https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308780#M311173 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Its failing because you are targetting the local IP address of the destination host in the <STRONG>"packet-tracer"</STRONG> command.</P><P></P><P>If someone on the external network were to connect to this host then the destination IP address would be that of your <STRONG>"outside"</STRONG> interface.</P><P></P><P>Use the <STRONG>"outside"</STRONG> interface IP address as the destination IP in the <STRONG>"packet-tracer"</STRONG> command and post that output if there is still a problem with it</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 10 Oct 2013 16:30:14 GMT Jouni Forss 2013-10-10T16:30:14Z https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308779#M311172 <P>Here are the relevant parts of my config:</P><P></P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 172.18.67.1 255.255.255.0</P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address 71.x.x.x 255.255.255.0</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P></P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>access-list NAT extended permit ip 172.18.67.0 255.255.255.0 10.11.0.0 255.255.0.0</P><P>access-list NAT extended permit ip 172.18.67.0 255.255.255.0 10.41.0.0 255.255.0.0</P><P>access-list Port_Forwarding-ACL extended permit tcp any host 172.18.67.2 eq 3389</P><P>!</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list NAT</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>static (inside,outside) tcp interface 3389 172.18.67.2 3389 netmask 255.255.255.255</P><P></P><P>access-group Port_Forwarding-ACL in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 71.169.11.1 1</P><P></P><P></P><P>Here is a packet tracer output:</P><P>eas-ny-pinn# packet-tracer input outside tcp 1.1.1.1 3389 172.18.67.2 3389</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 172.18.67.0&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; inside</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group Port_Forwarding-ACL in interface outside</P><P>access-list Port_Forwarding-ACL extended permit tcp any host 172.18.67.2 eq 3389</P><P>Additional Information:</P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 5</P><P>Type: HOST-LIMIT</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 6</P><P>Type: NAT</P><P>Subtype: rpf-check</P><P>Result: DROP</P><P>Config:</P><P>static (inside,outside) tcp interface 3389 172.18.67.2 3389 netmask 255.255.255.255</P><P>&nbsp; match tcp inside host 172.18.67.2 eq 3389 outside any</P><P>&nbsp;&nbsp;&nbsp; static translation to 71.169.11.10/3389</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 6</P><P>Additional Information:</P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P><P></P><P>Why is this failing?</P> Tue, 12 Mar 2019 02:50:17 GMT https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308779#M311172 jasonww04 2019-03-12T02:50:17Z https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308780#M311173 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Its failing because you are targetting the local IP address of the destination host in the <STRONG>"packet-tracer"</STRONG> command.</P><P></P><P>If someone on the external network were to connect to this host then the destination IP address would be that of your <STRONG>"outside"</STRONG> interface.</P><P></P><P>Use the <STRONG>"outside"</STRONG> interface IP address as the destination IP in the <STRONG>"packet-tracer"</STRONG> command and post that output if there is still a problem with it</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 10 Oct 2013 16:30:14 GMT https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308780#M311173 Jouni Forss 2013-10-10T16:30:14Z https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308781#M311174 <HTML><HEAD></HEAD><BODY><P>This is what I get now.</P><P></P><P>eas-ny-pinn# packet-tracer input outside tcp 1.1.1.1 3389 71.169.11.10 3389</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW</P><P>Config:</P><P>static (inside,outside) tcp interface 3389 172.18.67.2 3389 netmask 255.255.255.255</P><P>&nbsp; match tcp inside host 172.18.67.2 eq 3389 outside any</P><P>&nbsp;&nbsp;&nbsp; static translation to 71.169.11.10/3389</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 18</P><P>Additional Information:</P><P>NAT divert to egress interface inside</P><P>Untranslate 71.169.11.10/3389 to 172.18.67.2/3389 using netmask 255.255.255.255</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Thu, 10 Oct 2013 19:21:11 GMT https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308781#M311174 jasonww04 2013-10-10T19:21:11Z https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308782#M311175 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Try adding</P><P></P><P><STRONG>access-list Port_Forwarding-ACL extended permit tcp any interface outside eq 3389</STRONG></P><P></P><P>Then test the actual connection again and <STRONG>"packet-tracer"</STRONG> if you want.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 10 Oct 2013 19:24:36 GMT https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308782#M311175 Jouni Forss 2013-10-10T19:24:36Z https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308783#M311176 <HTML><HEAD></HEAD><BODY><P>That fixed it. I'm always screwing up ACLs on interfaces when it comes to NAT. No one outside the network is trying to reach the private IP, that's what the NAT does.</P></BODY></HTML> Thu, 10 Oct 2013 19:54:43 GMT https://community.cisco.com/t5/network-security/static-pat-problem-on-asa-7-2/m-p/2308783#M311176 jasonww04 2013-10-10T19:54:43Z