topic Static PAT issue with 8.4 in Network Security

Static PAT issue with 8.4

Lee Breinich — Mon, 11 Mar 2019 22:32:09 GMT

I have a simple small network setup here, and trying to setup a simple Static PAT on HTTPS, for some reason the NAT rule is dropping the packet. Here is the setup.

Internal Subnet: 172.31.0.0/24

External Internet DHCP

Host object: 172.31.0.13

There is also a SSL anyconnect VPN setup but is using port 444.

object network obj_any-01

nat (inside,outside) dynamic interface

object network LD-App01

nat (inside,outside) static interface service tcp https https

nat (inside,any) after-auto source static obj-172.31.0.0 obj-172.31.0.0 destination static Personal-VPN Personal-VPN no-proxy-arp

object network obj-172.31.0.0

subnet 172.31.0.0 255.255.255.0

object network Personal-VPN

subnet 172.31.1.0 255.255.255.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network LD-App01

host 172.31.0.13

access-list inside_access_in extended permit ip any any

access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.255.0 object Personal-VPN

access-list Personal-VPN-ACL standard permit 172.31.0.0 255.255.255.0

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any object LD-App01 eq https

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

Here is the packet trace

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 172.31.0.0 255.255.255.0 inside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any object LD-App01 eq https

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network LD-App01

nat (inside,outside) static interface service tcp https https

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Please Help...

Thanks,

Lee

Static PAT issue with 8.4

Julio Carvajal — Sun, 19 Feb 2012 21:48:50 GMT

Hello Lee,

The configuaration looks good to me, I would make the following:

object network outside_interface_ip

host x.x.x.x.x

object service https

service tcp source eq 443

object network LD-App01

no nat (inside,outside) static interface service tcp https https

nat (inside,outside) 1 source static LD-App01 outside_interface_ip service https https

Give it a try and let me know regards,

Julio

Do rate helpful posts!

Re: Static PAT issue with 8.4

Lee Breinich — Sun, 19 Feb 2012 22:09:15 GMT

Tried your recomendation but ran into a error.

I created the object outside_int_ip with the outside ip.

Then tried to create the nat as you have listed but got the following error.

nat (inside,outside)1 source static LD-App01 outside_int_ip service https https

ERROR: % Invalid input detected at '^' marker.

LD-FW01(config-network-object)# nat (inside,outside) 1 source static LD-App01 $

ERROR: Address 75.188.84.144 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

Thanks,

Lee

Re: Static PAT issue with 8.4

Julio Carvajal — Sun, 19 Feb 2012 22:18:01 GMT

Hello Lee,

It should not have failed!

You placed the object right, not the Ip?

Regards,

Re: Static PAT issue with 8.4

Lee Breinich — Sun, 19 Feb 2012 22:25:41 GMT

Here is the current object list and the nat command with the failure message. I'm also running the current 8.4(3)

LD-FW01# show run ob

object network obj-172.31.0.0

subnet 172.31.0.0 255.255.255.0

object network Personal-VPN

subnet 172.31.1.0 255.255.255.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network LD-App01

host 172.31.0.13

description Spiceworks

object service https

service tcp source eq https

object network outside_int_ip

host 76.188.84.144

LD-FW01# con t

LD-FW01(config)# object network LD-App01

LD-FW01(config-network-object)# nat (inside,outside) 1 source static LD-App01 $

ERROR: Address 75.188.84.144 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

Re: Static PAT issue with 8.4

Julio Carvajal — Sun, 19 Feb 2012 22:28:00 GMT

Hello,

You need to do it outside the object network that is the problem!

So just by being on config te add the nat command I gave you

Re: Static PAT issue with 8.4

Lee Breinich — Sun, 19 Feb 2012 22:36:00 GMT

still getting the same error.

LD-FW01(config)# nat (inside,outside) 1 source static LD-App01 outside_int_ip $

ERROR: Address 75.188.84.144 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

Static PAT issue with 8.4

Lee Breinich — Mon, 20 Feb 2012 13:54:43 GMT

For Julio and anyone else who may read this. The origional config I posted worked just fine though for some reason the NAT in the packet trace still shows as being dropped. The actual issue is that the server I was Natting to closed the 443 (https) port for some reason. As soon as I fixed the port issue on the server, I was able to NAT correctly through the ASA.

Thanks,

Lee

Static PAT issue with 8.4

Julio Carvajal — Mon, 20 Feb 2012 17:24:58 GMT

Hello Lee,

Glad to hear everything is working now.

Just in case the one option I gave you should be like this

nat (inside,outside) 1 source static LD-App01 interface service https https

Regards,

Julio