topic Re: NAT rule not working in Network Security

NAT rule not working

Lajja1234 — Tue, 26 Mar 2019 00:49:59 GMT

Hi!

I need one DMZ server to access my inside network, but it does not work. I have made an access rule and the rule is working. Verified with packet tracer, packet tracer drops packet at the NAT step. The strange thing is that the NAT rule doesn't get hit at all.

Is there something wrong with the statement below?

static (inside,DMZ) DMZ-servername DMZ-servername netmask 255.255.255.255

/Lajja1234

NAT rule not working

Jouni Forss — Tue, 22 Jan 2013 18:38:35 GMT

Hi,

As I said in the previous thread on these forums, this is hard to troubleshoot when you dont have anything to work with.

If you dont want to share the configurations at all I would go through all the NAT rules and look for some existing rule that would apply to the traffic between DMZ and inside.

It seemed to me that there is some conflicting NAT rule. But cant say for sure what the specific reason is as you dont share the "packet-tracer" output or the NAT configurations

- Jouni

Re: NAT rule not working

Lajja1234 — Tue, 22 Jan 2013 19:04:37 GMT

Hi!

I would prefer not to share the configuration. I can share only the NAT rules, but its a big net with many NAT rules. I do not only have one DMZ, i have several. The NAT config is attached below (I have edited names and numbers).

I have removed the sensitive stuff of the packet tracer.

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.1.100.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group DMZ_access_in in interface DMZ

access-list DMZ_access_in extended permit tcp host DMZ-server host Inside-server object-group Licensegroup

object-group service Licensegroup tcp

port-object eq 5511

port-object eq 5588

port-object eq 5555

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

static (DMZ,inside) DMZ-server DMZ-server netmask 255.255.255.255

match ip DMZ host DMZ-server inside any

static translation to DMZ-server

translate_hits = 508, untranslate_hits = 4516

Additional Information:

Static translate DMZ-server/0 to DMZ-server/0 using netmask 255.255.255.255

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (DMZ,External_wan) DMZ-server DMZ-server netmask 255.255.255.255

match ip DMZ host DMZ-server External_wan any

static translation to DMZ-server

translate_hits = 66, untranslate_hits = 0

Additional Information:

Phase: 8

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 1 10.1.0.0 255.255.0.0

match ip inside 10.1.0.0 255.255.0.0 DMZ any

dynamic translation to pool 1 (No matching global)

translate_hits = 202562, untranslate_hits = 0

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

/Lajja1234

NAT rule not working

lcambron — Wed, 23 Jan 2013 01:13:50 GMT

Hello,

Seems like you have asymmetric NAT, the destination is self translated from DMZ to inside, and the packet is hitting the "nat (inside) 1 10.1.0.0 255.255.0.0" command.

you can fix this with NAT 0.

Example:

access-list nat0 permit ip inside_network host DMZ_Server

nat (inside) 0 access-list nat0

So the ASA wont try to nat the source IP for the reply of the connection.

Regards,

Felipe.