSIDE) static 1.4.18.198

object network inside_network

nat (INSIDE,OUTSIDE) dynamic interface

access-group OUTSIDE_IN in interface OUTSIDE

router ospf 10

router-id 10.10.1.5

network 10.10.1.4 255.255.255.252 area 0

log-adj-changes

default-information originate metric 95

dynamic-access-policy-record DfltAccessPolicy

service resetoutside

tls-proxy maximum-session 1000

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect pptp

inspect icmp

inspect ipsec-pass-thru

inspect mgcp

inspect http

service-policy global_policy global

prompt hostname context

ASA 9.1 - static NAT problem

Jouni Forss — Sat, 28 Dec 2013 16:38:57 GMT

Hi,

I would start with testing the NAT that is not working with "packet-tracer" command.

Simulate/Test some connection coming from the public network with the command

packet-tracer input OUTSIDE tcp 1.1.1.1 12345

You did not mention the Static NAT that is not working (unless the problem is with all of them) so insert the correct NAT IP to the above command.

Do you have a default route configured on the ASA at all? I can't see it in the above output atleast.

Have you checked the ASAs routing table? Does it include the source address of the Static NAT that is working? Just wondering if there is a routing problem.

- Jouni

ASA 9.1 - static NAT problem

1johnsmith — Sun, 29 Dec 2013 05:23:42 GMT

Hi Jouni,

yes there is a static route (it is deleted from the config posted by accident) pointing to the outside interface.

Problem is with all of Static NAT entries. I do not have any issues with any internal routing and I can easily ping my outside gateway.

I will try packet-tracer and see what it shows.

Thanks

John

ASA 9.1 - static NAT problem

fb_webuser — Sun, 29 Dec 2013 13:57:34 GMT

Your internal servers are reachable on a particular port? For instance 80/443?

The NAT statements are fine to me, very basic.

Your access-list is wide open, no problem either.

Try from another internetconnection to telnet to one of your public IP-adresses on a open port 80/443.

---

Posted by WebUser Erik Boss from Cisco Support Community App

ASA 9.1 - static NAT problem

1johnsmith — Mon, 30 Dec 2013 04:26:09 GMT

Hi,

yes my internal servers are reachable, I do not have any other firewall on the servers blocking those ports. I do not think I have any routing or firewall problem. I do not know what I am missing.

Thanks

John

ASA 9.1 - static NAT problem

1johnsmith — Tue, 31 Dec 2013 16:16:40 GMT

Hi,

I've found out after checking with packet tracer, it looks like inbound connection is failing because of rpf-check. how can I make sure that return traffic from servers follow back their original NAT connection?

John

ASA 9.1 - static NAT problem

Jouni Forss — Tue, 31 Dec 2013 22:28:56 GMT

Hi,

The most common reason that the "packet-tracer" might fail with the RPF Check is if you use the actual private IP address as the destination in the "packet-tracer" command.

That or some problems with the NAT configurations but that doesnt seem likely considering your simple NAT configuration.

It would still help to see the actual "packet-tracer" output I suggested originally.

You should be seeing an UN-NAT Phase at the very start of the output which would tell the destination address of the "packet-tracer" matches one of your NAT configurations. Then you should see a ACCESS-LIST Phase which shows an interface ACL allowing the connection.

- Jouni